
I am using https://github.com/cloudposse/terraform-aws-acm-request-certificate to generate certificates using Terraform and AWS.

I want to run this module on several domains: "example.com", "cdn.example.com", ...

I don't want to use subject_alternative_names for cdn.example.com because it will appear in the subject field inside the certificate, and when anyone opens the certificate I don't want them to see the cdn domain.

For cdn.example.com I want a new certificate.

So I try to run terraform apply with my code below, but I am getting errors:

Error: no matching Route53Zone found

on .terraform\modules\acm_request_certificate_example\main.tf line 19, in data "aws_route53_zone" "default": 19: data "aws_route53_zone" "default" {

Error: no matching Route53Zone found

on .terraform\modules\acm_request_certificate_cdn_example\main.tf line 19, in data "aws_route53_zone" "default": 19: data "aws_route53_zone" "default" {

Can't I run more than one module? How do I solve it anyway?

main.tf

terraform {
  required_version = "~> 0.12.0"
}

provider "aws" {
  version = "~> 2.12.0"
  region  = "us-east-1"
}

module "acm_request_certificate_example" {
  source                            = "git::https://github.com/cloudposse/terraform-aws-acm-request-certificate.git?ref=master"
  domain_name                       = "example.com"
  process_domain_validation_options = true
  ttl                               = "300"
}

module "acm_request_certificate_cdn_example" {
  source                            = "git::https://github.com/cloudposse/terraform-aws-acm-request-certificate.git?ref=master"
  domain_name                       = "cdn.example.com"
  process_domain_validation_options = true
  ttl                               = "300"
}

I only have example.com in the hosted zone.

Jon Sud
  • Do you have corresponding hosted zones in route53 for these domains? – Marcin Sep 20 '20 at 04:41
  • The error is because terraform can't find a hosted zone titled `otherexample.com` (or whatever you are passing). Can you go to your Route53 and check the name of the hosted zone? – Marcin Sep 20 '20 at 04:50
  • I edited my question. See the difference now please. – Jon Sud Sep 20 '20 at 05:08
  • You can try with `process_domain_validation_options = false`, but then you have to manually validate the domains for the SSL cert to be issued. – Marcin Sep 20 '20 at 05:15
  • Yes, this works. But as you say, I have to manually validate the domains for the SSL cert to be issued. If you have any idea how to make it work without me setting `process_domain_validation_options`, it will help a lot. Thanks :) – Jon Sud Sep 20 '20 at 05:50
  • Glad to hear. If you don't mind I will provide an answer based on our discussion. – Marcin Sep 20 '20 at 05:51
  • Yes Sure. Thanks :) – Jon Sud Sep 20 '20 at 05:51

1 Answer

Based on the comments.

The issue was caused by using process_domain_validation_options = true. This checks if the hosted zone exists in Route53 prior to requesting a certificate. This is done to enable automated validation of the SSL certificate to be issued.

Since in the OP's case SSL certificates are requested for domains without corresponding zones, terraform was erroring out.

The solution was to use process_domain_validation_options = false, but this requires a manual validation procedure for the SSL certificate to be issued. Automation of this procedure must be done through a custom solution. In very broad terms, such a solution could involve creating the required record for the validation using aws_route53_record, a lambda function, or a local-exec provisioner to create the needed records.

Marcin
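As an added example (not part of the answer above, and not the cloudposse module's own code), this is one way to automate the DNS validation the answer sketches: request the cdn.example.com certificate with the AWS provider's aws_acm_certificate resource directly, and place the validation CNAME in the existing example.com hosted zone, which is the zone the module could not find for cdn.example.com. It assumes the page's pinned versions (Terraform 0.12 and AWS provider 2.x, where domain_validation_options is a list) and that the public zone "example.com" already exists in Route53.

```hcl
# Added example: issue a separate certificate for cdn.example.com and
# validate it through the parent zone. Assumes Terraform 0.12, AWS
# provider 2.x (domain_validation_options is a list) and an existing
# public hosted zone named example.com.

data "aws_route53_zone" "parent" {
  name         = "example.com."
  private_zone = false
}

# A dedicated certificate, so cdn.example.com is not exposed as a SAN
# on the example.com certificate.
resource "aws_acm_certificate" "cdn" {
  domain_name       = "cdn.example.com"
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# The validation CNAME for cdn.example.com is created inside the
# example.com zone; no zone named cdn.example.com is required.
resource "aws_route53_record" "cdn_validation" {
  zone_id = data.aws_route53_zone.parent.zone_id
  name    = aws_acm_certificate.cdn.domain_validation_options[0].resource_record_name
  type    = aws_acm_certificate.cdn.domain_validation_options[0].resource_record_type
  records = [aws_acm_certificate.cdn.domain_validation_options[0].resource_record_value]
  ttl     = 300
}

# Waits until ACM has issued the certificate. Consumers (CloudFront, ALB)
# should reference this resource's certificate_arn so they depend on
# successful issuance rather than on the pending request.
resource "aws_acm_certificate_validation" "cdn" {
  certificate_arn         = aws_acm_certificate.cdn.arn
  validation_record_fqdns = [aws_route53_record.cdn_validation.fqdn]
}
```

With AWS provider 3.x, domain_validation_options becomes a set and the record resource has to iterate over it with for_each instead of indexing element 0.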