Description
DNS validation always fails when trying to do something like this (see below).
It doesn't create all the required DNS validations. The Terraform plan looks good, but it never ends up creating all the validating records.
```hcl
module "siteone_acm" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> 5.0.0"

  providers = {
    aws = aws.internal
  }

  domain_name = "siteone.com"
  subject_alternative_names = [
    "*.foo.siteone.com",
    "*.bar.siteone.com",
    "*.foo.sitetwo.com",
    "*.bar.sitetwo.com",
    "*.foo.sitethree.com",
    "*.bar.sitethree.com",
  ]
  tags = merge({ Name = "siteone.com" }, module.tags.map)

  validation_method      = "DNS"
  create_route53_records = false
  acm_certificate_domain_validation_options = concat(
    module.route53_records_siteone.validation_route53_record_fqdns,
    module.route53_records_sitetwo.validation_route53_record_fqdns,
    module.route53_records_sitethree.validation_route53_record_fqdns
  )
}

module "route53_records_siteone" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> 4.0"

  providers = {
    aws = aws.internal
  }

  create_certificate          = false
  create_route53_records_only = true

  validation_method = "DNS"

  distinct_domain_names = [for x in module.siteone_acm.distinct_domain_names : x if endswith(x, "siteone.com")]
  zone_id               = data.aws_route53_zone.amer.zone_id

  acm_certificate_domain_validation_options = module.siteone_acm.acm_certificate_domain_validation_options
}

module "route53_records_sitetwo" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> 4.0"

  providers = {
    aws = aws.external
  }

  create_certificate          = false
  create_route53_records_only = true

  validation_method = "DNS"

  distinct_domain_names = [for x in module.siteone_acm.distinct_domain_names : x if endswith(x, "sitetwo.com")]
  zone_id               = data.aws_route53_zone.sitetwo.zone_id

  acm_certificate_domain_validation_options = module.siteone_acm.acm_certificate_domain_validation_options
}

module "route53_records_sitethree" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> 4.0"

  providers = {
    aws = aws.external
  }

  create_certificate          = false
  create_route53_records_only = true

  validation_method = "DNS"

  distinct_domain_names = [for x in module.siteone_acm.distinct_domain_names : x if endswith(x, "sitethree.com")]
  zone_id               = data.aws_route53_zone.sitethree.zone_id

  acm_certificate_domain_validation_options = module.siteone_acm.acm_certificate_domain_validation_options
}
```
I think part of the issue is the way the records are iterated:

```
module.route53_records_siteone.aws_route53_record.validation[73]
```

They are using a `count` instead of a `for_each` for the domain, so when the ordering changes it tries to verify a siteone record in a zone for sitetwo.
If there is a better way to do this, please let me know.
Versions

Terraform v1.5.5
on darwin_arm64
- provider registry.terraform.io/hashicorp/aws v6.2.0

Module version [Required]: 4.0.0 & 5.0.0
I copied some stuff from the README. I realize I should try again with version 6.0.0.

Reproduction Code [Required]

See the above example.
Steps to reproduce the behavior:
Try to create a cert with multiple domains via DNS in other accounts.
Expected behavior
A certificate is created and the DNS validations are created correctly
Actual behavior
Not all validating DNS records are created; they look to be created under the wrong zone.
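An added illustration of the point the reporter raises, written in Python so it can be run offline; it is not code from the issue, and not the terraform-aws-modules/acm module's own logic. It models the two ways a validation record can be tied to a hosted zone: positionally (the `count` shape, where record `i` belongs to zone slot `i`) and keyed by domain name (the `for_each` shape). When the certificate's `domain_validation_options` come back in a different order, the positional mapping places records in zones that are not authoritative for them, while the keyed mapping is unaffected. It also shows that a bare `endswith` test is a loose zone match (`notsiteone.com` ends with `siteone.com`) and reports any option that no available zone can serve, which would otherwise leave the certificate pending silently. All zone ids, record names and values are constructed sample data.

```python
"""Added example (not from the issue or the terraform-aws-modules/acm module):
assign ACM DNS validation options to hosted zones by domain name rather than by
list position, and check that every record lands in an authoritative zone."""

from collections import defaultdict

# Constructed sample in the shape of aws_acm_certificate.domain_validation_options.
VALIDATION_OPTIONS = [
    {"domain_name": "siteone.com",
     "resource_record_name": "_aaa.siteone.com.",
     "resource_record_type": "CNAME",
     "resource_record_value": "_111.acm-validations.aws."},
    {"domain_name": "*.foo.siteone.com",
     "resource_record_name": "_bbb.foo.siteone.com.",
     "resource_record_type": "CNAME",
     "resource_record_value": "_222.acm-validations.aws."},
    {"domain_name": "*.bar.sitetwo.com",
     "resource_record_name": "_ccc.bar.sitetwo.com.",
     "resource_record_type": "CNAME",
     "resource_record_value": "_333.acm-validations.aws."},
    {"domain_name": "*.foo.sitethree.com",
     "resource_record_name": "_ddd.foo.sitethree.com.",
     "resource_record_type": "CNAME",
     "resource_record_value": "_444.acm-validations.aws."},
]

# Constructed sample: hosted zone name -> zone id (each zone may live in another account).
ZONES = {"siteone.com": "Z-ONE", "sitetwo.com": "Z-TWO", "sitethree.com": "Z-THREE"}


def in_zone(name, zone):
    """True if `name` is the zone apex or a label under it.
    Unlike a plain endswith() check, 'notsiteone.com' does not match zone 'siteone.com'."""
    name = name.rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == zone or name.endswith("." + zone)


def zone_for(domain, zones):
    """Most specific zone authoritative for `domain`, or None if there is none."""
    candidates = [z for z in zones if in_zone(domain, z)]
    return max(candidates, key=len) if candidates else None


def records_by_zone(options, zones):
    """for_each shape: {zone_id: {domain_name: record}}.
    A record's identity is its domain name, so reordering `options` cannot move it.
    Returns the map plus the domains that no zone can serve (would stay pending)."""
    out = defaultdict(dict)
    unplaced = []
    for dvo in options:
        zone = zone_for(dvo["domain_name"], zones)
        if zone is None:
            unplaced.append(dvo["domain_name"])
            continue
        out[zones[zone]][dvo["domain_name"]] = {
            "name": dvo["resource_record_name"],
            "type": dvo["resource_record_type"],
            "records": [dvo["resource_record_value"]],
        }
    return dict(out), unplaced


def positional_zones(options, zones):
    """count shape: one zone id per list index, fixed at the time it was computed."""
    return [zones[zone_for(dvo["domain_name"], zones)] for dvo in options]


def records_by_index(options, zone_ids):
    """count shape: record i is paired with zone_ids[i], correct only while the
    option order has not changed since zone_ids was computed."""
    return [(zone_ids[i], dvo["domain_name"]) for i, dvo in enumerate(options)]


def misplaced(pairs, zones):
    """Domains paired with a zone that is not authoritative for them."""
    id_to_name = {zid: name for name, zid in zones.items()}
    return [domain for zid, domain in pairs if not in_zone(domain, id_to_name[zid])]


if __name__ == "__main__":
    keyed, pending = records_by_zone(VALIDATION_OPTIONS, ZONES)
    for zid, recs in sorted(keyed.items()):
        print(zid, sorted(recs))
    print("no zone for:", pending)

    # Positional plan computed against the original order, then reapplied after
    # the options come back reordered: every record now targets the wrong zone.
    planned = positional_zones(VALIDATION_OPTIONS, ZONES)
    reordered = list(reversed(VALIDATION_OPTIONS))
    print("misplaced by index:", misplaced(records_by_index(reordered, planned), ZONES))
    print("misplaced by key:", misplaced(
        [(zid, d) for zid, recs in records_by_zone(reordered, ZONES)[0].items() for d in recs], ZONES))
```

The `in_zone` check is the one worth carrying into the real configuration: an `endswith(x, "siteone.com")` filter also accepts domains such as `notsiteone.com`, so matching on the label boundary (`x == zone` or `x` ends with `"." + zone`) is the safer filter when the same certificate spans zones in several accounts.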