PLT-877 - Improve for single domain

* add cert validation
* fix issue with wrong target_origin_id

README.md

@@ -21,14 +21,15 @@ This module will create cdn endpoint with alias and SSL-certificate and optional
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_certificate"></a> [certificate](#module\_certificate) | github.com/terraform-aws-modules/terraform-aws-acm | v5.0.0 |
-| <a name="module_certificate-validations"></a> [certificate-validations](#module\_certificate-validations) | github.com/terraform-aws-modules/terraform-aws-acm | v5.0.0 |
-| <a name="module_cloudfront"></a> [cloudfront](#module\_cloudfront) | github.com/terraform-aws-modules/terraform-aws-cloudfront | v3.2.1 |
+| <a name="module_certificate"></a> [certificate](#module\_certificate) | github.com/terraform-aws-modules/terraform-aws-acm | v5.0.1 |
+| <a name="module_certificate-validations"></a> [certificate-validations](#module\_certificate-validations) | github.com/terraform-aws-modules/terraform-aws-acm | v5.0.1 |
+| <a name="module_cloudfront"></a> [cloudfront](#module\_cloudfront) | github.com/terraform-aws-modules/terraform-aws-cloudfront | v3.4.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [aws_acm_certificate_validation.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation) | resource |
 | [aws_cloudfront_function.functions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_function) | resource |
 | [aws_route53_record.additional_records](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
@@ -58,6 +59,7 @@ This module will create cdn endpoint with alias and SSL-certificate and optional
 | <a name="input_s3_origin_name"></a> [s3\_origin\_name](#input\_s3\_origin\_name) | Name of S3-bucket to be used as origin | `string` | `""` | no |
 | <a name="input_s3_origin_policy_restrict_access"></a> [s3\_origin\_policy\_restrict\_access](#input\_s3\_origin\_policy\_restrict\_access) | Folder/files to add as an condition to the S3-bucket policy resource | `string` | `"/*"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Map of custom tags for the provisioned resources | `map(string)` | `{}` | no |
+| <a name="input_validation_timeout"></a> [validation\_timeout](#input\_validation\_timeout) | Define maximum timeout to wait for the validation to complete | `string` | `null` | no |
 
 ## Outputs
 

main.tf

@@ -8,6 +8,11 @@ moved {
   to   = aws_route53_record.this[0]
 }
 
+moved {
+  from = module.certificate.aws_acm_certificate_validation.this[0]
+  to   = aws_acm_certificate_validation.this
+}
+
 locals {
   origin_hostname_options = {
     use_host = var.s3_origin_hostname != "" ? var.s3_origin_hostname : null
@@ -73,40 +78,40 @@ data "aws_s3_bucket" "s3_origin" {
 }
 
 module "certificate" {
-  source = "github.com/terraform-aws-modules/terraform-aws-acm?ref=v5.0.0"
-  #for_each = local.r53_map
-  tags = var.tags
+  source = "github.com/terraform-aws-modules/terraform-aws-acm?ref=v5.0.1"
+  tags   = var.tags
 
   domain_name               = local.r53_map["single"].hostname
   zone_id                   = local.r53_map["single"].zone_id
   validation_method         = "DNS"
   subject_alternative_names = [for s in values(local.r53_map) : s.hostname]
   create_route53_records    = false
   create_certificate        = var.create
+  validate_certificate      = false
   providers = {
     aws = aws.us-east-1
   }
 }
 
 module "certificate-validations" {
-  source   = "github.com/terraform-aws-modules/terraform-aws-acm?ref=v5.0.0"
+  source   = "github.com/terraform-aws-modules/terraform-aws-acm?ref=v5.0.1"
   for_each = local.r53_map
   tags     = var.tags
 
-  domain_name       = each.value.hostname
-  zone_id           = each.value.zone_id
-  validation_method = "DNS"
-  #subject_alternative_names = [for k,s in values(var.r53_zone_hostname_map) : s.hostname if k > 0]
+  domain_name                               = each.value.hostname
+  zone_id                                   = each.value.zone_id
+  validation_method                         = "DNS"
   create_route53_records_only               = true && var.create
   create_certificate                        = false
+  validate_certificate                      = false
   acm_certificate_domain_validation_options = [for s in module.certificate.acm_certificate_domain_validation_options : s if s.domain_name == each.value.hostname]
   providers = {
     aws = aws.us-east-1
   }
 }
 
 module "cloudfront" {
-  source  = "github.com/terraform-aws-modules/terraform-aws-cloudfront?ref=v3.2.1"
+  source  = "github.com/terraform-aws-modules/terraform-aws-cloudfront?ref=v3.4.0"
   tags    = var.tags
   aliases = [for s in values(local.r53_map) : s.hostname]
 
@@ -134,7 +139,7 @@ module "cloudfront" {
 
   origin = merge(local.origin_oai, local.origin_oac)
   default_cache_behavior = {
-    target_origin_id       = "s3_origin_oac"
+    target_origin_id       = keys(merge(local.origin_oai, local.origin_oac))[0]
     viewer_protocol_policy = "redirect-to-https"
 
     allowed_methods      = ["GET", "HEAD", "OPTIONS"]
@@ -222,6 +227,18 @@ resource "aws_route53_record" "additional_records" {
   }
 }
 
+resource "aws_acm_certificate_validation" "this" {
+  certificate_arn = module.certificate.acm_certificate_arn
+
+  validation_record_fqdns = flatten([
+    for val in module.certificate-validations : val.validation_route53_record_fqdns
+  ])
+
+  timeouts {
+    create = var.validation_timeout
+  }
+}
+
 resource "aws_cloudfront_function" "functions" {
   for_each = var.cf_functions
 

outputs.tf

@@ -1,6 +1,6 @@
 output "certificate_arn" {
   description = "ARN of ACM SSL certificate created for CloudFront"
-  value       = module.certificate.acm_certificate_arn
+  value       = aws_acm_certificate_validation.this.certificate_arn
 }
 
 output "cloudfront_arn" {
@@ -22,3 +22,8 @@ output "cloudfront_alias" {
   description = "Alias hostname of CloudFront distribution"
   value       = try(aws_route53_record.this[0].fqdn, null)
 }
+
+output "cloudfront_alias_additional_zones" {
+  description = "Alias hostname of CloudFront distribution for additional zones"
+  value       = { for k, v in aws_route53_record.additional_records : k => v.fqdn }
+}

variables.tf

@@ -112,3 +112,9 @@ variable "create" {
   type        = bool
   default     = true
 }
+
+variable "validation_timeout" {
+  description = "Define maximum timeout to wait for the validation to complete"
+  type        = string
+  default     = null
+}