
Allow domains to belong to different Route53 zones #21

Closed
joshuaspence opened this issue Sep 29, 2019 · 14 comments

Comments

@joshuaspence

Currently this module assumes that all domains (domain_name and subject_alternative_names) belong to the same Route53 zone. I have an alias domain that has its own Route53 zone (it is a completely different top-level domain) that lives on the same certificate as my primary domain, but I am unable to use this module at the moment due to this assumption.

@antonbabenko
Member

Hi @joshuaspence !

Indeed, this sounds like a good feature request to support but I don't have time to work on this in the near future.

Meanwhile, you should be able to create an ACM certificate without validating it (validate_certificate = false) and create the required aws_route53_record and aws_acm_certificate_validation resources accordingly outside of this module.

I will keep this issue open in case someone has a similar need and wants to implement the support for this in this module.

@mironov

mironov commented May 14, 2020

@joshuaspence Looks like the ringanta/acm-multiple-hosted-zone/aws module supports different hosted zones for different domains:
https://registry.terraform.io/modules/ringanta/acm-multiple-hosted-zone/aws/1.0.0

@jbouse

jbouse commented Feb 4, 2021

I also ran into this, as I have a couple of certificates that have SANs from 3-5 different domains that I was attempting to perform the Route53 validation with. Working with the assumption that the zones were in the same AWS account, so that they could be looked up easily enough, I made use of an aws_route53_zone data block to look up the parent zones. I ended up making a zipmap of domains from this data in a local and then referenced it for the zone_id of the aws_route53_record using the domain_name from the domain_validation_options. It could probably use some refactoring to make it cleaner, as I wrote it early in my Terraform usage.

locals {
  # All certificate hostnames (primary first, then SANs), sorted so that the
  # data source below and the zipmap use the same index order
  hostnames          = reverse(sort(flatten(concat([var.domain_name], var.subject_alternative_names))))
  # hostname -> zone ID, pairing each hostname with the zone looked up at the same index
  zone_mapping       = zipmap(local.hostnames, data.aws_route53_zone.parent.*.zone_id)
  # Keep the last two labels as the zone name (handles "*.foo.example.com");
  # zones under a two-label public suffix such as "co.uk" will not resolve correctly
  host_to_zone_regex = "/^(?:.*\\.)?([^.]+\\.[^.]+)$/"
}

# Look up the parent hosted zone for every hostname (zones must be in this account)
data "aws_route53_zone" "parent" {
  count = length(local.hostnames)

  name         = replace(local.hostnames[count.index], local.host_to_zone_regex, "$1")
  private_zone = false
}

...

# One validation record per hostname, placed in the zone mapped above.
# Indexing domain_validation_options with count.index assumes it is a list
# (AWS provider 2.x); in provider 3.x it is a set and cannot be indexed this way.
resource "aws_route53_record" "validation" {
  count = length(local.hostnames)

  zone_id         = local.zone_mapping[aws_acm_certificate.this.domain_validation_options[count.index]["domain_name"]]
  name            = aws_acm_certificate.this.domain_validation_options[count.index]["resource_record_name"]
  type            = aws_acm_certificate.this.domain_validation_options[count.index]["resource_record_type"]
  records         = [aws_acm_certificate.this.domain_validation_options[count.index]["resource_record_value"]]
  ttl             = 60
  allow_overwrite = var.validation_allow_overwrite_records
}

That was the relevant logic I was using. I'd rather not have to keep maintaining it, but this is a key reason why I can't use the module as-is.
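A for_each based version of the same idea, added here as an example and not code from this module or from jbouse's branch: the caller supplies a `domain_zone_map` (an assumed variable name) that maps each certificate domain, with any leading `*.` removed, to the hosted zone ID it should be validated in, so each validation record lands in its own zone, a wildcard and its apex collapse into the single CNAME they share, and the certificate is validated outside the module as antonbabenko suggested. It assumes AWS provider 3.x or later, where `domain_validation_options` is a set whose domain names are known at plan time.

```hcl
# Added example, not this module's code. Assumed caller input, e.g.
#   domain_zone_map = { "example.com" = "ZEXAMPLECOM", "example.org" = "ZEXAMPLEORG" }
# A SAN such as "api.example.com" needs its own key pointing at the example.com zone.
variable "domain_name" { type = string }
variable "subject_alternative_names" { type = list(string) }
variable "domain_zone_map" { type = map(string) }

resource "aws_acm_certificate" "this" {
  domain_name               = var.domain_name
  subject_alternative_names = var.subject_alternative_names
  validation_method         = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

locals {
  # Group validation options by domain without the wildcard prefix:
  # "*.example.org" and "example.org" share one CNAME, so the grouping
  # operator "..." collects both entries under the key "example.org".
  validation_by_domain = {
    for dvo in aws_acm_certificate.this.domain_validation_options :
    trimprefix(dvo.domain_name, "*.") => {
      name    = dvo.resource_record_name
      type    = dvo.resource_record_type
      value   = dvo.resource_record_value
      zone_id = var.domain_zone_map[trimprefix(dvo.domain_name, "*.")]
    }...
  }
}

resource "aws_route53_record" "validation" {
  # Keys derive from domain names, which are known at plan time, so the
  # certificate and its records can be created in a single apply.
  for_each = local.validation_by_domain

  zone_id         = each.value[0].zone_id
  name            = each.value[0].name
  type            = each.value[0].type
  records         = [each.value[0].value]
  ttl             = 60
  allow_overwrite = true
}

resource "aws_acm_certificate_validation" "this" {
  certificate_arn         = aws_acm_certificate.this.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}
```

A missing map key fails at plan time, which is the desired behaviour: it surfaces a domain with no assigned zone before any record is written.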

@jbouse

jbouse commented Feb 5, 2021

Would welcome comments/suggestions but I forked and created a feature branch to work on adding support. I've created a draft PR (ugns#2) as a discussion point. While I hate to hear it myself... "It works for me" but I think there are a few caveats to what I have that could probably be improved with more input.

@stephgosling

@jbouse I've tried your branch and it also worked for me with the primary and then 5 different domains and wildcards within them.

@wreiske

wreiske commented Sep 2, 2021

This is something that is needed for GovCloud deployments since there is no public DNS available for GovCloud.

https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/setting-up-route53.html

To use Route 53 public DNS to respond to internet DNS queries for resources that you created using a GovCloud account, you must create a public hosted zone using a global AWS account, and create records in the hosted zone that specify the GovCloud resources.

The public DNS must be created with a normal AWS account.

I think this issue may be related, but I'm not 100% certain. New to terraform. :)

@github-actions

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

@github-actions github-actions bot added the stale label Jan 11, 2022
@jbouse

jbouse commented Jan 11, 2022

@stephgosling run into any issues I should look into for improvement?

@stephgosling

I have a feeling that there was a problem, but it's so long ago now I don't remember exactly what it was :( I've just been through my code and I think it might have broken with more than 5 SANs, as I have a couple of wildcard definitions that logically should be together but are in two different states, each with 5 SANs, so it might have been that; but as I say, it works fine for me with 5 or fewer.

@jbouse

jbouse commented Jan 11, 2022

Okay, I'll take another look at it with that in mind. I didn't think that there would be any limit restrictions except for the ACM SAN limit, which as I recall is 10 by default but can be modified by quota request. That may have been what you encountered if those 5 SANs were both wildcard (*.domain.tld) and domain (domain.tld), as that would be a total of 10.

@stephgosling

Yeah, I am familiar with the 10 SAN limit, but this must have been something else. I have two (terragrunt) files that are:

    domain_name         = local.domain_name
    zone_id             = dependency.dns.outputs.this_route53_zone_zone_id
    wait_for_validation = true

    subject_alternative_names = [
      "*.${local.domain_name}",
      "somedomain.org",
      "*.somedomain.org",
      "anotherdomain.com",
      "*.anotherdomain.com",
    ]

and

    domain_name         = local.domain_name
    zone_id             = dependency.dns.outputs.this_route53_zone_zone_id
    wait_for_validation = true

    subject_alternative_names = [
      "*.${local.domain_name}",
      "yetanotherdomain.com",
      "*.yetanotherdomain.com",
      "thisistedious.com",
      "*.thisistedious.com",
      "domain.io",
      "*.domain.io"
    ]

In both cases the domain_name is the same. Actually, looking at that second one, there are 6 SANs, so maybe I'm completely misremembering and it just works. Sorry this isn't much help.

@github-actions

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

@github-actions github-actions bot added the stale label Feb 11, 2022
@github-actions

This issue was automatically closed because of stale in 10 days

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 15, 2022