From 627b0eb3f04bdb57efdf87a9dbc63dff4876f254 Mon Sep 17 00:00:00 2001 From: "Jeremy T. Bouse" Date: Thu, 4 Feb 2021 22:53:45 -0500 Subject: [PATCH 1/4] WIP: Multiple HostedZone support * Lookup hosted zone_id of distinct_domains * Ignore wildcard validation records --- main.tf | 18 ++++++++++++++---- outputs.tf | 5 +++++ 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index e21241f..de837b5 100644 --- a/main.tf +++ b/main.tf @@ -1,9 +1,19 @@ locals { # Get distinct list of domains and SANs - distinct_domain_names = distinct(concat([var.domain_name], [for s in var.subject_alternative_names : replace(s, "*.", "")])) + distinct_domain_names = distinct(concat([replace(var.domain_name, "*.", "")], [for s in var.subject_alternative_names : replace(s, "*.", "")])) # Copy domain_validation_options for the distinct domain names - validation_domains = var.create_certificate ? [for k, v in aws_acm_certificate.this[0].domain_validation_options : tomap(v) if contains(local.distinct_domain_names, replace(v.domain_name, "*.", ""))] : [] + validation_domains = var.create_certificate ? [for k, v in aws_acm_certificate.this[0].domain_validation_options : tomap(v) if contains(local.distinct_domain_names, replace(v.domain_name, "\\*\\.", ""))] : [] + + host_to_zone_regex = "/^(?:.*\\.)?([^.]+\\.[^.]+)$/" + zone_id_map = zipmap(local.distinct_domain_names, data.aws_route53_zone.this.*.zone_id) +} + +data "aws_route53_zone" "this" { + count = length(local.distinct_domain_names) + + name = replace(local.distinct_domain_names[count.index], local.host_to_zone_regex, "$1") + private_zone = false } resource "aws_acm_certificate" "this" { 
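Review bot: host_to_zone_regex chooses the hosted zone that receives each validation CNAME by keeping only the last two labels of the name, so `app.example.co.uk` is looked up as `co.uk` (the data source then fails because no public zone of that name exists in the account) and a name that lives in a delegated child zone such as `dev.example.com` is looked up as `example.com`, in which case the record is written into a zone that is not authoritative for the name and ACM validation never completes, with nothing in the plan to show why; the data source is also matched on `name` alone and errors if the account holds more than one public zone of that name. Because the lookup is by name, I would let callers pin zones explicitly and keep the regex only as a fallback, e.g. `zone_id_map = merge(zipmap(local.distinct_domain_names, data.aws_route53_zone.this.*.zone_id), var.zone_ids)` with `var.zone_ids` a new `map(string)` defaulting to `{}`, and put above the regex `# Assumes the hosted zone is the two-label registrable domain (example.com); multi-label public suffixes (co.uk) and delegated child zones need an explicit zone_ids entry.` The new `validation_domains` filter compares against `"\\*\\."`, which is not slash-delimited and so is a literal substring for Terraform's replace() that never matches, meaning every wildcard option is dropped; that looks intended ("Ignore wildcard validation records") but should be stated in a comment rather than left to a pattern that works by not matching. The trailing context of this hunk (the start of the certificate resource body) appears cut off in this rendering.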
@@ -25,9 +35,9 @@ resource "aws_acm_certificate" "this" { } resource "aws_route53_record" "validation" { - count = var.create_certificate && var.validation_method == "DNS" && var.validate_certificate ? length(local.distinct_domain_names) + 1 : 0 + count = var.create_certificate && var.validation_method == "DNS" && var.validate_certificate ? length(local.distinct_domain_names) : 0 - zone_id = var.zone_id + zone_id = lookup(local.zone_id_map, element(local.validation_domains, count.index)["domain_name"], var.zone_id) name = element(local.validation_domains, count.index)["resource_record_name"] type = element(local.validation_domains, count.index)["resource_record_type"] ttl = var.dns_ttl diff --git a/outputs.tf b/outputs.tf index 192f516..8092cf2 100644 --- a/outputs.tf +++ b/outputs.tf @@ -27,3 +27,8 @@ output "validation_domains" { description = "List of distinct domain validation options. This is useful if subject alternative names contain wildcards." value = local.validation_domains } + +output "zone_id_map" { + description = "List of distinct domains to hosted zone id." + value = local.zone_id_map +} \ No newline at end of file From 2a2a134025d5c154a6c0a7b9b402e307fde32414 Mon Sep 17 00:00:00 2001 From: "Jeremy T. Bouse" Date: Thu, 4 Feb 2021 23:13:28 -0500 Subject: [PATCH 2/4] WIP: Add checks for validate_certificate --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index de837b5..68a31fa 100644 --- a/main.tf +++ b/main.tf 
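Review bot: The record count stays at `length(local.distinct_domain_names)` while `local.validation_domains` now drops every wildcard option, so a certificate whose only name is `*.example.com` gives distinct_domain_names = ["example.com"] but an empty validation_domains, and `element(local.validation_domains, count.index)` fails at apply on the empty list. The two lists only line up when the bare apex is also on the certificate, which the commit neither requires nor documents. Assuming, as the commit does, that ACM issues one validation record for a `*.example.com`/`example.com` pair, I would normalise the option instead of discarding it, so the pair collapses to one entry and a wildcard-only certificate still yields one record: `validation_domains = var.create_certificate ? distinct([for v in aws_acm_certificate.this[0].domain_validation_options : merge(tomap(v), { domain_name = replace(v.domain_name, "*.", "") }) if contains(local.distinct_domain_names, replace(v.domain_name, "*.", ""))]) : []`. With domain_name normalised, the `lookup()` against zone_id_map hits on every entry and the `var.zone_id` fallback is left for a genuine miss rather than silently catching the wildcard case.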
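Review bot: The new output's description says "List of distinct domains to hosted zone id." but the value is a map keyed by domain name, so `description = "Map of distinct domain name to the hosted zone ID used for its validation record."` would match what callers actually get. The hunk also leaves outputs.tf without a trailing newline, which the previous version had.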
@@ -6,11 +6,11 @@ locals { validation_domains = var.create_certificate ? [for k, v in aws_acm_certificate.this[0].domain_validation_options : tomap(v) if contains(local.distinct_domain_names, replace(v.domain_name, "\\*\\.", ""))] : [] host_to_zone_regex = "/^(?:.*\\.)?([^.]+\\.[^.]+)$/" - zone_id_map = zipmap(local.distinct_domain_names, data.aws_route53_zone.this.*.zone_id) + zone_id_map = var.validate_certificate ? zipmap(local.distinct_domain_names, data.aws_route53_zone.this.*.zone_id) : {} } data "aws_route53_zone" "this" { - count = length(local.distinct_domain_names) + count = var.create_certificate && var.validation_method == "DNS" && var.validate_certificate ? length(local.distinct_domain_names) : 0 name = replace(local.distinct_domain_names[count.index], local.host_to_zone_regex, "$1") private_zone = false From a782f6cef9f0e792f31d61f55cb0bd50ae4ab5a4 Mon Sep 17 00:00:00 2001 From: "Jeremy T. Bouse" Date: Thu, 4 Feb 2021 23:29:57 -0500 Subject: [PATCH 3/4] WIP: backwards compatibility --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 68a31fa..886465d 100644 --- a/main.tf +++ b/main.tf @@ -6,10 +6,10 @@ locals { validation_domains = var.create_certificate ? [for k, v in aws_acm_certificate.this[0].domain_validation_options : tomap(v) if contains(local.distinct_domain_names, replace(v.domain_name, "\\*\\.", ""))] : [] host_to_zone_regex = "/^(?:.*\\.)?([^.]+\\.[^.]+)$/" - zone_id_map = var.validate_certificate ? zipmap(local.distinct_domain_names, data.aws_route53_zone.this.*.zone_id) : {} + zone_id_map = var.validate_certificate ? zipmap(local.distinct_domain_names, data.aws_route53_zone.parent.*.zone_id) : {} } -data "aws_route53_zone" "this" { +data "aws_route53_zone" "parent" { count = var.create_certificate && var.validation_method == "DNS" && var.validate_certificate ? length(local.distinct_domain_names) : 0 name = replace(local.distinct_domain_names[count.index], local.host_to_zone_regex, "$1") 
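Review bot: zone_id_map is gated only on `var.validate_certificate`, but the data source it zips is gated on `var.create_certificate && var.validation_method == "DNS" && var.validate_certificate`, so with validate_certificate true and either create_certificate false or an EMAIL validation method the data source has count 0 and `zipmap()` is handed N keys and zero values, which Terraform rejects. Gate both on one expression, e.g. hoist it into `dns_validation = var.create_certificate && var.validation_method == "DNS" && var.validate_certificate` in locals and use `local.dns_validation` for zone_id_map, the data source count and the aws_route53_record count. The rename to `parent` in the following patch carries the same mismatch forward.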
From 0448ff70615c52fcb7cf3bf88c394eb41ec33bc6 Mon Sep 17 00:00:00 2001 From: "Jeremy T. Bouse" Date: Tue, 9 Feb 2021 09:44:23 -0500 Subject: [PATCH 4/4] Upgrade aws provider version --- versions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions.tf b/versions.tf index 06ac0c1..9b878f6 100644 --- a/versions.tf +++ b/versions.tf @@ -2,6 +2,6 @@ terraform { required_version = ">= 0.12.6" required_providers { - aws = ">= 2.53" + aws = ">= 3.0" } }