This resource represents a successful validation of an ACM certificate in concert with other resources. Most commonly, this resource is used together with `aws_route53_record` and `aws_acm_certificate` to request a DNS validated certificate, deploy the required validation records and wait for validation to complete.
```terraform
resource "aws_acm_certificate" "example" {
  domain_name       = "example.com"
  validation_method = "DNS"
}

data "aws_route53_zone" "example" {
  name         = "example.com"
  private_zone = false
}

resource "aws_route53_record" "example" {
  for_each = {
    for dvo in aws_acm_certificate.example.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = data.aws_route53_zone.example.zone_id
}

resource "aws_acm_certificate_validation" "example" {
  certificate_arn         = aws_acm_certificate.example.arn
  validation_record_fqdns = [for record in aws_route53_record.example : record.fqdn]
}

resource "aws_lb_listener" "example" {
  # ... other configuration ...

  certificate_arn = aws_acm_certificate_validation.example.certificate_arn
}
```
The same pattern covers a certificate whose subject alternative names live in different hosted zones: the validation record for each domain is placed in the zone that owns that domain.

```terraform
resource "aws_acm_certificate" "example" {
  domain_name               = "example.com"
  subject_alternative_names = ["www.example.com", "example.org"]
  validation_method         = "DNS"
}

data "aws_route53_zone" "example_com" {
  name         = "example.com"
  private_zone = false
}

data "aws_route53_zone" "example_org" {
  name         = "example.org"
  private_zone = false
}

resource "aws_route53_record" "example" {
  for_each = {
    for dvo in aws_acm_certificate.example.domain_validation_options : dvo.domain_name => {
      name    = dvo.resource_record_name
      record  = dvo.resource_record_value
      type    = dvo.resource_record_type
      zone_id = dvo.domain_name == "example.org" ? data.aws_route53_zone.example_org.zone_id : data.aws_route53_zone.example_com.zone_id
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = each.value.zone_id
}

resource "aws_acm_certificate_validation" "example" {
  certificate_arn         = aws_acm_certificate.example.arn
  validation_record_fqdns = [for record in aws_route53_record.example : record.fqdn]
}

resource "aws_lb_listener" "example" {
  # ... other configuration ...

  certificate_arn = aws_acm_certificate_validation.example.certificate_arn
}
```
With email validation, the resource is simply a waiter for manual email approval of ACM certificates.

```terraform
resource "aws_acm_certificate" "example" {
  domain_name       = "example.com"
  validation_method = "EMAIL"
}

resource "aws_acm_certificate_validation" "example" {
  certificate_arn = aws_acm_certificate.example.arn
}
```
This resource supports the following arguments:

- `certificate_arn` - (Required) ARN of the certificate that is being validated.
- `validation_record_fqdns` - (Optional) List of FQDNs that implement the validation. Only valid for DNS validation method ACM certificates. If this is set, the resource can implement additional sanity checks and has an explicit dependency on the resource that is implementing the validation.

This resource exports the following attributes in addition to the arguments above:

- `id` - Time at which the certificate was issued.

Timeouts:

- `create` - (Default `75m`)
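Because this resource only waits, a validation CNAME that is missing or still holds a previous certificate's token is noticed only when the `create` timeout expires. The following added example (not provider code) replicates the `for_each` mapping and the multi-zone selection above as a pre-flight check: it builds the expected records from `domain_validation_options`, derives the `validation_record_fqdns` list, and compares against records read back from the zone. `HOSTED_ZONES`, `VALIDATION_OPTIONS` and the observed records are constructed sample data shaped like Route 53 and `aws acm describe-certificate` output.

```python
# Added example (not provider code): pre-flight check that the DNS validation
# CNAMEs ACM asks for are published, mirroring the page's for_each mapping.
# HOSTED_ZONES and VALIDATION_OPTIONS are constructed sample data shaped like
# Route 53 and `aws acm describe-certificate` output (zone names end in a dot).
HOSTED_ZONES = {"example.com.": "Z0EXAMPLECOM", "example.org.": "Z0EXAMPLEORG"}
VALIDATION_OPTIONS = [
    {"DomainName": "example.com", "ResourceRecord": {
        "Name": "_a1.example.com.", "Type": "CNAME", "Value": "_x1.acm-validations.aws."}},
    {"DomainName": "www.example.com", "ResourceRecord": {
        "Name": "_b2.www.example.com.", "Type": "CNAME", "Value": "_y2.acm-validations.aws."}},
    {"DomainName": "example.org", "ResourceRecord": {
        "Name": "_c3.example.org.", "Type": "CNAME", "Value": "_z3.acm-validations.aws."}},
]

def zone_for(domain, zones):
    """Pick the hosted zone by longest matching suffix: the general form of the
    page's `dvo.domain_name == "example.org" ? ... : ...` ternary."""
    best = None
    for name in zones:
        bare = name.rstrip(".")
        if domain == bare or domain.endswith("." + bare):
            if best is None or len(bare) > len(best):
                best = bare
    if best is None:
        raise ValueError(f"no hosted zone covers {domain}")
    return zones[best + "."]

def expected_records(options, zones):
    """One entry per domain_validation_options item, keyed by domain like the HCL
    for_each. fqdn drops the trailing dot, as aws_route53_record.fqdn does."""
    return {
        dvo["DomainName"]: {
            "zone_id": zone_for(dvo["DomainName"], zones),
            "fqdn": dvo["ResourceRecord"]["Name"].rstrip("."),
            "type": dvo["ResourceRecord"]["Type"],
            "value": dvo["ResourceRecord"]["Value"],
        }
        for dvo in options
    }

def validation_record_fqdns(expected):
    """The list the page passes to validation_record_fqdns."""
    return sorted(rec["fqdn"] for rec in expected.values())

def check_published(expected, observed):
    """observed maps fqdn -> (type, value) as read back from the zone. 'stale'
    means a previous certificate's token is still there (hence allow_overwrite)."""
    return {
        rec["fqdn"]: "missing" if rec["fqdn"] not in observed
        else "ok" if observed[rec["fqdn"]] == (rec["type"], rec["value"]) else "stale"
        for rec in expected.values()
    }
```

Run `check_published` against the records returned by `aws route53 list-resource-record-sets` before `terraform apply`; any `missing` or `stale` finding explains a pending validation faster than waiting out the 75m timeout.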