
I own a domain name, let’s say fancydomain.com (managed through AWS). I also have a kubernetes cluster running somewhere (but not on AWS), with a nginx ingress controller that acts as a load balancer. I have the IP of the load balancer.

I would like to point the domain name to the IP of the load balancer, and I would like the load balancer to handle the TLS certificate. But I’m struggling in two places:

  • It looks like I’m failing to properly redirect to the IP of the LB
  • I don’t understand how/where the TLS certificate (created by AWS) should be integrated

So far this is my terraform:

resource "aws_route53domains_registered_domain" "fancydomain" {
  domain_name   = var.domain_name
  auto_renew    = true
  
  name_server {
    name = "ns-709.awsdns-24.net"
  }
  name_server {
    name = "ns-1732.awsdns-24.co.uk"
  }
  name_server {
    name = "ns-1144.awsdns-15.org"
  }
  name_server {
    name = "ns-434.awsdns-54.com"
  }
}

resource "aws_route53_zone" "fancydomain_zone" {
  name = var.domain_name
}

# Create an ACM Certificate
resource "aws_acm_certificate" "fancydomain_certificate" {
  domain_name       = var.domain_name
  validation_method = "EMAIL"

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_route53_record" "www" {
  allow_overwrite = true
  zone_id = aws_route53_zone.fancydomain_zone.zone_id
  name    = var.domain_name
  type    = "A"
  ttl     = 300

  records = ["this.is.my.serverip"]
}

Also, the nginx load balancer does work at the moment. It uses a self-signed certificate, and if I trick my computer by modifying /etc/hosts as below, I manage to access the domain by querying https://fancydomain.com:

/etc/hosts

1.2.3.4 fancydomain.com

Any idea what I could try to get unstuck?

EDIT: The name servers for the registered domain are the same as the hosted zone’s ones:

[screenshots: name servers of the registered domain and of the hosted zone]

2 Answers


  1. Chosen as BEST ANSWER

    Ultimately I think @erik258 was right, I think the name servers of the registered domain probably weren't in sync with the ones from the hosted zone. I ended up using a data source for the name servers of the zone, and I used it to set the ones in the register domain. Behold:

    resource "aws_route53domains_registered_domain" "fancydomain" {
      depends_on = [aws_route53_zone.fancydomain_zone]
    
      domain_name   = var.domain_name
      auto_renew    = true
      
      #Choose Enable/True (to lock the domain) or Disable/False (to unlock the domain).
      transfer_lock = true
    
      dynamic "name_server" {
        for_each = data.aws_route53_zone.fancydomain_zone.name_servers
    
        content {
          name = name_server.value
        }
      }
    
      tags = {
        Environment = "prod"
      }
    }
    
    resource "aws_route53_zone" "fancydomain_zone" {
      name = var.domain_name
    }
    
    data "aws_route53_zone" "fancydomain_zone" {
      name = var.domain_name
    }
    
    resource "aws_route53_record" "www" {
      allow_overwrite = true
      zone_id = aws_route53_zone.fancydomain_zone.zone_id
      name    = var.domain_name
      type    = "A"
      ttl     = 300
    
      records = ["my.ip.here"]
    }
    

    After I applied that it started working. Still not 100% sure of what was the problem before.
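The accepted answer fixed a mismatch between the registrar's name servers and the hosted zone's delegation set. The script below is an added example (not part of the original post) that checks for exactly that mismatch: it normalises both lists so case, trailing dots and ordering do not matter, and the `ns_check` wrapper pulls the live values with the AWS CLI. The `aws` commands, the `Z0123456789ABCDEFGHIJ` zone ID and the domain name are assumptions for illustration.

```shell
#!/bin/sh
# Added example: verify that a Route 53 registered domain delegates to the
# same name servers as its hosted zone. Assumes the AWS CLI is configured.

# Normalise a newline-separated list of name servers: lowercase, drop the
# trailing dot, drop blank lines, sort and dedupe so sets can be compared.
normalize_ns() {
  tr 'A-Z' 'a-z' | sed 's/\.$//' | sed '/^$/d' | sort -u
}

# ns_in_sync REGISTRAR_LIST ZONE_LIST -> exit 0 when both sets are identical
ns_in_sync() {
  [ "$(printf '%s\n' "$1" | normalize_ns)" = "$(printf '%s\n' "$2" | normalize_ns)" ]
}

# ns_check DOMAIN HOSTED_ZONE_ID -> compare registrar vs hosted zone (live).
# route53domains is only served from us-east-1, hence the explicit region.
ns_check() {
  domain=$1
  zone_id=$2
  registrar=$(aws route53domains get-domain-detail --region us-east-1 \
    --domain-name "$domain" --query 'Nameservers[].Name' --output text | tr '\t' '\n')
  zone=$(aws route53 get-hosted-zone --id "$zone_id" \
    --query 'DelegationSet.NameServers' --output text | tr '\t' '\n')
  if ns_in_sync "$registrar" "$zone"; then
    echo "OK: registrar delegation for $domain matches hosted zone $zone_id"
  else
    echo "MISMATCH for $domain"
    echo "registrar has:";   printf '%s\n' "$registrar" | normalize_ns
    echo "hosted zone has:"; printf '%s\n' "$zone" | normalize_ns
    return 1
  fi
}

# Usage (hypothetical values): sh ns_check.sh fancydomain.com Z0123456789ABCDEFGHIJ
if [ $# -eq 2 ]; then
  ns_check "$1" "$2"
fi
```

A non-zero exit from `ns_check` is the signal that the `name_server` blocks in `aws_route53domains_registered_domain` are stale relative to the zone, which is what the `dynamic "name_server"` block driven by the zone's `name_servers` prevents.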


  2. The free certificate that ACM provides is meant to be used in AWS managed services only (like ALB, CloudFront, etc.). There is no way to download it and use it elsewhere. In your case, you have the load-balancer/nginx outside of AWS, so it can’t be used. I do not see any issue with the aws_route53_record above.
