scimma / terraform-kubernetes-httpservice

Terraform module for creating an HTTP service on SCIMMA's EKS cluster
BSD 3-Clause "New" or "Revised" License

Erroneous certificate validation error #6

Open cnweaver opened 6 months ago

cnweaver commented 6 months ago

Terraform is producing errors about certificate validation records which look like:

│ Error: 1 error occurred:
│   * missing login.scimma.org DNS validation record: _33408912c503b310e6cf65fded7bff5b.login.scimma.org
│   with module.keycloak.aws_acm_certificate_validation.validation,
│   on .terraform/modules/keycloak/main.tf line 133, in resource "aws_acm_certificate_validation" "validation":
│  133: resource "aws_acm_certificate_validation" "validation" {

even when the record in question exists (and in fact the certificate has already been issued):

$ dig _33408912c503b310e6cf65fded7bff5b.login.scimma.org
_33408912c503b310e6cf65fded7bff5b.login.scimma.org. 3292 IN CNAME _6c67972ded5b4fe51e07595bfdcc29df.gfjzbhpkrq.acm-validations.aws.

This noise makes it hard to use Terraform and we should find a way to clean it up.

cnweaver commented 5 months ago

This problem has a couple of parts: the first is that the cert_validation aws_route53_record is being created for each domain name to be validated but using the same zone_id for all, which will not work when the records need to belong to different zones. This problem should be fixed in this code. Doing so is necessary, but not sufficient to solve the overall problem, however, because in the case where this is coming up, the second zone needed is scimma.org, which is not managed through Route53/terraform.
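The following is an added illustration of the single-zone problem described above and one way to structure the fix; it is not code from the terraform-kubernetes-httpservice module and is not part of the issue thread. The domain names, the `validation_zone_ids` variable and the `cert` / `cert_validation` resource names are assumed for the example. The commented-out block shows the pattern that breaks when a certificate's names span more than one hosted zone; the active block looks the zone up per domain and skips names whose zone is not managed by this configuration, so those validation CNAMEs can be created by hand in the other zone (as with scimma.org here).

```hcl
# Constructed example: the primary name lives in a zone this configuration
# manages, the SAN lives in a zone managed elsewhere.
resource "aws_acm_certificate" "cert" {
  domain_name               = "svc.managed.example"
  subject_alternative_names = ["login.unmanaged.example"]
  validation_method         = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# Assumed variable: Route53 hosted zone ID for each name this configuration can
# validate itself. Names that belong to zones managed outside Terraform are
# simply left out of the map.
variable "validation_zone_ids" {
  type = map(string)
  default = {
    "svc.managed.example" = "Z0000000000000000EXAMPLE" # placeholder zone ID
  }
}

/*
# The pattern the issue describes: one record per validated name, but every
# record is written into the same zone. The CNAME for the SAN ends up in the
# wrong zone (or fails to apply), and validation never sees it.
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  zone_id = var.zone_id # same zone for all names
  name    = each.value.name
  type    = each.value.type
  ttl     = 60
  records = [each.value.record]
}
*/

# Corrected pattern: resolve the zone per domain name, and only create records
# for names whose zone is actually managed here.
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    } if contains(keys(var.validation_zone_ids), dvo.domain_name)
  }

  zone_id         = var.validation_zone_ids[each.key]
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.record]
  allow_overwrite = true
}

resource "aws_acm_certificate_validation" "validation" {
  certificate_arn = aws_acm_certificate.cert.arn

  # List every validation record name the certificate expects, including the
  # ones created by hand in the externally managed zone; the provider checks
  # this list against domain_validation_options and reports a "missing ... DNS
  # validation record" error for any name that is absent, regardless of
  # whether the record exists in DNS.
  validation_record_fqdns = [
    for dvo in aws_acm_certificate.cert.domain_validation_options :
    dvo.resource_record_name
  ]

  # Records in managed zones must exist before ACM is asked to validate.
  depends_on = [aws_route53_record.cert_validation]
}
```

Before running `terraform apply`, the validation CNAME for the unmanaged name has to be published in its own zone (the `dig` output in the issue is the check that it is); `aws_acm_certificate_validation` then waits for the certificate to reach ISSUED rather than erroring because a record it was never told about is "missing".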