Support multiple SSL certificates on first HTTPS port listener

Author: Steven Nemetz

examples/https-multi-certs/README.md

@@ -0,0 +1 @@
+# ALB using HTTPS with multiple SSL certificates

examples/https-multi-certs/main.tf

@@ -0,0 +1,44 @@
+data "aws_vpc" "vpc" {
+  tags {
+    Env = "one"
+  }
+}
+
+# Look up security group
+data "aws_subnet_ids" "public_subnet_ids" {
+  vpc_id = "${data.aws_vpc.vpc.id}"
+
+  tags {
+    Network = "Public"
+  }
+}
+
+data "aws_subnet_ids" "private_subnet_ids" {
+  vpc_id = "${data.aws_vpc.vpc.id}"
+
+  tags {
+    Network = "Private"
+  }
+}
+
+#
+module "lb-https" {
+  source                       = "../../"
+  name                         = "lb-https-multi"
+  environment                  = "one"
+  organization                 = "wiser"
+  certificate_additional_names = ["*.one.wiser.com", "*.test.wiser.com"]
+  certificate_name             = "*.wiser.com"
+  instance_http_ports          = ""
+  instance_https_ports         = "443,8443"
+  instance_tcp_ports           = ""
+  internal                     = false                                          # PUBLIC
+  lb_http_ports                = ""
+  lb_https_ports               = "443,8443"
+  lb_protocols                 = ["HTTPS"]
+  lb_tcp_ports                 = ""
+  ports                        = "3000,4000"
+  security_groups              = ["sg-bef0a5c2"]                                #  PUBLIC -> use whitelist SG
+  subnets                      = "${data.aws_subnet_ids.public_subnet_ids.ids}" # PUBLIC -> use public subnets
+  vpc_id                       = "${data.aws_vpc.vpc.id}"
+}

examples/https-multi-certs/outputs.tf

@@ -0,0 +1,122 @@
+//
+// LB attributes
+//
+output "arn" {
+  description = "ARN of the LB itself. Useful for debug output, for example when attaching a WAF."
+  value       = "${module.lb-https.arn}"
+}
+
+output "dns_name" {
+  description = "The DNS name of the LB presumably to be used with a friendlier CNAME."
+  value       = "${module.lb-https.dns_name}"
+}
+
+output "id" {
+  description = "The ID of the LB we created."
+  value       = "${module.lb-https.id}"
+}
+
+output "zone_id" {
+  description = "The zone_id of the LB to assist with creating DNS records."
+  value       = "${module.lb-https.zone_id}"
+}
+
+# arn_suffix
+# canonical_hosted_zone_id
+
+//
+// LB Listener attributes
+//
+output "listener_http_arns" {
+  description = "The ARNs of the HTTP LB Listeners"
+  value       = "${module.lb-https.listener_http_arns}"
+}
+
+output "listener_http_ids" {
+  description = "The IDs of the HTTP LB Listeners"
+  value       = "${module.lb-https.listener_http_ids}"
+}
+
+output "listener_https_arns" {
+  description = "The ARNs of the HTTPS LB Listeners"
+  value       = "${module.lb-https.listener_https_arns}"
+}
+
+output "listener_https_ids" {
+  description = "The IDs of the HTTPS LB Listeners"
+  value       = "${module.lb-https.listener_https_ids}"
+}
+
+output "listener_tcp_arns" {
+  description = "The ARNs of the network TCP LB Listeners"
+  value       = "${module.lb-https.listener_tcp_arns}"
+}
+
+output "listener_tcp_ids" {
+  description = "The IDs of the network TCP LB Listeners"
+  value       = "${module.lb-https.listener_tcp_ids}"
+}
+
+output "listener_arns" {
+  description = "ARNs of all the LB Listeners"
+  value       = "${module.lb-https.listener_arns}"
+}
+
+output "listener_ids" {
+  description = "IDs of all the LB Listeners"
+  value       = "${module.lb-https.listener_ids}"
+}
+
+//
+// LB Target Group attributes
+//
+output "target_group_http_arns" {
+  description = "ARNs of the HTTP target groups. Useful for passing to your Auto Scaling group module."
+  value       = "${module.lb-https.target_group_http_arns}"
+}
+
+output "target_group_https_arns" {
+  description = "ARNs of the HTTPS target groups. Useful for passing to your Auto Scaling group module."
+  value       = "${module.lb-https.target_group_https_arns}"
+}
+
+output "target_group_tcp_arns" {
+  description = "ARNs of the TCP target groups. Useful for passing to your Auto Scaling group module."
+  value       = "${module.lb-https.target_group_tcp_arns}"
+}
+
+output "target_group_arns" {
+  description = "ARNs of all the target groups. Useful for passing to your Auto Scaling group module."
+  value       = "${module.lb-https.target_group_arns}"
+}
+
+output "target_group_http_ids" {
+  description = "IDs of the HTTP target groups"
+  value       = "${module.lb-https.target_group_http_ids}"
+}
+
+output "target_group_https_ids" {
+  description = "IDs of the HTTPS target groups"
+  value       = "${module.lb-https.target_group_https_ids}"
+}
+
+output "target_group_tcp_ids" {
+  description = "IDs of the TCP target groups"
+  value       = "${module.lb-https.target_group_tcp_ids}"
+}
+
+output "target_group_ids" {
+  description = "IDs of all the target groups"
+  value       = "${module.lb-https.target_group_ids}"
+}
+
+# arn_suffix
+# name
+
+//
+// Misc
+//
+output "principal_account_id" {
+  description = "The AWS-owned account given permissions to write your LB logs to S3."
+  value       = "${module.lb-https.principal_account_id}"
+}

