Does not work if Route53 Zone is not created yet and no depends_on strategy implemented - Error: no matching Route53Zone found

[abdennour]

The module works fine after having route53 zone created.
Switching now to a new/fresh workspace, and I get the error

Error: no matching Route53Zone found

  on .terraform/modules/dns.public_acm_request_certificate/main.tf line 19, in data "aws_route53_zone" "default":
  19: data "aws_route53_zone" "default" {

This snippet of my TF plan :

resource "aws_route53_zone" "publiczone" {
  lifecycle {
    prevent_destroy = true
  }
  count     = length(var.public_zone_name) > 0 ? 1 : 0
  comment   = "Public Hosted Zone for ${terraform.workspace} environment"
  name      = var.public_zone_name
  tags      = {
    Environment = terraform.workspace
  }
}

module "public_acm_request_certificate" {
  source                                                         = "git::https://github.com/cloudposse/terraform-aws-acm-request-certificate.git?ref=0.4.0"
  domain_name                                           = var.public_zone_name
  process_domain_validation_options = true
  ttl                                                                  = "300"
  subject_alternative_names                   = ["*.${var.public_zone_name}"]
  tags = {
      ZoneId                                                   = join("", aws_route53_zone.publiczone.*.zone_id)
  }
}

As workaround, and as you can see in the snippet, I tried to link the module with the zone by assigning the zone_id attribute as value for tags (module variable).. But the same issue , the same error.

[jwstric2]

So it appears this issue may be "hard" to fix with the current code. It appears the problem stems from a data lookup of the zone. https://github.com/cloudposse/terraform-aws-acm-request-certificate/blob/master/main.tf#L19 .. There are ways it appears to not have it create the resource; thus the less desireable workaround is to create the zone as being shown above then do a seperate PR after the zone creation to create the certificate with this module.

I believe if the terraform team was willing to accept a bit of a change, you could have the callee pass in the zone_id explicitly and not do the lookup. This would require a couple areas of code changes to make this work but again it looks possible.

[pjaudiomv]

with terraform 0.13.x and up you can now use depends_on with a module

[nitrocode]

If you cannot use the module depends on argument, you can also create an implicit dependency like we have in our example.

terraform-aws-acm-request-certificate/examples/complete/main.tf

Line 16 in 8832316

domain_name = module.zone.zone_name

From the code shared above, you're using the resource directly which doesn't have an output for the zone name which is odd... so I see why you are using the same input var.public_zone_name. The problem is that the module seems like it's instantiated before the zone finishes it's creation.

Our example isn't affected because it's using a module to create the zone and the acm module depends on the former module to complete.

[nitrocode]

Actually, it's undocumented but you can actually use this to create an implicit dependency

  domain_name = aws_route53_zone.publiczone.name