More advanced example for acm_certificate_validation involving SANs/How to iterate over list of maps

[blckct]

aws_acm_certificate returns an array of maps and iterating over that is rather tricky in Terraform since element() doesn't allow it. I think it would be nice to include a recommended way to create mutliple aws_route53_records using count instead of writing out a seperate record for every SAN.

resource "aws_acm_certificate" "cert" {
  domain_name = "example.com"
  validation_method = "DNS"
  subject_alternative_names = [
      "foo.example.com",
      "bar.example.com"
    ]
}

data "aws_route53_zone" "zone" {
  name = "example.com."
  private_zone = false
}

resource "aws_route53_record" "cert_validation" {
  count = "${length(aws_acm_certificate.cert.domain_validation_options)}"
  name = "???"
  type = "???"
  zone_id = "${data.aws_route53_zone.zone.id}"
  records = ["???"]
  ttl = 60
}

resource "aws_acm_certificate_validation" "cert" {
  certificate_arn = "${aws_acm_certificate.cert.arn}"
  validation_record_fqdns = ["${aws_route53_record.cert_validation.*.fqdn}"]
}

[Telling]

You can use Terraform's lookup function to do this:

resource "aws_route53_record" "default" {
  count   = "${length(var.subject_alternative_names)+1}"
  zone_id = "${data.aws_route53_zone.default.zone_id}"
  name    = "${lookup(aws_acm_certificate.default.domain_validation_options[count.index], "resource_record_name")}"
  type    = "${lookup(aws_acm_certificate.default.domain_validation_options[count.index], "resource_record_type")}"
  ttl     = "${var.ttl}"
  records = ["${lookup(aws_acm_certificate.default.domain_validation_options[count.index], "resource_record_value")}"]
}

This lives in a module and the subject_alternative_names list defaults to []. I had to use the length of the subject_alternative_names variable because using

length(aws_acm_certificate.default.domain_validation_options)

gives:

* module.foo.aws_route53_record.default: aws_route53_record.default: value of 'count' cannot be computed

I would add this to the docs, but not sure since I had to use the hacky way to get the count :/

[blckct]

Oooh, I totally missed lookup in the docs.

And, it seems that count is undefined until the certificate is created. How about:

count = "${length(aws_acm_certificate.default.subject_alternative_names) + 1}"

That way it relies only on aws_acm_certificate. And I believe the more hacky the solution has to be the better it's given as an example.

[Telling]

I agree that using aws_acm_certificate.default.subject_alternative_names would be preferable, but that does not work when trying to create a certificate without any SANs which means I cannot use it for my usecase, but maybe you can :)

[blckct]

Okay, I don't have a clue how to go around that one then. Either way your ideas made my config file much more sane. I think an example with a hard coded count will be better than what we have right now.

[github-actions]

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

[davidkarlsen]

This seems to still be unresolved - are there any workarounds for it?

[dpetzold]

I had a large certificate with multiple tlds and I ended up scripting it:

https://gist.github.com/dpetzold/c6df0ae042a29130fa58278db196234f

I am thinking aws_acm_certificate_validation could have a create_route53_validation_records option and if its true it would create the records and then maybe even delete them after the validation is done. Would really appreciate some thoughts on that.

[kitsunde]

https://github.com/mediapop/terraform-aws-certificate we made module for creating certificates over multiple zones and hostnames in 2018 if anyone is interested, I'm not sure if that covers what everyone is asking for here. It's not yet released for 0.12, but there's a PR for it.

[bflad]

Hi folks 👋

The aws_acm_certificate was reworked for version 3.0.0 of the Terraform AWS Provider and its now possible to directly reference the domain_validation_options attribute for DNS validation:

data "aws_route53_zone" "public_root_domain" {
  name = "example.com"
}

resource "aws_acm_certificate" "existing" {
  domain_name = "existing.example.com"
  subject_alternative_names = [
    "existing1.example.com",
    "existing2.example.com",
    "existing3.example.com",
  ]
  validation_method = "DNS"
}

resource "aws_route53_record" "existing" {
  for_each = {
    for dvo in aws_acm_certificate.existing.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = data.aws_route53_zone.public_root_domain.zone_id
}

resource "aws_acm_certificate_validation" "existing" {
  certificate_arn         = aws_acm_certificate.existing.arn
  validation_record_fqdns = [for record in aws_route53_record.existing : record.fqdn]
}

Please see the following references for more information or to ask followup usage questions:

• Version 3 Upgrade Guide section on aws_acm_certificate changes
• aws_acm_certificate resource documentation
• Community Forums

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!