examples/https-multi-certs/providers.tf

@@ -0,0 +1,5 @@
+provider "aws" {
+  region = "${var.region}"
+
+  #version = "1.5"
+}

examples/https-multi-certs/variables.tf

@@ -0,0 +1,3 @@
+variable "region" {
+  default = "us-west-2"
+}

main.tf

@@ -80,6 +80,17 @@ data "aws_acm_certificate" "this" {
   #statuses = ["ISSUED"]
 }
 
+data "aws_acm_certificate" "additional" {
+  count = "${
+    module.enabled.value &&
+    var.type == "application" &&
+    contains(var.lb_protocols, "HTTPS")
+    ? length(var.certificate_additional_names) : 0
+  }"
+
+  domain = "${var.certificate_additional_names[count.index]}"
+}
+
 # May need to create 2: 1 w/ logs and 1 w/o logs
 resource "aws_lb" "application" {
   count              = "${module.enabled.value && var.type == "application" ? 1 : 0}"
@@ -394,6 +405,20 @@ resource "aws_lb_listener" "https" {
   }
 }
 
+# Additional certs for https listener on first port
+# TODO: figure out way to add to all ports
+#   temp: could add another stansa for second port if >= 2 https ports
+resource "aws_lb_listener_certificate" "https" {
+  count = "${
+    module.enabled.value &&
+    var.type == "application" &&
+    contains(var.lb_protocols, "HTTPS")
+    ? length(var.certificate_additional_names) : 0 }"
+
+  listener_arn    = "${element(aws_lb_listener.https.*.arn, 0)}"
+  certificate_arn = "${element(data.aws_acm_certificate.additional.*.arn, count.index)}"
+}
+
 resource "aws_lb_listener" "network" {
   count = "${
     module.enabled.value &&

variables.tf

@@ -58,8 +58,14 @@ variable "enable_logging" {
   default     = false
 }
 
+variable "certificate_additional_names" {
+  description = "List of additional names of SSL Certificates to look up in ACM and use"
+  type        = "list"
+  default     = []
+}
+
 variable "certificate_name" {
-  description = "The name of the SSL Certificate to look up in ACM and use"
+  description = "The name of the default SSL Certificate to look up in ACM and use"
   default     = ""
 }