fix: alter CDN module to create public record rather than private #308

Merged
merged 4 commits into from
Sep 6, 2024

@barkerl barkerl commented Sep 5, 2024

Description

Currently the CDN service module creates a private Route53 record, which is causing some issues with the VOL app.

Related issue: VOL-5755

Before submitting (or marking as "ready for review")

  • Does the pull request title follow the conventional commit specification?
  • Have you performed a self-review of the code?
  • Have you added tests that prove the fix or feature is effective and working?
  • Did you make sure to update any documentation relating to this change?

@barkerl barkerl requested a review from a team as a code owner September 5, 2024 15:15

github-actions bot commented Sep 5, 2024

Terraform plan for environment: int

Commit: 7356525

API version: 2791b9c
CLI version: 2791b9c
Selfserve version: 20df1db
Internal version: 20df1db

Plan summary

4 to add, 1 to change, 1 to destroy

🆕 Creates

module.service.module.acm.aws_acm_certificate.this[0]
module.service.module.acm.aws_acm_certificate_validation.this[0]
module.service.module.records.aws_route53_record.this["int-cdn A"]
module.service.module.route53_records.aws_route53_record.validation[0]

🗑️ Deletes

module.service.module.records.aws_route53_record.this["cdn A"]

🔄 Updates

module.service.module.cloudfront.aws_cloudfront_distribution.this[0]

Show full plan
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy
+/- create replacement and then destroy

Terraform will perform the following actions:

  # module.service.module.acm.aws_acm_certificate.this[0] must be replaced
+/- resource "aws_acm_certificate" "this" {
      ~ arn                       = "arn:aws:acm:us-east-1:054614622558:certificate/099135b7-9801-4bc5-be75-e44ba35acb89" -> (known after apply)
      ~ domain_name               = "cdn.qa.olcs.dev-dvsacloud.uk" -> "int-cdn.dev-dvsacloud.uk" # forces replacement
      ~ domain_validation_options = [
          - {
              - domain_name           = "cdn.qa.olcs.dev-dvsacloud.uk"
              - resource_record_name  = "_62b2b0011199059d98266e7f730f9bf6.cdn.qa.olcs.dev-dvsacloud.uk."
              - resource_record_type  = "CNAME"
              - resource_record_value = "_71a60b0d1781bd2c65e1a261d9dac565.sdgjtdhdhz.acm-validations.aws."
            },
          + {
              + domain_name           = "int-cdn.dev-dvsacloud.uk"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
        ]
      ~ id                        = "arn:aws:acm:us-east-1:054614622558:certificate/099135b7-9801-4bc5-be75-e44ba35acb89" -> (known after apply)
      ~ key_algorithm             = "RSA_2048" -> (known after apply)
      ~ not_after                 = "2025-09-03T23:59:59Z" -> (known after apply)
      ~ not_before                = "2024-08-05T00:00:00Z" -> (known after apply)
      ~ pending_renewal           = false -> (known after apply)
      ~ renewal_eligibility       = "ELIGIBLE" -> (known after apply)
      ~ renewal_summary           = [] -> (known after apply)
      ~ status                    = "ISSUED" -> (known after apply)
      ~ subject_alternative_names = [ # forces replacement
          - "cdn.qa.olcs.dev-dvsacloud.uk",
          + "int-cdn.dev-dvsacloud.uk",
        ]
      - tags                      = {} -> null
      ~ tags_all                  = {} -> (known after apply)
      ~ type                      = "AMAZON_ISSUED" -> (known after apply)
      ~ validation_emails         = [] -> (known after apply)
        # (3 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.service.module.acm.aws_acm_certificate_validation.this[0] must be replaced
+/- resource "aws_acm_certificate_validation" "this" {
      ~ certificate_arn         = "arn:aws:acm:us-east-1:054614622558:certificate/099135b7-9801-4bc5-be75-e44ba35acb89" # forces replacement -> (known after apply) # forces replacement
      ~ id                      = "2024-08-05 16:24:29.759 +0000 UTC" -> (known after apply)
      ~ validation_record_fqdns = [ # forces replacement
          - "_62b2b0011199059d98266e7f730f9bf6.cdn.qa.olcs.dev-dvsacloud.uk",
        ] -> (known after apply) # forces replacement

        # (1 unchanged block hidden)
    }

  # module.service.module.cloudfront.aws_cloudfront_distribution.this[0] will be updated in-place
  ~ resource "aws_cloudfront_distribution" "this" {
      ~ aliases                         = [
          - "cdn.qa.olcs.dev-dvsacloud.uk",
          + "int-cdn.dev-dvsacloud.uk",
        ]
        id                              = "E1GZYPKGUFNMP4"
        tags                            = {}
        # (21 unchanged attributes hidden)

      ~ viewer_certificate {
          ~ acm_certificate_arn            = "arn:aws:acm:us-east-1:054614622558:certificate/099135b7-9801-4bc5-be75-e44ba35acb89" -> (known after apply)
            # (4 unchanged attributes hidden)
        }

