Acm certificate validation not handled properly #1393

Closed
Blakeinstein opened this issue Dec 6, 2021 · 4 comments
Labels
bug Something isn't working

Comments

@Blakeinstein

name: cert.domainValidationOptions("0").resourceRecordName,

I referenced the code above and produced something like the following.

const certificateResource = new ACM.AcmCertificate(this, props.domainName + '_certificate', {
  domainName: props.domainName,
  validationMethod: 'DNS',
  tags: {
    environment: props.environment,
  },
  lifecycle: {
    createBeforeDestroy: true,
  },
});
certificate = certificateResource.arn;
const validationRecord = new Route53.Route53Record(this, props.domainName + '_certificate_record', {
  zoneId: hostedZone.zoneId,
  name: certificateResource.domainValidationOptions('0').resourceRecordName,
  type: certificateResource.domainValidationOptions('0').resourceRecordType,
  records: [
    certificateResource.domainValidationOptions('0').resourceRecordValue,
  ],
  ttl: 60,
});

certificateDependable = new ACM.AcmCertificateValidation(this, props.domainName + '_certificate_validation', {
  certificateArn: certificateResource.arn,
  validationRecordFqdns: [
    validationRecord.fqdn,
  ],
});

Raises the following error

 on cdk.tf.json line 65, in resource.aws_route53_record.typescript-aws_examplecom_certificate_record_67B1E051:
│   65:         "type": "${aws_acm_certificate.typescript-aws_examplecom_certificate_A8CEFE35.domain_validation_options.0.resource_record_type}",
Elements of a set are identified only by their value and don't have any
separate index or key to select with, so it's only possible to perform
operations across all elements of the set.

Furthermore, I would like to add a few alternative names as discussed here and would like to know the syntax for the same.

Blakeinstein added the bug (Something isn't working) and new (Un-triaged issue) labels on Dec 6, 2021

@jsteinich
Collaborator

I'm sure there's an example somewhere for this, but the closest I could find was #42 (comment)

@Blakeinstein
Author

I'm sure there's an example somewhere for this

I don't think that will work since, as suggested by the comment, domainValidationOptions is now a function.

@Blakeinstein
Author

Blakeinstein commented Dec 7, 2021

A solution that could work is printing the appropriate HCL code via override.

I am unsure how you can refer to a resource's id at compile time, however, since cdk generates tokens that are replaced later.

update: found out about friendlyUniqueId, which seems to use the correct id. Let's see where it takes me.

Now I am unsure of how to resolve the following

update: Fixed it, this solution works (at least I hope).

const validationRecord = new Route53.Route53Record(this, props.domainName + '_certificate_record', {
  zoneId: hostedZone.zoneId,
  allowOverwrite: true,
  name: '${each.value.name}',
  records: ['${each.value.record}'],
  ttl: 60,
  type: '${each.value.type}',
});
validationRecord.addOverride('for_each',
  `\${{
    for dvo in aws_acm_certificate.${certificateResource.friendlyUniqueId}.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }}`,
);

let certificateDependable = new ACM.AcmCertificateValidation(this, props.domainName + '_certificate_validation', {
  certificateArn: certificateResource.arn,
});
certificateDependable.addOverride('validation_record_fqdns', `\${[for record in aws_route53_record.${validationRecord.friendlyUniqueId} : record.fqdn]}`);
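
A pre-plan check for the error reported in this thread, as an added example that is not part of the original issue or the project's own code: it walks synthesized `cdk.tf.json` content and flags any reference that applies a numeric index to `domain_validation_options`, which Terraform rejects because the attribute is a set. The sample JSON, the resource names `indexed_record` and `iterated_record`, and the function name `findSetIndexing` are assumptions made for illustration; the certificate resource id is the one shown in the error output above.

```typescript
// Constructed sample of a synthesized cdk.tf.json. "indexed_record" repeats the
// failing reference from the error above; "iterated_record" uses the for_each form.
const CERT = "aws_acm_certificate.typescript-aws_examplecom_certificate_A8CEFE35";
const sampleSynth = {
  resource: {
    aws_route53_record: {
      indexed_record: {
        name: "${" + CERT + ".domain_validation_options.0.resource_record_name}",
        type: "${" + CERT + ".domain_validation_options.0.resource_record_type}",
        records: ["${" + CERT + ".domain_validation_options.0.resource_record_value}"],
      },
      iterated_record: {
        for_each: "${{ for dvo in " + CERT + ".domain_validation_options : dvo.domain_name => dvo }}",
        name: "${each.value.resource_record_name}",
      },
    },
  },
};

interface Finding {
  path: string;      // JSON path of the offending value
  reference: string; // the indexed reference that Terraform will reject
}

// A numeric index applied directly to domain_validation_options, written
// either as ".0" or as "[0]". Iterating the set in a for expression does not match.
const SET_INDEX = /aws_acm_certificate\.[\w-]+\.domain_validation_options(?:\.\d+|\[\d+\])[\w.]*/g;

// Walk any JSON value and collect every string that indexes into the set.
function findSetIndexing(node: unknown, path: string = "$", out: Finding[] = []): Finding[] {
  if (typeof node === "string") {
    const matches = node.match(SET_INDEX) || [];
    for (let i = 0; i < matches.length; i++) out.push({ path, reference: matches[i] });
  } else if (Array.isArray(node)) {
    for (let i = 0; i < node.length; i++) findSetIndexing(node[i], path + "[" + i + "]", out);
  } else if (node !== null && typeof node === "object") {
    const obj = node as { [key: string]: unknown };
    const keys = Object.keys(obj);
    for (let i = 0; i < keys.length; i++) findSetIndexing(obj[keys[i]], path + "." + keys[i], out);
  }
  return out;
}

// Report each finding; a CI step could fail the build when any are present.
const findings = findSetIndexing(sampleSynth);
for (let i = 0; i < findings.length; i++) console.log(findings[i].path + ": " + findings[i].reference);
```

To use it on real output, pass the parsed contents of the synthesized `cdk.tf.json` to `findSetIndexing` instead of the constructed sample.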

@github-actions
Contributor

I'm going to lock this issue because it has been closed for 30 days. This helps our maintainers find and focus on the active issues. If you've found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions bot locked this issue as resolved and limited conversation to collaborators on Nov 27, 2022