
process_domain_validation_options breaks with complex subject_alternative_names

Open kevcube opened this issue 2 years ago • 1 comment


Describe the Bug

I am using distinct domains in my subject_alternative_names variable...

```hcl
  domain_name                       = "website.foundation"
  process_domain_validation_options = true
  subject_alternative_names         = [
    "*.website.foundation",
    "websitefoundation.org",
    "*.websitefoundation.org",
  ]
```

Expected Behavior

It would be nice to process domain validation options across multiple hosted zones.

Steps to Reproduce

See "Describe the Bug" above.

kevcube avatar Mar 24 '22 05:03 kevcube

For now I will just set process_domain_validation_options = false and handle the r53 records elsewhere.

kevcube avatar Mar 24 '22 05:03 kevcube

This may be tricky. You'd have to either explicitly set the zone_id per SAN or somehow figure out if each SAN is associated to a different zone id.

Perhaps, we could create a map of SAN => zone_id implicitly

  1. Loop through all the SANs
  2. Remove any subdomains by split(".") and get all the items after the first one, leaving the domain
  3. Make sure each item in the list is distinct
  4. Passing in this list of unique domains, we could add a for_each into the aws_route53_zone data source
  5. Create each record for the SAN and associate each record to the corresponding zone

https://github.com/cloudposse/terraform-aws-acm-request-certificate/blob/8eae0d82fe01ceed96ac881322aebbfbf4564ab7/main.tf#L26-L31

nitrocode avatar Sep 13 '22 00:09 nitrocode
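An added example of the implicit SAN => zone_id mapping sketched above, written as stand-alone HCL against the AWS provider; it is not the module's code, the variable and resource names are assumed, and it assumes each name lives in a public second-level hosted zone. Note that stripping the first label unconditionally would turn an apex SAN such as "websitefoundation.org" into "org", so the lookup only strips a label when more than two remain.

```hcl
variable "domain_name" {
  default = "website.foundation"
}

variable "subject_alternative_names" {
  default = ["*.website.foundation", "websitefoundation.org", "*.websitefoundation.org"]
}

locals {
  all_names = distinct(concat([var.domain_name], var.subject_alternative_names))

  # Drop the first label only when a name has more than two labels, so an apex
  # name such as "websitefoundation.org" maps to itself rather than to "org".
  # Assumes every hosted zone is a public second-level zone; deeper delegated
  # zones would need an explicit name => zone map instead.
  zone_for = {
    for n in local.all_names :
    n => length(split(".", n)) > 2 ? join(".", slice(split(".", n), 1, length(split(".", n)))) : n
  }
}

data "aws_route53_zone" "this" {
  for_each     = toset(values(local.zone_for))
  name         = each.value
  private_zone = false
}

resource "aws_acm_certificate" "this" {
  domain_name               = var.domain_name
  subject_alternative_names = var.subject_alternative_names
  validation_method         = "DNS"
}

resource "aws_route53_record" "validation" {
  for_each = { for dvo in aws_acm_certificate.this.domain_validation_options : dvo.domain_name => dvo }

  # ACM hands an apex name and its wildcard the same validation CNAME, so those
  # two records collide in the zone; allow_overwrite lets the duplicate apply.
  allow_overwrite = true
  zone_id         = data.aws_route53_zone.this[local.zone_for[each.key]].zone_id
  name            = each.value.resource_record_name
  type            = each.value.resource_record_type
  ttl             = 60
  records         = [each.value.resource_record_value]
}

resource "aws_acm_certificate_validation" "this" {
  certificate_arn         = aws_acm_certificate.this.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}
```

With the issue's four names this resolves to exactly two hosted zones, website.foundation and websitefoundation.org, and a data-source lookup fails fast at plan time if either zone does not exist in the account.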