The AWS Cert Lambda module creates the infrastructure that obtains certificates for domains in a Route53 hosted zone. Certificates are stored in an S3 bucket (encrypted with a KMS key) and domain ownership is validated using the DNS method, which is why the Lambda is granted permission to modify records in that hosted zone. The module is based on certbot and letsencrypt.org. A CloudWatch Events rule triggers the Lambda according to refresh_frequency_cron (once every 12 hours by default).
Name | Version |
---|---|
terraform | >= 1.0 |
aws | >= 4.0, < 5.0 |

Name | Version |
---|---|
archive | n/a |
aws | >= 4.0, < 5.0 |

No modules.

Name | Type |
---|---|
aws_cloudwatch_event_rule.certbot | resource |
aws_cloudwatch_event_target.certbot | resource |
aws_cloudwatch_log_group.certbot | resource |
aws_iam_policy.lambda | resource |
aws_iam_role.lambda | resource |
aws_iam_role_policy_attachment.lambda | resource |
aws_lambda_function.certbot | resource |
aws_lambda_layer_version.certbot_requirements | resource |
aws_lambda_permission.permission | resource |
archive_file.certbot | data source |
aws_iam_policy_document.lambda | data source |
aws_iam_policy_document.lambda_role | data source |

Name | Description | Type | Default | Required |
---|---|---|---|---|
domain_names | The domain name to use in the DNS A record for the Vault ELB (e.g. vault.example.com). Make sure that a) this is a domain within the var.hosted_zone_domain_name hosted zone and b) this is the same domain name you used in the TLS certificates for Vault. Only used if var.create_dns_entry is true. | list(string) | null | no |
hosted_zone_id | Identifier of a hosted zone in Route53. The Lambda gets permission to modify records in this hosted zone for certificate validation purposes. | string | n/a | yes |
name_prefix | Name prefix for all AWS resources created by this module. | string | n/a | yes |
owner_email | E-mail address of the domain owner. Let's Encrypt uses that e-mail address to send reminders regarding domain expiration. Using an alias is recommended, as it lets you avoid having a single person as the manager, e.g. [email protected] | string | n/a | yes |
refresh_frequency_cron | CRON expression that determines when Vault should restart in order to refresh TLS certificates. Default: run every 12 hours. | string | "0 */12 * * ? *" | no |
s3_bucket_name | Name of an existing S3 bucket that will be used to store TLS certificates obtained from Let's Encrypt. | string | n/a | yes |
s3_bucket_prefix | Path to the certificates in the existing S3 bucket. | string | n/a | yes |

Name | Description |
---|---|
lambda_arn | ARN of Lambda Function |
lambda_iam_role_arn | ARN of Lambda's IAM Role, that has all required policies in place. |
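
As an added example (not part of the module or its documentation), a root configuration that creates the prerequisites the module expects, an existing S3 bucket with KMS default encryption and public access blocked plus a hosted zone lookup, and then calls the module with the inputs listed above; the module source path, bucket name, zone name and e-mail address are placeholders.

```hcl
# Added example, not from the module's own documentation. Module source path,
# bucket name, zone name and e-mail address are placeholders.

resource "aws_kms_key" "certs" {
  description         = "Encrypts TLS certificates stored in S3"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "certs" {
  bucket = "example-tls-certificates" # placeholder, bucket names are global
}

# Private keys live in this bucket, so block every form of public access.
resource "aws_s3_bucket_public_access_block" "certs" {
  bucket                  = aws_s3_bucket.certs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Default encryption with the customer-managed key (aws provider >= 4.0 syntax).
resource "aws_s3_bucket_server_side_encryption_configuration" "certs" {
  bucket = aws_s3_bucket.certs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.certs.arn
    }
  }
}

data "aws_route53_zone" "main" {
  name = "example.com." # placeholder
}

module "certbot" {
  source = "../modules/aws-cert-lambda" # placeholder path

  name_prefix      = "prod-certbot"
  hosted_zone_id   = data.aws_route53_zone.main.zone_id
  domain_names     = ["vault.example.com"] # placeholder, must be in the zone
  owner_email      = "tls-admins@example.com" # placeholder alias
  s3_bucket_name   = aws_s3_bucket.certs.bucket
  s3_bucket_prefix = "certificates/vault"
  # Optional: AWS six-field cron; this is the module default (every 12 hours).
  refresh_frequency_cron = "0 */12 * * ? *"
}
```

The Lambda role (output lambda_iam_role_arn) must be allowed to use the KMS key; the page does not say whether aws_iam_policy.lambda grants that or whether the key policy has to, so verify this before relying on the encrypted bucket.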