aws_acm_certificate_validation fails if certificate already exists in another region #13653

Closed
guigo2k opened this issue Jun 7, 2020 · 2 comments
Labels
service/acm Issues and PRs that pertain to the acm service.

Comments

@guigo2k

guigo2k commented Jun 7, 2020

When trying to issue a certificate for a domain which already exists in another AWS region, the validation fails because the CNAME record used for the validation already exists.

```hcl
# Reproduction as posted: one certificate in a single region, with the ACM
# validation CNAME published through the Cloudflare provider.
resource "aws_acm_certificate" "cert" {
  domain_name       = var.domain
  validation_method = "DNS"
}

# Publishes the validation CNAME that ACM hands back for the domain.
resource "cloudflare_record" "cert_validation" {
  zone_id = var.zone_id
  name    = aws_acm_certificate.cert.domain_validation_options.0.resource_record_name
  type    = aws_acm_certificate.cert.domain_validation_options.0.resource_record_type
  value   = aws_acm_certificate.cert.domain_validation_options.0.resource_record_value
  ttl     = 3600
  proxied = true
}

# Waits until ACM has validated the certificate via that record.
resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = [cloudflare_record.cert_validation.hostname]
}
```

```text
Error: Failed to create record: error from makeRequest: HTTP status 400: content "{\"result\":null,\"success\":false,\"errors\":[{\"code\":81053,\"message\":\"An A, AAAA or CNAME record already exists with that host.\"}],\"messages\":[]}"
```

Expected behaviour:

The validation process should create unique CNAME records for each certificate.

@ghost ghost added the service/acm Issues and PRs that pertain to the acm service. label Jun 7, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jun 7, 2020
@bflad
Member

bflad commented Jun 7, 2020

Hi @guigo2k 👋 Thank you for submitting this and sorry you ran into trouble here.

The DNS validation record values are assigned by the ACM API and unfortunately out of Terraform's control in this situation. We already pass a unique token value with each request, which is the only available API option from a caller's perspective.

While the maintainers here are not experts with CloudFlare or its Terraform provider, which is where the error is being thrown in this case, there are a few things you can do in this situation:

  • Potentially rework your multiple region configuration to funnel the DNS record handling to a single cloudflare_record for management of it
  • Potentially use the cloudflare_record resource import support to manually workaround Terraform attempting to create a record that already exists (although this leaves multiple configurations managing the same record).
  • Potentially report a feature request in the Terraform CloudFlare Provider that they implement an "overwrite" argument for the resource. We implemented a similar feature in the aws_route53_record resource allow_overwrite argument as a pragmatic workaround for this more common overlapping management situation.
  • Potentially submit an AWS Support case as a feature request to have multiple region certificates use unique DNS validation records.

Hope this helps. 👍
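A worked form of the first suggestion above (funnel the validation record into a single cloudflare_record), added here as an example; it is not code from the issue, the AWS provider or HashiCorp. The provider aliases, regions, variable names and the tolist() indexing are assumptions:

```hcl
# Added example (not from the issue or the AWS provider): one Cloudflare
# validation record shared by two regional ACM certificates for the same
# domain. Provider aliases, regions and variable names are assumptions.

terraform {
  required_providers {
    aws        = { source = "hashicorp/aws" }
    cloudflare = { source = "cloudflare/cloudflare" }
  }
}

variable "domain" {
  type = string # placeholder, e.g. "example.com"
}

variable "zone_id" {
  type = string # placeholder Cloudflare zone id
}

provider "aws" {
  alias  = "use1"
  region = "us-east-1"
}

provider "aws" {
  alias  = "euw1"
  region = "eu-west-1"
}

# The same domain, requested in each region. As the issue shows, ACM hands
# back the same validation CNAME for the domain in both regions, which is
# why a second cloudflare_record for it collides (Cloudflare error 81053).
resource "aws_acm_certificate" "use1" {
  provider          = aws.use1
  domain_name       = var.domain
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_acm_certificate" "euw1" {
  provider          = aws.euw1
  domain_name       = var.domain
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# Take the validation option from one certificate only. tolist() keeps this
# working whether domain_validation_options is a list (the ".0" syntax in
# the issue, provider 2.x) or a set (provider 3.x and later).
locals {
  validation = tolist(aws_acm_certificate.use1.domain_validation_options)[0]
}

# Exactly one resource manages the validation CNAME for both regions.
resource "cloudflare_record" "cert_validation" {
  zone_id = var.zone_id
  name    = local.validation.resource_record_name
  type    = local.validation.resource_record_type
  value   = local.validation.resource_record_value
  ttl     = 60
  # Unproxied: ACM must resolve the CNAME itself. A proxied Cloudflare record
  # answers with Cloudflare's own addresses instead of the CNAME target.
  proxied = false

  # ACM renews both certificates through this record, so protect it from a
  # teardown of one region silently breaking renewal in the other.
  lifecycle {
    prevent_destroy = true
  }
}

# Each region waits on the same record before its certificate is usable.
resource "aws_acm_certificate_validation" "use1" {
  provider                = aws.use1
  certificate_arn         = aws_acm_certificate.use1.arn
  validation_record_fqdns = [cloudflare_record.cert_validation.hostname]
}

resource "aws_acm_certificate_validation" "euw1" {
  provider                = aws.euw1
  certificate_arn         = aws_acm_certificate.euw1.arn
  validation_record_fqdns = [cloudflare_record.cert_validation.hostname]
}
```

Both aws_acm_certificate_validation resources depend on the one cloudflare_record, so Terraform only ever issues a single create for the CNAME and the "record already exists" failure does not arise. The record also has to stay in place after issuance, because ACM's managed renewal of a DNS-validated certificate re-checks the same CNAME; that is why it carries prevent_destroy rather than living in one region's stack where a destroy would remove it.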

@bflad bflad closed this as completed Jun 7, 2020
@ghost

ghost commented Jul 7, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@hashicorp hashicorp locked and limited conversation to collaborators Jul 7, 2020
@breathingdust breathingdust removed the needs-triage Waiting for first response or review from a maintainer. label Sep 17, 2021