
Ansible: Automatically Generate and Verify AWS ACM Certificate


Ansible’s AWS ACM module didn’t, at the time of writing, support generating new certificates. ACM certificates can still be programmatically generated and verified (using DNS validation) with a bit of glue and sticky tape. This assumes that the Route53 zone for your domain is in your AWS account (or that you can somehow grant permission to add records to it in another account).

Here’s the Playbook on GitHub: https://github.com/phil-lavin/ansible-aws-acm-generate-certificate

It’s mostly ready for use but might require some minor tweaks for your use case. It’s designed to be stateless, so if a certificate already exists or Ansible bailed out halfway through the play, it will retrieve the current state from ACM and carry on from there.

The procedure is thus:

  1. Try to get the ISSUED certificate, if one exists
  2. Try to get the PENDING_VALIDATION certificate, if one exists
  3. Request a new certificate if we don’t have one at all
  4. Wait for certificate DNS record to be made available
  5. Create Route53 DNS record for the certificate
  6. Wait for certificate to be validated
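The playbook below is an added example that walks through those six steps in order; it is not the playbook from the linked repository. It drives ACM through the AWS CLI (`ansible.builtin.command`) because the ACM module could not request certificates, and uses `amazon.aws.route53` for the validation record. It assumes AWS CLI v2 and the `amazon.aws` collection are installed, credentials and region come from the environment, the hosted zone for the domain is in the same account, and the variable names `cert_domain`, `route53_zone` and `aws_region` are placeholders of my own.

```yaml
# Added example, not the original repository's playbook.
# Assumed placeholders: cert_domain, route53_zone, aws_region.
- name: Ensure an ACM certificate exists and is DNS-validated
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    cert_domain: example.com
    route53_zone: example.com
    aws_region: us-east-1
  environment:
    AWS_DEFAULT_REGION: "{{ aws_region }}"
  tasks:
    # Step 1: an ISSUED certificate for the domain, if one exists.
    - name: Look for an ISSUED certificate
      ansible.builtin.command: >-
        aws acm list-certificates --certificate-statuses ISSUED
        --query "CertificateSummaryList[?DomainName=='{{ cert_domain }}'].CertificateArn | [0]"
        --output json
      register: issued
      changed_when: false

    # Step 2: otherwise a PENDING_VALIDATION one (e.g. left by an aborted run).
    - name: Look for a PENDING_VALIDATION certificate
      ansible.builtin.command: >-
        aws acm list-certificates --certificate-statuses PENDING_VALIDATION
        --query "CertificateSummaryList[?DomainName=='{{ cert_domain }}'].CertificateArn | [0]"
        --output json
      register: pending
      changed_when: false

    - name: Pick the ARN to work with (ISSUED wins, then PENDING_VALIDATION)
      ansible.builtin.set_fact:
        cert_arn: "{{ (issued.stdout | from_json) or (pending.stdout | from_json) or '' }}"

    # Step 3: request a new certificate only when neither lookup found one.
    - name: Request a new DNS-validated certificate
      ansible.builtin.command: >-
        aws acm request-certificate --domain-name {{ cert_domain }}
        --validation-method DNS --output json
      register: requested
      when: cert_arn == ''

    - name: Record the newly requested ARN
      ansible.builtin.set_fact:
        cert_arn: "{{ (requested.stdout | from_json).CertificateArn }}"
      when: requested is changed

    # Step 4: ACM publishes the validation CNAME a little after the request,
    # so poll describe-certificate until ResourceRecord is present.
    - name: Wait until ACM publishes the DNS validation record
      ansible.builtin.command: >-
        aws acm describe-certificate --certificate-arn {{ cert_arn }}
        --query "Certificate.DomainValidationOptions[0].ResourceRecord"
        --output json
      register: validation
      changed_when: false
      retries: 20
      delay: 15
      until: (validation.stdout | from_json) is not none

    - name: Parse the validation record
      ansible.builtin.set_fact:
        validation_record: "{{ validation.stdout | from_json }}"

    # Step 5: UPSERT the CNAME; overwrite keeps this idempotent on re-runs.
    - name: Create the Route53 validation record
      amazon.aws.route53:
        state: present
        zone: "{{ route53_zone }}"
        record: "{{ validation_record.Name }}"
        type: "{{ validation_record.Type }}"
        value: "{{ validation_record.Value }}"
        ttl: 300
        overwrite: true
        wait: true

    # Step 6: block until ACM sees the record and issues the certificate.
    - name: Wait for the certificate to be validated and issued
      ansible.builtin.command: >-
        aws acm wait certificate-validated --certificate-arn {{ cert_arn }}
      changed_when: false
```

Steps 4 to 6 run unconditionally on purpose: for a certificate that is already ISSUED, `describe-certificate` still returns the validation record, the Route53 UPSERT changes nothing, and the waiter returns immediately, which is what makes the play safe to re-run after a failure without tracking state outside ACM.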

Feel free to submit a GitHub Pull Request if you have some enhancements/bug fixes.
