Using for_each with aws_acm_certificate.domain_validation_options

[jleclanche]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The following piece of code:

resource "aws_route53_record" "www_example_com-acm_validation" {
	for_each = aws_acm_certificate.www_example_com.domain_validation_options

	zone_id = aws_route53_zone.example_com.zone_id
	name = each.value.resource_record_name
	type = each.value.resource_record_type
	records = [each.value.resource_record_value]
	ttl = 60
}

Produces the following error:

Error: Invalid for_each argument

The given "for_each" argument value is unsuitable: the "for_each" argument
must be a map, or set of strings, and you have provided a value of type list
of object.

This seems like a waste of potential, seeing as for_each is the perfect tool to actually implement validation in terraform "correctly".

Right now you have to do something ugly with the config like this:

name = aws_acm_certificate.www_example_com.domain_validation_options.0.resource_record_name
type = aws_acm_certificate.www_example_com.domain_validation_options.0.resource_record_type
records = [aws_acm_certificate.www_example_com.domain_validation_options.0.resource_record_value]

And if you want alternative domain validation you have to copy that. The docs even suggest so:
https://www.terraform.io/docs/providers/aws/r/acm_certificate_validation.html#alternative-domains-dns-validation-with-route-53

New or Affected Resource(s)

• aws_acm_certificate
• aws_route53_record (?)

[so0k]

should be sufficient to use toset() ?

[bflad]

Hi folks 👋 As @so0k mentions above, it should be sufficient to wrap the reference to domain_validation_options with Terraform 0.12 and later's toset() function in version 2.x of the Terraform AWS Provider, e.g.

# Terraform CLI 0.12+ and Terraform AWS Provider 2.X compatible
resource "aws_route53_record" "example" {
  for_each = toset(aws_acm_certificate.example.domain_validation_options)

  name    = each.value.resource_record_name
  records = [each.value.resource_record_value]
  ttl     = 60
  type    = each.value.resource_record_type
  zone_id = aws_route53_zone.example.zone_id
}

Please note that I'm explicitly mentioning version 2.X of the provider here since we plan to fix the ordering issues of domain_validation_options/subject_alternative_names in #8531 via efforts noted in #13053 as part of the next major version of the provider. When that version is released, the toset() will no longer be necessary and for_each usage will be explicitly documented. 👍

Please follow the two issues mentioned above for further tracking of this work and documentation.

[rafaelsales]

No solution for this if I am on Terraform 0.11.x? @bflad

[dnapier]

@bflad - Your solution here gives me this error output:

Error: Invalid for_each set argument

  on modules/acm/main.tf line 13, in resource "aws_route53_record" "route53_record_certificate_validation_default":
  13:   for_each = toset(aws_acm_certificate.acm_certificate_default.domain_validation_options)

The given "for_each" argument value is unsuitable: "for_each" supports maps
and sets of strings, but you have provided a set containing type object.

I've tried using tomap() as well and get a similar error. Any ideas regarding this would be greatly apprecaited.

[dnapier]

Found a solution:

  for_each = { for option in aws_acm_certificate.acm_certificate_default.domain_validation_options: option.resource_record_name => option }

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!