
Provide a resource which is an ACM certificate with builtin route53 DNS validation #9589

Closed
alex opened this issue Aug 1, 2019 · 7 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/acm Issues and PRs that pertain to the acm service. service/route53 Issues and PRs that pertain to the route53 service.
Comments


alex commented Aug 1, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Currently you can create an ACM certificate, and then use domain_validation_options in order to use terraform resources to create DNS records to fulfill the validation. This looks something like this:

resource "aws_acm_certificate" "cert" {
  domain_name               = var.domain_names[0]
  subject_alternative_names = slice(var.domain_names, 1, length(var.domain_names))
  validation_method         = "DNS"
}

resource "aws_route53_record" "website_cert_validation" {
  count = length(aws_acm_certificate.cert.domain_validation_options)

  name    = aws_acm_certificate.cert.domain_validation_options[count.index].resource_record_name
  type    = aws_acm_certificate.cert.domain_validation_options[count.index].resource_record_type
  zone_id = var.zone_id
  records = [aws_acm_certificate.cert.domain_validation_options[count.index].resource_record_value]
  ttl     = 300
}

resource "aws_acm_certificate_validation" "cert_validation" {
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = aws_route53_record.website_cert_validation.*.fqdn
}

If you run this you'll immediately find that it doesn't work -- because aws_route53_record.website_cert_validation.count relies on the apply step for another resource, you can't actually terraform plan this. No worries, there's a workaround! Change that resource to be:

resource "aws_route53_record" "website_cert_validation" {
  count = length(var.domain_names)

  name    = aws_acm_certificate.cert.domain_validation_options[count.index].resource_record_name
  type    = aws_acm_certificate.cert.domain_validation_options[count.index].resource_record_type
  zone_id = var.zone_id
  records = [aws_acm_certificate.cert.domain_validation_options[count.index].resource_record_value]
  ttl     = 300
}

length(aws_acm_certificate.cert.domain_validation_options) should always be the same as length(var.domain_names), right? Wrong! ACM is able to cache validation in some cases, so it won't ask you to prove ownership of a domain if you already have. This produces an error like:

Error: Invalid index

  on ../modules/acm/main.tf line 10, in resource "aws_route53_record" "website_cert_validation":
  10:   name    = aws_acm_certificate.cert.domain_validation_options[count.index].resource_record_name
    |----------------
    | aws_acm_certificate.cert.domain_validation_options is empty list of object
    | count.index is 0

The given key does not identify an element in this collection value.


Error: Invalid index

  on ../modules/acm/main.tf line 11, in resource "aws_route53_record" "website_cert_validation":
  11:   type    = aws_acm_certificate.cert.domain_validation_options[count.index].resource_record_type
    |----------------
    | aws_acm_certificate.cert.domain_validation_options is empty list of object
    | count.index is 0

The given key does not identify an element in this collection value.


Error: Invalid index

  on ../modules/acm/main.tf line 13, in resource "aws_route53_record" "website_cert_validation":
  13:   records = [aws_acm_certificate.cert.domain_validation_options[count.index].resource_record_value]
    |----------------
    | aws_acm_certificate.cert.domain_validation_options is empty list of object
    | count.index is 0

The given key does not identify an element in this collection value.

Unfortunately, I don't believe it's possible to resolve this with the functionality in terraform today -- count fundamentally must be derived from the certificate resource, it's the only thing that knows how many validation records are required.

To solve this, I believe terraform-provider-aws needs to include a resource that is an AWS ACM certificate that holds the cycle of creating DNS records to respond to the request internally, because you can't express the workflow properly in HCL.

New or Affected Resource(s)

  • aws_acm_domain_validated_certificate

Potential Terraform Configuration

resource "aws_acm_domain_validated_certificate" "my_cert" {
  domain_name               = var.domain_names[0]
  subject_alternative_names = slice(var.domain_names, 1, length(var.domain_names))
  route53_zone_id           = var.zone_id
  dns_ttl                   = 60
}

References

@alex alex added the enhancement Requests to existing resources that expand the functionality or scope. label Aug 1, 2019
@ghost ghost added service/acm Issues and PRs that pertain to the acm service. service/route53 Issues and PRs that pertain to the route53 service. labels Aug 1, 2019
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Aug 1, 2019
@alysaleha

@alex Is there a workaround until a fix is pushed?


alex commented Aug 5, 2019

There is no workaround for this at the moment.


bflad commented Aug 5, 2019

Hi folks 👋 Thanks for this feature request, although it looks to be in relation to an ACM API change that we just pushed a bug fix for: #9596 / #9598. That fix will be released with version 2.23.0 of the Terraform AWS Provider, later this week.

Regarding the potential of creating a new resource that combines requesting the ACM certificate and Route 53 records, creating Terraform resources that interact with multiple AWS services is not a pattern that is well suited to Terraform or the Terraform AWS Provider. Terraform itself is designed for tracking singular units of infrastructure, and attempting to work outside that framework would introduce unnecessary code complexity and maintenance burden into the project. Since ACM itself allows any DNS provider for verification, we prefer to offer a single Terraform resource for using their generic domain validation implementation so operators can create the necessary DNS infrastructure for passing validation separately from requesting the certificate itself.

Thanks again for submitting this and please follow #9596 for updates about the release of the domain validation options fix or any further discussions on that topic.

@bflad bflad closed this as completed Aug 5, 2019
@bflad bflad added this to the v2.23.0 milestone Aug 5, 2019

ghost commented Aug 7, 2019

This has been released in version 2.23.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@beanaroo

@bflad Thanks! Glad the API change has been addressed. That unfortunately doesn't address the problem pointed out in this issue. I understand the desire to not provide an integrated resource. Is there an open item tracking the problem elsewhere?

I'd like to understand how we can use Terraform for ACM certificate DNS validation. Needing to run partial plans sounds like a problem. (Especially when using Terraform in an automated manner)

@beanaroo

Just to add to the above implementation, iterating over domain_validation_options does not work either since base and wildcard domains tend to have identical validation records, resulting in failure to create already existing records.

domain_validation_options = [
  {
    domain_name           = "mydomain.com"
    resource_record_name  = "_a54029.mydomain.com."
    resource_record_type  = "CNAME"
    resource_record_value = "_06f577.olprtlswtu.acm-validations.aws."
  },
  {
    domain_name           = "*.mydomain.com"
    resource_record_name  = "_a54029.mydomain.com."
    resource_record_type  = "CNAME"
    resource_record_value = "_06f577.olprtlswtu.acm-validations.aws."
  },
  {
    domain_name           = "*.members.mydomain.com"
    resource_record_name  = "_d384f0.members.mydomain.com."
    resource_record_type  = "CNAME"
    resource_record_value = "_290e0b.olprtlswtu.acm-validations.aws."
  },
  {
    domain_name           = "*.staff.mydomain.com"
    resource_record_name  = "_917094.staff.mydomain.com."
    resource_record_type  = "CNAME"
    resource_record_value = "_9f601b.olprtlswtu.acm-validations.aws."
  }
]

You'll need to compile a list of resource_record_names and calculate length based on a distinct result.
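The two problems raised in this thread, the `count` that cannot be known at plan time in the opening post and the duplicate CNAME shared by a base domain and its wildcard in the comment above, are both handled by iterating with `for_each` over `domain_validation_options` instead of `count`. The configuration below is an added example written for this page; it is not code from the issue author, the commenters or the provider's own repository. It reuses the `var.domain_names` and `var.zone_id` variables from the issue and assumes a provider version in which `domain_validation_options` is a set whose `domain_name` keys are known at plan time (the shape the provider adopted in its 3.x releases; with the 2.x list type shown in the issue the `for_each` map is unknown at plan and Terraform rejects it).

```hcl
# Added example (not from the issue or the provider). Assumes var.domain_names,
# var.zone_id and a provider where domain_validation_options is a plan-time set.
resource "aws_acm_certificate" "cert" {
  domain_name               = var.domain_names[0]
  subject_alternative_names = slice(var.domain_names, 1, length(var.domain_names))
  validation_method         = "DNS"

  # Issue the replacement before destroying the old certificate so consumers
  # (ALB/CloudFront listeners) never reference a deleted ARN during rotation.
  lifecycle {
    create_before_destroy = true
  }
}

# One instance per requested name. Keying by domain_name keeps the for_each
# keys known at plan time; the record name/value may stay unknown until apply.
# A base domain and its wildcard return the same CNAME name and value, so two
# instances manage one Route 53 record; allow_overwrite lets the second one
# adopt it instead of failing with "record already exists".
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }

  allow_overwrite = true
  zone_id         = var.zone_id
  name            = each.value.name
  type            = each.value.type
  records         = [each.value.record]
  ttl             = 60
}

# Waits until ACM reports the certificate ISSUED. Because the FQDN list is
# derived from the records actually created, a cached validation that yields
# fewer options than domains no longer produces an index error.
resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = [for r in aws_route53_record.cert_validation : r.fqdn]
}

output "certificate_arn" {
  # Depend on the validation resource, not the certificate, so downstream
  # listeners are only wired up once the certificate is usable.
  value = aws_acm_certificate_validation.cert.certificate_arn
}
```

Keying the map by `domain_name` rather than by distinct `resource_record_name`, as the comment above suggests, is deliberate: `for_each` keys must be known when the plan is built, and the record names only exist once ACM has processed the request. Deduplication is therefore pushed onto Route 53 via `allow_overwrite`, which is safe here because every duplicate carries an identical value. Operationally, the hosted zone these CNAMEs land in is the trust anchor for DNS validation; write access to it is equivalent to the ability to obtain certificates for the zone, so restrict and audit `route53:ChangeResourceRecordSets` on that zone as carefully as the certificate itself.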


ghost commented Nov 1, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 1, 2019
@breathingdust breathingdust removed the needs-triage Waiting for first response or review from a maintainer. label Sep 17, 2021