
I'm trying to create and validate an AWS ACM certificate with Terraform. This is my config:

```hcl
// not used in this config, but it does exist
resource "aws_route53_zone" "main" {
  name = "mycompany.com"
}

resource "aws_route53_zone" "dev" {
  name = "dev.mycompany.com"
}

resource "aws_acm_certificate" "cert" {
  domain_name       = "*.dev.mycompany.com"
  validation_method = "DNS"
  key_algorithm     = "RSA_2048"
}

resource "aws_route53_record" "records" {
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }
  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 300
  type            = each.value.type
  zone_id         = aws_route53_zone.dev.zone_id
}

resource "aws_acm_certificate_validation" "validation" {
  certificate_arn = aws_acm_certificate.cert.arn
  validation_record_fqdns = [for record in aws_route53_record.records : record.fqdn]
}
```

But aws_acm_certificate_validation creation takes forever:

aws_acm_certificate_validation.validation: Still creating... [5m30s elapsed]

It never ends.

If I stop the execution with Control + C, I get this:

waiting for ACM Certificate ({arn here}) to be issued: context canceled

What is wrong in my configuration?

Héctor
  • Do you have `aws_route53_zone.my_zone` defined somewhere in your code? – Marko E Jul 19 '23 at 09:23
  • Yes, I do, but I didn't include it in the example. – Héctor Jul 19 '23 at 09:24
  • I have included zones info. I found it important to include that I have those two zones. – Héctor Jul 19 '23 at 09:36
  • Can you try using `domain_name = "*.${aws_route53_zone.dev.name}"` in the ACM certificate resource? – Marko E Jul 19 '23 at 09:47
  • I just tried. Same happens. – Héctor Jul 19 '23 at 10:05
  • What about leaving the `domain_name = aws_route53_zone.dev.name` and then using `subject_alternative_names = ["*.${aws_route53_zone.dev.name}"]`? – Marko E Jul 19 '23 at 10:08
  • Same happens... – Héctor Jul 19 '23 at 10:28
  • Do you have a domain registered for your company at all in Route53? – Marko E Jul 19 '23 at 10:29
  • Yes, of course. – Héctor Jul 19 '23 at 10:30
  • You should use some sort of DNS lookup tool to verify that the DNS records being created by Terraform for the ACM validation are actually resolvable on the Internet. If not, then you have something wrong with your DNS configuration outside of Terraform. – Mark B Jul 19 '23 at 13:02
  • Last time I checked ACM did not support wildcards, you need to specify each subdomain and domain as alternative names and validate each. Check https://renehernandez.io/snippets/terraform-and-aws-wildcard-certificates-validation/ – victor m Jul 19 '23 at 14:10
  • @victorm As Marko suggested, I tried also with alternative names and it didn't work either. – Héctor Jul 19 '23 at 16:17
  • change the domain name to "dev.mycompany.com" and add "*.dev.mycompany.com" to the alternative names. – victor m Jul 20 '23 at 01:40
  • I already did that. It doesn't work. Is it possible for the validation to take more than 30 minutes? – Héctor Jul 20 '23 at 07:05
  • It should not take 30 minutes. Have you checked CloudTrail to see if a permission is causing the problem? – victor m Jul 20 '23 at 14:08

2 Answers


It could be the DNS propagation delay that's getting you. It might take up to 72 hours.

Also, did you try creating via Console? Does it work?


Solved. Problem was due to a hosted zone misconfiguration (I changed NS records manually and they didn't match the SOA record). Nothing related to the certificate itself; code in the question is perfectly valid.

Héctor
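The root cause in the accepted answer (hand-edited NS records that no longer matched the zone's SOA, so the delegation for `dev.mycompany.com` was inconsistent) and Mark B's suggestion to confirm with a DNS lookup tool that the ACM validation CNAME actually resolves are both things you can check before `terraform apply` ever reaches `aws_acm_certificate_validation`. The script below is an added example, not code from the question, the answers, or the Terraform AWS provider. It parses `dig +noall +answer +authority` output (the `dig` invocation is an assumption about your tooling; `DIG_SAMPLE` and the hostnames in it are constructed for illustration) and reports three kinds of finding: the parent zone's delegation NS set differs from the child zone's own NS set, the SOA MNAME is not one of the child's NS hosts, or the validation CNAME is missing or carries the wrong target.

```python
"""Pre-flight DNS checks for ACM DNS validation of a Route 53 hosted zone.

Added example (not from the question or answers). Live lookups assume `dig`
is on PATH; the pure functions work on captured dig output and are the part
worth running in a test.
"""
import subprocess
import sys
from typing import Iterable, List, Set

# Constructed sample of `dig +noall +answer +authority dev.mycompany.com NS`
# output; hostnames are illustrative, not real Route 53 name servers.
DIG_SAMPLE = (
    "dev.mycompany.com.\t172800\tIN\tNS\tns-1.awsdns-01.org.\n"
    "dev.mycompany.com.\t172800\tIN\tNS\tns-2.awsdns-02.com.\n"
)


def parse_dig(output: str, rtype: str) -> List[str]:
    """Return rdata strings of records of type `rtype` from dig's tabular output.

    Each data line looks like: name  ttl  IN  TYPE  rdata...
    Comment lines (';') and blank lines are skipped.
    """
    records = []
    for line in output.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] == rtype:
            records.append(" ".join(parts[4:]))
    return records


def normalize(names: Iterable[str]) -> Set[str]:
    """Lower-case and strip the trailing dot so NS names compare reliably."""
    return {n.strip().lower().rstrip(".") for n in names if n.strip()}


def check_delegation(parent_ns: Iterable[str], zone_ns: Iterable[str],
                     soa_mname: str) -> List[str]:
    """Compare the parent's delegation with the child zone's own NS/SOA.

    Returns a list of findings; an empty list means the delegation is consistent.
    """
    findings = []
    parent, zone = normalize(parent_ns), normalize(zone_ns)
    if not parent:
        findings.append("parent zone publishes no NS delegation for the child name")
    if parent != zone:
        findings.append(
            f"delegation mismatch: parent-only={sorted(parent - zone)} "
            f"zone-only={sorted(zone - parent)}"
        )
    mname = soa_mname.strip().lower().rstrip(".")
    if mname and mname not in zone:
        findings.append(f"SOA MNAME {mname} is not one of the zone's NS hosts")
    return findings


def check_validation_record(fqdn: str, expected: str,
                            observed: Iterable[str]) -> List[str]:
    """Check that a resolver returns the CNAME target ACM asked for."""
    want = expected.strip().lower().rstrip(".")
    got = normalize(observed)
    if not got:
        return [f"{fqdn}: no CNAME answer (not propagated, or created in the wrong zone)"]
    if want not in got:
        return [f"{fqdn}: resolver returned {sorted(got)}, expected {want}"]
    return []


def dig(name: str, rtype: str, server: str) -> List[str]:
    """Live lookup with dig; returns rdata strings (empty on NXDOMAIN/timeout)."""
    cmd = ["dig", "+noall", "+answer", "+authority", "+time=3", "+tries=1",
           f"@{server}", name, rtype]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return parse_dig(out, rtype)


def live_check(child: str, parent: str, val_fqdn: str, val_target: str,
               resolver: str = "1.1.1.1") -> List[str]:
    """Run all checks against the public DNS tree (assumes dig is installed)."""
    parent_auth = dig(parent, "NS", resolver)
    if not parent_auth:
        return [f"cannot find NS for parent zone {parent}"]
    # Ask one of the parent's authoritative servers what it delegates for the child;
    # the referral arrives in the AUTHORITY section, which parse_dig also reads.
    parent_ns = dig(child, "NS", parent_auth[0].rstrip("."))
    zone_ns = dig(child, "NS", resolver)
    soa = dig(child, "SOA", resolver)
    mname = soa[0].split()[0] if soa else ""
    findings = check_delegation(parent_ns, zone_ns, mname)
    findings += check_validation_record(val_fqdn, val_target,
                                        dig(val_fqdn, "CNAME", resolver))
    return findings


if __name__ == "__main__":
    # usage: script.py dev.mycompany.com mycompany.com <validation fqdn> <cname target>
    if len(sys.argv) != 5:
        sys.exit("usage: child-zone parent-zone validation-fqdn cname-target")
    for f in live_check(*sys.argv[1:]) or ["OK: delegation and validation record consistent"]:
        print(f)
```

The validation FQDN and CNAME target come straight from `aws_acm_certificate.cert.domain_validation_options` (`terraform state show` or an `output` block); if `check_delegation` reports a mismatch, fix the NS records at the parent or in the hosted zone first, because ACM resolves through the public delegation and will wait indefinitely on a zone it cannot reach.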