pocockn

Reputation: 2063

Setting up ssl cert for load balancer terraform

I have a cert setup in the London region and attached to a load balancer listener which works perfectly. I am attempting to create another cert from the same Route53 domain and attach it to a listener but this time in the Ireland region.

My terraform looks like

resource "aws_acm_certificate" "default" {
  count       = var.prod ? 1 : 0
  domain_name = "www.example.uk"
  subject_alternative_names = [
    "example.uk",
  ]
  validation_method = "DNS"
}

resource "aws_route53_record" "validation" {
  count   = var.prod ? 1 : 0
  name    = aws_acm_certificate.default[count.index].domain_validation_options[count.index].resource_record_name
  type    = aws_acm_certificate.default[count.index].domain_validation_options[count.index].resource_record_type
  zone_id = "Z0725470IF9R8J77LPTU"
  records = [
  aws_acm_certificate.default[count.index].domain_validation_options[count.index].resource_record_value]
  ttl = "60"
}

resource "aws_route53_record" "validation_alt1" {
  count   = var.prod ? 1 : 0
  name    = aws_acm_certificate.default[count.index].domain_validation_options[count.index + 1].resource_record_name
  type    = aws_acm_certificate.default[count.index].domain_validation_options[count.index + 1].resource_record_type
  zone_id = "Z0725470IF9R8J77LPTU"
  records = [
  aws_acm_certificate.default[count.index].domain_validation_options[count.index + 1].resource_record_value]
  ttl = 60
}

resource "aws_acm_certificate_validation" "default" {
  count           = var.prod ? 1 : 0
  certificate_arn = aws_acm_certificate.default[count.index].arn
  validation_record_fqdns = [
    aws_route53_record.validation[count.index].fqdn,
    aws_route53_record.validation_alt1[count.index].fqdn,
  ]
}

This worked perfectly the first time I set this up in the London region, when I try and run it in the Ireland region on AWS I get the following errors:

[image: screenshot of the error output]

I'm not 100% on why the cert validation seems to bring back no records.

Upvotes: 1

Views: 1055

Answers (2)

Jeevagan

Reputation: 476

There is a change to the domain_validation_options attribute in AWS provider version 3. Previously it was a list type; now it is a set type. So you have two options:

  1. Version lock the aws provider to version 2:
provider "aws" {
  version = "~>2"
}
  2. Update the code to work with the new provider version. For that you need to replace count with for_each and make similar updates, as shown below.
resource "aws_route53_record" "existing" {
  for_each = {
    for dvo in aws_acm_certificate.existing.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = data.aws_route53_zone.public_root_domain.zone_id
}
resource "aws_acm_certificate_validation" "existing" {
  certificate_arn         = aws_acm_certificate.existing.arn
  validation_record_fqdns = [for record in aws_route53_record.existing : record.fqdn]
}

You can check this for more details: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/version-3-upgrade#resource-aws_acm_certificate

Upvotes: 2

Mark B

Reputation: 200527

It looks like the validation record is no longer an array. I'm guessing you upgraded the AWS Terraform provider at some point since you ran this last (if you don't have the version pinned it could have updated automatically). There have been some breaking changes to the aws_acm_certificate_validation Terraform resource. I suggest you look at the latest example usage in the documentation and refactor your Terraform.

Upvotes: 1
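As an added example (not code from the question or either answer), here is the questioner's conditional `var.prod` setup adapted to the provider v3 behaviour both answers describe: the validation records are built with `for_each` over the `domain_validation_options` set instead of indexing it, the provider is pinned so an unpinned upgrade cannot silently change the schema again, and the certificate is requested in the Ireland region, since ACM certificates are regional and must live in the same region as the load balancer. The `data "aws_route53_zone"` lookup, the `root` name, the `eu-west-1` provider block and the `required_providers` pin are assumptions for the example; the hostnames and `var.prod` come from the question.

```hcl
# Added example: provider v3 compatible version of the question's configuration.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0" # pin so a provider upgrade cannot change the schema unnoticed
    }
  }
}

# Assumption: the Ireland region; ACM certificates are regional, so the
# certificate and the load balancer listener must be in the same region.
provider "aws" {
  region = "eu-west-1"
}

variable "prod" {
  type    = bool
  default = false
}

# Assumption: look the hosted zone up by name rather than hard-coding the zone id.
data "aws_route53_zone" "root" {
  name         = "example.uk."
  private_zone = false
}

resource "aws_acm_certificate" "default" {
  count                     = var.prod ? 1 : 0
  domain_name               = "www.example.uk"
  subject_alternative_names = ["example.uk"]
  validation_method         = "DNS"

  # Replace rather than delete first, so a listener never points at a missing cert.
  lifecycle {
    create_before_destroy = true
  }
}

# One validation record per entry of the domain_validation_options set.
# flatten() over the splat turns the (zero or one) certificate's set into a flat
# list, so when var.prod is false the map is empty and nothing is created.
resource "aws_route53_record" "validation" {
  for_each = {
    for dvo in flatten(aws_acm_certificate.default[*].domain_validation_options) :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  # The London certificate for the same names already owns an identical CNAME;
  # allow Terraform to manage it instead of failing on the conflict.
  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = data.aws_route53_zone.root.zone_id
}

resource "aws_acm_certificate_validation" "default" {
  count                   = var.prod ? 1 : 0
  certificate_arn         = aws_acm_certificate.default[count.index].arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}
```

Two points worth checking before applying this. ACM hands out the same validation CNAME for a given domain name within an account, so the records the Ireland certificate asks for collide with the ones the London certificate already created; `allow_overwrite = true` is what keeps the second region's apply from failing on that conflict. And because `for_each` keys must be known at plan time, the map is keyed on `dvo.domain_name` (known from the certificate's own arguments) rather than on the record name or value, which are only known after the certificate is created.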
