Currently in tvlk-prod there are 3 ACM certificates for the *.main.tvlk.cloud domain. To simplify infra management, site infra is consolidating the ACM certificates used by ELB / ALB into one DNS validated *.main.tvlk.cloud ACM certificate.
All ELB / ALB configurations have already been mass changed to use the following ACM certificate:
arn:aws:acm:ap-southeast-1:715824975366:certificate/5598cd2e-a420-438e-8097-dee3f08037e6
The following ACM certificates should not be used and will be removed later:
Email Validated: arn:aws:acm:ap-southeast-1:715824975366:certificate/e8a1f0f4-ea72-409a-9829-4197fba158cc
DNS Validated (old): arn:aws:acm:ap-southeast-1:715824975366:certificate/f79d9baf-cff4-486c-bff1-15067dd89c4f
When you're doing infra changes, make sure there is no ACM certificate change. If there is a change, most likely the ACM ARN is hardcoded instead of using the aws_acm_certificate data source [1].
If you find an ACM certificate change when making changes on prod, please do:
aws_acm_certificate
and use this data source on the CLB / ALB resource. For a sample of how to use this data source, you can refer to [2] and [3].
After doing the steps above there should be no changes to the ACM certificate.
You can check the links below for resources that still hardcode the ACM ARN in resources, tfvars or locals:
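A local check for the same thing, as an added example that is not part of the original post or the playbooks repository: it scans *.tf and *.tfvars files for literal ACM ARNs and labels each one using the three ARNs listed above. The function names, the sample Terraform and the data source name "main" are assumptions made for the example.

```python
import re
import sys
from pathlib import Path

# ARNs copied from the announcement above.
PREFIX = "arn:aws:acm:ap-southeast-1:715824975366:certificate/"
KNOWN = {
    PREFIX + "5598cd2e-a420-438e-8097-dee3f08037e6": "current, but hardcoded",
    PREFIX + "e8a1f0f4-ea72-409a-9829-4197fba158cc": "retired: email validated",
    PREFIX + "f79d9baf-cff4-486c-bff1-15067dd89c4f": "retired: DNS validated (old)",
}
ACM_ARN_RE = re.compile(r"arn:aws:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]{36}")

def scan_text(text, source="<sample>"):
    """Return (source, line_no, status, arn) for every hardcoded ACM ARN."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(("#", "//")):
            continue  # full-line comments do not affect the plan
        for arn in ACM_ARN_RE.findall(line):
            findings.append((source, line_no, KNOWN.get(arn, "unknown certificate"), arn))
    return findings

def scan_tree(root):
    # Scan every *.tf and *.tfvars file below root.
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in (".tf", ".tfvars"):
            findings += scan_text(path.read_text(errors="replace"), str(path))
    return findings

# Constructed sample; the data source name "main" is hypothetical.
SAMPLE_TF = f'''\
locals {{
  cert_arn = "{PREFIX}f79d9baf-cff4-486c-bff1-15067dd89c4f"
}}
# old: {PREFIX}e8a1f0f4-ea72-409a-9829-4197fba158cc
resource "aws_lb_listener" "hardcoded" {{
  certificate_arn = "{PREFIX}5598cd2e-a420-438e-8097-dee3f08037e6"
}}
resource "aws_lb_listener" "ok" {{
  certificate_arn = data.aws_acm_certificate.main.arn
}}
'''

if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE_TF)
    for source, line_no, status, arn in results:
        print(f"{source}:{line_no}: {status}: {arn}")
    sys.exit(1 if results else 0)
```

Run it with a directory argument to scan a checkout; the non-zero exit status on any finding lets it serve as a pre-merge check.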
Feel free to comment on this post if you have questions regarding this change. Thank you.
[1] https://www.terraform.io/docs/providers/aws/d/acm_certificate.html
[2] https://github.com/traveloka/infra-production-playbooks/blob/master/tf/715824975366/pd/usr/usrbeva/data.tf#L6
[3] https://github.com/traveloka/infra-production-playbooks/blob/master/tf/715824975366/pd/usr/usrbeva/alb_lbint.tf#L29