add domain validation options parameter to aws_acm_certificate #3851

Closed
telepath opened this issue Mar 20, 2018 · 17 comments · Fixed by #3853
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/acm Issues and PRs that pertain to the acm service.
Comments

@telepath

Terraform Version

Terraform v0.10.4

Affected Resource(s)

  • aws_acm_certificate

Terraform Configuration Files

resource "aws_acm_certificate" "cluster_internal" {
  domain_name = "www.domain.com"
  subject_alternative_names = ["app1.domain.com", "app2.domain.com", "app3.domain.com", "app4.domain.com", "app5.domain.com", "app6.domain.com", "app7.domain.com", "app8.domain.com", "app9.domain.com", "app10.domain.com", "app11.domain.com", "app12.domain.com", "app13.domain.com", "app14.domain.com", "app15.domain.com"]
  validation_method = "EMAIL"
  lifecycle {
    create_before_destroy = true
  }
}

Expected Behavior

The certificate is requested and email validations are sent out to the email addresses in whois and some generic addresses.

Actual Behavior

AWS sometimes uses the correct mail addresses from whois and derived from the second level domain, and sometimes only the mail addresses derived from the third level domain (e.g. "[email protected]" instead of something like "[email protected]"). This can vary between additional names for one certificate, so that some subdomains can be validated, others not.

This can be avoided by setting the ValidationDomain option for each DomainName to the second level domain. By doing this, all validation mails are sent to the domain owner configured in whois.

Steps to Reproduce

  1. request a certificate with a long list of alternative names using terraform
  2. select EMAIL validation
  3. check the email addresses used for validation. Sometimes the mails are not sent to the domain owner configured in whois, but only to the generic addresses derived directly from the subdomain
  4. request the same certificate via cli, e.g.:
     aws acm request-certificate --domain-name www.domain.com --validation-method EMAIL --subject-alternative-names app1.domain.com app2.domain.com app3.domain.com app4.domain.com app5.domain.com app6.domain.com app7.domain.com app8.domain.com app9.domain.com app10.domain.com app11.domain.com app12.domain.com app13.domain.com app14.domain.com app15.domain.com --domain-validation-options DomainName=www.domain.com,ValidationDomain=domain.com DomainName=app1.domain.com,ValidationDomain=domain.com DomainName=app2.domain.com,ValidationDomain=domain.com DomainName=app3.domain.com,ValidationDomain=domain.com DomainName=app4.domain.com,ValidationDomain=domain.com DomainName=app5.domain.com,ValidationDomain=domain.com DomainName=app6.domain.com,ValidationDomain=domain.com DomainName=app7.domain.com,ValidationDomain=domain.com DomainName=app8.domain.com,ValidationDomain=domain.com DomainName=app9.domain.com,ValidationDomain=domain.com DomainName=app10.domain.com,ValidationDomain=domain.com DomainName=app11.domain.com,ValidationDomain=domain.com DomainName=app12.domain.com,ValidationDomain=domain.com DomainName=app13.domain.com,ValidationDomain=domain.com DomainName=app14.domain.com,ValidationDomain=domain.com DomainName=app15.domain.com,ValidationDomain=domain.com
  5. check the email addresses used for validation. All mails are sent to the domain owner.

Important Factoids

I want to request a certificate for several subdomains, but I need to set the validation domain parameter.
See https://docs.aws.amazon.com/cli/latest/reference/acm/request-certificate.html and https://docs.aws.amazon.com/acm/latest/APIReference/API_DomainValidationOption.html

I have no control over the DNS for the domains, therefore I cannot use DNS validation or make whois entries.
I need to request these certificates and notify the domain owner so he can do the validations.
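As an added example (not from this thread or its author), the configuration the report asks for, written against the `validation_option` block of `aws_acm_certificate` that the AWS provider gained with the v4.12.0 release noted later in the thread. The block name, the `endswith` function (Terraform 1.3+), the `precondition` and the variable names are assumptions taken from current Terraform and provider documentation rather than from this page, and `domain.com` stands in for the real registrable domain.

```hcl
# Added example: one validation_option per certificate name, all pointing at the
# registrable domain so ACM mails the whois/admin addresses of that domain.
variable "domain_name" {
  type    = string
  default = "www.domain.com"
}

variable "subject_alternative_names" {
  type    = list(string)
  default = ["app1.domain.com", "app2.domain.com", "app3.domain.com"]
}

# The domain whose owner should receive every validation mail (assumed value).
variable "validation_domain" {
  type    = string
  default = "domain.com"
}

locals {
  # Every name on the certificate, primary name first, duplicates dropped.
  all_names = distinct(concat([var.domain_name], var.subject_alternative_names))
}

resource "aws_acm_certificate" "cluster_internal" {
  domain_name               = var.domain_name
  subject_alternative_names = var.subject_alternative_names
  validation_method         = "EMAIL"

  # Equivalent of the CLI's --domain-validation-options, generated for each name.
  dynamic "validation_option" {
    for_each = toset(local.all_names)
    content {
      domain_name       = validation_option.value
      validation_domain = var.validation_domain
    }
  }

  lifecycle {
    create_before_destroy = true

    # ACM only accepts a ValidationDomain equal to the name or one of its parent
    # domains; catch a wrong value at plan time instead of at the API call.
    precondition {
      condition = alltrue([
        for n in local.all_names :
        n == var.validation_domain || endswith(n, ".${var.validation_domain}")
      ])
      error_message = "validation_domain must equal each certificate name or be a parent domain of it."
    }
  }
}
```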

@scottwinkler
Contributor

I had the same problem so I made a pull request to fix this: #3853.

@bflad bflad added enhancement Requests to existing resources that expand the functionality or scope. service/acm Issues and PRs that pertain to the acm service. labels Mar 23, 2018
@mrl045

mrl045 commented Apr 16, 2018

The addition of validation options for validation method EMAIL would be very appreciated!
Any idea when this feature will be released officially?

@scottwinkler
Contributor

No idea, not sure why this is getting ignored

@mrl045

mrl045 commented Apr 17, 2018

Okay, thanks for your response @scottwinkler . Looking through this ticket submission I noticed that @bflad (member of Terraform) added some tags like 27 days ago. I think your pull request to add this capability will hopefully not be ignored.

@scottwinkler
Contributor

scottwinkler commented Apr 17, 2018

For those people looking for a temporary workaround, I have open sourced a solution I developed for my company to solve this problem a few months ago: https://github.com/scottwinkler/terraform-acm-quick_certificate. You use it like the following:

module "certificate" {
  source                    = "github.com/scottwinkler/terraform-acm-quick_certificate"
  project_name              = "${var.project_name}"
  domain_name               = "${var.domain_name}"
  subject_alternative_names = ["sub1.example.publiccloud.rd.elliemae.io", "sub2.example.publiccloud.rd.elliemae.io"]
}

you can get the arn of the certificate: ${module.certificate.arn}

@bflad
Contributor

bflad commented Apr 17, 2018

The maintainers do not actively ignore PRs. Generally it's based on 👍 upvotes on the original issue/PR comment or some other factors, including whether it's a bug/crash fix, which will take priority.

#3853 as currently written will break backwards compatibility for a lot of people. It will need to be reworked if it is to get merged.

@joshuabaird

joshuabaird commented Feb 14, 2019

Is there any update to this? This issue is affecting us as well.

@gotttlieb

Same problem here!

@benh57

benh57 commented Jul 17, 2019

Same problem here. Still broken, it seems.

@gjambet

gjambet commented Aug 19, 2019

+1 still missing the

--domain-validation-options DomainName=www.domain.com,ValidationDomain=domain.com

from CLI :/

@intxEmeka

workaround for those who need this (only for email):

Create ACM cert and validate through email

resource "aws_acm_certificate" "main" {
  domain_name               = var.domain_name
  subject_alternative_names = [var.subject_alternative_name]
  validation_method         = "EMAIL"
  tags = {
    Name = var.certificate_name
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_acm_certificate_validation" "main" {
  certificate_arn = aws_acm_certificate.main.arn
  depends_on      = [null_resource.certificate]
}

Force ACM to resend email correctly.

resource "null_resource" "certificate" {
  provisioner "local-exec" {
    command = "aws acm resend-validation-email --certificate-arn ${aws_acm_certificate.main.arn} --domain ${var.domain_name} --validation-domain example.com --profile test --region us-east-1"
  }
}

@telepath
Author

I noticed that the acm resource has been redesigned in aws provider 3.0.0, but this still is not implemented.
Any chance we can get this?
The workaround works, but it has the drawback of duplicating a lot of validation mails.

@relnetops

@bflad What's the status of resolving this issue?

@jfletcher93

I noticed a lot of people chasing for updates on this, it's a shame nothing has progressed as we have just run into this exact same issue as well.

@bflad should anyone be doing anything to get this moving?

@breathingdust
Member

Hi all 👋 Just letting you know that this issue is featured on this quarter's roadmap. If a PR exists to close the issue, a maintainer will review and either make changes directly, or work with the original author to get the contribution merged. If you have written a PR to resolve the issue, please ensure the "Allow edits from maintainers" box is checked. Thanks for your patience, and we are looking forward to getting this merged soon!

@github-actions github-actions bot added this to the v4.12.0 milestone Apr 26, 2022
@github-actions

This functionality has been released in v4.12.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 29, 2022