
Since Terraform AWS Provider v6, the region can be specified "at the resource level" 🌍️ Until now you had to define a provider with an alias for this. The details are in "Terraform AWS provider 6.0 now generally available".
Recently I had an opportunity to build Amazon CloudFront with a custom domain. The AWS Certificate Manager (ACM) certificate attached to an Amazon CloudFront distribution must be deployed in us-east-1 (the N. Virginia region), so I tried out the resource-level region setting. Here is a short summary.
To use an ACM certificate with a CloudFront distribution, make sure you request (or import) the certificate in the US East (N. Virginia) Region (us-east-1).
When building Amazon CloudFront + Amazon S3 with a custom domain, the implementation looks like the following (sample code only).

```hcl
data "aws_route53_zone" "main" {
  name = "xxxxx.com"
}

resource "aws_s3_bucket" "assets" {
  bucket = "xxxxx-sandbox-assets"
}

# Keep the origin bucket fully private; CloudFront reaches it through OAC.
resource "aws_s3_bucket_public_access_block" "assets" {
  bucket                  = aws_s3_bucket.assets.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_policy" "assets" {
  bucket = aws_s3_bucket.assets.id
  policy = data.aws_iam_policy_document.assets.json
}

# Only the CloudFront service principal, and only this distribution (aws:SourceArn), may read objects.
data "aws_iam_policy_document" "assets" {
  statement {
    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.assets.arn}/*"]
    condition {
      test     = "StringEquals"
      variable = "aws:SourceArn"
      values   = [aws_cloudfront_distribution.main.arn]
    }
  }
}

# The certificate must live in us-east-1 for CloudFront; provider v6 lets us say so on the resource itself.
resource "aws_acm_certificate" "cdn" {
  region            = "us-east-1"
  domain_name       = "sandbox-cdn.xxxxx.com"
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# DNS validation records for the certificate, one per domain_validation_options entry.
resource "aws_route53_record" "validation" {
  for_each = {
    for dvo in aws_acm_certificate.cdn.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  zone_id         = data.aws_route53_zone.main.zone_id
  name            = each.value.name
  type            = each.value.type
  records         = [each.value.record]
  ttl             = 60
}

resource "aws_cloudfront_origin_access_control" "main" {
  name                              = "sandbox-cdn-oac"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

resource "aws_cloudfront_distribution" "main" {
  enabled = true
  aliases = ["sandbox-cdn.xxxxx.com"]

  origin {
    domain_name              = aws_s3_bucket.assets.bucket_regional_domain_name
    origin_id                = aws_s3_bucket.assets.id
    origin_access_control_id = aws_cloudfront_origin_access_control.main.id
  }

  default_cache_behavior {
    target_origin_id       = aws_s3_bucket.assets.id
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]

    # Legacy forwarded_values settings; cache policies are the newer alternative.
    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn      = aws_acm_certificate.cdn.arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }
}

# Alias record pointing the custom domain at the distribution.
resource "aws_route53_record" "cdn" {
  zone_id = data.aws_route53_zone.main.zone_id
  name    = "sandbox-cdn.xxxxx.com"
  type    = "A"

  alias {
    name                   = aws_cloudfront_distribution.main.domain_name
    zone_id                = aws_cloudfront_distribution.main.hosted_zone_id
    evaluate_target_health = false
  }
}
```
The key point here is aws_acm_certificate: by setting region = "us-east-1" as an attribute of the resource, the AWS Certificate Manager certificate is deployed in us-east-1 (the N. Virginia region).
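For contrast, here is an added example (my code, not the post's sample) that puts the pre-v6 alias-provider form next to the v6 resource-level form, and adds an aws_acm_certificate_validation resource so the distribution only references an issued certificate. The validation resource is my addition; it assumes the aws_route53_record.validation records from the sample above exist and, being a regional resource, needs the same region attribute.

```hcl
# --- Before provider v6: a second provider instance pinned to us-east-1 ---
provider "aws" {
  alias  = "virginia"
  region = "us-east-1"
}

resource "aws_acm_certificate" "cdn_v5" {
  provider          = aws.virginia # every us-east-1 resource had to carry this
  domain_name       = "sandbox-cdn.xxxxx.com"
  validation_method = "DNS"
}

# --- Provider v6: the region is an ordinary resource attribute ---
resource "aws_acm_certificate" "cdn" {
  region            = "us-east-1" # changing this value forces replacement
  domain_name       = "sandbox-cdn.xxxxx.com"
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# Added here (not in the post): wait for DNS validation to complete.
# CloudFront rejects a certificate that is still PENDING_VALIDATION, and
# aws_acm_certificate.cdn.arn alone does not wait for issuance. The
# validation resource is regional too, so it also needs region = "us-east-1".
resource "aws_acm_certificate_validation" "cdn" {
  region                  = "us-east-1"
  certificate_arn         = aws_acm_certificate.cdn.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}
```

With this in place, the distribution's viewer_certificate should use aws_acm_certificate_validation.cdn.certificate_arn rather than aws_acm_certificate.cdn.arn, so terraform apply orders the CloudFront creation after the certificate is issued.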

It's a small tip, but a handy one worth remembering 💪