
AWS ACM Certificate

udx-github edited this page May 28, 2026 · 1 revision

Creates or reuses an AWS Certificate Manager certificate for a domain.

Use this module when a Rabbit service needs an ACM certificate for CloudFront or another AWS endpoint, with optional DNS validation records in Route53.

Supported Features

  • ACM certificate creation.
  • Existing issued or pending certificate lookup to avoid duplicates.
  • DNS validation through Route53 when a hosted zone ID is provided.
  • Subject alternative names.
  • Certificate key algorithm selection.
  • Certificate tags.

Prerequisites

  • AWS credentials with permission to read and manage ACM certificates.
  • Route53 permissions when DNS validation records should be created.
  • A Route53 hosted zone ID when using DNS validation through this module.
  • For CloudFront alternate domain names (custom aliases), the certificate must be created in us-east-1, whatever region the rest of the service runs in, because CloudFront only reads ACM certificates from that region. CloudFront also accepts only some of the key types ACM can issue; RSA_2048 (the default here) and EC_prime256v1 work, so check CloudFront's supported key sizes before choosing a larger RSA key.

Important Notes

  • domain is the primary certificate name (the certificate's common name).
  • subject_alternative_names is not generated automatically. Add wildcard or alternate names explicitly: a certificate requested for "example.com" alone does not cover "www.example.com" or "*.example.com".
  • validation_method defaults to DNS. Only DNS validation can be completed automatically through Route53; with EMAIL validation the module creates no Route53 records and the certificate stays PENDING_VALIDATION until someone acts on the approval email.
  • When check_existing_certificate is true, the module first looks for the most recent ISSUED or PENDING_VALIDATION certificate for domain. The lookup is keyed on domain, so confirm that a reused certificate's subject alternative names cover every name you need (for example the wildcard) before attaching it to a distribution.
  • If an existing certificate is found, no new certificate or validation records are created. A reused certificate that is still PENDING_VALIDATION therefore gets no validation records from this run; finish its validation in ACM or Route53, or set check_existing_certificate to false to request a fresh one.
  • DNS validation records are created only when all three conditions hold: a new certificate is created, validation_method is DNS, and route53_zone_id is set. If the zone is hosted elsewhere, copy the CNAME name and value from ACM and create the record in the authoritative DNS yourself.
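The reuse-or-create rules above, worked through as a stand-alone Python example. This is added illustration, not the aws-acm module's own code: the certificate dicts are constructed sample data shaped like ACM describe_certificate()['Certificate'] (ARNs, account ID and validation tokens are placeholders), and the Route53 ChangeBatch it builds follows the change_resource_record_sets parameter shape. It also shows two checks the page implies but the module does not perform for you: whether a reused certificate actually covers the requested names, and de-duplicating the validation CNAME that ACM issues identically for an apex name and its wildcard.

```python
"""Reuse-or-create decision for an ACM certificate (example, not module code).

Data shapes mirror ACM describe_certificate()['Certificate'] and the Route53
change_resource_record_sets ChangeBatch; nothing here calls AWS.
"""
from datetime import datetime, timezone

REUSABLE_STATUSES = {"ISSUED", "PENDING_VALIDATION"}


def select_existing_certificate(certificates, domain):
    """Most recently created certificate whose primary name is `domain` and whose
    status is ISSUED or PENDING_VALIDATION. Expired, failed or revoked ones are
    never reused. Returns None when there is no candidate."""
    candidates = [c for c in certificates
                  if c["DomainName"] == domain and c["Status"] in REUSABLE_STATUSES]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c["CreatedAt"])


def missing_names(certificate, wanted_names):
    """Requested names the certificate does not cover. Exact string match only,
    so "*.example.com" must appear literally among the SANs."""
    covered = {certificate["DomainName"], *certificate.get("SubjectAlternativeNames", [])}
    return sorted(set(wanted_names) - covered)


def plan_certificate(certificates, domain, subject_alternative_names=(),
                     validation_method="DNS", route53_zone_id=None,
                     check_existing_certificate=True):
    """Apply the page's rules: reuse wins when enabled and a candidate exists;
    validation records are only created for a new DNS-validated certificate
    with a hosted zone to write into."""
    existing = (select_existing_certificate(certificates, domain)
                if check_existing_certificate else None)
    if existing is not None:
        return {"action": "reuse",
                "certificate_arn": existing["CertificateArn"],
                "acm_status": existing["Status"],  # may still be PENDING_VALIDATION
                "create_validation_records": False,
                "missing_names": missing_names(existing, [domain, *subject_alternative_names])}
    return {"action": "create",
            "certificate_arn": None,
            "acm_status": None,
            "create_validation_records": validation_method == "DNS" and bool(route53_zone_id),
            "missing_names": []}


def validation_change_batch(certificate, ttl=300):
    """Route53 ChangeBatch of UPSERT CNAMEs from DomainValidationOptions.
    ACM returns the same CNAME for an apex name and its wildcard, and Route53
    rejects a batch that touches one record twice, so duplicates are dropped."""
    seen, changes = set(), []
    for option in certificate["DomainValidationOptions"]:
        record = option["ResourceRecord"]
        key = (record["Name"], record["Type"], record["Value"])
        if key in seen:
            continue
        seen.add(key)
        changes.append({"Action": "UPSERT",
                        "ResourceRecordSet": {"Name": record["Name"], "Type": record["Type"],
                                              "TTL": ttl,
                                              "ResourceRecords": [{"Value": record["Value"]}]}})
    return {"Comment": "ACM DNS validation", "Changes": changes}


# Constructed sample data (placeholder account, ARNs and validation tokens).
_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/"
_VALIDATION = [{"DomainName": name, "ValidationStatus": "PENDING_VALIDATION",
                "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                                   "Value": "_def456.acm-validations.aws."}}
               for name in ("example.com", "*.example.com")]
SAMPLE_CERTIFICATES = [
    {"CertificateArn": _ARN + "0000-old-issued", "DomainName": "example.com",
     "SubjectAlternativeNames": ["example.com"], "Status": "ISSUED",
     "CreatedAt": datetime(2024, 1, 1, tzinfo=timezone.utc), "DomainValidationOptions": []},
    {"CertificateArn": _ARN + "0000-new-pending", "DomainName": "example.com",
     "SubjectAlternativeNames": ["example.com", "*.example.com"], "Status": "PENDING_VALIDATION",
     "CreatedAt": datetime(2024, 6, 1, tzinfo=timezone.utc), "DomainValidationOptions": _VALIDATION},
    {"CertificateArn": _ARN + "0000-expired", "DomainName": "example.com",
     "SubjectAlternativeNames": ["example.com"], "Status": "EXPIRED",
     "CreatedAt": datetime(2025, 1, 1, tzinfo=timezone.utc), "DomainValidationOptions": []},
]

if __name__ == "__main__":
    print(plan_certificate(SAMPLE_CERTIFICATES, "example.com", ["*.example.com"],
                           route53_zone_id="Z0123456789ABCDEFG"))
    print(validation_change_batch(select_existing_certificate(SAMPLE_CERTIFICATES, "example.com")))
```

With the sample data the newest EXPIRED certificate is skipped and the PENDING_VALIDATION one from June is reused over the older ISSUED one, which is exactly the case where the status output will read ISSUED while ACM still shows the certificate as pending.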

Minimal Example

services:
  - name: "AWS ACM Certificate"
    module: "aws-acm"
    id: "example-com-certificate"
    deployment_order: 8
    configurations:
      domain: "example.com"
      subject_alternative_names:
        - "*.example.com"
      route53_zone_id: "Z0123456789ABCDEFG"
      check_existing_certificate: true
      tags:
        owner: "#{Owner}"
        lifecycle: "#{Lifecycle}"

Outputs

| Output | Description |
| --- | --- |
| acm_certificate_arn | ARN of the existing or newly created certificate. |
| acm_certificate_validation_arn | ARN returned after validation for new certificates, or the existing certificate ARN. |
| domain_name | Primary domain name configured for the certificate. |
| certificate_status | Certificate status. Existing certificates are reported as ISSUED regardless of their real ACM status (the lookup also matches PENDING_VALIDATION certificates), so confirm the status in ACM before attaching a reused certificate. |

Full Configuration Schema

The fields below are public module inputs under configurations.

configurations:
  domain: "example.com"
  subject_alternative_names:
    - "*.example.com"
  validation_method: "DNS"
  key_algorithm: "RSA_2048"
  route53_zone_id: "Z0123456789ABCDEFG"
  check_existing_certificate: true
  tags: {}
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| domain | string | Yes | Primary certificate domain name. |
| subject_alternative_names | array[string] | No | Additional certificate names, such as wildcard names. Defaults to an empty list. |
| validation_method | string | No | ACM validation method. Defaults to DNS. |
| key_algorithm | string | No | ACM key algorithm. Defaults to RSA_2048. |
| route53_zone_id | string | Conditional | Hosted zone ID used for DNS validation records. Required when this module should create validation records. |
| check_existing_certificate | boolean | No | Looks for an existing matching certificate before creating a new one. Defaults to true. |
| tags | map[string] | No | Tags merged with module-managed certificate tags. |
