Skip to content
Terraform module which creates and validates ACM certificate
HCL Makefile
Branch: master
Clone or download
Latest commit 795a690 Dec 19, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.chglog Terraform.012 upgrade (#9) Jun 5, 2019
examples Updated example with multiple SANs after PR #32 Dec 19, 2019
.editorconfig Initial commit with all the code Dec 13, 2018
.gitignore
.pre-commit-config.yaml Updated example with multiple SANs after PR #32 Dec 19, 2019
CHANGELOG.md Updated CHANGELOG Dec 19, 2019
LICENSE Initial commit with all the code Dec 13, 2018
Makefile Terraform.012 upgrade (#9) Jun 5, 2019
README.md Updated pre-commit-terraform to support terraform-docs and Terraform … Jun 17, 2019
main.tf Updated example with multiple SANs after PR #32 Dec 19, 2019
outputs.tf Terraform.012 upgrade (#9) Jun 5, 2019
variables.tf Terraform.012 upgrade (#9) Jun 5, 2019

README.md

AWS Certificate Manager (ACM) Terraform module

Terraform module which creates ACM certificates and validates them using Route53 DNS (recommended) or e-mail.

Terraform versions

Terraform 0.12. Pin module version to ~> v2.0. Submit pull-requests to master branch.

Terraform 0.11. Pin module version to ~> v1.0. Submit pull-requests to terraform011 branch.

Usage with Route53 DNS validation (recommended)

module "acm" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> v2.0"

  domain_name  = "my-domain.com"
  zone_id      = "Z2ES7B9AZ6SHAE"

  subject_alternative_names = [
    "*.my-domain.com",
    "app.sub.my-domain.com",
  ]

  tags = {
    Name = "my-domain.com"
  }
}

Examples

Conditional creation and validation

Sometimes you need to have a way to create ACM certificate conditionally but Terraform does not allow to use count inside module block, so the solution is to specify argument create_certificate.

module "acm" {
  source = "terraform-aws-modules/acm/aws"

  create_certificate = false
  # ... omitted
}

Similarly, to disable DNS validation of ACM certificate:

module "acm" {
  source = "terraform-aws-modules/acm/aws"

  validate_certificate = false
  # ... omitted
}

Notes

  • For use in an automated pipeline consider setting the wait_for_validation = false to avoid waiting for validation to complete or error after a 45 minute timeout.
  • domain_name can not be wildcard, but subject_alternative_names can include wildcards.

Inputs

Name Description Type Default Required
create_certificate Whether to create ACM certificate bool "true" no
domain_name A domain name for which the certificate should be issued string "" no
subject_alternative_names A list of domains that should be SANs in the issued certificate list(string) [] no
tags A mapping of tags to assign to the resource map(string) {} no
validate_certificate Whether to validate certificate by creating Route53 record bool "true" no
validation_allow_overwrite_records Whether to allow overwrite of Route53 records bool "true" no
validation_method Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into Terraform. string "DNS" no
wait_for_validation Whether to wait for the validation to complete bool "true" no
zone_id The ID of the hosted zone to contain this record. string "" no

Outputs

Name Description
distinct_domain_names List of distinct domains names used for the validation.
this_acm_certificate_arn The ARN of the certificate
this_acm_certificate_domain_validation_options A list of attributes to feed into other resources to complete certificate validation. Can have more than one element, e.g. if SANs are defined. Only set if DNS-validation was used.
this_acm_certificate_validation_emails A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used.
validation_domains List of distinct domain validation options. This is useful if subject alternative names contain wildcards.
validation_route53_record_fqdns List of FQDNs built using the zone domain and name.

Authors

Module managed by Anton Babenko.

License

Apache 2 Licensed. See LICENSE for full details.

You can’t perform that action at this time.