Supports creating cert when SAN is outside the zone of zone_id

plus3it · Sep 25, 2024 · 7c4c378 · 7c4c378
1 parent 873f4b1
commit 7c4c378
Show file tree

Hide file tree

Showing 7 changed files with 76 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -29,13 +29,15 @@ AWS_PROFILE=xxx make terraform/pytest PYTEST_ARGS="-v --nomock"
 
 | Name | Type |
 |------|------|
+| [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | Domain name to use for the ACM certificate | `string` | n/a | yes |
 | <a name="input_certificate_transparency_logging_preference"></a> [certificate\_transparency\_logging\_preference](#input\_certificate\_transparency\_logging\_preference) | Value to apply to the certificate transparency logging preference for the ACM certificate | `string` | `"ENABLED"` | no |
+| <a name="input_create_certificate_validation"></a> [create\_certificate\_validation](#input\_create\_certificate\_validation) | Boolean controlling whether to create the ACM certificate validation resource | `bool` | `true` | no |
 | <a name="input_subject_alternative_names"></a> [subject\_alternative\_names](#input\_subject\_alternative\_names) | Subject alternative names to associate with the ACM certificate | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Map of tags to apply to all resources that support tags | `map(string)` | `{}` | no |
 | <a name="input_ttl"></a> [ttl](#input\_ttl) | Time-to-live for the DNS validation records | `number` | `300` | no |

diff --git a/main.tf b/main.tf
@@ -19,7 +19,10 @@ resource "aws_acm_certificate" "this" {
 }
 
 resource "aws_route53_record" "this" {
-  for_each = { for record in local.validation_records : record => local.domain_validation_options[record] }
+  for_each = {
+    for record in local.validation_records : record => local.domain_validation_options[record]
+    if endswith(record, data.aws_route53_zone.this.name)
+  }
 
   allow_overwrite = true
   name            = each.value.resource_record_name
@@ -33,6 +36,8 @@ resource "aws_route53_record" "this" {
 }
 
 resource "aws_acm_certificate_validation" "this" {
+  count = var.create_certificate_validation ? 1 : 0
+
   certificate_arn         = aws_acm_certificate.this.arn
   validation_record_fqdns = [for record in aws_route53_record.this : record.fqdn]
 }
@@ -53,3 +58,7 @@ locals {
     for option in aws_acm_certificate.this.domain_validation_options : option.domain_name => option
   }
 }
+
+data "aws_route53_zone" "this" {
+  zone_id = var.zone_id
+}
diff --git a/migrations.tf b/migrations.tf
@@ -0,0 +1,4 @@
+moved {
+  from = aws_acm_certificate_validation.this
+  to   = aws_acm_certificate_validation.this[0]
+}
diff --git a/tests/create_certificate/prereq/main.tf b/tests/create_certificate/prereq/main.tf
@@ -2,7 +2,7 @@ resource "random_string" "this" {
   length  = 6
   upper   = false
   special = false
-  number  = false
+  numeric = false
 }
 
 output "random_string" {

diff --git a/tests/no_validation/main.tf b/tests/no_validation/main.tf
@@ -0,0 +1,42 @@
+module "create_certificate" {
+  source = "../../"
+
+  zone_id     = data.aws_route53_zone.this.zone_id
+  domain_name = local.domain_name
+
+  # Disable certificate validation due to the SAN "biz.cloudarmor.io", where the
+  # zone is not the same as the zone of the zone_id, "tardigrade.cloudarmor.io"
+  create_certificate_validation = false
+
+  subject_alternative_names = [
+    "*.${local.domain_name}",
+    "foo.${local.domain_name}",
+    "bar.${local.domain_name}",
+    "baz.${local.domain_name}",
+    "biz.cloudarmor.io",
+  ]
+}
+
+locals {
+  test_id = data.terraform_remote_state.prereq.outputs.random_string.result
+
+  domain_name = "${local.test_id}.test.${local.zone_name}"
+  zone_name   = "tardigrade.cloudarmor.io"
+}
+
+data "terraform_remote_state" "prereq" {
+  backend = "local"
+  config = {
+    path = "prereq/terraform.tfstate"
+  }
+}
+
+data "aws_route53_zone" "this" {
+  name         = local.zone_name
+  private_zone = false
+}
+
+output "create_certificate" {
+  value     = module.create_certificate
+  sensitive = true
+}
diff --git a/tests/no_validation/prereq/main.tf b/tests/no_validation/prereq/main.tf
@@ -0,0 +1,10 @@
+resource "random_string" "this" {
+  length  = 6
+  upper   = false
+  special = false
+  numeric = false
+}
+
+output "random_string" {
+  value = random_string.this
+}
diff --git a/variables.tf b/variables.tf
@@ -4,6 +4,13 @@ variable "certificate_transparency_logging_preference" {
   default     = "ENABLED"
 }
 
+variable "create_certificate_validation" {
+  description = "Boolean controlling whether to create the ACM certificate validation resource"
+  type        = bool
+  nullable    = false
+  default     = true
+}
+
 variable "domain_name" {
   description = "Domain name to use for the ACM certificate"
   type        = string