From 7c4c378c0d61a471e327387982b2adfed2890dbd Mon Sep 17 00:00:00 2001 From: Loren Gordon Date: Wed, 25 Sep 2024 11:40:47 -0700 Subject: [PATCH 1/2] Supports creating cert when SAN is outside the zone of zone_id --- README.md | 2 ++ main.tf | 11 ++++++- migrations.tf | 4 +++ tests/create_certificate/prereq/main.tf | 2 +- tests/no_validation/main.tf | 42 +++++++++++++++++++++++++ tests/no_validation/prereq/main.tf | 10 ++++++ variables.tf | 7 +++++ 7 files changed, 76 insertions(+), 2 deletions(-) create mode 100644 migrations.tf create mode 100644 tests/no_validation/main.tf create mode 100644 tests/no_validation/prereq/main.tf diff --git a/README.md b/README.md index 847c9bd..37d5f0c 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,7 @@ AWS_PROFILE=xxx make terraform/pytest PYTEST_ARGS="-v --nomock" | Name | Type | |------|------| +| [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source | ## Inputs 
@@ -36,6 +37,7 @@ AWS_PROFILE=xxx make terraform/pytest PYTEST_ARGS="-v --nomock" |------|-------------|------|---------|:--------:| | [domain\_name](#input\_domain\_name) | Domain name to use for the ACM certificate | `string` | n/a | yes | | [certificate\_transparency\_logging\_preference](#input\_certificate\_transparency\_logging\_preference) | Value to apply to the certificate transparency logging preference for the ACM certificate | `string` | `"ENABLED"` | no | +| [create\_certificate\_validation](#input\_create\_certificate\_validation) | Boolean controlling whether to create the ACM certificate validation resource | `bool` | `true` | no | | [subject\_alternative\_names](#input\_subject\_alternative\_names) | Subject alternative names to associate with the ACM certificate | `list(string)` | `[]` | no | | [tags](#input\_tags) | Map of tags to apply to all resources that support tags | `map(string)` | `{}` | no | | [ttl](#input\_ttl) | Time-to-live for the DNS validation records | `number` | `300` | no | diff --git a/main.tf b/main.tf index 1e477bc..fdd18e3 100644 --- a/main.tf +++ b/main.tf @@ -19,7 +19,10 @@ resource "aws_acm_certificate" "this" { } resource "aws_route53_record" "this" { - for_each = { for record in local.validation_records : record => local.domain_validation_options[record] } + for_each = { + for record in local.validation_records : record => local.domain_validation_options[record] + if endswith(record, data.aws_route53_zone.this.name) + } allow_overwrite = true name = each.value.resource_record_name @@ -33,6 +36,8 @@ resource "aws_route53_record" "this" { } resource "aws_acm_certificate_validation" "this" { + count = var.create_certificate_validation ? 1 : 0 + certificate_arn = aws_acm_certificate.this.arn validation_record_fqdns = [for record in aws_route53_record.this : record.fqdn] } 
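Review bot: The new `if endswith(record, data.aws_route53_zone.this.name)` filter in aws_route53_record.this matches a bare string suffix, so a SAN such as `nottardigrade.cloudarmor.io` still passes the filter for zone `tardigrade.cloudarmor.io` and the module will try to write a validation CNAME into a zone that does not own the name (Route 53 rejects that at apply time, a confusing failure rather than the intended skip). Anchor the comparison on a label boundary and normalise any trailing dot the data source may return, e.g. `zone = trimsuffix(data.aws_route53_zone.this.name, ".")` in locals and `if record == local.zone || endswith(record, ".${local.zone}")`. Whether the data source's `name` attribute carries a trailing dot is not visible in this patch; the `trimsuffix` makes the check correct either way. The keys appear to be ACM `domain_name` values (see the locals later in this file), so a wildcard SAN `*.<zone>` still matches through the `.${local.zone}` suffix. The aws_route53_record.this block continues past the end of this hunk.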
@@ -53,3 +58,7 @@ locals { for option in aws_acm_certificate.this.domain_validation_options : option.domain_name => option } } + +data "aws_route53_zone" "this" { + zone_id = var.zone_id +} diff --git a/migrations.tf b/migrations.tf new file mode 100644 index 0000000..0dbd006 --- /dev/null +++ b/migrations.tf @@ -0,0 +1,4 @@ +moved { + from = aws_acm_certificate_validation.this + to = aws_acm_certificate_validation.this[0] +} diff --git a/tests/create_certificate/prereq/main.tf b/tests/create_certificate/prereq/main.tf index 6e11dab..faa44b8 100644 --- a/tests/create_certificate/prereq/main.tf +++ b/tests/create_certificate/prereq/main.tf @@ -2,7 +2,7 @@ resource "random_string" "this" { length = 6 upper = false special = false - number = false + numeric = false } output "random_string" { diff --git a/tests/no_validation/main.tf b/tests/no_validation/main.tf new file mode 100644 index 0000000..7ccb429 --- /dev/null +++ b/tests/no_validation/main.tf @@ -0,0 +1,42 @@ +module "create_certificate" { + source = "../../" + + zone_id = data.aws_route53_zone.this.zone_id + domain_name = local.domain_name + + # Disable certificate validation due to the SAN "biz.cloudarmor.io", where the + # zone is not the same as the zone of the zone_id, "tardigrade.cloudarmor.io" + create_certificate_validation = false + + subject_alternative_names = [ + "*.${local.domain_name}", + "foo.${local.domain_name}", + "bar.${local.domain_name}", + "baz.${local.domain_name}", + "biz.cloudarmor.io", + ] +} + +locals { + test_id = data.terraform_remote_state.prereq.outputs.random_string.result + + domain_name = "${local.test_id}.test.${local.zone_name}" + zone_name = "tardigrade.cloudarmor.io" +} + +data "terraform_remote_state" "prereq" { + backend = "local" + config = { + path = "prereq/terraform.tfstate" + } +} + +data "aws_route53_zone" "this" { + name = local.zone_name + private_zone = false +} + +output "create_certificate" { + value = module.create_certificate + sensitive = true +} 
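Review bot: The `moved` block in migrations.tf is only understood by Terraform 1.1 and newer, and the module's `required_version` constraint is not part of this patch; confirm it is at least `>= 1.1` (and raise it in versions.tf if it is lower), otherwise users on an older CLI get a parse error when they upgrade to 1.1.0 rather than a clean state migration. A one-line header comment explaining why the block exists would also help whoever eventually removes it, e.g. `# 1.1.0: aws_acm_certificate_validation.this gained a count; keep existing state addresses working without a manual state mv.`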
diff --git a/tests/no_validation/prereq/main.tf b/tests/no_validation/prereq/main.tf new file mode 100644 index 0000000..faa44b8 --- /dev/null +++ b/tests/no_validation/prereq/main.tf @@ -0,0 +1,10 @@ +resource "random_string" "this" { + length = 6 + upper = false + special = false + numeric = false +} + +output "random_string" { + value = random_string.this +} diff --git a/variables.tf b/variables.tf index 68d678b..2c64bcb 100644 --- a/variables.tf +++ b/variables.tf @@ -4,6 +4,13 @@ variable "certificate_transparency_logging_preference" { default = "ENABLED" } +variable "create_certificate_validation" { + description = "Boolean controlling whether to create the ACM certificate validation resource" + type = bool + nullable = false + default = true +} + variable "domain_name" { description = "Domain name to use for the ACM certificate" type = string From fbf734e269e00e1c9c4c25125482b167722cd11a Mon Sep 17 00:00:00 2001 From: Loren Gordon Date: Wed, 25 Sep 2024 11:43:40 -0700 Subject: [PATCH 2/2] Bumps version to 1.1.0 --- .bumpversion.cfg | 2 +- CHANGELOG.md | 11 +++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/.bumpversion.cfg b/.bumpversion.cfg index 63b3026..4841ee5 100644 --- a/.bumpversion.cfg +++ b/.bumpversion.cfg @@ -1,5 +1,5 @@ [bumpversion] -current_version = 1.0.2 +current_version = 1.1.0 commit = True message = Bumps version to {new_version} tag = False diff --git a/CHANGELOG.md b/CHANGELOG.md index af2c92b..5316622 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
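Review bot: The description of `create_certificate_validation` says which resource is skipped but not what the caller takes on when it is `false`: the certificate is still requested (including the out-of-zone SAN), yet `aws_acm_certificate.this.arn` then refers to a certificate that remains in PENDING_VALIDATION until every name, including the one this module cannot write a record for, has been validated out of band, and nothing in the module reports that state. Conversely, leaving it `true` with an out-of-zone SAN makes `aws_acm_certificate_validation.this` wait on a certificate that can never be issued, because the new record filter in main.tf drops that name's CNAME from `validation_record_fqdns`. Suggested wording: `Boolean controlling whether to create the ACM certificate validation resource. Set to false when a SAN lies outside the zone of zone_id; the caller must then create that name's validation CNAME itself, and the certificate is not usable until ACM issues it.` The README row for this input should carry the same text.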
@@ -4,6 +4,17 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). +### [1.1.0](https://github.com/plus3it/terraform-aws-tardigrade-ec2-account/releases/tag/1.1.0) + +**Released**: 2024.09.25 + +**Summary**: + +* Adds the input `create_certificate_validition` to control whether the ACM certificate + will be validated at creation time +* Avoids creating DNS records where the zone is not the same as the zone of the + `zone_id` input + ### 1.0.2 **Commit Delta**: [Change from 1.0.1 release](https://github.com/plus3it/terraform-aws-tardigrade-acm/compare/1.0.1...1.0.2)