
[Question] Using AWS ACM with DNS validation #70

Open
DXTimer opened this issue Jan 19, 2023 · 4 comments

Comments

@DXTimer
Contributor

DXTimer commented Jan 19, 2023

I am trying to create multiple AWS certificates, but when I tried to create zone records it ended up with

```
│ A matching record already exists for this zone, Another record already exists
│ for _12ee1d57338f45a0e6ef43cxxx.example.com, cannot add a CNAME, A
│ CNAME record exists for _12ee1d57338f45a0e6ef43xxx.example.com,
│ cannot add another record
```

Any way to perform the update in place?

```hcl
resource "dnsimple_zone_record" "dnsrecord" {
  # Keyed on domain_name: the root domain and the wildcard SAN get separate
  # map entries even though ACM gives them the same validation CNAME.
  for_each = {
    for dvo in aws_acm_certificate.certificate.domain_validation_options : dvo.domain_name => {
      record_name  = dvo.resource_record_name
      record_value = dvo.resource_record_value
      type         = dvo.resource_record_type
      domain_name  = dvo.domain_name
    }
  }
  zone_name = var.dnsimple_domain
  name      = each.value.record_name
  value     = each.value.record_value
  type      = each.value.type
  ttl       = 3600
}

resource "aws_acm_certificate" "certificate" {
  domain_name               = var.domain_name
  validation_method         = "DNS"
  subject_alternative_names = var.hosts
  tags = {
    Environment = var.environment
    Terraform   = "true"
  }
}
```

Originally posted by @adiii717 in #25 (comment)

@DXTimer
Contributor Author

DXTimer commented Jan 19, 2023

@adiii717 I can see that you are providing subject alternative names (SAN), in the certificate request. The code sample works with the example that AWS has provided using Route53 since they have an allow_overwrite flag.

Based on AWS documentation we know that the validation record name and value will be identical when requesting a wildcard and root certificate source.

One option you have is to use the resource_record_name attribute as the key when converting the list of domain_validation_options to a map, to ensure uniqueness.

```hcl
for_each = {
  for dvo in aws_acm_certificate.certificate.domain_validation_options : dvo.resource_record_name => {
    record_name  = dvo.resource_record_name
    record_value = dvo.resource_record_value
    type         = dvo.resource_record_type
    domain_name  = dvo.domain_name
  }
}
```

@adiii717

adiii717 commented Jan 19, 2023

> Based on AWS documentation we know that the validation record name and value will be identical when requesting a wildcard and root certificate source.

Yes, it's identical, but we have different load balancers which use their own wildcard certificates with minor variations. The minor variations work like a charm, but as soon as it tries to create the wildcard it fails because the record already exists.

Btw, same behaviour with the above changes.

@adiii717

For now, I just skip the wildcard and just keep the variation, but it would be great if we could flag override or ignore if it already exists.

```hcl
for_each = {
  for dvo in aws_acm_certificate.certificate.domain_validation_options : dvo.resource_record_name => {
    record_name  = dvo.resource_record_name
    record_value = dvo.resource_record_value
    type         = dvo.resource_record_type
    domain_name  = dvo.domain_name
  }
  # Filter depends only on var.hosts and var.domain_name, not on dvo,
  # so it keeps either every entry or none.
  if contains(var.hosts, var.domain_name)
}
```
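Pulling the thread together (the duplicate-record error from keying on domain_name, and the record-name key suggested above, which on its own hits HCL's duplicate-key check when root and wildcard share a CNAME), here is an added example that is not code from this issue, from the DNSimple provider or from AWS: it collapses identical validation options before the for_each and waits for issuance. The variable defaults are constructed sample values, and the `name = <record name>` mapping is carried over from the posted config as an assumption.

```hcl
# Constructed sample values; swap in your own domain and zone.
variable "domain_name"     { default = "example.com" }
variable "hosts"           { default = ["*.example.com", "api.example.com"] }
variable "dnsimple_domain" { default = "example.com" }

resource "aws_acm_certificate" "certificate" {
  domain_name               = var.domain_name
  validation_method         = "DNS"
  subject_alternative_names = var.hosts

  # Recommended by the AWS provider docs so a renewed certificate is issued
  # before the old one is destroyed.
  lifecycle {
    create_before_destroy = true
  }
}

locals {
  # ACM returns one domain_validation_options entry per name. The root domain
  # and its wildcard share the same CNAME name and value, so distinct() first
  # collapses the identical entries; only then is the map keyed on the record
  # name, which avoids both the duplicate DNS record and a duplicate map key.
  validation_records = {
    for rec in distinct([
      for dvo in aws_acm_certificate.certificate.domain_validation_options : {
        name  = dvo.resource_record_name
        value = dvo.resource_record_value
        type  = dvo.resource_record_type
      }
    ]) : rec.name => rec
  }
}

resource "dnsimple_zone_record" "validation" {
  for_each = local.validation_records

  zone_name = var.dnsimple_domain
  name      = each.value.name   # mapping kept from the posted config (assumption)
  value     = each.value.value
  type      = each.value.type
  ttl       = 3600
}

# Blocks until ACM has seen every validation record, so dependants receive an
# issued certificate rather than a pending one.
resource "aws_acm_certificate_validation" "certificate" {
  certificate_arn         = aws_acm_certificate.certificate.arn
  validation_record_fqdns = [for name in keys(local.validation_records) : trimsuffix(name, ".")]
  depends_on              = [dnsimple_zone_record.validation]
}
```

Reference `aws_acm_certificate_validation.certificate.certificate_arn` from the load balancer listener so it is not attached before validation completes.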

@DXTimer
Contributor Author

DXTimer commented Feb 9, 2023

Thanks for sharing your approach. We will definitely consider adding support for overrides when creating a record via the API.
