feat: Remove NONE validation method and set default to null

README.md

@@ -13,6 +13,8 @@ module "acm" {
 
   domain_name  = "my-domain.com"
   zone_id      = "Z2ES7B9AZ6SHAE"
+
+  validation_method = "DNS"
 
   subject_alternative_names = [
     "*.my-domain.com",
@@ -37,6 +39,8 @@ module "acm" {
   domain_name = "weekly.tf"
   zone_id     = "b7d259641bf30b89887c943ffc9d2138"
 
+  validation_method = "DNS"
+
   subject_alternative_names = [
     "*.weekly.tf",
   ]
@@ -72,6 +76,8 @@ module "acm" {
   domain_name = "my-domain.com"
   zone_id     = "Z266PL4W4W6MSG"
 
+  validation_method = "DNS"
+
   wait_for_validation = true
 
   tags = {
@@ -106,6 +112,8 @@ module "acm" {
     "app.sub.my-domain.com",
   ]
 
+  validation_method = "DNS"
+
   create_route53_records  = false
   validation_record_fqdns = module.route53_records.validation_route53_record_fqdns
 }
@@ -121,6 +129,8 @@ module "route53_records" {
   create_certificate          = false
   create_route53_records_only = true
 
+  validation_method = "DNS"
+
   distinct_domain_names = module.acm.distinct_domain_names
   zone_id               = "Z266PL4W4W6MSG"
 
@@ -208,7 +218,7 @@ No modules.
 | <a name="input_tags"></a> [tags](#input\_tags) | A mapping of tags to assign to the resource | `map(string)` | `{}` | no |
 | <a name="input_validate_certificate"></a> [validate\_certificate](#input\_validate\_certificate) | Whether to validate certificate by creating Route53 record | `bool` | `true` | no |
 | <a name="input_validation_allow_overwrite_records"></a> [validation\_allow\_overwrite\_records](#input\_validation\_allow\_overwrite\_records) | Whether to allow overwrite of Route53 records | `bool` | `true` | no |
-| <a name="input_validation_method"></a> [validation\_method](#input\_validation\_method) | Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into Terraform. | `string` | `"DNS"` | no |
+| <a name="input_validation_method"></a> [validation\_method](#input\_validation\_method) | Which method to use for validation. DNS or EMAIL are valid. This parameter must not be set for certificates that were imported into ACM and then into Terraform. | `string` | `null` | no |
 | <a name="input_validation_option"></a> [validation\_option](#input\_validation\_option) | The domain name that you want ACM to use to send you validation emails. This domain name is the suffix of the email addresses that you want ACM to use. | `any` | `{}` | no |
 | <a name="input_validation_record_fqdns"></a> [validation\_record\_fqdns](#input\_validation\_record\_fqdns) | When validation is set to DNS and the DNS validation records are set externally, provide the fqdns for the validation | `list(string)` | `[]` | no |
 | <a name="input_validation_timeout"></a> [validation\_timeout](#input\_validation\_timeout) | Define maximum timeout to wait for the validation to complete | `string` | `null` | no |

examples/complete-dns-validation-with-cloudflare/README.md

@@ -25,13 +25,13 @@ Note that this example may create resources which cost money. Run `terraform des
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.40 |
-| <a name="requirement_cloudflare"></a> [cloudflare](#requirement\_cloudflare) | >= 3.4 |
+| <a name="requirement_cloudflare"></a> [cloudflare](#requirement\_cloudflare) | >= 3.4, <=3.32 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_cloudflare"></a> [cloudflare](#provider\_cloudflare) | >= 3.4 |
+| <a name="provider_cloudflare"></a> [cloudflare](#provider\_cloudflare) | >= 3.4, <=3.32 |
 
 ## Modules
 

examples/complete-dns-validation-with-cloudflare/main.tf

@@ -24,6 +24,7 @@ module "acm" {
   ]
 
   create_route53_records  = false
+  validation_method       = "DNS"
   validation_record_fqdns = cloudflare_record.validation[*].hostname
 
   tags = {

examples/complete-dns-validation-with-cloudflare/versions.tf

@@ -6,9 +6,14 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 4.40"
     }
+    # Terraform v1.0.0 only functional with cloudflare versions less than or equal to 3.33.0
+    # https://github.com/cloudflare/terraform-provider-cloudflare/issues/2340
+    # Cloudflare provider version 3.33.0 introduced a regression which produced errors when
+    # passing credentials via environment variables
+    # https://github.com/cloudflare/terraform-provider-cloudflare/issues/2184
     cloudflare = {
       source  = "cloudflare/cloudflare"
-      version = ">= 3.4"
+      version = ">= 3.4, <=3.32"
     }
   }
 }

examples/complete-dns-validation/main.tf

@@ -46,6 +46,8 @@ module "acm" {
     "alerts.${local.domain_name}",
   ]
 
+  validation_method = "DNS"
+
   tags = {
     Name = local.domain_name
   }
@@ -81,6 +83,7 @@ module "acm_only" {
   ]
 
   create_route53_records  = false
+  validation_method       = "DNS"
   validation_record_fqdns = module.route53_records_only.validation_route53_record_fqdns
 }
 
@@ -93,6 +96,7 @@ module "route53_records_only" {
 
   create_certificate          = false
   create_route53_records_only = true
+  validation_method           = "DNS"
 
   zone_id               = local.zone_id
   distinct_domain_names = module.acm_only.distinct_domain_names

main.tf

@@ -62,7 +62,7 @@ resource "aws_route53_record" "validation" {
 }
 
 resource "aws_acm_certificate_validation" "this" {
-  count = local.create_certificate && var.validation_method != "NONE" && var.validate_certificate && var.wait_for_validation ? 1 : 0
+  count = local.create_certificate && var.validation_method != null && var.validate_certificate && var.wait_for_validation ? 1 : 0
 
   certificate_arn = aws_acm_certificate.this[0].arn
 

variables.tf

@@ -53,13 +53,13 @@ variable "subject_alternative_names" {
 }
 
 variable "validation_method" {
-  description = "Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into Terraform."
+  description = "Which method to use for validation. DNS or EMAIL are valid. This parameter must not be set for certificates that were imported into ACM and then into Terraform."
   type        = string
-  default     = "DNS"
+  default     = null
 
   validation {
-    condition     = contains(["DNS", "EMAIL", "NONE"], var.validation_method)
-    error_message = "Valid values are DNS, EMAIL or NONE."
+    condition     = var.validation_method == null || contains(["DNS", "EMAIL"], coalesce(var.validation_method, 0))
+    error_message = "This variable is optional. Valid values are DNS, EMAIL, or null."
   }
 }
 

wrappers/main.tf

@@ -12,7 +12,7 @@ module "wrapper" {
   certificate_transparency_logging_preference = try(each.value.certificate_transparency_logging_preference, var.defaults.certificate_transparency_logging_preference, true)
   domain_name                                 = try(each.value.domain_name, var.defaults.domain_name, "")
   subject_alternative_names                   = try(each.value.subject_alternative_names, var.defaults.subject_alternative_names, [])
-  validation_method                           = try(each.value.validation_method, var.defaults.validation_method, "DNS")
+  validation_method                           = try(each.value.validation_method, var.defaults.validation_method, null)
   validation_option                           = try(each.value.validation_option, var.defaults.validation_option, {})
   create_route53_records                      = try(each.value.create_route53_records, var.defaults.create_route53_records, true)
   validation_record_fqdns                     = try(each.value.validation_record_fqdns, var.defaults.validation_record_fqdns, [])