Fix cert validation when FQDN is inside of other zone

* Add 6.th.ooni.org to list of th addresses
ooni · Sep 24, 2024 · 9d7b8ee · 9d7b8ee
1 parent 93ee8dd
commit 9d7b8ee
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 6 deletions.
diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf
@@ -579,9 +579,10 @@ module "ooniapi_frontend" {
  alternative_domains = {
  "api.ooni.org" : local.dns_root_zone_ooni_org
  "5.th.ooni.org" : local.dns_root_zone_ooni_org,
+ "6.th.ooni.org" : local.dns_root_zone_ooni_org,
  }
 
- oonith_domains = ["5.th.ooni.org"]
+ oonith_domains = ["5.th.ooni.org", "6.th.ooni.org"]
 
  stage = local.environment
  dns_zone_ooni_io = local.dns_zone_ooni_io

diff --git a/tf/modules/ooniapi_acm_certificate/main.tf b/tf/modules/ooniapi_acm_certificate/main.tf
@@ -30,7 +30,7 @@ resource "aws_acm_certificate" "this" {
 
  tags = var.tags
 
- subject_alternative_names = [for domain_name, zone_id in var.alternative_domains : domain_name]
+ subject_alternative_names = keys(var.alternative_domains)
 
  lifecycle {
  create_before_destroy = true
@@ -40,9 +40,10 @@ resource "aws_acm_certificate" "this" {
 resource "aws_route53_record" "cert_validation" {
  for_each = {
  for dvo in aws_acm_certificate.this.domain_validation_options : dvo.domain_name => {
- name = dvo.resource_record_name
- record = dvo.resource_record_value
- type = dvo.resource_record_type
+ name = dvo.resource_record_name
+ record = dvo.resource_record_value
+ type = dvo.resource_record_type
+ domain_name = dvo.domain_name
  }
  }
 
@@ -51,7 +52,7 @@ resource "aws_route53_record" "cert_validation" {
  records = [each.value.record]
  ttl = 60
  type = each.value.type
- zone_id = var.main_domain_name_zone_id
+ zone_id = lookup(var.alternative_domains, each.value.domain_name, var.main_domain_name_zone_id)
 }
 
 resource "aws_acm_certificate_validation" "this" {