
fix: creation of route53 validation records when the main domain name starts with star #57


Conversation

michelzanini

Description

Consider an example where we use star (*) as prefix for domain_name:

```hcl
module "example" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> v2.0"

  domain_name  = "*.api.example.com"
  zone_id      = aws_route53_zone.main.zone_id
}
```

This should work correctly, but it fails building the validation records for Route 53.
The reason is this piece of code in locals:

```hcl
locals {
  // Get distinct list of domains and SANs
  distinct_domain_names = distinct(concat([var.domain_name], [for s in var.subject_alternative_names : replace(s, "*.", "")]))

  // Copy domain_validation_options for the distinct domain names
  validation_domains = var.create_certificate ? [for k, v in aws_acm_certificate.this[0].domain_validation_options : tomap(v) if contains(local.distinct_domain_names, replace(v.domain_name, "*.", ""))] : []
}
```

The problem here is that domain_name has a star, but in the validation_domains for-loop the star is removed from the compared value, so the two will never match.

A simple fix is to consider that domain_name can also have a star and strip it, as done in this PR.

Breaking Changes

No breaking changes.

How Has This Been Tested?

I have run the example above after doing the fix and it worked.

Workaround while this is not fixed

To work around it, I have set it up like this:

```hcl
module "example" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> v2.0"

  domain_name  = "api.example.com"
  zone_id      = aws_route53_zone.main.zone_id

  subject_alternative_names = [
    "*.api.example.com"
  ]
}
```
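To make the mismatch concrete, here is a small Python model of the two HCL expressions from the description, run once with the v2.0 handling of domain_name and once with the fix the PR proposes (assumed here to be the same replace(..., "*.", "") applied to var.domain_name). This is an added example, not code from the module; the ACM domain_validation_options it builds are a constructed stand-in for aws_acm_certificate.this[0].

```python
# Added example (not the module's code): a Python model of the two HCL
# expressions in the PR description, run with the buggy and the fixed
# handling of domain_name. The ACM domain_validation_options built below
# are a constructed stand-in for aws_acm_certificate.this[0].

def strip_wildcard(name: str) -> str:
    """Terraform's replace(name, "*.", "")."""
    return name.replace("*.", "")


def distinct_domain_names(domain_name, sans, strip_main_domain):
    """Model of local.distinct_domain_names.

    strip_main_domain=False is the v2.0 code (domain_name used as-is);
    strip_main_domain=True is the fix this PR proposes (assumed to be
    replace(var.domain_name, "*.", "") on the main domain as well)."""
    first = strip_wildcard(domain_name) if strip_main_domain else domain_name
    out = []
    for n in [first] + [strip_wildcard(s) for s in sans]:
        if n not in out:  # distinct(): keep first occurrence, preserve order
            out.append(n)
    return out


def validation_domains(options, distinct):
    """Model of local.validation_domains: keep an option only if its domain,
    with "*." stripped, is contained in the distinct list."""
    return [o for o in options if strip_wildcard(o["domain_name"]) in distinct]


def unmatched_validation_domains(domain_name, sans, strip_main_domain):
    """Certificate names that would get no Route 53 validation record."""
    # ACM emits one validation option per certificate name (constructed data).
    options = [{"domain_name": n, "resource_record_type": "CNAME"}
               for n in [domain_name] + list(sans)]
    distinct = distinct_domain_names(domain_name, sans, strip_main_domain)
    matched = validation_domains(options, distinct)
    return [o["domain_name"] for o in options if o not in matched]


if __name__ == "__main__":
    # v2.0: the wildcard main domain is never matched, so no record is created.
    print(unmatched_validation_domains("*.api.example.com", [], strip_main_domain=False))
    # With the fix: every validation option is matched.
    print(unmatched_validation_domains("*.api.example.com", [], strip_main_domain=True))
    # The workaround from the description also matches everything unfixed.
    print(unmatched_validation_domains("api.example.com", ["*.api.example.com"], False))
```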

@michelzanini michelzanini changed the title Fix the creation of route53 validation records when the main domain name starts with star Fix: creation of route53 validation records when the main domain name starts with star Aug 6, 2020
@michelzanini michelzanini changed the title Fix: creation of route53 validation records when the main domain name starts with star fix: creation of route53 validation records when the main domain name starts with star Aug 6, 2020
@michelzanini michelzanini force-pushed the fix_domain_name_starting_with_star branch from 5a3cc45 to d1c3652 August 6, 2020 12:39
@Chili-Man

@michelzanini any chance you can update the branch with master? If not I can carry the pr forward

@michelzanini
Author

@Chili-Man done, but the PR is missing reviewers...

@Chili-Man

@michelzanini thanks; @antonbabenko @DrFaust92

DmitriyStoyanov added a commit to DmitriyStoyanov/terraform-aws-acm that referenced this pull request Nov 23, 2020
@zswanson

Would be great to get this merged in, the workaround mentioned will create the cert, but you can only do data lookups of records by the domain name itself. So if you have some other terraform resources looking for a wildcard domain ACM, they have no way to find it from the subject_alternative_names.
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/acm_certificate

@aknirak

aknirak commented Jan 19, 2021

I am running into the same issue when trying to set up a wildcard cert. Any idea when this PR will be merged with the master?

```text
module.example.aws_acm_certificate.this[0]: Creating...
module.example.aws_acm_certificate.this[0]: Creating...
module.example.aws_acm_certificate.this[0]: Creation complete after 7s [id=arn:aws:acm:us-east-1:xxxx:certificate/xxxxxx]
module.example.aws_route53_record.validation[0]: Creating...
module.example.aws_route53_record.validation[1]: Creating...
module.example.aws_route53_record.validation[2]: Creating...
module.example.aws_route53_record.validation[2]: Still creating... [10s elapsed]
module.example.aws_route53_record.validation[1]: Still creating... [10s elapsed]
module.example.aws_route53_record.validation[0]: Still creating... [10s elapsed]
module.example.aws_route53_record.validation[2]: Still creating... [20s elapsed]
module.example.aws_route53_record.validation[0]: Still creating... [20s elapsed]
module.example.aws_route53_record.validation[1]: Still creating... [20s elapsed]
module.example.aws_route53_record.validation[0]: Still creating... [30s elapsed]
module.example.aws_route53_record.validation[2]: Still creating... [30s elapsed]
module.example.aws_route53_record.validation[1]: Still creating... [30s elapsed]
module.example.aws_route53_record.validation[0]: Creation complete after 31s [id=Z0796745AI0GK0FIACAE__73d3d63cdaad5079d79bc7fe90a35bc8.ref.d.microservices.com._CNAME]
module.example.aws_route53_record.validation[2]: Creation complete after 31s [id=Z0796745AI0GK0FIACAE__73d3d63cdaad5079d79bc7fe90a35bc8.ref.d.microservices.com._CNAME]
module.example.aws_route53_record.validation[1]: Creation complete after 33s [id=Z0796745AI0GK0FIACAE__73d3d63cdaad5079d79bc7fe90a35bc8.ref.d.microservices.com._CNAME]
module.example.aws_acm_certificate_validation.this[0]: Creating...

Error: 1 error occurred:
* missing *.d.microservices.com DNS validation record: _a136df759401b2ae67926e1ff6b96af8.d.microservices.com
```

@aknirak

aknirak commented Jan 26, 2021

Any update on this?

@github-actions

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 15, 2022