diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index 63b3026..4841ee5 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
[bumpversion]
-current_version = 1.0.2
+current_version = 1.1.0
commit = True
message = Bumps version to {new_version}
tag = False
diff --git a/CHANGELOG.md b/CHANGELOG.md
index af2c92b..5316622 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,17 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
+### [1.1.0](https://github.com/plus3it/terraform-aws-tardigrade-ec2-account/releases/tag/1.1.0)
+
+**Released**: 2024.09.25
+
+**Summary**:
+
+* Adds the input `create_certificate_validition` to control whether the ACM certificate
+ will be validated at creation time
+* Avoids creating DNS records where the zone is not the same as the zone of the
+ `zone_id` input
+
### 1.0.2
**Commit Delta**: [Change from 1.0.1 release](https://github.com/plus3it/terraform-aws-tardigrade-acm/compare/1.0.1...1.0.2)
diff --git a/README.md b/README.md
index 847c9bd..37d5f0c 100644
--- a/README.md
+++ b/README.md
@@ -29,6 +29,7 @@ AWS_PROFILE=xxx make terraform/pytest PYTEST_ARGS="-v --nomock"
| Name | Type |
|------|------|
+| [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
## Inputs
@@ -36,6 +37,7 @@ AWS_PROFILE=xxx make terraform/pytest PYTEST_ARGS="-v --nomock"
|------|-------------|------|---------|:--------:|
| [domain\_name](#input\_domain\_name) | Domain name to use for the ACM certificate | `string` | n/a | yes |
| [certificate\_transparency\_logging\_preference](#input\_certificate\_transparency\_logging\_preference) | Value to apply to the certificate transparency logging preference for the ACM certificate | `string` | `"ENABLED"` | no |
+| [create\_certificate\_validation](#input\_create\_certificate\_validation) | Boolean controlling whether to create the ACM certificate validation resource | `bool` | `true` | no |
| [subject\_alternative\_names](#input\_subject\_alternative\_names) | Subject alternative names to associate with the ACM certificate | `list(string)` | `[]` | no |
| [tags](#input\_tags) | Map of tags to apply to all resources that support tags | `map(string)` | `{}` | no |
| [ttl](#input\_ttl) | Time-to-live for the DNS validation records | `number` | `300` | no |
diff --git a/main.tf b/main.tf
index 1e477bc..fdd18e3 100644
--- a/main.tf
+++ b/main.tf
@@ -19,7 +19,10 @@ resource "aws_acm_certificate" "this" {
}
resource "aws_route53_record" "this" {
- for_each = { for record in local.validation_records : record => local.domain_validation_options[record] }
+ for_each = {
+ for record in local.validation_records : record => local.domain_validation_options[record]
+ if endswith(record, data.aws_route53_zone.this.name)
+ }
allow_overwrite = true
name = each.value.resource_record_name
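Review bot: The zone filter on the added `if` line is a bare suffix match, so a domain such as `nottardigrade.cloudarmor.io` still passes when the zone name is `tardigrade.cloudarmor.io`, and its validation record would then be attempted in the wrong hosted zone. Anchor the comparison on a label boundary: `if record == data.aws_route53_zone.this.name || endswith(record, ".${data.aws_route53_zone.this.name}")`. Whether `data.aws_route53_zone.this.name` carries a trailing dot appears to depend on the AWS provider version, so if older providers are supported, normalise it with `trimsuffix(..., ".")` before comparing. The `aws_route53_record.this` resource continues past the end of this hunk.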
@@ -33,6 +36,8 @@ resource "aws_route53_record" "this" {
}
resource "aws_acm_certificate_validation" "this" {
+ count = var.create_certificate_validation ? 1 : 0
+
certificate_arn = aws_acm_certificate.this.arn
validation_record_fqdns = [for record in aws_route53_record.this : record.fqdn]
}
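Review bot: When validation stays enabled but the new zone filter drops an out-of-zone record, `validation_record_fqdns` lists only the in-zone records and `aws_acm_certificate_validation.this[0]` waits for its full timeout rather than failing fast, because ACM can never see the missing record. A precondition that every expected validation record was actually created turns that hang into an immediate, explained error; since `count` is 0 when validation is disabled, it only evaluates in the case that can hang. This assumes the module's minimum Terraform version permits `lifecycle.precondition` (1.2+), which I cannot see from this diff.
```hcl
resource "aws_acm_certificate_validation" "this" {
  count = var.create_certificate_validation ? 1 : 0

  # … unchanged: certificate_arn, validation_record_fqdns …

  lifecycle {
    precondition {
      condition     = length(aws_route53_record.this) == length(local.validation_records)
      error_message = "Some validation records are outside the hosted zone of zone_id; set create_certificate_validation = false and validate those names elsewhere."
    }
  }
}
```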
@@ -53,3 +58,7 @@ locals {
for option in aws_acm_certificate.this.domain_validation_options : option.domain_name => option
}
}
+
+data "aws_route53_zone" "this" {
+ zone_id = var.zone_id
+}
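Review bot: The new `aws_route53_zone` data source has no comment saying why the module now resolves the zone when it already has `var.zone_id`, and the reason (filtering validation records by zone name) lives in a different resource. I would add above the block: `# Resolved only for its name, used to keep validation records to names inside this hosted zone`. The `locals` block at the top of this hunk begins outside it.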
diff --git a/migrations.tf b/migrations.tf
new file mode 100644
index 0000000..0dbd006
--- /dev/null
+++ b/migrations.tf
@@ -0,0 +1,4 @@
+moved {
+ from = aws_acm_certificate_validation.this
+ to = aws_acm_certificate_validation.this[0]
+}
diff --git a/tests/create_certificate/prereq/main.tf b/tests/create_certificate/prereq/main.tf
index 6e11dab..faa44b8 100644
--- a/tests/create_certificate/prereq/main.tf
+++ b/tests/create_certificate/prereq/main.tf
@@ -2,7 +2,7 @@ resource "random_string" "this" {
length = 6
upper = false
special = false
- number = false
+ numeric = false
}
output "random_string" {
diff --git a/tests/no_validation/main.tf b/tests/no_validation/main.tf
new file mode 100644
index 0000000..7ccb429
--- /dev/null
+++ b/tests/no_validation/main.tf
@@ -0,0 +1,42 @@
+module "create_certificate" {
+ source = "../../"
+
+ zone_id = data.aws_route53_zone.this.zone_id
+ domain_name = local.domain_name
+
+ # Disable certificate validation due to the SAN "biz.cloudarmor.io", where the
+ # zone is not the same as the zone of the zone_id, "tardigrade.cloudarmor.io"
+ create_certificate_validation = false
+
+ subject_alternative_names = [
+ "*.${local.domain_name}",
+ "foo.${local.domain_name}",
+ "bar.${local.domain_name}",
+ "baz.${local.domain_name}",
+ "biz.cloudarmor.io",
+ ]
+}
+
+locals {
+ test_id = data.terraform_remote_state.prereq.outputs.random_string.result
+
+ domain_name = "${local.test_id}.test.${local.zone_name}"
+ zone_name = "tardigrade.cloudarmor.io"
+}
+
+data "terraform_remote_state" "prereq" {
+ backend = "local"
+ config = {
+ path = "prereq/terraform.tfstate"
+ }
+}
+
+data "aws_route53_zone" "this" {
+ name = local.zone_name
+ private_zone = false
+}
+
+output "create_certificate" {
+ value = module.create_certificate
+ sensitive = true
+}
diff --git a/tests/no_validation/prereq/main.tf b/tests/no_validation/prereq/main.tf
new file mode 100644
index 0000000..faa44b8
--- /dev/null
+++ b/tests/no_validation/prereq/main.tf
@@ -0,0 +1,10 @@
+resource "random_string" "this" {
+ length = 6
+ upper = false
+ special = false
+ numeric = false
+}
+
+output "random_string" {
+ value = random_string.this
+}
diff --git a/variables.tf b/variables.tf
index 68d678b..2c64bcb 100644
--- a/variables.tf
+++ b/variables.tf
@@ -4,6 +4,13 @@ variable "certificate_transparency_logging_preference" {
default = "ENABLED"
}
+variable "create_certificate_validation" {
+ description = "Boolean controlling whether to create the ACM certificate validation resource"
+ type = bool
+ nullable = false
+ default = true
+}
+
variable "domain_name" {
description = "Domain name to use for the ACM certificate"
type = string
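Review bot: The description of `create_certificate_validation` says what resource is skipped but not the consequence for callers, which is the part a user needs: the certificate is left unissued (PENDING_VALIDATION) and `aws_acm_certificate.this.arn` cannot be attached to a listener until validation is completed elsewhere. I would expand it to `description = "Boolean controlling whether to create the ACM certificate validation resource. When false the certificate stays in PENDING_VALIDATION and the caller must complete validation (e.g. for names outside the zone of zone_id) before using its ARN"`. The `variable "domain_name"` block at the bottom of this hunk continues outside it.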