terraform-aws-modules / terraform-aws-acm

Terraform module to create AWS ACM resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/acm/aws
Apache License 2.0

Missing DNS validation record #143

Closed barak-kalai closed 7 months ago

barak-kalai commented 11 months ago

I'm using the terraform aws acm module - https://registry.terraform.io/modules/terraform-aws-modules/acm/aws/latest. The code is:

module "acm" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> 4.0"

  domain_name = "barak-kalai.com"
  zone_id     = data.terraform_remote_state.zones.outputs.route53_zone_zone_id

  validation_method = "DNS"

  subject_alternative_names = [
    "*.barak-kalai.com"
  ]

  wait_for_validation = true

  tags = {
    Name = "barak-kalai_acm"
  }
}

Plan works OK but apply has issues. Terraform Cloud creates the certificate request OK. Terraform creates the validation certificate id=Z101159938VGOI878SQ13__a26f4216a9f84d4618c581f811c0a917.barak-kalai.com._CNAME but when it tries to validate I get: missing *.barak-kalai.com DNS validation record: _a26f4216a9f84d4618c581f811c0a917.barak-kalai.com

evankanderson commented 10 months ago

I ran into a similar issue with the following:

module "acm-cert-two-zones" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> 4.0"

  domain_name = "api.domainone.com"
  zone_id     = data.aws_route53_zone.domain.zone_id  # zone_id for 'domainone.com'

  # a list literal; concat() only joins lists, so bare strings would fail to plan
  subject_alternative_names = [
    "api.domainone.com",
    "api.domaintwo.com",  # NOTE: I also own 'domaintwo.com', and have it in Route53...
  ]

  wait_for_validation = true
}

This created a validation DNS record for _f0fc7cee4f586beaebf08a1080a87036.api.domaintwo.com.domainone.com, which wasn't going to work for validating the SAN api.domaintwo.com.

I'm not sure there's a good solution here short of:

  1. Using data blocks to automagically figure out the route53 zones. I use something like:

     data "aws_route53_zone" "domain" {
       name = "domainone.com"
     }

  2. Redesigning the zone_id parameters.

I'd sort of suggest a third option:
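
One way to get every SAN's validation record into the zone that actually serves it, as an added example that is not the module's code and not from anyone in this thread: the plain AWS provider resources, with the parent zone of each validation domain looked up by suffix. It covers both cases raised above (apex plus wildcard sharing a single CNAME, and a SAN living in a second hosted zone); it assumes Terraform 1.3+ (for endswith), public hosted zones that are not nested, and the domain names are constructed samples.

```hcl
locals {
  # Constructed sample: apex + wildcard in one zone, plus a SAN in a second zone.
  domain_name = "barak-kalai.com"
  sans        = ["*.barak-kalai.com", "api.domaintwo.com"]
  zone_names  = ["barak-kalai.com", "domaintwo.com"] # public hosted zones you own
}

data "aws_route53_zone" "this" {
  for_each     = toset(local.zone_names)
  name         = each.value
  private_zone = false
}

resource "aws_acm_certificate" "this" {
  domain_name               = local.domain_name
  subject_alternative_names = local.sans
  validation_method         = "DNS"
}

locals {
  # Pick, per validation domain, the configured zone that is its parent.
  # one() errors on purpose if two zones match (nested zones) rather than
  # silently choosing one; null means no configured zone covers the name.
  zone_for = {
    for dvo in aws_acm_certificate.this.domain_validation_options :
    dvo.domain_name => one([
      for z in local.zone_names : z
      if dvo.domain_name == z || endswith(dvo.domain_name, ".${z}")
    ])
  }
}

resource "aws_route53_record" "validation" {
  for_each = {
    for dvo in aws_acm_certificate.this.domain_validation_options :
    dvo.domain_name => dvo
  }

  zone_id         = data.aws_route53_zone.this[local.zone_for[each.key]].zone_id
  name            = each.value.resource_record_name
  type            = each.value.resource_record_type
  ttl             = 60
  records         = [each.value.resource_record_value]
  allow_overwrite = true # apex and wildcard share one CNAME; second writer wins
}

resource "aws_acm_certificate_validation" "this" {
  certificate_arn         = aws_acm_certificate.this.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}
```

A plan shows one validation record per validation domain, each with the zone_id of its own hosted zone, which is the check to run before trusting any multi-zone certificate configuration.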

github-actions[bot] commented 9 months ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

evankanderson commented 9 months ago

Does it make sense to document this limitation? (Un-stale-ing this issue)

github-actions[bot] commented 8 months ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

evankanderson commented 8 months ago

I can try to PR a documentation fix, since it seems there isn't an appetite for other fixes.

github-actions[bot] commented 7 months ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot] commented 7 months ago

This issue was automatically closed because of stale in 10 days

github-actions[bot] commented 6 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.