        # (5 unchanged blocks hidden)
    }

  # module.service.module.records.aws_route53_record.this["cdn A"] will be destroyed
  # (because key ["cdn A"] is not in for_each map)
  - resource "aws_route53_record" "this" {
      - allow_overwrite                  = false -> null
      - fqdn                             = "cdn.qa.olcs.dev-dvsacloud.uk" -> null
      - id                               = "Z0166940UDRFAPSBXLNO_cdn.qa.olcs.dev-dvsacloud.uk_A" -> null
      - multivalue_answer_routing_policy = false -> null
      - name                             = "cdn.qa.olcs.dev-dvsacloud.uk" -> null
      - records                          = [] -> null
      - ttl                              = 0 -> null
      - type                             = "A" -> null
      - zone_id                          = "Z0166940UDRFAPSBXLNO" -> null
        # (2 unchanged attributes hidden)

      - alias {
          - evaluate_target_health = false -> null
          - name                   = "d36shynblr0xo9.cloudfront.net" -> null
          - zone_id                = "Z2FDTNDATAQYW2" -> null
        }
    }

  # module.service.module.records.aws_route53_record.this["int-cdn A"] will be created
  + resource "aws_route53_record" "this" {
      + allow_overwrite = false
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = "int-cdn.dev-dvsacloud.uk"
      + type            = "A"
      + zone_id         = "Z2SWYZKLX99WDO"

      + alias {
          + evaluate_target_health = false
          + name                   = "d36shynblr0xo9.cloudfront.net"
          + zone_id                = "Z2FDTNDATAQYW2"
        }
    }

  # module.service.module.route53_records.aws_route53_record.validation[0] must be replaced
+/- resource "aws_route53_record" "validation" {
      ~ fqdn                             = "_62b2b0011199059d98266e7f730f9bf6.cdn.qa.olcs.dev-dvsacloud.uk" -> (known after apply)
      ~ id                               = "Z045942513LY7A2KL1LQR__62b2b0011199059d98266e7f730f9bf6.cdn.qa.olcs.dev-dvsacloud.uk._CNAME" -> (known after apply)
      - multivalue_answer_routing_policy = false -> null
      ~ name                             = "_62b2b0011199059d98266e7f730f9bf6.cdn.qa.olcs.dev-dvsacloud.uk" # forces replacement -> (known after apply) # forces replacement
      ~ records                          = [
          - "_71a60b0d1781bd2c65e1a261d9dac565.sdgjtdhdhz.acm-validations.aws.",
        ] -> (known after apply)
      ~ type                             = "CNAME" -> (known after apply)
      ~ zone_id                          = "Z045942513LY7A2KL1LQR" # forces replacement -> (known after apply) # forces replacement
        # (4 unchanged attributes hidden)
    }

Plan: 4 to add, 1 to change, 4 to destroy.


github-actions bot commented Sep 5, 2024

Terraform plan for environment: dev

Commit: 7356525

API version: 2791b9c
CLI version: 2791b9c
Selfserve version: 20df1db
Internal version: 20df1db

Plan summary

4 to add, 1 to change, 1 to destroy

🆕 Creates

module.service.module.acm.aws_acm_certificate.this[0]
module.service.module.acm.aws_acm_certificate_validation.this[0]
module.service.module.records.aws_route53_record.this["dev-cdn A"]
module.service.module.route53_records.aws_route53_record.validation[0]

🗑️ Deletes

module.service.module.records.aws_route53_record.this["cdn A"]

🔄 Updates

module.service.module.cloudfront.aws_cloudfront_distribution.this[0]

Show full plan
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy
+/- create replacement and then destroy

Terraform will perform the following actions:

  # module.service.module.acm.aws_acm_certificate.this[0] must be replaced
+/- resource "aws_acm_certificate" "this" {
      ~ arn                       = "arn:aws:acm:us-east-1:054614622558:certificate/048d342e-5c72-41c7-b3c4-0bf330cfe440" -> (known after apply)
      ~ domain_name               = "cdn.dev.olcs.dev-dvsacloud.uk" -> "dev-cdn.dev-dvsacloud.uk" # forces replacement
      ~ domain_validation_options = [
          - {
              - domain_name           = "cdn.dev.olcs.dev-dvsacloud.uk"
              - resource_record_name  = "_0d3055aa026ee1f6286634291294568d.cdn.dev.olcs.dev-dvsacloud.uk."
              - resource_record_type  = "CNAME"
              - resource_record_value = "_6d18f06c971bcc44b0fac38ca6874d7a.mhbtsbpdnt.acm-validations.aws."
            },
          + {
              + domain_name           = "dev-cdn.dev-dvsacloud.uk"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
        ]
      ~ id                        = "arn:aws:acm:us-east-1:054614622558:certificate/048d342e-5c72-41c7-b3c4-0bf330cfe440" -> (known after apply)
      ~ key_algorithm             = "RSA_2048" -> (known after apply)
      ~ not_after                 = "2025-05-23T23:59:59Z" -> (known after apply)
      ~ not_before                = "2024-04-24T00:00:00Z" -> (known after apply)
      ~ pending_renewal           = false -> (known after apply)
      ~ renewal_eligibility       = "ELIGIBLE" -> (known after apply)
      ~ renewal_summary           = [] -> (known after apply)
      ~ status                    = "ISSUED" -> (known after apply)
      ~ subject_alternative_names = [ # forces replacement
          - "cdn.dev.olcs.dev-dvsacloud.uk",
          + "dev-cdn.dev-dvsacloud.uk",
        ]
      - tags                      = {} -> null
      ~ tags_all                  = {} -> (known after apply)
      ~ type                      = "AMAZON_ISSUED" -> (known after apply)
      ~ validation_emails         = [] -> (known after apply)
        # (3 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.service.module.acm.aws_acm_certificate_validation.this[0] must be replaced
+/- resource "aws_acm_certificate_validation" "this" {
      ~ certificate_arn         = "arn:aws:acm:us-east-1:054614622558:certificate/048d342e-5c72-41c7-b3c4-0bf330cfe440" # forces replacement -> (known after apply) # forces replacement
      ~ id                      = "2024-04-24 12:29:12.671 +0000 UTC" -> (known after apply)
      ~ validation_record_fqdns = [ # forces replacement
          - "_0d3055aa026ee1f6286634291294568d.cdn.dev.olcs.dev-dvsacloud.uk",
        ] -> (known after apply) # forces replacement

