Terraform module to help with ACM.
Latest commit 9c7cc7e6ed by Christophe van de Kerchove, 8 months ago: feat: Allow for route53 and ACM to use different providers


AWS Certificate Manager (ACM) Terraform module

Terraform module which creates ACM certificates and validates them using Route53 DNS (recommended) or e-mail.

Terraform versions

Terraform 0.12. Pin module version to ~> v2.0. Submit pull-requests to master branch.

Terraform 0.11. Pin module version to ~> v1.0. Submit pull-requests to terraform011 branch.

module "acm" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> v2.0"

  domain_name  = "my-domain.com"
  zone_id      = "Z2ES7B9AZ6SHAE"

  subject_alternative_names = [
    "*.my-domain.com",
    "app.sub.my-domain.com",
  ]

  tags = {
    Name = "my-domain.com"
  }
}

Examples

Conditional creation and validation

Sometimes you need a way to create an ACM certificate conditionally, but Terraform does not allow count inside a module block, so the solution is to set the create_certificate argument.

module "acm" {
  source = "terraform-aws-modules/acm/aws"

  create_certificate = false
  # ... omitted
}

Similarly, to disable DNS validation of the ACM certificate:

module "acm" {
  source = "terraform-aws-modules/acm/aws"

  validate_certificate = false
  # ... omitted
}

Notes

  • For use in an automated pipeline, consider setting wait_for_validation = false to avoid blocking on validation, which otherwise fails after a 45 minute timeout.
  • domain_name cannot be a wildcard, but subject_alternative_names can include wildcards.
  • This module allows the use of multiple providers. This makes the module usable in an AWS multi-account environment, with the caveat that its user must explicitly declare the providers to use.
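
The following is an added example, not code from the module's README, showing how the two provider aliases listed under Providers (aws.acm and aws.dns) are mapped to separate AWS accounts: the certificate is issued in one account while the Route53 zone used for validation lives in another. The provider aliases, account IDs, role names and domain are constructed placeholders.

```hcl
# Added example (not part of the module). Account IDs, role ARNs, domain and
# provider alias names are constructed placeholders.

# Account that will own the ACM certificate.
provider "aws" {
  alias  = "cert_account"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/terraform-acm" # placeholder
  }
}

# Account that owns the Route53 hosted zone used for DNS validation.
provider "aws" {
  alias  = "dns_account"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/terraform-route53" # placeholder
  }
}

# Look up the zone with the DNS-account provider so the validation
# records are written to the zone that actually serves the domain.
data "aws_route53_zone" "this" {
  provider     = aws.dns_account
  name         = "example.com."
  private_zone = false
}

module "acm" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> v2.0"

  # Explicit provider mapping is required by this module (see Notes).
  providers = {
    aws.acm = aws.cert_account
    aws.dns = aws.dns_account
  }

  domain_name               = "example.com"
  zone_id                   = data.aws_route53_zone.this.zone_id
  subject_alternative_names = ["*.example.com"]

  # Do not block a pipeline run on validation; check status out of band.
  wait_for_validation = false

  tags = {
    Name = "example.com"
  }
}
```

The aliases named in the providers block must match the module's own alias names (aws.acm, aws.dns); the values on the right are the caller's aliases.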

Requirements

| Name      | Version   |
|-----------|-----------|
| terraform | >= 0.12   |
| aws       | >= 2.24.0 |

Providers

| Name    | Version   |
|---------|-----------|
| aws.acm | >= 2.24.0 |
| aws.dns | >= 2.24.0 |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| create_certificate | Whether to create ACM certificate | bool | true | no |
| domain_name | A domain name for which the certificate should be issued | string | "" | no |
| subject_alternative_names | A list of domains that should be SANs in the issued certificate | list(string) | [] | no |
| tags | A mapping of tags to assign to the resource | map(string) | {} | no |
| validate_certificate | Whether to validate certificate by creating Route53 record | bool | true | no |
| validation_allow_overwrite_records | Whether to allow overwrite of Route53 records | bool | true | no |
| validation_method | Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into Terraform. | string | "DNS" | no |
| wait_for_validation | Whether to wait for the validation to complete | bool | true | no |
| zone_id | The ID of the hosted zone to contain this record. | string | "" | no |

Outputs

| Name | Description |
|------|-------------|
| distinct_domain_names | List of distinct domain names used for the validation. |
| this_acm_certificate_arn | The ARN of the certificate |
| this_acm_certificate_domain_validation_options | A list of attributes to feed into other resources to complete certificate validation. Can have more than one element, e.g. if SANs are defined. Only set if DNS-validation was used. |
| this_acm_certificate_validation_emails | A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used. |
| validation_domains | List of distinct domain validation options. This is useful if subject alternative names contain wildcards. |
| validation_route53_record_fqdns | List of FQDNs built using the zone domain and name. |

Authors

Module managed by Anton Babenko.

License

Apache 2 Licensed. See LICENSE for full details.