Cannot access EC2 after configuring an ALB

Problem description    Votes: 0    Answers: 1

I have an EC2 instance running a Docker container that serves a static web application. Here is some of my configuration:

DNS.TF

resource "aws_route53_zone" "main" {
  name = var.domain_name
}

resource "aws_route53_record" "www" {
  zone_id = aws_route53_zone.main.zone_id
  name    = "www.${var.domain_name}"
  type    = "A"
  // ttl     = "300"
  // records = [aws_lb.resume-app-application-load-balancer.dns_name]
  depends_on = [aws_lb.resume-app-application-load-balancer]

  alias {
    name                   = aws_lb.resume-app-application-load-balancer.dns_name
    zone_id                = aws_lb.resume-app-application-load-balancer.zone_id
    evaluate_target_health = true
  }
}

resource "aws_route53_record" "root" {
  zone_id = aws_route53_zone.main.zone_id
  name    = var.domain_name
  type    = "A"
  // ttl     = "300"
  // records = [aws_lb.resume-app-application-load-balancer.dns_name]
  depends_on = [aws_lb.resume-app-application-load-balancer]

  alias {
    name                   = aws_lb.resume-app-application-load-balancer.dns_name
    zone_id                = aws_lb.resume-app-application-load-balancer.zone_id
    evaluate_target_health = true
  }
}

resource "aws_route53_record" "example" {
  for_each = {
    for dvo in aws_acm_certificate.resume-app-cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = aws_route53_zone.main.zone_id
}

ALB.TF

resource "aws_lb" "resume-app-application-load-balancer" {
  name               = var.resume-app-application-load-balancer-name
  internal           = false
  load_balancer_type = "application"
  subnets            = [aws_subnet.resume-app-public-subnet.id, aws_subnet.resume-app-public-subnet2.id] # 2 subnets minimum

  depends_on = [aws_acm_certificate_validation.resume-app-cert]
}

ALB_LISTENER.TF

# Create a listener on port 443 for HTTPS traffic
resource "aws_lb_listener" "resume-app-application-load-balancer-listener" {
  load_balancer_arn = aws_lb.resume-app-application-load-balancer.arn
  port              = 443
  protocol          = "HTTPS"
  
  ssl_policy        = "ELBSecurityPolicy-2016-08"
  certificate_arn   = aws_acm_certificate.resume-app-cert.arn
  
  default_action {
    target_group_arn = aws_lb_target_group.resume-app-application-load-balancer-target-group.arn
    type             = "forward"
  }

  depends_on = [aws_acm_certificate_validation.resume-app-cert]
}

ALB_TARGET_GROUP.TF

resource "aws_lb_target_group" "resume-app-application-load-balancer-target-group" {
  name     = var.resume-app-application-load-balancer-target-group-name
  port     = 80 # Port on which EC2 instance listens
  protocol = "HTTP"
  vpc_id   = aws_vpc.resume-app-vpc.id

  health_check {
    path                = "/"
    port                = 80
    protocol            = "HTTP"
    interval            = 30
    timeout             = 10
    healthy_threshold   = 2
    unhealthy_threshold = 2
  }
}

ACM + ACM VALIDATION.TF

resource "aws_acm_certificate" "resume-app-cert" {
  domain_name       = var.domain_name
  validation_method = "DNS"

  tags = {
    Name = "resume-app-ssl-cert"
  }
}

resource "aws_acm_certificate_validation" "resume-app-cert" {
  certificate_arn         = aws_acm_certificate.resume-app-cert.arn
  validation_record_fqdns = [for record in aws_route53_record.example : record.fqdn]
}

SECURITY_GROUP.TF

resource "aws_security_group" "resume-app-security-group" {
  name        = var.security_group_name
  description = "Allow HTTP and HTTPS traffic for inbound and outbound connections to the web app."
  vpc_id      = aws_vpc.resume-app-vpc.id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = var.cidr_ingress_80
  }

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = var.cidr_ingress_443
  }

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.cidr_ingress_22
  }

  ingress {
    from_port   = -1
    to_port     = -1
    protocol    = "icmp"
    cidr_blocks = var.cidr_ingress_icmp
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = var.cidr_egress_protocol
    cidr_blocks = var.cidr_egress_ips
  }
}

Basically, I want the ALB to terminate the SSL connection. If I understand correctly, when a request reaches my domain it should actually be directed to the ALB, which takes care of handling the connection. The connection from the ALB to the EC2 instance does go to port 80, which I think should be fine. Before I implemented the ALB, the domain was reachable over port 80. Now it cannot be reached at all.

amazon-web-services amazon-ec2 terraform terraform-provider-aws aws-application-load-balancer
1 Answer

0 votes

Posting this in case anyone else runs into this problem: I eventually managed to register an EC2 instance with the target group, as follows:

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment

resource "aws_lb_target_group_attachment" "resume-app-attach-target-to-ec2" {
  target_group_arn = aws_lb_target_group.resume-app-application-load-balancer-target-group.arn
  target_id        = aws_instance.resume-app-ec2-instance.id
  port             = 80
}

Although I am still troubleshooting the fact that the EC2 instance is unreachable, this is still an important part of getting this to work.
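The `aws_lb` in the question declares no `security_groups` (so it gets the VPC default group), and the instance security group opens port 80 to whatever `var.cidr_ingress_80` contains. The following is an added example, not code from the question or the answer, of the security-group pairing that gives the ALB a path to the instance while keeping port 80 closed to the internet, so nothing can bypass TLS termination at the ALB. It assumes the `aws_lb` from ALB.TF is given `security_groups = [aws_security_group.alb.id]` and the instance uses `vpc_security_group_ids = [aws_security_group.instance.id]`; the `alb` and `instance` resource names and the `name` strings are assumed, while `aws_vpc.resume-app-vpc` comes from the page.

```hcl
# Added example: ALB-only ingress path. Resource names "alb" and "instance"
# and the name strings are assumed; aws_vpc.resume-app-vpc is from the page.

# Security group for the load balancer: HTTPS from the internet only.
resource "aws_security_group" "alb" {
  name        = "resume-app-alb-sg" # assumed name
  description = "ALB: accept 443 from anywhere, reach targets on 80 inside the VPC"
  vpc_id      = aws_vpc.resume-app-vpc.id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Egress limited to the VPC on the target port; this also covers
  # the target group health checks, which use port 80.
  egress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.resume-app-vpc.cidr_block]
  }
}

# Security group for the instance: port 80 only from the ALB's group,
# referenced by security group id rather than by CIDR, so the web app
# is unreachable directly from the internet.
resource "aws_security_group" "instance" {
  name        = "resume-app-instance-sg" # assumed name
  description = "Instance: accept 80 from the ALB security group only"
  vpc_id      = aws_vpc.resume-app-vpc.id

  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Once the attachment from the answer is in place, `aws elbv2 describe-target-health --target-group-arn <target group ARN>` shows whether the health check on port 80 is passing, which is the quickest way to tell a security-group problem from a DNS or listener problem. The listener's `ELBSecurityPolicy-2016-08` still permits TLS 1.0 and 1.1; AWS also publishes policies such as `ELBSecurityPolicy-TLS13-1-2-2021-06` that allow only TLS 1.2 and 1.3.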