        # (1 unchanged block hidden)
    }

  # module.service.module.cloudfront.aws_cloudfront_distribution.this[0] will be updated in-place
  ~ resource "aws_cloudfront_distribution" "this" {
      ~ aliases                         = [
          - "cdn.dev.olcs.dev-dvsacloud.uk",
          + "dev-cdn.dev-dvsacloud.uk",
        ]
        id                              = "E3R9S2AKJG4ZTR"
        tags                            = {}
        # (21 unchanged attributes hidden)

      ~ viewer_certificate {
          ~ acm_certificate_arn            = "arn:aws:acm:us-east-1:054614622558:certificate/048d342e-5c72-41c7-b3c4-0bf330cfe440" -> (known after apply)
            # (4 unchanged attributes hidden)
        }

        # (5 unchanged blocks hidden)
    }

  # module.service.module.records.aws_route53_record.this["cdn A"] will be destroyed
  # (because key ["cdn A"] is not in for_each map)
  - resource "aws_route53_record" "this" {
      - allow_overwrite                  = false -> null
      - fqdn                             = "cdn.dev.olcs.dev-dvsacloud.uk" -> null
      - id                               = "Z06327482M90P8E4J6Z9P_cdn.dev.olcs.dev-dvsacloud.uk_A" -> null
      - multivalue_answer_routing_policy = false -> null
      - name                             = "cdn.dev.olcs.dev-dvsacloud.uk" -> null
      - records                          = [] -> null
      - ttl                              = 0 -> null
      - type                             = "A" -> null
      - zone_id                          = "Z06327482M90P8E4J6Z9P" -> null
        # (2 unchanged attributes hidden)

      - alias {
          - evaluate_target_health = false -> null
          - name                   = "d23zgifomtl7hu.cloudfront.net" -> null
          - zone_id                = "Z2FDTNDATAQYW2" -> null
        }
    }

  # module.service.module.records.aws_route53_record.this["dev-cdn A"] will be created
  + resource "aws_route53_record" "this" {
      + allow_overwrite = false
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = "dev-cdn.dev-dvsacloud.uk"
      + type            = "A"
      + zone_id         = "Z2SWYZKLX99WDO"

      + alias {
          + evaluate_target_health = false
          + name                   = "d23zgifomtl7hu.cloudfront.net"
          + zone_id                = "Z2FDTNDATAQYW2"
        }
    }

  # module.service.module.route53_records.aws_route53_record.validation[0] must be replaced
+/- resource "aws_route53_record" "validation" {
      ~ fqdn                             = "_0d3055aa026ee1f6286634291294568d.cdn.dev.olcs.dev-dvsacloud.uk" -> (known after apply)
      ~ id                               = "Z086652433MVY3YKRJJ6T__0d3055aa026ee1f6286634291294568d.cdn.dev.olcs.dev-dvsacloud.uk._CNAME" -> (known after apply)
      - multivalue_answer_routing_policy = false -> null
      ~ name                             = "_0d3055aa026ee1f6286634291294568d.cdn.dev.olcs.dev-dvsacloud.uk" # forces replacement -> (known after apply) # forces replacement
      ~ records                          = [
          - "_6d18f06c971bcc44b0fac38ca6874d7a.mhbtsbpdnt.acm-validations.aws.",
        ] -> (known after apply)
      ~ type                             = "CNAME" -> (known after apply)
      ~ zone_id                          = "Z086652433MVY3YKRJJ6T" # forces replacement -> (known after apply) # forces replacement
        # (4 unchanged attributes hidden)
    }

Plan: 4 to add, 1 to change, 4 to destroy.

@barkerl barkerl merged commit ab6895b into main Sep 6, 2024
19 checks passed
@barkerl barkerl deleted the VOL5614_fix_CDN_r53 branch September 6, 2024 14:40
3 participants