feat: Cross-account DNS and ACM resource creation #108
BREAKING CHANGE
add changes made from the pre-commit and the recommended PR guidelines
9f012f7 to 632029f
The configuration_aliases is enough to make this work without the default provider blocks.
This PR has been automatically marked as stale because it has been open 30 days.

Any chance this can be looked at?

Would be great to see this one merged! How does it handle the case of using a single account? Does the user still need to pass 2 providers even if it's the same one?

@antonbabenko any chance this can be merged?
antonbabenko
left a comment
I am afraid there is no chance that this PR can be merged as it is now because it breaks one of the requirements for the resource module.
To achieve the same behavior we need to have some changes to the code:
- Module should be updated to create either ACM certificate (and validation resources) or Route53 records.
- Module should use a single/standard AWS provider passed into it (explicitly or implicitly).
- To achieve cross-account resource creation, there should be two module calls.
- By default, when not using cross-account resource creation, one provider is required, and the module should be backward compatible.
The example code (taken from examples/complete-dns-validation) shows this feature:
```hcl
provider "aws" {
  alias = "route53"
}

provider "aws" {
  alias = "acm"
}

module "acm" {
  source = "../../"

  providers = {
    aws = aws.acm
  }

  domain_name = local.domain_name
  zone_id     = coalescelist(data.aws_route53_zone.this.*.zone_id, aws_route53_zone.this.*.zone_id)[0]

  subject_alternative_names = [
    "*.alerts.${local.domain_name}",
    "new.sub.${local.domain_name}",
    "*.${local.domain_name}",
    "alerts.${local.domain_name}",
  ]

  wait_for_validation     = true
  create_route53_records  = false
  validation_record_fqdns = module.route53_records.validation_route53_record_fqdns

  tags = {
    Name = local.domain_name
  }
}

# AWS provider that is allowed to manage Route53 records required by the ACM module
module "route53_records" {
  source = "../../"

  providers = {
    aws = aws.route53
  }

  domain_name = module.acm.domain_name # TODO
  zone_id     = module.acm.zone_id     # TODO

  create_certificate = false

  acm_certificate_domain_validation_options = module.acm.acm_certificate_domain_validation_options # TODO
}
```

PS: I made a live stream today where I started looking into it (see from 41:43). Hopefully, it helps to understand the background and the solution.
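The two aliased providers in the comment above are left empty, which is fine for a single-account demo but hides the part that matters in a real cross-account setup: how the `aws.route53` alias reaches the hosted-zone account, and how little that access needs to be. The block below is an added example, not code from this PR or from the module's `examples/`. It assumes placeholder account IDs, a placeholder zone ID, a placeholder role name (`acm-dns-validation`), a placeholder `aws.route53_admin` alias with a placeholder `profile` for whoever administers the hosted-zone account, and `us-east-1` as the region. The module calls themselves stay exactly as in the comment above; only the provider wiring and the role in the hosted-zone account are shown here.

```hcl
# Added example, not part of this PR or the module's examples/.
# Every account ID, role name, zone ID and profile name below is a placeholder.

locals {
  acm_account_id     = "111111111111"       # placeholder: account that will own the certificate
  route53_account_id = "222222222222"       # placeholder: account that owns the hosted zone
  hosted_zone_id     = "Z0123456789EXAMPLE" # placeholder: hosted zone in the Route53 account
}

# Certificate account: whatever credentials run terraform.
provider "aws" {
  alias  = "acm"
  region = "us-east-1"
}

# Hosted-zone account: reached only by assuming a dedicated role there, so the
# certificate account never needs long-lived credentials for the DNS account.
provider "aws" {
  alias  = "route53"
  region = "us-east-1"

  assume_role {
    role_arn     = "arn:aws:iam::${local.route53_account_id}:role/acm-dns-validation" # placeholder role
    session_name = "acm-dns-validation"
  }
}

# Placeholder alias for an identity that can manage IAM in the hosted-zone
# account. The role below is created with it once; day-to-day runs only use
# aws.route53 above.
provider "aws" {
  alias   = "route53_admin"
  region  = "us-east-1"
  profile = "dns-account-admin" # placeholder profile name
}

# Trust policy: only the certificate account may assume the role.
data "aws_iam_policy_document" "validation_trust" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.acm_account_id}:root"]
    }
  }
}

# Permissions: record changes on the one zone, and nothing else.
data "aws_iam_policy_document" "validation_permissions" {
  # ACM DNS validation only ever writes CNAME records, so refuse any other type.
  statement {
    actions   = ["route53:ChangeResourceRecordSets"]
    resources = ["arn:aws:route53:::hostedzone/${local.hosted_zone_id}"]

    condition {
      test     = "ForAllValues:StringEquals"
      variable = "route53:ChangeResourceRecordSetsRecordTypes"
      values   = ["CNAME"]
    }
  }

  # Reads the aws_route53_record resource performs on the zone itself.
  statement {
    actions   = ["route53:GetHostedZone", "route53:ListResourceRecordSets"]
    resources = ["arn:aws:route53:::hostedzone/${local.hosted_zone_id}"]
  }

  # Needed so the provider can poll the change until it is INSYNC.
  statement {
    actions   = ["route53:GetChange"]
    resources = ["arn:aws:route53:::change/*"]
  }
}

resource "aws_iam_role" "acm_dns_validation" {
  provider           = aws.route53_admin
  name               = "acm-dns-validation" # placeholder, must match role_arn above
  assume_role_policy = data.aws_iam_policy_document.validation_trust.json
}

resource "aws_iam_role_policy" "acm_dns_validation" {
  provider = aws.route53_admin
  name     = "acm-dns-validation"
  role     = aws_iam_role.acm_dns_validation.id
  policy   = data.aws_iam_policy_document.validation_permissions.json
}
```

The point of scoping the role to one hosted zone ARN and, via the `route53:ChangeResourceRecordSetsRecordTypes` condition key, to CNAME records only is that a compromise of the certificate account's Terraform credentials cannot be turned into arbitrary control of the DNS account: the assumed role can write validation CNAMEs into that one zone and nothing more. For a single-account deployment, both `aws.acm` and `aws.route53` can point at the same credentials and the role section is simply not needed.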
This issue has been resolved in version 4.1.0 🎉

Thanks for the feature! Already updated our code - works like a charm. No need to create validation records manually anymore.

Thank you for the confirmation, @mputilin!

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Description
The proposed changes will allow both cross-account and single account ACM creation with DNS validation.
Motivation and Context
I needed to create my ACM certificates in account B but my hosted zone belongs to Account A. These changes allowed me to meet this requirement.
Breaking Changes
I believe the two providers will now always be required and need to be explicitly passed down.
In the module call, people will now need to pass the providers block with the two required providers, or, if they use a single account, then the following block should still work.
How Has This Been Tested?
I have tested by calling the fork with my branch.
- I have updated at least one of the examples/* to demonstrate and validate my change(s)
- I have tested and validated these changes using one or more of the provided examples/* projects
- I have executed pre-commit run -a on my pull request