I'm trying to use an existing ACM cert in my terraform and I'm having issues accessing the domain_validation_options. I'm newish to TF so maybe it has something to do with data vs resource that I don't fully understand?

My impression was that data "aws_acm_certificate" "my_app" would grab the existing cert (created outside TF) for "*.foobar.com" and provide the resource's data to be available in the module, but apparently I'm missing something.

```hcl
data "aws_acm_certificate" "my_app" {
  domain   = "*.foobar.com"
  statuses = ["ISSUED"]
}

# ...

resource "aws_route53_record" "cert_validation" {
  allow_overwrite = true
  name            = tolist(data.aws_acm_certificate.my_app.domain_validation_options)[0].resource_record_name
  records         = [tolist(data.aws_acm_certificate.my_app.domain_validation_options)[0].resource_record_value]
  type            = tolist(data.aws_acm_certificate.my_app.domain_validation_options)[0].resource_record_type
  zone_id         = aws_route53_zone.public.id
  ttl             = 60
}
```

In app.terraform.io this leads to the error:

```
Error: Unsupported attribute
on modules/dns_and_ssl/main.tf line 37, in resource "aws_route53_record" "cert_validation":
  name            = tolist(data.aws_acm_certificate.my_app.domain_validation_options)[0].resource_record_name
This object has no argument, nested block, or exported attribute named "domain_validation_options".
```

BWStearns
  • The data source simply does not have such an attribute: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/acm_certificate. – Marko E Nov 25 '22 at 21:24
  • Ah, thanks @MarkoE. Do you have any suggestion on how to achieve the larger goal of "use the cert to make the `aws_route53_record` with the existing cert" or is this somehow not feasible? – BWStearns Nov 25 '22 at 21:31
  • Not sure, I haven't really worked on something like that. Maybe there's something for AWS CLI but probably there is not. This is an AWS issued public cert we are talking about? – Marko E Nov 25 '22 at 21:38
  • It's an AWS ACM certificate. We have the domain hosted elsewhere so at some point I need to point to something outside terraform since afaik TF doesn't have a GoDaddy provider. – BWStearns Nov 25 '22 at 22:34
  • What is the actual problem you are trying to solve here? You are querying for an AWS ACM certificate that is already in the `ISSUED` state. So the certificate has already been validated. Why do you need the domain validation values again, after the certificate has already been validated? Your comments about "use the cert to make the aws_route53_record with the existing cert" and "We have the domain hosted elsewhere so at some point I need to point to something outside terraform" make absolutely no sense. What **specific** thing are you trying to do with this ACM Cert? – Mark B Nov 27 '22 at 15:06

1 Answer

You can use External Data Source to fetch any data that is not supported natively by TF. For that you would have to develop some script that would actually fetch data that you are after and return it to TF for further use.

Marcin
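
One way to write the script the answer describes, as an added example that is not part of the original answer: a program for the `external` data source that reads the JSON query from stdin, looks up the certificate's validation record, and prints a flat map of strings. It assumes boto3 with working AWS credentials and a hypothetical query key `certificate_arn`; `SAMPLE` is a constructed response with placeholder values.

```python
# Program for Terraform's "external" data source: JSON query on stdin,
# flat JSON object of strings on stdout, non-zero exit plus stderr on failure.
import json
import re
import sys

# Accept only ACM certificate ARNs so the query cannot steer the lookup elsewhere.
ARN_RE = re.compile(r"^arn:aws[a-z-]*:acm:[a-z0-9-]+:\d{12}:certificate/[0-9a-f-]{36}$")

# Constructed DescribeCertificate response (placeholder values) for offline checks.
SAMPLE = {"Certificate": {"DomainValidationOptions": [{
    "DomainName": "*.foobar.com", "ValidationMethod": "DNS",
    "ResourceRecord": {"Name": "_example.foobar.com.", "Type": "CNAME",
                       "Value": "_example.acm-validations.aws."}}]}}

def parse_query(raw):
    """Return the validated certificate ARN from the query Terraform sends."""
    query = json.loads(raw)
    arn = query.get("certificate_arn") if isinstance(query, dict) else None
    if not isinstance(arn, str) or not ARN_RE.match(arn):
        raise ValueError("query.certificate_arn is not an ACM certificate ARN")
    return arn

def flatten(response):
    """Flatten the first DNS validation record; results must be string-only."""
    for opt in response["Certificate"].get("DomainValidationOptions", []):
        record = opt.get("ResourceRecord")  # absent for email validation
        if record:
            return {"domain_name": opt["DomainName"],
                    "resource_record_name": record["Name"],
                    "resource_record_type": record["Type"],
                    "resource_record_value": record["Value"]}
    raise LookupError("certificate has no DNS validation record")

def main():
    try:
        arn = parse_query(sys.stdin.read())
        import boto3  # imported late so the helpers run without AWS access
        response = boto3.client("acm").describe_certificate(CertificateArn=arn)
        json.dump(flatten(response), sys.stdout)
        return 0
    except Exception as exc:  # Terraform surfaces stderr as the error text
        print(f"ACM validation lookup failed: {exc}", file=sys.stderr)
        return 1

if __name__ == "__main__":
    sys.exit(main())
```

In Terraform this would be wired up as a `data "external"` block whose `program` runs the script and whose `query` passes `data.aws_acm_certificate.my_app.arn`; the values are then read from that block's `result` map. The `external` data source executes the program on every plan with the runner's credentials, so keep the script in the module's repository and under review.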