From 9d7b8eeb79b0e4a3de51a246ec68cdd3eda90632 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arturo=20Filast=C3=B2?=
Date: Tue, 24 Sep 2024 14:30:08 +0300
Subject: [PATCH] Fix cert validation when FQDN is inside of other zone

* Add 6.th.ooni.org to list of th addresses
---
 tf/environments/prod/main.tf | 3 ++-
 tf/modules/ooniapi_acm_certificate/main.tf | 11 ++++++-----
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf
index 2b7bf0f..eb495c6 100644
--- a/tf/environments/prod/main.tf
+++ b/tf/environments/prod/main.tf
@@ -579,9 +579,10 @@ module "ooniapi_frontend" {
   alternative_domains = {
     "api.ooni.org" : local.dns_root_zone_ooni_org
     "5.th.ooni.org" : local.dns_root_zone_ooni_org,
+    "6.th.ooni.org" : local.dns_root_zone_ooni_org,
   }
-  oonith_domains = ["5.th.ooni.org"]
+  oonith_domains = ["5.th.ooni.org", "6.th.ooni.org"]
   stage = local.environment
   dns_zone_ooni_io = local.dns_zone_ooni_io
diff --git a/tf/modules/ooniapi_acm_certificate/main.tf b/tf/modules/ooniapi_acm_certificate/main.tf
index 486de69..3abbc57 100644
--- a/tf/modules/ooniapi_acm_certificate/main.tf
+++ b/tf/modules/ooniapi_acm_certificate/main.tf
@@ -30,7 +30,7 @@ resource "aws_acm_certificate" "this" {
   tags = var.tags
-  subject_alternative_names = [for domain_name, zone_id in var.alternative_domains : domain_name]
+  subject_alternative_names = keys(var.alternative_domains)
   lifecycle {
     create_before_destroy = true
@@ -40,9 +40,10 @@ resource "aws_acm_certificate" "this" {
 resource "aws_route53_record" "cert_validation" {
   for_each = {
     for dvo in aws_acm_certificate.this.domain_validation_options : dvo.domain_name => {
-      name = dvo.resource_record_name
-      record = dvo.resource_record_value
-      type = dvo.resource_record_type
+      name = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type = dvo.resource_record_type
+      domain_name = dvo.domain_name
     }
   }
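Review bot: The new host 6.th.ooni.org has to be written twice in this hunk, once as a key of `alternative_domains` and once in `oonith_domains`, and nothing in the module call ties the two lists together, so the next host added to one list can silently be left out of the other (a TH name without its SAN, or a SAN with no TH entry). If the module expects `oonith_domains` to be a subset of the certificate names — I cannot see how it consumes the variable from here — consider keeping the TH hosts in one local map that is merged into `alternative_domains` and from which `oonith_domains` is derived, or at least a comment above `alternative_domains` such as `# every *.th.ooni.org host listed here must also appear in oonith_domains below`. Separately, `"api.ooni.org"` is the only entry without a trailing comma; HCL accepts both forms, but matching the other two entries keeps the block uniform. The `module "ooniapi_frontend"` block starts before this hunk and continues after it.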
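Review bot: The `domain_name` attribute added to each `for_each` value in the `@@ -40,9 +40,10 @@` hunk duplicates the map key, which is already `dvo.domain_name`, so `each.key` carries exactly the same value and the extra field is redundant; the lookup in the following hunk (`@@ -51,7 +52,7 @@`) could read `zone_id = lookup(var.alternative_domains, each.key, var.main_domain_name_zone_id)` and the three-line value object could stay as it was. Carrying the name in two places invites drift if the key expression is ever changed. The fallback deserves a short comment on the `zone_id` line as well, because it is now the only path that is not driven by `var.alternative_domains`: with `subject_alternative_names = keys(var.alternative_domains)` every SAN has an explicit zone, and only the certificate's primary domain reaches the default, e.g. `# every SAN resolves to the zone given in var.alternative_domains; only the primary domain falls back to the main zone`. A validation record placed in the wrong zone is never seen by ACM and the certificate sits in pending validation, so making that invariant explicit is worth the line. The `aws_route53_record "cert_validation"` resource continues past this hunk.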
@@ -51,7 +52,7 @@ resource "aws_route53_record" "cert_validation" {
   records = [each.value.record]
   ttl = 60
   type = each.value.type
-  zone_id = var.main_domain_name_zone_id
+  zone_id = lookup(var.alternative_domains, each.value.domain_name, var.main_domain_name_zone_id)
 }

 resource "aws_acm_certificate_validation" "this" {