Validate certificate using new record

2
votes

I am trying to validate ACM certificate in terraform using method outlined here, basically it's a DNS validation using Route53 record. The problem is, as I understand, it needs already existing Route53 record so it can use records property of the resource. But in my case it's a new record being created, so if I try both alias and records properties at the same time, e.g.

resource aws_route53_record wildcard {
  zone_id = var.environment.route53_zone.zone_id
  name    = "*.${local.cname}."
  type    = "A"
  alias {
    name                   = aws_cloudfront_distribution.main.domain_name
    zone_id                = aws_cloudfront_distribution.main.hosted_zone_id
    evaluate_target_health = false
  }
  records = [aws_acm_certificate.wildcard[0].domain_validation_options.0.resource_record_value]
}

I am getting error "alias" conflicts with "records". Is there a way within the same script to create Route53 record and use the same for certificate validation?

2
amazon-web-servicesterraformamazon-route53terraform-provider-awsaws-certificate-manager

2 Answers

4
votes

You need to use the aws_acm_certificate_validation resource, and luckily that page has a great example for how to do this.

resource "aws_acm_certificate" "cert" {
  domain_name       = "example.com"
  validation_method = "DNS"
}

data "aws_route53_zone" "zone" {
  name         = "example.com."
  private_zone = false
}

resource "aws_route53_record" "cert_validation" {
  name    = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_name}"
  type    = "${aws_acm_certificate.cert.domain_validation_options.0.resource_record_type}"
  zone_id = "${data.aws_route53_zone.zone.zone_id}"
  records = ["${aws_acm_certificate.cert.domain_validation_options.0.resource_record_value}"]
  ttl     = 60
}

resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = "${aws_acm_certificate.cert.arn}"
  validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"]
}

resource "aws_lb_listener" "front_end" {
  # [...]
  certificate_arn = "${aws_acm_certificate_validation.cert.certificate_arn}"
}
0
votes

I realized that Route53 record used for certificate validation has nothing to do with Route53 records used for CloudFront distribution. Both have to be created, each serves its separate purpose.