Allow management of ACM certs with SANs in multiple zones (#61)

* Allow multiple zones * Auto Format * Fix syntax error * Use local.all_domains instead of unused locals * test: use domain without subdomain * Use parent_zone_name and prefix zone name instead * Remove multiple zone names from test * Update main.tf * Use zone_name Co-authored-by: cloudpossebot <[email protected]>
cloudposse · Sep 21, 2022 · 2eec7e5 · 2eec7e5
1 parent 32f16fe
commit 2eec7e5
Showing 1 changed file with 13 additions and 4 deletions.
diff --git a/main.tf b/main.tf
@@ -1,10 +1,19 @@
 locals {
   enabled                           = module.this.enabled
-  zone_name                         = var.zone_name == "" ? "${var.domain_name}." : var.zone_name
   process_domain_validation_options = local.enabled && var.process_domain_validation_options && var.validation_method == "DNS"
   domain_validation_options_set     = local.process_domain_validation_options ? aws_acm_certificate.default.0.domain_validation_options : toset([])
   public_enabled                    = var.certificate_authority_arn == null
   private_enabled                   = ! local.public_enabled
+
+  all_domains = concat(
+    [var.domain_name],
+    var.subject_alternative_names
+  )
+  domain_to_zone = {
+    for domain in local.all_domains :
+    domain => join(".", slice(split(".", domain), 1, length(split(".", domain))))
+  }
+  unique_zones = distinct(values(local.domain_to_zone))
 }
 
 resource "aws_acm_certificate" "default" {
@@ -27,9 +36,9 @@ resource "aws_acm_certificate" "default" {
 }
 
 data "aws_route53_zone" "default" {
-  count        = local.process_domain_validation_options ? 1 : 0
+  for_each     = local.process_domain_validation_options ? toset(local.unique_zones) : toset([])
   zone_id      = var.zone_id
-  name         = try(length(var.zone_id), 0) == 0 ? local.zone_name : null
+  name         = try(length(var.zone_id), 0) == 0 ? (var.zone_name == "" ? each.key : var.zone_name) : null
   private_zone = local.private_enabled
 }
 
@@ -41,7 +50,7 @@ resource "aws_route53_record" "default" {
       type   = dvo.resource_record_type
     }
   }
-  zone_id         = join("", data.aws_route53_zone.default.*.zone_id)
+  zone_id         = data.aws_route53_zone.default[local.domain_to_zone[each.key]].id
   ttl             = var.ttl
   allow_overwrite = true
   name            = each.value.name