Open bedge opened 3 years ago
This resource is poorly documented on how it works:
Reading the source code
it simply accepts all fqdns as input and then calls describe on the cert to get the full list of the domain validation options
then it iterates over the list of given funds, if found in the domain validation option of the cert it deletes it from the map
after that loop, it simply checks that the length should be zero
following by checking the state of the certificate regardless if the DNS record exists or not!
In my case, these other domains created outside of this account anyway and I can pass a provider for these record
locals {
validation_records = {
# for each domain validation options, build a map for dns records
# skip if domain name starts with *. or domain name is in excluded_domains list
for dvo in module.certificate_request.output.domain_validation_options :
dvo.domain_name => {
name = dvo.resource_record_name
record = dvo.resource_record_value
type = dvo.resource_record_type
} if length(regexall("^\\*\\.", dvo.domain_name)) == 0 && !contains(var.excluded_domains, dvo.domain_name)
}
validation_record_fqdns = [
for dvo in module.certificate_request.output.domain_validation_options :
dvo.resource_record_name
]
}
resource "aws_route53_record" "example" {
for_each = local.validation_records
name = each.value.name
records = [each.value.record]
ttl = 60
type = each.value.type
zone_id = data.aws_route53_zone.example.zone_id
}
resource "aws_acm_validation" "this" {
certificate_arn = module.certificate_request.output.arn
validation_record_fqdns = local.validation_record_fqdns
}
@innovia I know... it has been a while... I'm not sure if I understand well your comment.
For my understanding the initial list of required fqdns is built based on certificate content. So there is no way to bypass this issue. Source code changed and moved since then... but I thinkt that the behavior didn't change.
I'm having this same issue with a record I created using terraform. Using cloudflare. Haven't figured it out yet.
I fixed by fetching the record ID using curl:
#!/usr/bin/env bash
NAME="REPLACE_WITH_YOUR_RECORD_NAME"
curl -s \
--request GET \
--url "https://api.cloudflare.com/client/v4/zones/REPLACE_WITH_YOUR_ZONE_ID/dns_records?page=1&name=$NAME" \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer REPLACE_WITH_YOUR_TOKEN"
For some reason when I fetched the record using https://github.com/cloudflare/python-cloudflare I was getting the wrong ID. Also, I enabled debug mode on terraform and noticed that terraform was also getting the wrong record ID. After fetching the record using curl, and importing it into TF it started working.
The curious thing is that after fetching the record using curl I started getting the right record IP using the python library.
I needed to add additional domains to a cert, as I'm assuming ownership of another domain. The DNS for this other domain isn't owned by the same terraform context, so using aws_acm_certificate_validation forces it to try to create ACM validation entries in r53 for all of the cert names.
I was able to skip the ACM entry creation for the other domain by using a filter in the aws_acm_certificate_validation block:
However, the result is:
So, despite specifically excluding this DNS validation record from being created, because it can't be, it's in another account, terraform apply fails because it wasn't created.
Community Note
Terraform CLI and Terraform AWS Provider Version
Affected Resource(s)
aws_acm_certificate_validation
Terraform Configuration Files
Expected Behavior
My expectation was that the otherdomain DNS validation record that was intentionally skipped would not be marked as a failure.
Actual Behavior
The one DNS validation record that was explicitly skipped was marked as an error.
Steps to Reproduce
terraform apply
0000