feat!: acm certificate validation

BREAKING CHANGE: The `acm` sub-module creates single ACM certificate henceforth.

Author: saumitra-dev

examples/complete/README.md

@@ -5,7 +5,7 @@ Configuration in this directory creates:
 
 - ECS Service in a pre-configured ECS Cluster and corresponding ECS Capacity Providers
 - Internet-facing Application Load Balancer to access the deployed services, and
-- ACM to generate an Amazon-issued certificate for a base domain, and then create a Route53 A-type record with an endpoint
+- ACM to generate an Amazon-issued certificate for a base domain, set up Route53 Records for Certificate validation, and then create a Route53 A-type record with an endpoint
 
 ## Usage
 

examples/complete/main.tf

@@ -84,10 +84,11 @@ module "ecs_deployment" {
 
   # Amazon Certificates Manager
   create_acm = true
-  acm_amazon_issued_certificates = {
+  acm_certificates = {
     base_domain = {
-      domain_name       = var.base_domain
+      domain_name       = var.domain_name
       validation_method = local.acm_validation_method
+      record_zone_id    = data.aws_route53_zone.base_domain.zone_id
     }
   }
 
@@ -132,24 +133,7 @@ module "ecs_deployment" {
 ################################################################################
 
 data "aws_route53_zone" "base_domain" {
-  name = var.base_domain
-}
-
-resource "aws_route53_record" "endpoint" {
-  zone_id = data.aws_route53_zone.base_domain.zone_id
-  name    = var.endpoint
-  type    = "A"
-
-  alias {
-    name                   = module.ecs_deployment.alb_dns_name
-    zone_id                = module.ecs_deployment.alb_zone_id
-    evaluate_target_health = true
-  }
-}
-
-resource "aws_acm_certificate_validation" "base_domain_certificate" {
-  certificate_arn         = module.ecs_deployment.amazon_issued_acm_certificates_arns["base_domain"]
-  validation_record_fqdns = [aws_route53_record.endpoint.fqdn]
+  name = var.domain_name
 }
 
 ################################################################################

examples/complete/outputs.tf

@@ -66,7 +66,7 @@ output "listener_arn" {
 
 output "acm_amazon_issued_certificate_arn" {
   description = "ARN of the ACM Amazon-issued certificate for the base domain"
-  value       = module.ecs_deployment.amazon_issued_acm_certificates_arns["base_domain"]
+  value       = module.ecs_deployment.acm_certificates_arns["base_domain"]
 }
 
 ################################################################################

examples/complete/variables.tf

@@ -118,12 +118,7 @@ variable "security_group_alb" {
   type        = string
 }
 
-variable "base_domain" {
-  description = "Base domain name for ACM"
-  type        = string
-}
-
-variable "endpoint" {
-  description = "DNS endpoint for the application"
+variable "domain_name" {
+  description = "Domain name for ACM"
   type        = string
 }

main.tf

@@ -1,7 +1,4 @@
 locals {
-  # ACM
-  acm_certificates_arns = var.create_acm ? module.acm[0].amazon_issued_acm_certificates_arns : {}
-
   # ALB
   alb_target_groups = {
     for k, v in try(var.load_balancer.target_groups, {}) :
@@ -17,10 +14,10 @@ locals {
     k => merge(
       {
         certificate_arn = lookup(
-          local.acm_certificates_arns,
+          var.acm_certificates,
           try(v.certificate, null) != null ? try(v.certificate, "") : "",
           null
-        ) != null ? local.acm_certificates_arns[try(v.certificate, null)] : try(v.certificate_arn, null)
+        ) != null ? module.acm[try(v.certificate, null)].acm_certificate_arn : try(v.certificate_arn, null)
       },
       v
     )
@@ -259,6 +256,8 @@ module "alb" {
   listener_rules = try(var.load_balancer.listener_rules, {})
 
   tags = try(var.load_balancer.tags, {})
+
+  depends_on = [module.acm]
 }
 
 ################################################################################
@@ -268,7 +267,16 @@ module "alb" {
 module "acm" {
   source = "./modules/acm"
 
