cloudposse / terraform-aws-acm-request-certificate

Terraform module to request an ACM certificate for a domain name and create a CNAME record in the DNS zone to complete certificate validation
https://cloudposse.com/accelerate
Apache License 2.0

Support SANs with multiple hosted zones #55

Closed kevcube closed 2 years ago

kevcube commented 2 years ago


Describe the Feature

process_domain_validation_options breaks if subject_alternative_names contains different zones

I am using distinct domains in my subject_alternative_names variable...

  domain_name                       = "website.foundation"
  process_domain_validation_options = true
  subject_alternative_names         = [
    "*.website.foundation",
    "websitefoundation.org",
    "*.websitefoundation.org",
  ]

Expected Behavior

It would be nice to process domain validation options across multiple hosted zones.

kevcube commented 2 years ago

For now I will just set process_domain_validation_options = false and handle the r53 records elsewhere.

nitrocode commented 2 years ago

This may be tricky. You'd have to either explicitly set the zone_id per SAN or somehow figure out if each SAN is associated to a different zone id.

Perhaps we could create a map of SAN => zone_id implicitly:

  1. Loop through all the SANs
  2. Remove any subdomains by split(".") and get all the items after the first one, leaving the domain
  3. Make sure each item in the list is distinct
  4. Pass this list of unique domains into a for_each on the aws_route53_zone data source
  5. Create each record for the SAN and associate each record to the corresponding zone

https://github.com/cloudposse/terraform-aws-acm-request-certificate/blob/8eae0d82fe01ceed96ac881322aebbfbf4564ab7/main.tf#L26-L31
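The implicit SAN => zone mapping sketched above, written out as a stand-alone example (added here, not code from the module or from either commenter). It assumes every hosted zone is a two-label apex such as example.org, a public zone, and AWS provider v3 or later (where domain_validation_options is a set); names under multi-label public suffixes would need an explicit map instead.

```hcl
locals {
  domain_name               = "website.foundation"
  subject_alternative_names = ["*.website.foundation", "websitefoundation.org", "*.websitefoundation.org"]
  all_names                 = concat([local.domain_name], local.subject_alternative_names)

  # Assumption: zones are two-label apexes. Strip a leading "*." first, otherwise
  # dropping the first label would turn the apex "websitefoundation.org" into "org".
  labels    = { for n in local.all_names : n => split(".", trimprefix(n, "*.")) }
  name_zone = { for n, l in local.labels : n => join(".", slice(l, length(l) - 2, length(l))) }
}

# One lookup per distinct zone name derived above.
data "aws_route53_zone" "default" {
  for_each     = toset(values(local.name_zone))
  name         = each.value
  private_zone = false
}

resource "aws_acm_certificate" "default" {
  domain_name               = local.domain_name
  subject_alternative_names = local.subject_alternative_names
  validation_method         = "DNS"
}

# One validation CNAME per name, placed in that name's own hosted zone.
resource "aws_route53_record" "validation" {
  for_each = {
    for dvo in aws_acm_certificate.default.domain_validation_options :
    dvo.domain_name => {
      name    = dvo.resource_record_name
      type    = dvo.resource_record_type
      record  = dvo.resource_record_value
      zone_id = data.aws_route53_zone.default[local.name_zone[dvo.domain_name]].zone_id
    }
  }
  # A wildcard and its apex share the same validation record, so overwrite is needed.
  allow_overwrite = true
  zone_id         = each.value.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 300
  records         = [each.value.record]
}

resource "aws_acm_certificate_validation" "default" {
  certificate_arn         = aws_acm_certificate.default.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}
```

Run `terraform plan` with credentials that can read both hosted zones; a SAN whose derived zone does not exist fails at the data source lookup rather than silently skipping validation.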