
Validation records are not created for alternative domains with wildcard #27

Closed
ElenaForester opened this issue Nov 6, 2019 · 3 comments

Comments

@ElenaForester

ElenaForester commented Nov 6, 2019

Hi there,

I have these configs

module "acm" {
  source = "terraform-aws-modules/acm/aws"
  version = "~> v2.0"
  providers = {
    aws = aws.useast1
  }

  domain_name = var.domain
  zone_id     = var.zone_id

  subject_alternative_names = compact(
    [
      "*.alerts.${var.domain}",
      "*.info.${var.domain}",
      "*.news.${var.domain}",
      "*.${var.domain}",
    ],
  )

  wait_for_validation = true #have to wait for validation process since further I use acm cert in CF distribution creation

  tags = {
    Name = "${var.domain}"
  }
}

When I apply it, it fails with an error about missing validation records for all alternative names.
If I change wait_for_validation to false, I can see outputs like:


distinct_domain_names = [
  "mydomain.com",
  "alerts.mydomain.com",
  "info.mydomain.com",
  "news.mydomain.com",
]
this_acm_certificate_arn = arn:aws:acm:us-east-1:XXXXXXXXXXXXX:certificate/xxxxxxxxxxxxxxx
this_acm_certificate_domain_validation_options = [
  {
    "domain_name" = "mydomain.com"
    "resource_record_name" = "12345.mydomain.com."
    "resource_record_type" = "CNAME"
    "resource_record_value" = "y12345.acm-validations.aws."
  },
  {
    "domain_name" = "*.mydomain.com"
    "resource_record_name" = "12345.mydomain.com."
    "resource_record_type" = "CNAME"
    "resource_record_value" = "y12345.acm-validations.aws."
  },
  {
    "domain_name" = "*.alerts.mydomain.com"
    "resource_record_name" = "xxxxxxxxxxxxxxxxxxxx1.alerts.mydomain.com."
    "resource_record_type" = "CNAME"
    "resource_record_value" = "yyyyyyyyyyyyyyyyyyyy1.acm-validations.aws."
  },
  {
    "domain_name" = "*.info.mydomain.com"
    "resource_record_name" = "xxxxxxxxxxxxxxxxxxxx2.info.mydomain.com."
    "resource_record_type" = "CNAME"
    "resource_record_value" = "yyyyyyyyyyyyyyyyyyyy2.acm-validations.aws."
  },
  {
    "domain_name" = "*.news.mydomain.com"
    "resource_record_name" = "xxxxxxxxxxxxxxxxxxxx3.news.mydomain.com."
    "resource_record_type" = "CNAME"
    "resource_record_value" = "yyyyyyyyyyyyyyyyyyyy3.acm-validations.aws."
  },
]
validation_domains = [
  {
    "domain_name" = "mydomain.com"
    "resource_record_name" = "12345.mydomain.com."
    "resource_record_type" = "CNAME"
    "resource_record_value" = "y12345.acm-validations.aws."
  },
]
validation_route53_record_fqdns = [
  "12345.mydomain.com",
  "12345.mydomain.com",
  "12345.mydomain.com",
  "12345.mydomain.com",
]

As you can see, validation_domains contains only the main domain, not the alternative names.

Further investigation brought me to

validation_domains = [for k, v in aws_acm_certificate.this[0].domain_validation_options : tomap(v) if contains(local.distinct_domain_names, v.domain_name)]

The contains function will return false for everything except the main domain, since the domain names in this_acm_certificate_domain_validation_options have a wildcard and in local.distinct_domain_names it is replaced.
When I changed it to

validation_domains = [for k, v in aws_acm_certificate.this[0].domain_validation_options : tomap(v) if contains(local.distinct_domain_names, replace(v.domain_name, "*.", ""))]

everything seems to be created correctly.

Do I do something wrong or is it an issue?

Thanks!

UPD:
And also, in

count = var.create_certificate && var.validation_method == "DNS" && var.validate_certificate ? length(local.distinct_domain_names) : 0

change length(local.distinct_domain_names) to length(local.distinct_domain_names)+1
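The mismatch described in this issue, as an added example: a Python model of the two Terraform filter expressions (the module's original `contains(...)` test and the `replace(v.domain_name, "*.", "")` variant), run over sample data constructed from the placeholder values printed in the issue's output. It is not the module's code, and the `distinct_domain_names` function is an assumption chosen to reproduce the printed `distinct_domain_names` output. It also adds two checks a practitioner would want: which certificate names end up with no validation record (those keep the certificate in PENDING_VALIDATION), and deduplication of the records by name/type/value, because the apex and `*.mydomain.com` entries in the printed output share one CNAME.

```python
# Added example: a Python model of the Terraform filter expressions discussed
# in this issue, over sample data constructed from the issue's placeholder
# output. Not the terraform-aws-modules/acm code.

DOMAIN = "mydomain.com"
SANS = [
    "*.alerts.mydomain.com",
    "*.info.mydomain.com",
    "*.news.mydomain.com",
    "*.mydomain.com",
]

# Constructed sample: the domain_validation_options as printed in the issue.
DOMAIN_VALIDATION_OPTIONS = [
    {"domain_name": "mydomain.com",
     "resource_record_name": "12345.mydomain.com.",
     "resource_record_type": "CNAME",
     "resource_record_value": "y12345.acm-validations.aws."},
    {"domain_name": "*.mydomain.com",
     "resource_record_name": "12345.mydomain.com.",
     "resource_record_type": "CNAME",
     "resource_record_value": "y12345.acm-validations.aws."},
    {"domain_name": "*.alerts.mydomain.com",
     "resource_record_name": "xxxxxxxxxxxxxxxxxxxx1.alerts.mydomain.com.",
     "resource_record_type": "CNAME",
     "resource_record_value": "yyyyyyyyyyyyyyyyyyyy1.acm-validations.aws."},
    {"domain_name": "*.info.mydomain.com",
     "resource_record_name": "xxxxxxxxxxxxxxxxxxxx2.info.mydomain.com.",
     "resource_record_type": "CNAME",
     "resource_record_value": "yyyyyyyyyyyyyyyyyyyy2.acm-validations.aws."},
    {"domain_name": "*.news.mydomain.com",
     "resource_record_name": "xxxxxxxxxxxxxxxxxxxx3.news.mydomain.com.",
     "resource_record_type": "CNAME",
     "resource_record_value": "yyyyyyyyyyyyyyyyyyyy3.acm-validations.aws."},
]


def strip_wildcard(name):
    """Terraform replace(name, "*.", "")."""
    return name.replace("*.", "")


def distinct_domain_names(domain, sans):
    """Assumed model of local.distinct_domain_names, chosen to match the
    printed output: wildcard prefix stripped, then distinct(), order kept."""
    return list(dict.fromkeys([domain] + [strip_wildcard(s) for s in sans]))


def validation_domains_original(dvo, distinct):
    """The module's original filter: compares the raw ACM domain_name, so
    every '*.' entry fails the contains() test."""
    return [v for v in dvo if v["domain_name"] in distinct]


def validation_domains_fixed(dvo, distinct):
    """The filter proposed in the issue: strip '*.' before comparing."""
    return [v for v in dvo if strip_wildcard(v["domain_name"]) in distinct]


def record_key(v):
    """Identity of a DNS validation record: (name, type, value)."""
    return (v["resource_record_name"], v["resource_record_type"],
            v["resource_record_value"])


def route53_records(validation):
    """Records to create, deduplicated by (name, type, value). In the sample,
    the apex and '*.mydomain.com' share one CNAME; creating it once per
    domain would try to create the same Route 53 record twice."""
    unique = {}
    for v in validation:
        unique.setdefault(record_key(v), v)
    return list(unique.values())


def unvalidated_names(dvo, validation):
    """Check: certificate names whose validation record would not be
    created. ACM leaves the certificate in PENDING_VALIDATION until every
    name is covered, which is what wait_for_validation = true waits on."""
    covered = {record_key(v) for v in validation}
    return [v["domain_name"] for v in dvo if record_key(v) not in covered]


if __name__ == "__main__":
    distinct = distinct_domain_names(DOMAIN, SANS)
    for label, fn in (("original", validation_domains_original),
                      ("fixed", validation_domains_fixed)):
        chosen = fn(DOMAIN_VALIDATION_OPTIONS, distinct)
        print(label, "records:", len(route53_records(chosen)),
              "unvalidated:", unvalidated_names(DOMAIN_VALIDATION_OPTIONS, chosen))
```

With the original filter only the apex entry passes, and the three subdomain wildcards have no record at all (the `*.mydomain.com` entry happens to be covered by the apex record, which is also why the printed `validation_route53_record_fqdns` repeats the same FQDN four times). With the stripped comparison all five entries pass, and after deduplication four distinct records remain to be created.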

@mmiranda
Contributor

This is happening for me as well.
I just opened a PR with the changes proposed: #32

@antonbabenko
Member

Thanks @ElenaForester for opening this issue! I updated the example code to make sure that this is now working as expected.

#32 is merged and v2.5.0 of this module has been just released.

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 15, 2022