@jorke
Created October 11, 2019 04:40
create acm cert with DNS validation
# Terraform 0.12+ is needed for the first-class expressions and the
# `for` expressions used in this configuration.
terraform {
required_version = ">= 0.12"
}
# default region required.
# Un-aliased provider used by every resource that does not set `provider`
# explicitly (the Route53 zone and records below).
provider "aws" {
region = "us-east-1"
}
# Aliased provider used for the ACM certificate and its validation.
# It currently points at the same region as the default provider, so the
# alias is redundant today; presumably it exists so the DNS resources can
# later move to another region while the certificate stays in us-east-1 — confirm.
provider "aws" {
alias = "useast"
region = "us-east-1"
}
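# Apex domain that the hosted zone is created for; the certificate names are
# built underneath it as <site>.<domain>. The default is a placeholder.
variable "domain" {
  type        = string
  description = "Apex domain of the Route53 hosted zone (e.g. example.com)."
  default     = "domain.duh"
}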
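# Host label for the certificate's primary name: <site>.<domain>.
variable "site" {
  type        = string
  description = "Label of the site under the domain; becomes the certificate's domain_name as <site>.<domain>."
  default     = "muppet"
}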
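# for creating a.site.domain.duh
# Each entry becomes one subject alternative name, <shard>.<site>.<domain>,
# and therefore one additional DNS validation record.
variable "domain_shards" {
  type        = list(string)
  description = "Labels prefixed to <site>.<domain> as subject alternative names on the certificate."
  default     = ["a"]
}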
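# Tags applied to both the hosted zone and the certificate.
variable "tags" {
  type        = map(string)
  description = "Tags applied to the Route53 zone and the ACM certificate."
  default = {
    Name = "mysite"
  }
}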
# create root domain entry
# The DNS validation records are written into this zone, so validation can
# only succeed once the zone's name servers are what the public internet
# resolves for var.domain (see the delegation note on the validation resource).
resource "aws_route53_zone" "site_zone" {
name = var.domain
tags = var.tags
}
# request the cert NOTE using DNS
# Requested through the aliased provider, i.e. in us-east-1; presumably for a
# consumer that requires a us-east-1 certificate — confirm with the caller.
resource "aws_acm_certificate" "cert" {
provider = aws.useast
# primary name: <site>.<domain>
domain_name = "${var.site}.${var.domain}"
# one SAN per shard: <shard>.<site>.<domain>. Every name on the certificate
# needs its own validation record; the records below are selected by position
# in domain_validation_options, so their count must match this list.
subject_alternative_names = [
for d in var.domain_shards :
"${d}.${var.site}.${var.domain}"
]
validation_method = "DNS"
tags = var.tags
lifecycle {
# issue the replacement before destroying the old certificate so references
# to the ARN are never left pointing at a deleted certificate mid-apply
create_before_destroy = true
//ignore_changes = ["subject_alternative_names"]
}
}
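# create the validation DNS entries in the above zone
#
# One record per name on the certificate (the primary domain_name plus every
# subject_alternative_name), keyed by that name. This replaces the two
# position-indexed records (`domain_validation_options[0]` / `[1]`), which only
# worked while var.domain_shards had exactly one entry: with more shards the
# extra names were never validated and the validation below sat until its
# timeout; with none the index was out of range.
#
# NOTE(review): the for_each keys are derived from the certificate's
# domain_validation_options. Confirm that your AWS provider version exposes
# the domain_name of each option at plan time; older provider releases
# reported the whole attribute as unknown until apply, in which case the
# certificate has to be created before this resource can be planned.
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }

  name    = each.value.name
  type    = each.value.type
  records = [each.value.record]
  zone_id = aws_route53_zone.site_zone.id
  ttl     = 60
  # Replaces an existing record with the same name and type instead of
  # failing. Needed when a re-issued certificate reuses the same validation
  # names, but it also means this config will silently take over records that
  # were created outside Terraform — keep only if that is intended.
  allow_overwrite = true
  # no depends_on needed: referencing aws_acm_certificate.cert above already
  # orders this resource after the certificate
}

# validate the cert - this checks for the DNS to be REAL WORLD
# if your domain is in another account, you can add the entries from aws_acm_certificate.cert.domain_validation_options
# or create a delegate NS entry in the other account to the zone above.
#
# this will timeout after about 45 mins..
resource "aws_acm_certificate_validation" "cert" {
  provider        = aws.useast
  certificate_arn = aws_acm_certificate.cert.arn
  # every validation record, however many names the certificate carries
  validation_record_fqdns = [for r in aws_route53_record.cert_validation : r.fqdn]
}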