terraform-aws-acm-request-certificate

• Bump minimum Terraform version form 0.13 to 0.14
• Revert changes in pre-release version 0.17
• Update tests
• Add ability to specify key_algorithm closes #69 by @joke in https://github.com/cloudposse/terraform-aws-acm-request-certificate/pull/74

what

• Allow management of ACM certs with SANs in multiple zones
• Add versions.tf to examples/complete

why

• This is useful for more complex certificates and validation of those certificates
• Workaround without this is to manage validation records outside of the module

resource "aws_route53_record" "default" {
  for_each = {
    for dvo in module.acm_certificate.domain_validation_options[0] : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  name    = each.value.name
  records = [each.value.record]
  type    = each.value.type
  zone_id = data.aws_route53_zone.default[local.domain_to_zone[each.key]].id
  ttl     = 300
}

references

• Closes https://github.com/cloudposse/terraform-aws-acm-request-certificate/issues/55
• Closes https://github.com/cloudposse/terraform-aws-acm-request-certificate/pull/60
• https://github.com/cloudposse/terraform-aws-route53-cluster-zone

🚀 Enhancements

what

This fixes what was mentioned in - https://github.com/cloudposse/terraform-aws-acm-request-certificate/pull/66

why

Adding a simple length check to where domains get update in an array fixes the mentioned issue.

  Error: no matching Route53Zone found
  
    with module.acm_request_certificate.data.aws_route53_zone.default["io"],
    on .terraform/modules/acm_request_certificate/main.tf line 38, in data "aws_route53_zone" "default":
    38: data "aws_route53_zone" "default" {

references

• https://github.com/cloudposse/terraform-aws-acm-request-certificate/pull/66

This is a pre-release due to https://github.com/cloudposse/terraform-aws-acm-request-certificate/issues/62

NOTE: This feature requires that the zone to use for validation is the immediate parent of the name in the SAN. See #62.

what

• Allow management of ACM certs with SANs in multiple zones
• Add versions.tf to examples/complete

why

• This is useful for more complex certificates and validation of those certificates
• Workaround without this is to manage validation records outside of the module

resource "aws_route53_record" "default" {
  for_each = {
    for dvo in module.acm_certificate.domain_validation_options[0] : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  name    = each.value.name
  records = [each.value.record]
  type    = each.value.type
  zone_id = data.aws_route53_zone.default[local.domain_to_zone[each.key]].id
  ttl     = 300
}

references

• Closes https://github.com/cloudposse/terraform-aws-acm-request-certificate/issues/55
• Closes https://github.com/cloudposse/terraform-aws-acm-request-certificate/pull/60
• https://github.com/cloudposse/terraform-aws-route53-cluster-zone

🚀 Enhancements

what

• Skip validation method, correct data source input

why

• Validation method is only applicable for public hosted zone acm certs
• Use correct private_zone input for route53 zone data source

references

• N/A

what and why

Change all references to git.io/build-harness into cloudposse.tools/build-harness, since git.io redirects will stop working on April 29th, 2022.

References

• DEV-143

🚀 Enhancements

what

• added acm_certificate_validation.certification_arn output

why

• to avoid alb module can't create listener because of not validated cert
• use this output as certification arn in alb module

references

• #58
• closes #58

what

• Add certificate_authority_arn
• Add validation id output
• Add verification of lowercase sans and domain names

why

• For private CAs

references

• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate
• Thanks to @razorsedge this PR closes https://github.com/cloudposse/terraform-aws-acm-request-certificate/pull/37
• Thanks to @alexjurkiewicz this PR closes https://github.com/cloudposse/terraform-aws-acm-request-certificate/pull/46

🤖 Automatic Updates

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

🚀 Enhancements

what

• Update context.tf.
• Update build-harness assets by running make github/init.
• Clean up unused providers.
• Drop Terraform support prior to 0.13.

why

• The latest version of context.tf (null-label:0.25.0), contains new labels. A module instantiating this module with version 0.25.0 of null-label and making use of new labels will not be able to use this module.
• Running make github/init updates build-harness assets, which includes GitHub Actions Workflows and related files.
• The latest distribution of context.tf (null-label:0.25.0) is not compatible with Terraform 0.12.* because it makes use of validation blocks.

references

• https://github.com/cloudposse/terraform-null-label/releases/tag/0.25.0
• closes #41

what

• Add zone_id

why

• Create an implicit link between zone creation and acm creation
• This gives the consumer the option to use domain name, zone name, or zone id to use the data source to retrieve the existing hosted zone

references

• Closes https://github.com/cloudposse/terraform-aws-acm-request-certificate/issues/24
• Previous PR https://github.com/cloudposse/terraform-aws-acm-request-certificate/pull/45
  • Did not see this PR unfortunately. It does not update the failing test so if this gets merged, I'll close the other PR.

what

• Add the option to DISABLE or ENABLE certificate_transparency_logging_preference parameter when creating the certificate

why

• Some cases you don't want to disclose certificate names, as also this may leak internal information when you use this module for internal domains ACM generation in a split horizon dns configuration.

references

🤖 Automatic Updates

what

This is an auto-generated PR that updates the README.md and docs

why

To have most recent changes of README.md and doc from origin templates

what

• Upgrade to support Terraform 0.14 and bring up to current Cloud Posse standard

why

• Support Terraform 0.14

what

there is no need to convert to a list anymore as its a set

why

fixes bug introduced by me :)

references

• issue from slack thread https://sweetops.slack.com/archives/CB6GHNLG0/p1609784495001600

what

• Upgrade to support Terraform 0.14 and bring up to current Cloud Posse standard

why

• Support Terraform 0.14
• Support AWS Provider >= 3.x

references

• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/version-3-upgrade#domain_validation_options-changed-from-list-to-set
• closes #26 #27

Previously, the domain_validation_options attribute was a list type and completely unknown until after an initial terraform apply. This generally required complicated configuration workarounds to properly create DNS validation records since referencing this attribute directly could produce errors similar to the below:

Error: Invalid for_each argument

  on main.tf line 16, in resource "aws_route53_record" "existing":
  16:   for_each = aws_acm_certificate.existing.domain_validation_options

The "for_each" value depends on resource attributes that cannot be determined
until apply, so Terraform cannot predict how many instances will be created.
To work around this, use the -target argument to first apply only the
resources that the for_each depends on.

The domain_validation_options attribute is now a set type and the resource will attempt to populate the information necessary during the planning phase to handle the above situation in most environments without workarounds. This change also prevents Terraform from showing unexpected differences if the API returns the results in varying order.

what

• Update to context.tf and other current standards

why

• Ensure compatibility with our other modules and components

what

• Fix dns validation processing

why

• Allow the DNS processing to work with wildcard certificates

what

• Updated the required provider versions to get this module working with the latest terraform 0.13 release

why

• Without this patch this module does not work with terraform 0.13.4

What

• Fixes a bug with an extra dot when using var.zone_name > var.domain_name

Why

• The appending of the dot breaks the search of the zone when referencing the name from an existing aws_route53_zone resource because the name property already contains the dot.