AWS Certificate Manager (ACM) Terraform module
Terraform module which creates ACM certificates and validates them using Route53 DNS (recommended) or e-mail.
Usage with Route53 DNS validation (recommended)
module "acm" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> 4.0"

  domain_name = "my-domain.com"
  zone_id     = "Z2ES7B9AZ6SHAE"

  validation_method = "DNS"

  subject_alternative_names = [
    "*.my-domain.com",
    "app.sub.my-domain.com",
  ]

  wait_for_validation = true

  tags = {
    Name = "my-domain.com"
  }
}
Usage with external DNS validation (e.g. CloudFlare)
module "acm" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> 4.0"

  domain_name = "weekly.tf"
  zone_id     = "b7d259641bf30b89887c943ffc9d2138"

  validation_method = "DNS"

  subject_alternative_names = [
    "*.weekly.tf",
  ]

  create_route53_records  = false
  validation_record_fqdns = [
    "_689571ee9a5f9ec307c512c5d851e25a.weekly.tf",
  ]

  tags = {
    Name = "weekly.tf"
  }
}
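The snippet above hard-codes the validation record FQDN, which only works once the record already exists. The following is an added example (not the module's own code) showing how the validation records themselves can be created in Cloudflare and their FQDNs fed back into the module in the same configuration. It assumes the `cloudflare/cloudflare` provider (v4 argument names), a hypothetical `cloudflare_zone_id` variable, a `CLOUDFLARE_API_TOKEN` in the environment, and that the module's `validation_domains` output lists one validation option (resource record name, type and value) per entry of `distinct_domain_names`:

```hcl
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.0"
    }
  }
}

# Assumed: CLOUDFLARE_API_TOKEN is set and scoped to DNS edits on this one zone.
provider "cloudflare" {}

# Hypothetical variable carrying the Cloudflare zone identifier.
variable "cloudflare_zone_id" {
  type = string
}

module "acm" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> 4.0"

  domain_name               = "weekly.tf"
  subject_alternative_names = ["*.weekly.tf"]
  validation_method         = "DNS"

  # Records live in Cloudflare, so the module must not try to write to Route53.
  create_route53_records = false

  # FQDNs of the records created below. Terraform tracks dependencies per
  # resource, not per module, so this does not form a cycle.
  validation_record_fqdns = cloudflare_record.validation[*].hostname
}

# "weekly.tf" and "*.weekly.tf" validate through one and the same CNAME, and
# distinct_domain_names is derived from the inputs only, so count is known at
# plan time even though the record contents are not.
resource "cloudflare_record" "validation" {
  count = length(module.acm.distinct_domain_names)

  zone_id = var.cloudflare_zone_id
  # Assumed output: validation_domains[i] carries resource_record_name/_type/_value.
  name    = trimsuffix(module.acm.validation_domains[count.index].resource_record_name, ".")
  type    = module.acm.validation_domains[count.index].resource_record_type
  value   = trimsuffix(module.acm.validation_domains[count.index].resource_record_value, ".")
  ttl     = 60

  # The CNAME must resolve to ACM's target directly. A proxied ("orange cloud")
  # record answers with Cloudflare edge IPs instead, and validation never completes.
  proxied = false

  # Re-issuing the certificate changes the record value; overwrite in place.
  allow_overwrite = true
}
```

Scope the Cloudflare token to DNS edits on the single zone: the token only needs to write `_acme`-style CNAMEs, and a zone-wide or account-wide token in CI is a larger blast radius than the task warrants.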
Usage with CloudFront
# CloudFront only accepts ACM certificates issued in us-east-1 (N. Virginia),
# no matter which region the rest of the stack is deployed to.
provider "aws" {
  alias  = "us-east-1"
  region = "us-east-1"
}

module "acm" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> 4.0"

  providers = {
    aws = aws.us-east-1
  }

  domain_name = "my-domain.com"
  zone_id     = "Z266PL4W4W6MSG"

  validation_method = "DNS"

  wait_for_validation = true

  tags = {
    Name = "my-domain.com"
  }
}
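What the certificate is then attached to is not shown above. The following is an added example (not part of the module or its README) of a CloudFront distribution consuming the certificate from the `module "acm"` block in the previous snippet, plus the Route53 alias pointing at it. It assumes `Z266PL4W4W6MSG` is the hosted zone for `my-domain.com` and that `origin.my-domain.com` is a hypothetical HTTPS origin; the distribution and the Route53 record use the default (non-aliased) AWS provider because both services are global:

```hcl
# AWS-managed cache policy, looked up by name rather than hard-coded by ID.
data "aws_cloudfront_cache_policy" "caching_optimized" {
  name = "Managed-CachingOptimized"
}

resource "aws_cloudfront_distribution" "this" {
  enabled = true
  aliases = ["my-domain.com"]

  origin {
    domain_name = "origin.my-domain.com" # hypothetical origin
    origin_id   = "primary"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id       = "primary"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    cache_policy_id        = data.aws_cloudfront_cache_policy.caching_optimized.id
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    # CloudFront rejects a certificate that is still PENDING_VALIDATION, which is
    # why the module above sets wait_for_validation = true.
    acm_certificate_arn = module.acm.acm_certificate_arn
    ssl_support_method  = "sni-only"

    # The provider default here is "TLSv1"; pin a current policy explicitly.
    minimum_protocol_version = "TLSv1.2_2021"
  }
}

# Alias record in the same hosted zone the certificate was validated in.
resource "aws_route53_record" "cloudfront" {
  zone_id = "Z266PL4W4W6MSG"
  name    = "my-domain.com"
  type    = "A"

  alias {
    name                   = aws_cloudfront_distribution.this.domain_name
    zone_id                = aws_cloudfront_distribution.this.hosted_zone_id
    evaluate_target_health = false
  }
}
```

If the certificate module is later moved out of us-east-1 by mistake, the plan fails at the `viewer_certificate` block rather than at runtime, which is the cheap place to catch it.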
Usage with Route53 DNS validation and separate AWS providers
provider "aws" {
  alias = "acm"
}

provider "aws" {
  alias = "route53"
}

module "acm" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> 4.0"

  providers = {
    aws = aws.acm
  }

  domain_name = "my-domain.com"

  subject_alternative_names = [
    "*.my-domain.com",
    "app.sub.my-domain.com",
  ]

  validation_method = "DNS"

  create_route53_records  = false
  validation_record_fqdns = module.route53_records.validation_route53_record_fqdns
}

module "route53_records" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> 4.0"

  providers = {
    aws = aws.route53
  }

  create_certificate          = false
  create_route53_records_only = true

  validation_method = "DNS"

  distinct_domain_names = module.acm.distinct_domain_names
  zone_id               = "Z266PL4W4W6MSG"

  acm_certificate_domain_validation_options = module.acm.acm_certificate_domain_validation_options
}
Examples
- Complete example with DNS validation (recommended)
- Complete example with DNS validation via external DNS provider (CloudFlare)
- Complete example with EMAIL validation
- Complete example with EMAIL validation and validation domain override
Conditional creation and validation
Sometimes you need a way to create the ACM certificate conditionally. Terraform versions before 0.13 do not allow `count` inside a `module` block, so the module provides the `create_certificate` argument instead:
module "acm" {
  source = "terraform-aws-modules/acm/aws"

  create_certificate = false
  # ... omitted
}
Similarly, to skip validation of the ACM certificate (the certificate is still requested):
module "acm" {
  source = "terraform-aws-modules/acm/aws"

  validate_certificate = false
  # ... omitted
}
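On Terraform 0.13 and later the same conditional creation can be expressed with `count` on the module block itself, which goes slightly beyond what the section above shows. This is an added example, not the module's own code; it assumes a hypothetical `create_certificate` variable and reuses the zone ID from the first usage example:

```hcl
variable "create_certificate" {
  type    = bool
  default = true
}

module "acm" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> 4.0"

  # Terraform >= 0.13: zero or one instance of the whole module.
  count = var.create_certificate ? 1 : 0

  domain_name       = "my-domain.com"
  zone_id           = "Z2ES7B9AZ6SHAE"
  validation_method = "DNS"

  wait_for_validation = true
}

# With count on the module, its outputs are indexed. try() turns the
# "no instance" case into null instead of an index error, so consumers that
# reference this output still plan cleanly when the certificate is disabled.
output "acm_certificate_arn" {
  value = try(module.acm[0].acm_certificate_arn, null)
}
```

The trade-off against `create_certificate = false` is that every reference to the module must use the `[0]` index, so the built-in flag remains the less invasive choice when only a few attributes need to be switched off.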
Notes
- For use in an automated pipeline, consider setting `wait_for_validation = false` to avoid waiting for validation to complete or erroring after a 45 minute timeout. Anything that needs an issued certificate (a load balancer listener, a CloudFront distribution) can then be applied after polling the status separately, for example with `aws acm wait certificate-validated --certificate-arn <arn>`.
- If you're upgrading to v2.13.0 or above, you might be subject to the off-by-one validation record issue. You can solve this without compromising existing validation records by issuing `terraform state rm <your_module_name>.validation[1]`, where `[1]` can be a different index depending on the number of validation records your module creates (you can check this with `terraform state list module.<your_module_name>.validation`).
Authors
The module is maintained by Anton Babenko with help from these awesome contributors.
License
Apache 2 Licensed. See LICENSE for full details.
Additional information for users from Russia and Belarus
- Russia illegally annexed Crimea in 2014 and started the war in Donbas, followed by the full-scale invasion of Ukraine in 2022.
- Russia has brought sorrow and devastation to millions of Ukrainians, killed hundreds of innocent people, damaged thousands of buildings, and forced several million people to flee.
- Putin khuylo!