2

I am trying to validate an ACM certificate in Terraform using the method outlined here; basically, it is a DNS validation using a Route53 record. The problem is, as I understand it, that it needs an already existing Route53 record so it can use the records property of the resource. But in my case it is a new record being created, so if I try both the alias and records properties at the same time, e.g.

resource "aws_route53_record" "wildcard" {
  zone_id = var.environment.route53_zone.zone_id
  name    = "*.${local.cname}."
  type    = "A"

  # alias: serve traffic by pointing the wildcard name at the CloudFront distribution
  alias {
    name                   = aws_cloudfront_distribution.main.domain_name
    zone_id                = aws_cloudfront_distribution.main.hosted_zone_id
    evaluate_target_health = false
  }

  # records: meant to carry the ACM validation value, but alias and records are mutually exclusive
  records = [aws_acm_certificate.wildcard[0].domain_validation_options.0.resource_record_value]
}

I am getting the error "alias": conflicts with "records". Is there a way within the same script to create the Route53 record and use the same record for certificate validation?

Yuriy Galanter

2 Answers

4

You need to use the aws_acm_certificate_validation resource, and luckily that page has a great example for how to do this.

# Request the certificate; ACM hands back the CNAME it wants to see in DNS.
resource "aws_acm_certificate" "cert" {
  domain_name       = "example.com"
  validation_method = "DNS"
}

data "aws_route53_zone" "zone" {
  name         = "example.com."
  private_zone = false
}

# A dedicated record for validation only: name, type and value all come from ACM.
# Note: with AWS provider >= 3.0, domain_validation_options is a set, so the [0]
# index no longer works and the record must be built with for_each instead.
resource "aws_route53_record" "cert_validation" {
  name    = aws_acm_certificate.cert.domain_validation_options[0].resource_record_name
  type    = aws_acm_certificate.cert.domain_validation_options[0].resource_record_type
  zone_id = data.aws_route53_zone.zone.zone_id
  records = [aws_acm_certificate.cert.domain_validation_options[0].resource_record_value]
  ttl     = 60
}

# Blocks until ACM has observed the record and issued the certificate.
resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = [aws_route53_record.cert_validation.fqdn]
}

# Consumers reference the validation resource's ARN so they depend on issuance.
resource "aws_lb_listener" "front_end" {
  # [...]
  certificate_arn = aws_acm_certificate_validation.cert.certificate_arn
}
stefansundin
  • Yes, I am doing something similar. My problem is with `resource "aws_route53_record" `. This record is created for CloudFront distribution, so it uses `alias` property. Which conflicts with `records` property – Yuriy Galanter Jun 16 '20 at 00:58
0

I realized that the Route53 record used for certificate validation has nothing to do with the Route53 records used for the CloudFront distribution. Both have to be created; each serves its own separate purpose.

Yuriy Galanter
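Putting the two answers together, here is an added example (not code from the question, either answer, or the provider documentation) of the full wiring for the wildcard/CloudFront case: a validation CNAME that ACM dictates, a separate alias record that serves traffic, and a distribution that only references the certificate once it has been issued. It assumes AWS provider 3.0 or later (where domain_validation_options is a set and its domain_name keys are known at plan time), and the names var.domain, var.zone_id, the origin hostname and the resource labels are all assumptions for illustration.

```hcl
# Everything here runs in us-east-1: Route 53 and CloudFront are global, and
# CloudFront only accepts ACM certificates issued in us-east-1.
provider "aws" { region = "us-east-1" }

variable "domain" { type = string }  # assumed: apex domain, e.g. example.com
variable "zone_id" { type = string } # assumed: Route 53 hosted zone ID for it

# 1. Wildcard certificate, DNS-validated (apex added as a SAN).
resource "aws_acm_certificate" "wildcard" {
  domain_name               = "*.${var.domain}"
  subject_alternative_names = [var.domain]
  validation_method         = "DNS"

  lifecycle { create_before_destroy = true }
}

# 2. Validation records: plain CNAMEs whose name/type/value ACM dictates. They
#    are separate from the alias record that serves traffic. Key the map by
#    domain_name (known at plan time), not by resource_record_name (computed).
#    ACM returns the same CNAME for apex and wildcard, so allow_overwrite lets
#    both entries manage that one record without a conflict.
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.wildcard.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }

  zone_id         = var.zone_id
  name            = each.value.name
  type            = each.value.type
  records         = [each.value.record]
  ttl             = 60
  allow_overwrite = true
}

# 3. Wait until ACM has observed the DNS records and issued the certificate.
resource "aws_acm_certificate_validation" "wildcard" {
  certificate_arn         = aws_acm_certificate.wildcard.arn
  validation_record_fqdns = [for r in aws_route53_record.cert_validation : r.fqdn]
}

# 4. The distribution takes the ARN from the validation resource, so it is
#    never created with a certificate that is still PENDING_VALIDATION.
resource "aws_cloudfront_distribution" "main" {
  enabled = true
  aliases = ["*.${var.domain}"]

  origin {
    domain_name = "origin.${var.domain}" # assumed origin hostname
    origin_id   = "primary"
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id       = "primary"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    forwarded_values {
      query_string = false
      cookies { forward = "none" }
    }
  }

  restrictions {
    geo_restriction { restriction_type = "none" }
  }

  viewer_certificate {
    acm_certificate_arn      = aws_acm_certificate_validation.wildcard.certificate_arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }
}

# 5. The serving record: an alias to the distribution. There is no "records"
#    attribute here, which is exactly why it cannot double as the validation record.
resource "aws_route53_record" "wildcard" {
  zone_id = var.zone_id
  name    = "*.${var.domain}"
  type    = "A"

  alias {
    name                   = aws_cloudfront_distribution.main.domain_name
    zone_id                = aws_cloudfront_distribution.main.hosted_zone_id
    evaluate_target_health = false
  }
}
```

The dependency chain matters for security as much as for correctness: the distribution references aws_acm_certificate_validation rather than aws_acm_certificate, so a single terraform apply cannot leave CloudFront pointing at an unissued certificate, and the validation CNAME stays in place afterwards so ACM can renew the certificate automatically.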