From b14090e31de51b77b28ad7a77cafb36f7ed2b87c Mon Sep 17 00:00:00 2001
From: Vladimir Blaskov
Date: Thu, 19 Mar 2020 17:16:37 +0200
Subject: [PATCH] Fix an off-by-one error with validation records

PR #32 introduces an obscure off-by-one error that leads to a duplicated validation record because of a wrap-around in `distinct_domain_names`. I assume this hasn't been spotted until now mainly because the duplicated record gets silently overwritten when `validation_allow_overwrite_records` is set to `true` (as it is by default). I tried to identify a corner case when this `+ 1` is required, but couldn't find any so far. Please let me know if you are aware why it may be needed.
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index b10548c..539d6a3 100644
--- a/main.tf
+++ b/main.tf
@@ -21,7 +21,7 @@ resource "aws_acm_certificate" "this" {
 }
 resource "aws_route53_record" "validation" {
- count = var.create_certificate && var.validation_method == "DNS" && var.validate_certificate ? length(local.distinct_domain_names) + 1 : 0
+ count = var.create_certificate && var.validation_method == "DNS" && var.validate_certificate ? length(local.distinct_domain_names) : 0
 zone_id = var.zone_id
 name = element(local.validation_domains, count.index)["resource_record_name"]
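Review bot: The corrected `count` is still sized from `local.distinct_domain_names`, while the `name` line indexes a different list, `local.validation_domains`, through `element()`, which wraps around instead of failing when the index is out of range. That wrap-around is what let the extra record go unnoticed, and with `validation_allow_overwrite_records` defaulting to `true` any future mismatch between the two lists would again be silently written over a record in the zone. Consider direct indexing, `name = local.validation_domains[count.index]["resource_record_name"]`, so that a length mismatch surfaces as an error rather than as a duplicated or overwritten validation record. The definition of `local.validation_domains` and the rest of the resource body are outside this hunk, so confirm that the two lists are always the same length, and apply the same change to any other `element(local.validation_domains, count.index)` lookups further down.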