I’m deploying AWS infrastructure with terraform. It’s almost entirely contained within a VPC, behind a VPN. The only exception is certbot
, which needs a port open to the public internet in order to verify site ownership.
Before terraform, we were temporarily opening ports when we provisioned new EC2 instances, and when we needed to renew certificates. Here are the main steps:
- Launch instance
- Configure security group with an open port
- Run certbot and configure SSL
- Lock down security group to only allow traffic through the VPN
For renewing certs, the steps are:
- Adjust the security group by opening a port
- Run AWS Ceritified certbot renew
- Lock down security group to only allow traffic through the VPN again
How would I do something similar in terraform?
Alternatively, is there some other preferred pattern for this kind of deployment?
(Before you ask, we’ve already reviewed and rejected the idea of certifying through AWS ACM, because we don’t need or want load balancing or a public CDN in this stack.)