-  count = var.create_acm ? 1 : 0
+  for_each = var.create_acm ? var.acm_certificates : {}
+
+  certificate_domain_name               = each.value.domain_name
+  certificate_subject_alternative_names = try(each.value.subject_alternative_names, null)
+  certificate_validation_method         = try(each.value.validation_method, null)
+  certificate_key_algorithm             = try(each.value.key_algorithm, null)
+  certificate_validation_option         = try(each.value.validation_option, null)
+
+  record_zone_id         = try(each.value.record_zone_id, null)
+  record_allow_overwrite = try(each.value.record_allow_overwrite, null)
 
-  amazon_issued_certificates = try(var.acm_amazon_issued_certificates, {})
+  tags = try(each.value.tags, {})
 }

modules/acm/.header.md

@@ -1,12 +1,17 @@
 # acm
 
-This sub-module creates the Amazon-issued certificates for given domains with `validation_option` configuration.
+This sub-module creates the Amazon-issued certificate for a given domain with `validation_option` configuration.
 
 ## Presets
 
+### ACM Certificate
+
 - The `validation_method` is set to `DNS` as the recommended method, and can be overridden to use `EMAIL` method if required.
 
+### Route53 Record
+
+- The `allow_override` is set to `true` as the default option, and can be overridden to `false` if required.
+
 ## Notes
 
-- ACM certificates are created before destroying existing ones (to update the configuration), which is the recommended practice.
-- The sub-module outputs the corresponding validation records for every Amazon-issued ACM certificate created. This can be further used to complete the validation by creating the Route53 DNS records.
+- ACM certificate is created before destroying the existing one (to update the configuration), which is the recommended practice.

modules/acm/main.tf

@@ -1,27 +1,57 @@
+locals {
+  acm_certificate_validation_records = [
+    for record in aws_acm_certificate.this.domain_validation_options :
+    {
+      name   = record.resource_record_name
+      type   = record.resource_record_type
+      value  = record.resource_record_value
+      domain = record.domain_name
+    }
+  ]
+}
+
 ################################################################################
-# ACM Amazon issued certificates
+# ACM Certificate
 ################################################################################
 
-resource "aws_acm_certificate" "amazon_issued" {
-  for_each = var.amazon_issued_certificates
-
-  domain_name               = try(each.value.domain_name, null)
-  subject_alternative_names = try(each.value.subject_alternative_names, null)
-  validation_method         = try(each.value.validation_method, null)
-  key_algorithm             = try(each.value.key_algorithm, null)
+resource "aws_acm_certificate" "this" {
+  domain_name               = var.certificate_domain_name
+  subject_alternative_names = try(var.certificate_subject_alternative_names, null)
+  validation_method         = try(var.certificate_validation_method, null)
+  key_algorithm             = try(var.certificate_key_algorithm, null)
 
   dynamic "validation_option" {
-    for_each = try(each.value.validation_option, null) != null ? [1] : []
+    for_each = try(var.certificate_validation_option, null) != null ? [1] : []
 
     content {
-      domain_name       = each.value.validation_option.domain_name
-      validation_domain = each.value.validation_option.validation_domain
+      domain_name       = var.certificate_validation_option.domain_name
+      validation_domain = var.certificate_validation_option.validation_domain
     }
   }
 
   lifecycle {
     create_before_destroy = true
   }
 
-  tags = merge(var.tags, each.value.tags)
+  tags = var.tags
+}
+
+################################################################################
+# ACM Validation
+################################################################################
+
+resource "aws_route53_record" "this" {
+  for_each = local.acm_certificate_validation_records
+
+  zone_id         = var.record_zone_id
+  name            = each.value.name
+  type            = each.value.type
+  records         = [each.value.value]
+  ttl             = 60
+  allow_overwrite = var.record_allow_overwrite
+}
+
+resource "aws_acm_certificate_validation" "this" {
+  certificate_arn         = aws_acm_certificate.this.arn
+  validation_record_fqdns = [for route53_record in aws_route53_record.this : route53_record.fqdn]
 }

modules/acm/outputs.tf

@@ -1,24 +1,31 @@
 ################################################################################
-# ACM Amazon issued certificates
+# ACM Certificate
 ################################################################################
 
-output "amazon_issued_acm_certificates_arns" {
-  description = "ARNs of the Amazon issued ACM certificates."
-  value       = { for k, v in aws_acm_certificate.amazon_issued : k => v.arn }
+output "acm_certificate_id" {
+  description = "ARN of the ACM certificate."
+  value       = aws_acm_certificate.this.id
 }
 
