Terraform module which creates ACM certificates and validates them using Route53 DNS (recommended) or e-mail.
- Terraform 0.12. Pin module version to `~> v2.0`. Submit pull-requests to the `master` branch.
- Terraform 0.11. Pin module version to `~> v1.0`.
```hcl
module "acm" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> v2.0"

  domain_name = "my-domain.com"
  zone_id     = "Z2ES7B9AZ6SHAE"

  subject_alternative_names = [
    "*.my-domain.com",
    "app.sub.my-domain.com",
  ]

  tags = {
    Name = "my-domain.com"
  }
}
```
Sometimes you need a way to create the ACM certificate conditionally, but Terraform does not allow `count` inside a `module` block, so the solution is to specify the argument `create_certificate`:
```hcl
module "acm" {
  source = "terraform-aws-modules/acm/aws"

  create_certificate = false
  # ... omitted
}
```
Similarly, to disable DNS validation of the ACM certificate:

```hcl
module "acm" {
  source = "terraform-aws-modules/acm/aws"

  validate_certificate = false
  # ... omitted
}
```
- For use in an automated pipeline, consider setting `wait_for_validation = false` to avoid waiting for validation to complete or erroring after a 45 minute timeout.
- If you're upgrading to v2.13.0 or above, you might be subject to the off-by-one validation record issue. You can solve this without compromising existing validation records by issuing `terraform state rm <your_module_name>.validation[1]`, where `[1]` can be a different index depending on the number of validation records your module creates (you can check this with `terraform state list module.<your_module_name>.validation`).
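The off-by-one note above depends on how many validation records the module creates, which in turn depends on how wildcard SANs collapse: `*.my-domain.com` is validated by the same CNAME as `my-domain.com`. The following added example (not the module's own code) models that dedup from the description of the `distinct_domain_names` output so you can predict which `validation[N]` addresses will exist before touching state; the resource address `aws_route53_record.validation` and the exact dedup rule are assumptions.

```python
"""Added example: predict ACM validation record addresses for this module.
Not part of the terraform-aws-modules/acm/aws module itself."""
from typing import List


def distinct_domain_names(domain_name: str, sans: List[str]) -> List[str]:
    """Collapse the domain name plus SANs into the distinct names that need
    a DNS validation record. A wildcard '*.example.com' shares its validation
    CNAME with 'example.com', so the leading '*.' is stripped before
    deduplicating. Order is preserved so the index N in validation[N] is
    stable. Assumption: this mirrors the module's dedup, it is not its code."""
    seen: List[str] = []
    for name in [domain_name, *sans]:
        bare = name[2:] if name.startswith("*.") else name
        if bare not in seen:
            seen.append(bare)
    return seen


def validation_addresses(module_name: str, domain_name: str,
                         sans: List[str]) -> List[str]:
    """Terraform resource addresses expected in `terraform state list`,
    one per distinct domain. The resource name 'aws_route53_record.validation'
    is an assumption about the module's internals; check your own
    `terraform state list` output before running `terraform state rm`."""
    names = distinct_domain_names(domain_name, sans)
    return [f"module.{module_name}.aws_route53_record.validation[{i}]"
            for i in range(len(names))]


if __name__ == "__main__":
    # Constructed sample matching the README's usage block above.
    addrs = validation_addresses(
        "acm", "my-domain.com", ["*.my-domain.com", "app.sub.my-domain.com"])
    for addr in addrs:
        print(addr)
    # The wildcard collapses onto the apex, so only two records exist:
    # validation[0] for my-domain.com, validation[1] for app.sub.my-domain.com
```

Run it against your own `domain_name` and `subject_alternative_names` to see how many records to expect; if the count does not match `terraform state list`, do not remove anything.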
## Requirements

| Name | Version |
|---|---|
| terraform | >= 0.12.26 |
| aws | >= 2.53 |

## Providers

| Name | Version |
|---|---|
| aws | >= 2.53 |
## Modules

No modules.

## Resources

| Name |
|---|
| aws_acm_certificate |
| aws_acm_certificate_validation |
| aws_route53_record |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| certificate_transparency_logging_preference | Specifies whether certificate details should be added to a certificate transparency log | bool | `true` | no |
| create_certificate | Whether to create ACM certificate | bool | `true` | no |
| dns_ttl | The TTL of DNS recursive resolvers to cache information about this record. | number | `60` | no |
| domain_name | A domain name for which the certificate should be issued | string | `""` | no |
| subject_alternative_names | A list of domains that should be SANs in the issued certificate | list(string) | `[]` | no |
| tags | A mapping of tags to assign to the resource | map(string) | `{}` | no |
| validate_certificate | Whether to validate certificate by creating Route53 record | bool | `true` | no |
| validation_allow_overwrite_records | Whether to allow overwrite of Route53 records | bool | `true` | no |
| validation_method | Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into Terraform. | string | `"DNS"` | no |
| wait_for_validation | Whether to wait for the validation to complete | bool | `true` | no |
| zone_id | The ID of the hosted zone to contain this record. | string | `""` | no |
## Outputs

| Name | Description |
|---|---|
| distinct_domain_names | List of distinct domain names used for the validation. |
| this_acm_certificate_arn | The ARN of the certificate |
| this_acm_certificate_domain_validation_options | A list of attributes to feed into other resources to complete certificate validation. Can have more than one element, e.g. if SANs are defined. Only set if DNS validation was used. |
| this_acm_certificate_validation_emails | A list of addresses that received a validation e-mail. Only set if EMAIL validation was used. |
| validation_domains | List of distinct domain validation options. This is useful if subject alternative names contain wildcards. |
| validation_route53_record_fqdns | List of FQDNs built using the zone domain and name. |
Module managed by Anton Babenko.
Apache 2 Licensed. See LICENSE for full details.