terraform-aws-modules / terraform-aws-acm

Terraform module to create AWS ACM resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/acm/aws
Apache License 2.0
184 stars 230 forks

DNS Validation Fails on Trailing Dot #95

Closed sjtindell closed 2 years ago

sjtindell commented 2 years ago

Description

I am trying to create an ACM cert in a public hosted zone with a single SAN wildcard name and DNS validation.

I call the module as follows

locals {
  domain_name_ext = trimsuffix("mydomain.com", ".")
}

module "acm_ingress_ext" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> 3.0"

  domain_name  = local.domain_name_ext
  zone_id      = "SOMEID"

  subject_alternative_names = [
    "*.${local.domain_name_ext}"
  ]

  wait_for_validation = true

  tags = merge(
    local.tags,
    {
      Name = "wildcard-${local.domain_name_ext}"
    }
  )
}

and it creates a cert, validations, and validation records from what I can tell.

The only problem is that it hangs in Pending validation because the validation name is

_fc2327e9be3a6470cadb2dcfb0df4182.mydomain.com.

with a trailing dot, and the module seems to create a record

_fc2327e9be3a6470cadb2dcfb0df4182.mydomain.com

without it.

When I execute

output "domains" {
  value = module.acm_ingress_ext.validation_route53_record_fqdns
}

I get

domains = [
  "mydomain.com",
]

Versions

Terraform v1.0.9 on darwin_amd64

Reproduction

Set up the code above and run terraform apply

Expected behavior

The validation should succeed, the records should match.

sjtindell commented 2 years ago

When I go request a public ACM cert via the web gui, even if I set the requested name without a dot, it appends a dot to the expected record.

"mydomain.com" becomes "mydomain.com."

sjtindell commented 2 years ago

At https://github.com/terraform-aws-modules/terraform-aws-acm/blob/master/main.tf

I believe I can set a dot on the resource with a change to

resource "aws_route53_record" "validation" {
  name = "${element(local.validation_domains, count.index)["resource_record_name"]}."
}

or a "fmt" call, but this

resource "aws_acm_certificate_validation" "this" {
  validation_record_fqdns = aws_route53_record.validation.*.fqdn
}

then fails.

Was there a change on Amazon's end somewhere or am I using the module wrong?

sjtindell commented 2 years ago

This was a silly mistake on my end...I created a public hosted zone but forgot to add its NS records to my upstream domain. So ACM simply couldn't resolve the record, it was stuck in Pending, and the mismatch between what the Validation showed with a dot and the actual CNAME not having the dot was a red herring.

For anyone else who runs into it, changing the dots around was wrong and caused lots of

FATAL problem: DomainLabelEmpty
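Two things in this thread are worth checking mechanically before touching a module: whether the name ACM shows (with a trailing dot) and the record Route 53 created (without one) are really different names, and whether the hosted zone is actually delegated from the parent domain, which turned out to be the real cause. The script below is an added example for this page, not code from the terraform-aws-acm module; the NS server names and the validation record name are constructed sample data, and `DomainLabelEmpty` is reproduced locally as the error you get when a dot is appended to a name that already ends in one.

```python
"""Added example (not part of terraform-aws-acm): DNS name normalisation and a
Route 53 delegation check, with constructed sample data from this thread."""
from __future__ import annotations


def dns_labels(name: str) -> list[str]:
    """Split a DNS name into labels. A single trailing dot means the root and is
    dropped; an empty label anywhere else is the condition Route 53 rejects as
    DomainLabelEmpty, so it is raised here."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    if name == "":
        return []
    labels = name.split(".")
    if any(label == "" for label in labels):
        raise ValueError(f"DomainLabelEmpty: {name!r} contains an empty label")
    return labels


def label_error(name: str) -> str | None:
    """Return the error message for a malformed name, or None if it is fine."""
    try:
        dns_labels(name)
        return None
    except ValueError as exc:
        return str(exc)


def same_name(a: str, b: str) -> bool:
    """True if two names differ only by case or a trailing dot."""
    return dns_labels(a) == dns_labels(b)


def ensure_trailing_dot(name: str) -> str:
    """Idempotent: never produces 'example.com..' from 'example.com.'."""
    return name if name.endswith(".") else name + "."


def delegation_ok(parent_ns: set[str], zone_ns: set[str]) -> bool:
    """Delegation is correct when the NS RRset published by the parent zone
    (what public resolvers follow) matches the hosted zone's own NS set."""
    def canon(names: set[str]) -> set[tuple[str, ...]]:
        return {tuple(dns_labels(n)) for n in names}
    return bool(zone_ns) and canon(parent_ns) == canon(zone_ns)


# Constructed sample data (hypothetical values, not from any real zone).
ACM_NAME = "_fc2327e9be3a6470cadb2dcfb0df4182.mydomain.com."   # as ACM shows it
R53_NAME = "_fc2327e9be3a6470cadb2dcfb0df4182.mydomain.com"    # as the module creates it
ZONE_NS = {"ns-111.awsdns-11.org.", "ns-222.awsdns-22.com.",
           "ns-333.awsdns-33.net.", "ns-444.awsdns-44.co.uk."}
PARENT_NS_BEFORE_FIX: set[str] = set()          # NS records never added upstream
PARENT_NS_AFTER_FIX = {n.rstrip(".") for n in ZONE_NS}  # registrar usually shows no dot


def diagnose(acm_name: str, r53_name: str, parent_ns: set[str], zone_ns: set[str]) -> str:
    """Summarise which of the two suspected problems actually applies."""
    if not same_name(acm_name, r53_name):
        return "record name mismatch"
    if not delegation_ok(parent_ns, zone_ns):
        return "names match; hosted zone is not delegated from the parent"
    return "names match and delegation is correct; wait for validation"


if __name__ == "__main__":
    print(diagnose(ACM_NAME, R53_NAME, PARENT_NS_BEFORE_FIX, ZONE_NS))
    print(diagnose(ACM_NAME, R53_NAME, PARENT_NS_AFTER_FIX, ZONE_NS))
    print(label_error(ACM_NAME + "."))   # naive dot-appending on an already-qualified name
```

To feed it real data, the parent NS set is what `dig +short NS mydomain.com @8.8.8.8` returns, and the hosted zone's NS set is the `DelegationSet.NameServers` list from `aws route53 get-hosted-zone --id SOMEID`; if the first is empty or differs from the second, ACM has no way to reach the validation CNAME regardless of trailing dots.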

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.