-output "amazon_issued_acm_certificates_validation_records" {
-  description = "Validation Records of the Amazon issued ACM certificates."
-  value = {
-    for k, v in aws_acm_certificate.amazon_issued :
-    k => [
-      for record in v.domain_validation_options :
-      {
-        name   = record.resource_record_name
-        type   = record.resource_record_type
-        value  = record.resource_record_value
-        domain = record.domain_name
-      }
-    ]
-  }
+output "acm_certificate_arn" {
+  description = "ARN of the ACM certificate."
+  value       = aws_acm_certificate.this.arn
+}
+
+################################################################################
+# Route53 Record
+################################################################################
+
+output "route53_records_ids" {
+  description = "Identifiers of the Validation Records of the ACM certificate."
+  value       = [for record in aws_route53_record.this : record.id]
+}
+
+################################################################################
+# ACM Certificate Validation
+################################################################################
+
+output "acm_certificate_validation_id" {
+  description = "Identifier of the ACM certificate validation resource."
+  value       = aws_acm_certificate_validation.this.id
 }

modules/acm/variables.tf

@@ -2,24 +2,55 @@
 # ACM Certificate
 ################################################################################
 
-variable "amazon_issued_certificates" {
-  description = "List of Amazon-issued certificates to ACM create."
-  type = map(object({
-    domain_name               = string
-    subject_alternative_names = optional(list(string), [])
-    validation_method         = optional(string, "DNS")
-    key_algorithm             = optional(string, null)
-    validation_option = optional(object({
-      domain_name       = string
-      validation_domain = string
-    }))
-    tags = optional(map(string), {})
-  }))
-  default = {}
+variable "certificate_domain_name" {
+  description = "(Required) Domain name for which the certificate should be issued."
+  type        = string
+}
+
+variable "certificate_subject_alternative_names" {
+  description = "(Optional) Set of domains that should be SANs in the issued certificate."
+  type        = list(string)
+  default     = []
+}
+
+variable "certificate_validation_method" {
+  description = "(Optional) Which method to use for validation. DNS or EMAIL are valid."
+  type        = string
+  default     = "DNS"
+}
+
+variable "certificate_key_algorithm" {
+  description = "(Optional) Specifies the algorithm of the public and private key pair that your Amazon issued certificate uses to encrypt data."
+  type        = string
+  default     = null
+}
+
+variable "certificate_validation_option" {
+  description = "(Optional) Configuration block used to specify information about the initial validation of each domain name."
+  type = object({
+    domain_name       = string
+    validation_domain = string
+  })
+  default = null
 }
 
 variable "tags" {
   description = "(Optional) Map of tags to assign to the resource."
   type        = map(string)
   default     = {}
 }
+
+################################################################################
+# Route53 Record
+################################################################################
+
+variable "record_zone_id" {
+  description = "(Required) Hosted zone ID for a CloudFront distribution, S3 bucket, ELB, or Route 53 hosted zone."
+  type        = string
+}
+
+variable "record_allow_overwrite" {
+  description = "(Optional) Allow creation of this record in Terraform to overwrite an existing record, if any."
+  type        = bool
+  default     = true
+}

outputs.tf

@@ -20,14 +20,14 @@ output "ecs_task_definition_arn" {
 # Amazon Certificates Manager
 ################################################################################
 
-output "amazon_issued_acm_certificates_arns" {
-  description = "ARNs of the Amazon issued ACM certificates."
-  value       = try(module.acm[0].amazon_issued_acm_certificates_arns, null)
+output "acm_certificates_ids" {
+  description = "Identifiers of the ACM certificates."
+  value       = try({ for k, v in module.acm : k => v.acm_certificate_id }, null)
 }
 
-output "amazon_issued_acm_certificates_validation_records" {
-  description = "Validation Records of the Amazon issued ACM certificates."
-  value       = try(module.acm[0].amazon_issued_acm_certificates_validation_records, null)
+output "acm_certificates_arns" {
+  description = "ARNs of the ACM certificates."
+  value       = try({ for k, v in module.acm : k => v.acm_certificate_arn }, null)
 }
 
 ################################################################################