ACM role needs to handle looping #2414

Open
@gregharvey

Description

You cannot 'edit' an ACM cert once it is issued, so you cannot add domains. This makes SAN certificates unsuitable in many cases, yet the role behaviour as it stands is to create a SAN cert if multiple domains are supplied.

The problem is once attached to an ALB or a CloudFront distribution, the only way to delete a certificate is to tear the infra down entirely so there's no association. So if you want to add a domain to an ASG and you can't tear the whole infra down, you're a bit stuck! You can do it manually, but it would be good if SAN certs were an option rather than an assumption where there are multiple domains.

This means when presented with extra domains the ACM role should either create a SAN cert or loop through domains and create a cert for each one. This also means the return var that contains the cert ARN - aws_acm_certificate_arn - needs to be a list of ARNs, not a single one. Something like this:

```yaml
# Start from an empty list of ARNs (or whatever a previous run already collected)
# and assume the domain is not yet covered by an existing certificate.
- name: Initialise existing cert vars.
  ansible.builtin.set_fact:
    aws_acm_certificate_arns: "{{ aws_acm_certificate_arns | default([]) }}"
    _aws_acm_domain_in_cert_list: false

# _aws_acm_cert_list holds the certificates returned by ACM (CertificateArn / DomainName
# per entry). Append the ARN of every certificate whose primary domain matches the
# requested one and flag that the domain is already covered.
- name: Iterate through the certificate list checking for domain.
  ansible.builtin.set_fact:
    aws_acm_certificate_arns: "{{ aws_acm_certificate_arns + [ item.CertificateArn ] }}"
    _aws_acm_domain_in_cert_list: true
  when: item.DomainName == aws_acm.domain_name
  with_items: "{{ _aws_acm_cert_list }}"
```

The ASG role should make use of this new behaviour once it is ready. Essentially we'll expect a list of created cert ARNs back from the role, not a single one.
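The reconcile step the issue describes, worked through in Python as an added example (this is not the role's Ansible code and not from the issue author). It takes the list of wanted domains plus a certificate list shaped like the `CertificateSummaryList` entries of `aws acm list-certificates` (`CertificateArn`, `DomainName`, `Status`, and `SubjectAlternativeNameSummaries` where present), returns the ARNs of certificates that already cover a domain (the list the issue wants in `aws_acm_certificate_arns`) and the domains that still need a certificate, and builds the request parameters either as one SAN request or one request per domain. The `san_cert` switch, the `Plan` type and `plan_certificates` are illustrative names, and the sample certificate list is constructed. Two checks a practitioner would want are included: matching on `DomainName` alone would also pick up expired or failed certificates, so only `ISSUED` ones count; and because an issued certificate cannot be edited, a SAN certificate covering some of the domains still leaves the missing ones to be requested afresh.

```python
"""Plan which ACM certificates to reuse and which to request for a list of domains.

Added example, not code from the issue or the role. Records are shaped like the
CertificateSummaryList entries returned by `aws acm list-certificates`; the
request dicts use the DomainName / SubjectAlternativeNames parameter names of
`aws acm request-certificate`. All sample data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample of an ACM certificate listing (account id and ARN suffixes are made up).
SAMPLE_CERT_LIST = [
    {"CertificateArn": "arn:aws:acm:eu-west-1:111122223333:certificate/aaaa-1111",
     "DomainName": "www.example.com", "Status": "ISSUED"},
    {"CertificateArn": "arn:aws:acm:eu-west-1:111122223333:certificate/bbbb-2222",
     "DomainName": "api.example.com", "Status": "ISSUED",
     "SubjectAlternativeNameSummaries": ["api.example.com", "api-staging.example.com"]},
    # An expired cert for a wanted domain: must not be reused, the domain gets a new request.
    {"CertificateArn": "arn:aws:acm:eu-west-1:111122223333:certificate/cccc-3333",
     "DomainName": "old.example.com", "Status": "EXPIRED"},
]


@dataclass
class Plan:
    """Result of reconciling wanted domains against existing certificates."""
    existing_arns: list[str] = field(default_factory=list)      # reuse these (aws_acm_certificate_arns)
    domains_to_create: list[str] = field(default_factory=list)  # no usable cert covers these
    requests: list[dict] = field(default_factory=list)          # request-certificate parameters


def domains_covered_by(cert: dict) -> set[str]:
    """All names a certificate is valid for: primary domain plus any SAN entries."""
    names = {cert["DomainName"]}
    names.update(cert.get("SubjectAlternativeNameSummaries", []))
    return names


def plan_certificates(domains: list[str], cert_list: list[dict],
                      san_cert: bool = False,
                      usable_statuses: tuple[str, ...] = ("ISSUED",)) -> Plan:
    """Mirror of the issue's loop, generalised to many domains and to SAN coverage.

    For each wanted domain, the first usable certificate covering it is reused
    (its ARN is appended once). Domains with no usable certificate are collected,
    then turned into either a single SAN request or one request per domain.
    """
    plan = Plan()
    for domain in domains:
        match = next(
            (c for c in cert_list
             if c.get("Status", "ISSUED") in usable_statuses
             and domain in domains_covered_by(c)),
            None,
        )
        if match is None:
            plan.domains_to_create.append(domain)
        elif match["CertificateArn"] not in plan.existing_arns:
            plan.existing_arns.append(match["CertificateArn"])

    if san_cert and plan.domains_to_create:
        # One certificate: first missing domain is the primary, the rest are SANs.
        plan.requests = [{
            "DomainName": plan.domains_to_create[0],
            "SubjectAlternativeNames": plan.domains_to_create[1:],
        }]
    else:
        # One certificate per missing domain, so later additions never need a re-issue.
        plan.requests = [{"DomainName": d, "SubjectAlternativeNames": []}
                         for d in plan.domains_to_create]
    return plan


if __name__ == "__main__":
    wanted = ["www.example.com", "api-staging.example.com", "new.example.com", "old.example.com"]
    for mode in (False, True):
        p = plan_certificates(wanted, SAMPLE_CERT_LIST, san_cert=mode)
        print(f"san_cert={mode}: reuse {p.existing_arns}; request {p.requests}")
```

Run as a script it prints both modes for the constructed data: `www.example.com` and `api-staging.example.com` are covered by the two issued certificates (the second via its SAN list), while `new.example.com` and the expired `old.example.com` end up in the request list, as one SAN request or two single-domain requests depending on `san_cert`. The per-domain mode is the one the issue argues for: adding a domain later only adds one more certificate and never requires tearing down the ALB or CloudFront association.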
