ansible-collections / community.aws

Ansible Collection for Community AWS
GNU General Public License v3.0

[aws_acm_info] DomainValidationOptions.ResourceRecord not Available in Response #321

Open muya opened 3 years ago

muya commented 3 years ago
SUMMARY

When requesting a certificate using the acm AWS module, there's an option to use either email validation or DNS validation.

When the DNS option is chosen, the describe certificate response is expected to have a ResourceRecord field, which has details of what to configure to allow domain validation (see "ResourceRecord" in the official AWS documentation).

However, this field is not available in the response from the community.aws.aws_acm_info module.

ISSUE TYPE
COMPONENT NAME

community.aws.aws_acm_info

ANSIBLE VERSION
ansible 2.10.3
  config file = None
  configured module search path = ['/path/to/home/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/2.10.3/libexec/lib/python3.9/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.9.0 (default, Nov 14 2020, 10:50:03) [Clang 12.0.0 (clang-1200.0.32.27)]
CONFIGURATION
(empty output)
OS / ENVIRONMENT
STEPS TO REPRODUCE
# Task to request certificate via shell command (requires `aws` CLI)
- name: "Request for Certificate on ACM"
  shell: |
     aws acm request-certificate --domain-name "{{ domain_name }}" --validation-method "DNS"
  environment:
    AWS_ACCESS_KEY_ID: "{{ acm_aws_access_key }}"
    AWS_SECRET_ACCESS_KEY: "{{ acm_aws_secret_key }}"
    AWS_REGION: "{{ aws_default_region }}"
  register: request_cert_result

# Inspect successful result
- name: "Inspect successful certificate result"
  set_fact:
    request_certificate_output: "{{ request_cert_result['stdout'] | from_json }}"
  when:
    request_cert_result is not failed

# Fetch certificate info
- name: "Fetch Certificate Information"
  community.aws.aws_acm_info:
    aws_access_key: "{{ acm_aws_access_key }}"
    aws_secret_key: "{{ acm_aws_secret_key }}"
    aws_region: "{{ aws_default_region }}"
    certificate_arn: "{{ request_certificate_output.CertificateArn }}"
EXPECTED RESULTS
[screenshot: aws_acm_describe-certificate]
ACTUAL RESULTS
See output in screenshot
[screenshot: acm_info_output]

muya commented 3 years ago

Update: Noticed that the resource_record value becomes available in the response if the query is run a few seconds later (possibly because AWS takes some time to create the DNS record required for validation?)

We may only need to update the documentation for this module to:

goneri commented 3 years ago

Hi @muya,

Would you like to push a PR to improve the documentation as you suggested? Otherwise can we close the issue?

muya commented 3 years ago

> Hi @muya,
>
> Would you like to push a PR to improve the documentation as you suggested? Otherwise can we close the issue?

@goneri I'm definitely up for doing this when I get some time ✅
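
The behaviour reported in this thread (ResourceRecord missing from the first describe response and present a few seconds later) can be handled by polling before the DNS record is created. The following is an added example, not code from the community.aws collection or from the participants: it polls any callable shaped like boto3's `describe_certificate` until every DNS-validated domain carries a `ResourceRecord`. The helper names, the placeholder ARN, and the sample responses are constructed for illustration.

```python
import time

class ValidationRecordsNotReady(Exception):
    """ACM did not publish every ResourceRecord within the retry budget."""

def dns_validation_records(certificate):
    """Return the DNS records to create, or None while ACM is still preparing them."""
    options = certificate.get("DomainValidationOptions") or []
    dns_options = [o for o in options if o.get("ValidationMethod", "DNS") == "DNS"]
    if not options or any("ResourceRecord" not in o for o in dns_options):
        return None
    return [{"domain": o["DomainName"], **o["ResourceRecord"]} for o in dns_options]

def wait_for_validation_records(describe, arn, attempts=10, delay=3.0, sleep=time.sleep):
    """Poll describe(CertificateArn=arn) until each DNS option carries ResourceRecord."""
    for attempt in range(1, attempts + 1):
        records = dns_validation_records(describe(CertificateArn=arn)["Certificate"])
        if records is not None:
            return records
        if attempt < attempts:
            sleep(delay)  # give ACM time to generate the validation record
    raise ValidationRecordsNotReady(f"no ResourceRecord for {arn} after {attempts} tries")

# Constructed sample data: placeholder ARN and three successive responses.
SAMPLE_ARN = "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE"
PENDING = {"DomainName": "example.com", "ValidationMethod": "DNS",
           "ValidationStatus": "PENDING_VALIDATION"}
SAMPLE_RESPONSES = [
    {"CertificateArn": SAMPLE_ARN, "Status": "PENDING_VALIDATION"},
    {"CertificateArn": SAMPLE_ARN, "DomainValidationOptions": [PENDING]},
    {"CertificateArn": SAMPLE_ARN, "DomainValidationOptions": [
        {**PENDING, "ResourceRecord": {"Name": "_constructed.example.com.", "Type": "CNAME",
                                       "Value": "_constructed.acm-validations.aws."}}]},
]

def make_fake_describe(responses):
    """Hypothetical stand-in for boto3's describe_certificate, replaying canned replies."""
    replies = iter(responses)
    return lambda CertificateArn: {"Certificate": next(replies)}

if __name__ == "__main__":
    # Against AWS, pass boto3.client("acm").describe_certificate instead of the fake.
    print(wait_for_validation_records(make_fake_describe(SAMPLE_RESPONSES), SAMPLE_ARN,
                                      sleep=lambda _seconds: None))
```

Raising after a bounded number of attempts keeps a playbook or pipeline from proceeding with an empty validation record, which would otherwise leave the certificate stuck in PENDING_VALIDATION.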