
terraform-aws-acm-certificate's Introduction

terraform-aws-acm-certificate


A Terraform module to create an AWS Certificate Manager (ACM) certificate with Route 53 DNS validation.

Usage

When using this module, ensure that either the AWS_DEFAULT_REGION or AWS_REGION environment variable is set. This bypasses validation checks that require the provider blocks within this module to have a region attribute. Note that a certificate attached to a CloudFront distribution must be issued in us-east-1, so pick the region of the certificate provider accordingly.

provider "aws" {
  region = "us-east-1"
  alias  = "certificates"
}

provider "aws" {
  region = "us-west-2"
  alias  = "dns"
}

resource "aws_route53_zone" "default" {
  name = "azavea.com"
}

module "cert" {
  source = "github.com/azavea/terraform-aws-acm-certificate"

  providers = {
    aws.acm_account     = "aws.certificates"
    aws.route53_account = "aws.dns"
  }

  domain_name                       = "azavea.com"
  subject_alternative_names         = ["*.azavea.com"]
  hosted_zone_id                    = "${aws_route53_zone.default.zone_id}"
  validation_record_ttl             = "60"
  allow_validation_record_overwrite = true
}

Variables

  • domain_name - Primary domain name associated with certificate. Also used for the Name tag of the ACM certificate.
  • subject_alternative_names - Subject alternative domain names.
  • hosted_zone_id - Route 53 hosted zone ID for domain_name.
  • validation_record_ttl - Route 53 record time-to-live (TTL) for validation record (default: 60).
  • allow_validation_record_overwrite - Allow Route 53 record creation to overwrite an existing record with the same name and type (default: true). ACM issues the same validation CNAME for a wildcard and its apex domain, so the default avoids a failed create for that pair; set it to false if the zone is shared or managed elsewhere, so an unexpected existing record is reported rather than silently replaced.
  • tags - A map of extra tags that is associated with the ACM Certificate.

Outputs

  • arn - The Amazon Resource Name (ARN) of the ACM certificate

terraform-aws-acm-certificate's People

Contributors

captn3m0, hectcastro, rafilkmp3, rbreslow


terraform-aws-acm-certificate's Issues

New validation every apply, no changes

I'm applying the following configuration.

module "cert_kye" {
  source = "github.com/azavea/terraform-aws-acm-certificate?ref=1.0.0"

  providers = {
    aws.acm_account     = "aws.certs"
    aws.route53_account = "aws"
  }

  domain_name           = "example.com"
  subject_alternative_names = ["sub.example.com", "www.example.com"]
  hosted_zone_id        = "${data.aws_route53_zone.kye_dev.zone_id}"
  validation_record_ttl = "60"
}

After succeeding, if I plan again immediately I get the following change on every cert:

-/+ module.cert_kye.aws_route53_record.validation[1] (new resource required)
      id:                                            "Z1G38T8OFRJIAB__f26c4116acfd0fc3aceb0b36b055c68c.kye.dev._CNAME" => <computed> (forces new resource)

Avoid duplicate validation CNAME entries (requires TF 0.12)

Thanks for your example - it helped me in my setup.

I found that if I create a wildcard cert and then also add the root domain as a SAN, I get duplicate validation records with the same data. I found a fix using the new functions in Terraform 0.12 (maybe there's a better way, but I couldn't find one).

After doing this I could remove the allow_overwrite=true setting that I needed before since I got two CNAME records with the exact same values.

locals {
  validation_options_raw = aws_acm_certificate.acm_cert.domain_validation_options

  // Get rid of duplicates

  // Step 1: create map. the ellipsis will make each entry be an array of items
  validation_options_hash = {
    for option in local.validation_options_raw :
    option["resource_record_name"] => {
      resource_record_type  = option["resource_record_type"]
      resource_record_value = option["resource_record_value"]
    }...
  }

  // Step 2: back to array and use the first item in each array
  validation_options = [
    for key in keys(local.validation_options_hash) :
    {
      resource_record_name  = key
      resource_record_type  = lookup(lookup(local.validation_options_hash, key)[0], "resource_record_type")
      resource_record_value = lookup(lookup(local.validation_options_hash, key)[0], "resource_record_value")
    }
  ]

}

Warning: Empty provider configuration blocks are not required

The following warning appears in the plan and apply output since upgrading to Terraform 1.0.0:


│ Warning: Empty provider configuration blocks are not required

│   on .terraform/modules/cert/provider.tf line 1:
│    1: provider "aws" {

│ Remove the aws.acm_account provider block from module.cert. Add aws.acm_account to the list of configuration_aliases for aws in required_providers to define the provider
│ configuration name.

│ (and one more similar warning elsewhere)

"Inappropriate value for attribute "subject_alternative_names": element 0" error

After upgrading Terraform to 0.12, I got the following error.

Error: Incorrect attribute value type

  on .terraform/modules/acm_api/main.tf line 4, in resource "aws_acm_certificate" "default":
   4:   subject_alternative_names = ["${var.subject_alternative_names}"]

Inappropriate value for attribute "subject_alternative_names": element 0:
string required

This problem seems to be due to the change in how list variables are referenced.
https://www.terraform.io/upgrade-guides/0-12.html#referring-to-list-variables

Multiple domain in one certificate

Hi.
Great job you've done with that module.
I found an issue.

If I'm trying to provision a certificate with multiple domain names:

data "aws_route53_zone" "external" {
  name = "example.com"
}

module "cert" {
  source                    = "github.com/azavea/terraform-aws-acm-certificate?ref=0.1.0"
  domain_name               = "*.example.com"
  subject_alternative_names = ["*.example.io"]
  hosted_zone_id            = "${data.aws_route53_zone.external.zone_id}"
  validation_record_ttl     = "60"
}

or
subject_alternative_names = ["*.example.io", "*.example.net"]

Terraform can't properly interpolate the zone_id for each domain.
The module tries to write the DNS verification record only for the domain listed in aws_route53_zone.
It uses the same zone_id for different domain names and ends up with an error.

* module.cert.aws_route53_record.validation[1]: 1 error(s) occurred:

* aws_route53_record.validation.1: [ERR]: Error building changeset: InvalidChangeBatch: FATAL problem: DomainLabelEmpty (Domain label is empty) encountered with '_f8a5abb93431b2ffa4a52f601bd3189f.example.io..example.com'
	status code: 400, request id: 06c85bcd-90e3-11e8-9267-c1e76a4a292e

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

Apart from the error, provisioning finishes just fine; the correct entries are added to the DNS verification records in each domain.
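The issues above share one root cause: the module's Terraform 0.11-era design (count-indexed validation records, a single hosted_zone_id, quoted list interpolation, and empty aliased provider blocks). The following is an added example, not code from this module or from any of the issue authors, showing how the validation logic can be written for Terraform 1.3 or later so that the validation records get stable addresses (no -/+ on every plan), the wildcard/apex duplicate is dropped at plan time without allow_overwrite, each SAN's CNAME lands in its own hosted zone, and the provider aliases are declared with configuration_aliases instead of empty provider blocks. The resource name this, the zone_id_by_domain variable and the version constraints are assumptions.

```hcl
# Added example, not the module's own code: a Terraform >= 1.3 rewrite of the
# DNS-validation logic. Resource name "this", variable "zone_id_by_domain" and
# the required_version/provider constraints are assumptions.

terraform {
  required_version = ">= 1.3" # startswith() needs 1.3
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
      # Declares the aliases callers pass in; this replaces the empty
      # provider "aws" { alias = ... } blocks that Terraform 1.0 warns about.
      configuration_aliases = [aws.acm_account, aws.route53_account]
    }
  }
}

variable "domain_name" { type = string }
variable "subject_alternative_names" {
  type    = list(string)
  default = []
}
# Assumption: every name on the certificate (domain_name and each SAN) maps to
# the hosted zone that serves it, so SANs in different zones get their
# validation CNAME in the right zone rather than sharing one zone_id.
variable "zone_id_by_domain" { type = map(string) }
variable "validation_record_ttl" {
  type    = number
  default = 60
}

resource "aws_acm_certificate" "this" {
  provider = aws.acm_account

  domain_name = var.domain_name
  # 0.12+: pass the list directly; ["${var.x}"] builds a list of lists and
  # fails with "element 0: string required".
  subject_alternative_names = var.subject_alternative_names
  validation_method         = "DNS"

  lifecycle { create_before_destroy = true }
}

locals {
  all_names = concat([var.domain_name], var.subject_alternative_names)

  # ACM issues one CNAME for a wildcard and its apex, so "*.example.com" is
  # dropped when "example.com" is also on the certificate. Keys are domain
  # names, which the AWS provider knows at plan time, so for_each is valid on
  # the first apply; each record's address is then stable across applies
  # instead of the count index that forced -/+ on every plan.
  validation = {
    for dvo in aws_acm_certificate.this.domain_validation_options :
    dvo.domain_name => {
      zone_id = var.zone_id_by_domain[dvo.domain_name]
      name    = dvo.resource_record_name
      type    = dvo.resource_record_type
      value   = dvo.resource_record_value
    }
    if !(startswith(dvo.domain_name, "*.") &&
      contains(local.all_names, trimprefix(dvo.domain_name, "*.")))
  }
}

resource "aws_route53_record" "validation" {
  provider = aws.route53_account
  for_each = local.validation

  zone_id = each.value.zone_id
  name    = each.value.name
  type    = each.value.type
  ttl     = var.validation_record_ttl
  records = [each.value.value]

  # With the duplicate removed, creation can refuse to clobber a record that
  # already exists at this name instead of silently overwriting it.
  allow_overwrite = false
}

# Waits until ACM has verified every CNAME, so consumers of the ARN get an
# ISSUED certificate rather than one still PENDING_VALIDATION.
resource "aws_acm_certificate_validation" "this" {
  provider = aws.acm_account

  certificate_arn         = aws_acm_certificate.this.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}

output "arn" {
  value = aws_acm_certificate_validation.this.certificate_arn
}
```

A caller passes the aliases unquoted (providers = { aws.acm_account = aws.certificates, aws.route53_account = aws.dns }) and a map such as zone_id_by_domain = { "example.com" = aws_route53_zone.com.zone_id, "*.example.com" = aws_route53_zone.com.zone_id, "*.example.io" = aws_route53_zone.io.zone_id }; a name missing from the map fails at plan time with a clear index error rather than at apply time with Route 53's DomainLabelEmpty. The duplicate filter works on domain names rather than on resource_record_name, as the fix posted above does, because the record names are not known until the certificate exists and for_each keys must be known at plan time.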
