
Background

Hi all,
Terraform newbie here.

I’m trying to poll an existing AWS certificate ARN and use that value in my ingress.tf file ingress object annotation.

As a first step, I tried to poll the value using the below terraform code:

  # get-certificate-arn.tf
  data "aws_acm_certificate" "test" {
    domain   = "test.example.com"
    statuses = ["ISSUED"]
  }
  output "test" {
    value       = data.aws_acm_certificate.test.*.arn
    description = "TESTING"
  }

When I run this code, it gives me my certificate ARN back (YEY!) like the example below:

Changes to Outputs:
  + debugging = [
      + [
          + "arn:aws:acm:us-east-1:1234567890:certificate/12345abc-123-456-789def-12345etc",
]

Question:

I’d like to take this to the next level and use the output from above to feed the ingress annotations as shown by "???" in the code below:

# ingress.tf
resource "kubernetes_ingress_v1" "test_ingress" {
  metadata {
    name      = "test-ingress"
    namespace = "default"

    annotations = {
      "alb.ingress.kubernetes.io/certificate-arn"      = ????
      ...etc...
    }
  }

I’ve tried:
"alb.ingress.kubernetes.io/certificate-arn" = data.aws_acm_certificate.test.*.arn
which doesn’t work but I can’t quite figure out how to pass the value from the get-certificate-arn.tf "data.aws_acm_certificate.test.arn" to the ingress.tf file.

The error I get is:

Error: Incorrect attribute value type
│
│   on ingress.tf line 6, in resource "kubernetes_ingress_v1" "test_ingress":
│    6:     annotations = {
│    9:       "alb.ingress.kubernetes.io/certificate-arn"      = data.aws_acm_certificate.test.*.arn
        [...truncated...]
│   16:     }
│     ├────────────────
│     │ data.aws_acm_certificate.test is object with 11 attributes
│
│ Inappropriate value for attribute "annotations": element "alb.ingress.kubernetes.io/certificate-arn": string required.

If anyone could advise how (IF?!) one can pass a variable to kubernetes_ingress_v1 ‘annotations’ that would be amazing. I’m still learning Terraform and am still reviewing the fundamentals of passing variables around.

2

Answers


  1. Chosen as BEST ANSWER

    In the end, the solution was a typo in the data field; removing the "*" resolved the issue. For interest's sake, if you want to combine two certificates into an ingress annotation, you can join them as shown here[1]:

    "alb.ingress.kubernetes.io/certificate-arn"      = format("%s,%s",data.aws_acm_certificate.test.arn,data.aws_acm_certificate.test2.arn)
    

  2. Have you tried maybe using:

    "${data.aws_acm_certificate.test.arn}"
    

    or alternatively
    you can build the whole annotations block as a local

    locals {
      # Build the whole annotations map once and reuse it
      ingress_annotations = {
        somekey        = "somevalue"
        some_other_key = data.aws_acm_certificate.test.arn
      }
    }
    

    and using it in the resource

    annotations = local.ingress_annotations
    

    I’m not that keen on TF
    but you might need to have a more complex setup with a for loop.

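    locals {
      # Each element needs both a "key" and a "value" attribute,
      # because the for expression below reads line.key and line.value
      ingress_annotations = [
        { key = "somekey", value = "somevalue" },
        { key = "some_other_key", value = data.aws_acm_certificate.test.arn },
      ]
    }

    resource "kubernetes_ingress_v1" "test_ingress" {
      metadata {
        name      = "test-ingress"
        namespace = "default"

        # Turn the list of key/value objects into the map that annotations expects
        annotations = { for line in local.ingress_annotations : line.key => line.value }
      }
    }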
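
The fix from the accepted answer, generalized to any number of certificates, as an added example that is not code from either answer. The domain names, the `ingress` data source label, the `alb` ingress class and the `test-service` backend are assumptions made for illustration.

```hcl
locals {
  # Constructed sample domains; the first one becomes the ALB default certificate.
  cert_domains = ["test.example.com", "test2.example.com"]
}

# One lookup per domain. A data source without count/for_each is a single
# object, so ".arn" is a string. The splat form ".*.arn" wraps it in a list,
# which is why the annotation was rejected with "string required".
data "aws_acm_certificate" "ingress" {
  for_each    = toset(local.cert_domains)
  domain      = each.value
  statuses    = ["ISSUED"] # skip pending, expired or revoked certificates
  most_recent = true       # otherwise the lookup errors when several match
}

locals {
  # Iterate over the list (not the map) so the declared order is preserved,
  # then join into the single comma-separated string the annotation needs.
  certificate_arns = join(",", [
    for d in local.cert_domains : data.aws_acm_certificate.ingress[d].arn
  ])
}

resource "kubernetes_ingress_v1" "test_ingress" {
  metadata {
    name      = "test-ingress"
    namespace = "default"

    annotations = {
      "alb.ingress.kubernetes.io/certificate-arn" = local.certificate_arns
    }
  }

  spec {
    ingress_class_name = "alb" # assumed ingress class
    default_backend {
      service {
        name = "test-service" # hypothetical backend service
        port {
          number = 80
        }
      }
    }
  }
}
```

Because `statuses = ["ISSUED"]` is set, the plan fails when no issued certificate exists for a domain, so the ingress is never created pointing at a missing or revoked certificate.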
    