Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Choosing the right zone for each SAN when attaching validation records #62

Open
apanzerj opened this issue Oct 12, 2022 · 9 comments
Open

Choosing the right zone for each SAN when attaching validation records #62

apanzerj opened this issue Oct 12, 2022 · 9 comments
Labels
bug 🐛 An issue with the system

Comments

@apanzerj
Copy link
Sponsor

apanzerj commented Oct 12, 2022
edited by nitrocode

Found a bug? Maybe our Slack Community can help.

Slack Community

Describe the Bug

When you have two SANs that belong to different zones, the module tries to add validation records to the incorrect zone.

Expected Behavior

It should add validation records to zones:

foo.baz.bar.com and bar.com

Steps to Reproduce

Steps to reproduce the behavior:
Say you have these two zones:

zone 1: bar.com
zone 2: foo.baz.bar.com

You want a cert that allows you to use both zones so you do this:

module "acm_request_certificate_east_coast" {
  source = "cloudposse/acm-request-certificate/aws"

  domain_name                       = "foo.baz.bar.com"
  process_domain_validation_options = true
  ttl                               = "300"
  subject_alternative_names         = ["*.foo.baz.bar.com", "*.bar.com"]

  providers = {
    aws = aws.use1
  }
}

When I terraform apply, the module does a data lookup for the zone:

  • baz.bar.com

The expectation is that the zones it should look up:

  • foo.baz.bar.com
  • bar.com

Screenshots

N/A

Environment (please complete the following information):

Mac OS

Additional Notes

In chatting on Slack I suggested this:

Instead of trying to guess what zone to put each SAN in, just have the user specify it manually:

module "cert_request" {
  subject_alternative_names = [
    {
      zone_to_lookup = "foo.baz.com",
      names          = ["a.foo.baz.com", "b.foo.baz.com"]
    },
   {
      zone_to_lookup = "*.baz.com",
      names          = ["bob.baz.com", "alice.baz.com"]
    }
  ]
  # etc etc
@apanzerj apanzerj added the bug 🐛 An issue with the system label Oct 12, 2022
@nitrocode
Copy link
Member

nitrocode commented Oct 12, 2022
edited

For now, you may want to set the zone_id or zone_name to keep all the verification records added to the same zone. This should work for you.

If that doesn't work, you can also set process_domain_validation_options = false and do the validation from outside the module.

@nitrocode
Copy link
Member

Ive been thinking of the interface. How's this one?

cc @apanzerj @jamengual

   domains = [
     {
       domain    = "google.com"
       zone_name = "google.com"
       san       = false
     },
     {
       domain    = "*.xyz.google.com"
       zone_name = "google.com"
       san       = true
     },
     {
       domain    = "*.abc.google.com"
       zone_name = "abc.google.com"
       san       = true
     },
   ]

@jamengual
Copy link

it makes it much easier to read and configure +1

@nitrocode
Copy link
Member

nitrocode commented Oct 20, 2022
edited

Or option 2

  # same interface for these top inputs
  domain_name   = "google.com"
  zone_name     = "google.com"
  # or zone_id
  process_domain_validation_options = true

  ttl = "300"

  # this one can become a list(object)
  subject_alternative_names = [
    {
      domain    = "*.xyz.google.com"
      zone_name = "google.com"
      # or zone_id
    },
    {
      domain    = "*.abc.google.com"
      zone_name = "abc.google.com"
      # or zone_id
    },
  ]

@apanzerj
Copy link
Sponsor Author

Both look good to me. Testing alternative suggestions now

@apanzerj
Copy link
Sponsor Author

What's odd to me is that 0.16.2 worked. It created validation records in all the right places.

@apanzerj apanzerj mentioned this issue Oct 30, 2022
Closed
@vzaitsev77
Copy link

What's the status? 0.17.0 is broken in the multi-domain case (even worse if domains are very different in our case)

@nitrocode
Copy link
Member

@vzaitsev77 @apanzerj @jamengual while we come up with an implementation that works for everyone, have you tried overriding the zone_id or zone_name suggested above?

#62 (comment)

@nitrocode nitrocode mentioned this issue Mar 3, 2023
Merged
@nitrocode
Copy link
Member

nitrocode commented Mar 3, 2023
edited

For now, I've set 0.17.0 as a pre-release until we can validate that zone_id or zone_name can be overridden without reverting the PR or introducing breaking changes.

e.g.

module "acm_request_certificate_east_coast" {
  source = "cloudposse/acm-request-certificate/aws"
  # Cloud Posse recommends pinning every module to a specific version
  version = "0.17.0"

  # explicit zone_name should be applied to each SANs' validation
  zone_name                         = "baz.bar.com"
  domain_name                       = "foo.baz.bar.com"
  process_domain_validation_options = true
  ttl                               = "300"
  subject_alternative_names         = ["*.foo.baz.bar.com", "*.bar.com"]
}

If we cannot verify the above works as expected with 0.17.0,, then we can merge this PR #66 to release 0.18.0 to go back to 0.16.2 release behavior.

@nitrocode nitrocode mentioned this issue Mar 3, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug 🐛 An issue with the system
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Work in progress ... apanzerj/terraform-aws-acm-request-certificate
4 participants
@apanzerj @jamengual @nitrocode @vzaitsev77