-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathget-acm-certificate.yml
101 lines (85 loc) · 4.2 KB
/
get-acm-certificate.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
# Requires community.aws (ansible-galaxy collection install community.aws)
# You must set certificate_region variable to the region you wish to use (e.g. eu-west-1)
# You must set validation_domain to the domain you wish to use for validation (e.g. yoursite.com)
# You must set certificate_domain to the domain you wish to issue a certificate for (e.g. api.yoursite.com)
- include: merge-vars.yml
- name: Get ACM Certificate
debug:
msg: "Getting/Creating ACM Certificate for {{ certificate_domain }}"
- name: Unset(ish) facts, in case this is the second time we've run this
set_fact:
certificate_arn: ""
certificate_status: ""
# If we already have an issued certificate, find it and set it into certificate_arn fact
- name: Get all ACM certificates
shell: aws acm list-certificates --region {{certificate_region}} --certificate-statuses ISSUED
register: output
- set_fact:
certificate_list: "{{ (output.stdout|from_json).CertificateSummaryList|to_json }}"
- name: Iterate through the certificate list
set_fact:
certificate_arn: "{{ item.CertificateArn }}"
certificate_status: "ISSUED"
when: item.DomainName == certificate_domain
with_items: "{{certificate_list}}"
# If we already have a pending validation certificate, find it and set it into certificate_arn fact
- name: Get all ACM certificates
shell: aws acm list-certificates --region {{certificate_region}} --certificate-statuses PENDING_VALIDATION
register: output
when: certificate_arn is not defined or certificate_arn == ""
- set_fact:
certificate_list: "{{ (output.stdout|from_json).CertificateSummaryList|to_json }}"
when: certificate_arn is not defined or certificate_arn == ""
- name: Iterate through the certificate list
set_fact:
certificate_arn: "{{ item.CertificateArn }}"
certificate_status: "PENDING_VALIDATION"
when: (certificate_arn is not defined or certificate_arn == "") and (item.DomainName == certificate_domain)
with_items: "{{certificate_list}}"
# When we don't have a certificate at all, get a new one
- name: send ACM request if needed
shell: |
aws acm request-certificate \
--region {{certificate_region}} \
--validation-method DNS \
--domain-name "{{ certificate_domain }}" \
--domain-validation-options DomainName="{{ certificate_domain }}",ValidationDomain="{{ validation_domain }}"
register: acm
when: certificate_arn is not defined or certificate_arn == ""
- set_fact:
certificate_arn: "{{ (acm.stdout|from_json).CertificateArn }}"
certificate_status: "PENDING_VALIDATION"
when: certificate_arn is not defined or certificate_arn == ""
# If our certificate is PENDING_VALIDATION, get and create the DNS record
- name: Wait for certificate DNS record to be made available
command: aws acm describe-certificate --certificate-arn {{ certificate_arn }} --region {{ certificate_region }}
register: result
retries: 12
delay: 10
until: (result.stdout|from_json).Certificate.DomainValidationOptions[0].ResourceRecord.Name is defined
when: certificate_status == "PENDING_VALIDATION"
- set_fact:
certificate_validation: "{{ (result.stdout|from_json).Certificate.DomainValidationOptions[0] }}"
when: certificate_status == "PENDING_VALIDATION"
- name: Create Route53 DNS record for the certificate
community.aws.route53:
state: present
zone: "{{ certificate_validation.ValidationDomain }}"
record: "{{ certificate_validation.ResourceRecord.Name }}"
type: "{{ certificate_validation.ResourceRecord.Type }}"
ttl: 7200
value: "{{ certificate_validation.ResourceRecord.Value }}"
wait: yes
when: certificate_status == "PENDING_VALIDATION"
# Now wait for the certificate to validate itself. This can take some time but it's usually pretty quick
- name: Wait for certificate to be validated
command: aws acm describe-certificate --certificate-arn {{ certificate_arn }} --region {{ certificate_region }}
register: result
retries: 180 # 30 mins. Hopefully it won't take this long!
delay: 10
until: (result.stdout|from_json).Certificate.Status == "ISSUED"
when: certificate_status == "PENDING_VALIDATION"
# Finally, log the certificate
- name: Print certificate ARN
debug:
msg: "Certificate ARN for {{ certificate_domain }} is: {{ certificate_arn }}"