fix: Fixed wildcard in domain names (#71)

antonbabenko · web-flow · commit 3af7bf2434fd · 2021-02-19T13:06:11.000+01:00
diff --git a/.gitignore b/.gitignore
@@ -2,3 +2,4 @@
 terraform.tfstate
 *.tfstate*
 terraform.tfvars
+.terraform.lock.hcl
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: git://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.44.0
+    rev: v1.45.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate
@@ -21,6 +21,6 @@ repos:
           - '--args=--only=terraform_standard_module_structure'
           - '--args=--only=terraform_workspace_remote'
   - repo: git://github.com/pre-commit/pre-commit-hooks
-    rev: v3.3.0
+    rev: v3.4.0
     hooks:
       - id: check-merge-conflict
diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@ Terraform module which creates ACM certificates and validates them using Route53
 
 Terraform 0.12. Pin module version to `~> v2.0`. Submit pull-requests to `master` branch.
 
-Terraform 0.11. Pin module version to `~> v1.0`. Submit pull-requests to `terraform011` branch.
+Terraform 0.11. Pin module version to `~> v1.0`.
 
 ## Usage with Route53 DNS validation (recommended)
 
@@ -61,7 +61,6 @@ module "acm" {
 ## Notes
 
 * For use in an automated pipeline consider setting the `wait_for_validation = false` to avoid waiting for validation to complete or error after a 45 minute timeout.
-* `domain_name` can not be wildcard, but `subject_alternative_names` can include wildcards.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
@@ -77,6 +76,18 @@ module "acm" {
 |------|---------|
 | aws | >= 2.53 |
 
+## Modules
+
+No Modules.
+
+## Resources
+
+| Name |
+|------|
+| [aws_acm_certificate_validation](https://registry.terraform.io/providers/hashicorp/aws/2.53/docs/resources/acm_certificate_validation) |
+| [aws_acm_certificate](https://registry.terraform.io/providers/hashicorp/aws/2.53/docs/resources/acm_certificate) |
+| [aws_route53_record](https://registry.terraform.io/providers/hashicorp/aws/2.53/docs/resources/route53_record) |
+
 ## Inputs
 
 | Name | Description | Type | Default | Required |
@@ -103,7 +114,6 @@ module "acm" {
 | this\_acm\_certificate\_validation\_emails | A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used. |
 | validation\_domains | List of distinct domain validation options. This is useful if subject alternative names contain wildcards. |
 | validation\_route53\_record\_fqdns | List of FQDNs built using the zone domain and name. |
-
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 ## Authors
diff --git a/examples/complete-dns-validation/README.md b/examples/complete-dns-validation/README.md
@@ -32,6 +32,19 @@ Note that this example may create resources which cost money. Run `terraform des
 |------|---------|
 | aws | >= 2.53 |
 
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| acm | ../../ |  |
+
+## Resources
+
+| Name |
+|------|
+| [aws_route53_zone](https://registry.terraform.io/providers/hashicorp/aws/2.53/docs/data-sources/route53_zone) |
+| [aws_route53_zone](https://registry.terraform.io/providers/hashicorp/aws/2.53/docs/resources/route53_zone) |
+
 ## Inputs
 
 No input.
@@ -46,5 +59,4 @@ No input.
 | this\_acm\_certificate\_validation\_emails | A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used. |
 | validation\_domains | List of distinct domain validation options. This is useful if subject alternative names contain wildcards. |
 | validation\_route53\_record\_fqdns | List of FQDNs built using the zone domain and name. |
-
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/complete-dns-validation/main.tf b/examples/complete-dns-validation/main.tf
@@ -16,7 +16,7 @@ data "aws_route53_zone" "this" {
 }
 
 resource "aws_route53_zone" "this" {
-  count = ! local.use_existing_route53_zone ? 1 : 0
+  count = !local.use_existing_route53_zone ? 1 : 0
   name  = local.domain_name
 }
 
@@ -28,10 +28,8 @@ module "acm" {
 
   subject_alternative_names = [
     "*.alerts.${local.domain_name}",
-    "*.something.${local.domain_name}",
-    "*.news.${local.domain_name}",
-    "*.info.${local.domain_name}",
     "new.sub.${local.domain_name}",
+    "*.${local.domain_name}",
   ]
 
   wait_for_validation = true
diff --git a/examples/complete-email-validation/README.md b/examples/complete-email-validation/README.md
@@ -45,6 +45,18 @@ Note that this example may create resources which cost money. Run `terraform des
 |------|---------|
 | aws | >= 2.53 |
 
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| acm | ../../ |  |
+
+## Resources
+
+| Name |
+|------|
+| [aws_route53_zone](https://registry.terraform.io/providers/hashicorp/aws/2.53/docs/resources/route53_zone) |
+
 ## Inputs
 
 | Name | Description | Type | Default | Required |
@@ -58,5 +70,4 @@ Note that this example may create resources which cost money. Run `terraform des
 | this\_acm\_certificate\_arn | The ARN of the certificate |
 | this\_acm\_certificate\_domain\_validation\_options | A list of attributes to feed into other resources to complete certificate validation. Can have more than one element, e.g. if SANs are defined. Only set if DNS-validation was used. |
 | this\_acm\_certificate\_validation\_emails | A list of addresses that received a validation E-Mail. Only set if EMAIL-validation was used. |
-
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/main.tf b/main.tf
@@ -1,6 +1,8 @@
 locals {
   # Get distinct list of domains and SANs
-  distinct_domain_names = distinct(concat([var.domain_name], [for s in var.subject_alternative_names : replace(s, "*.", "")]))
+  distinct_domain_names = distinct(
+    [for s in concat([var.domain_name], var.subject_alternative_names) : replace(s, "*.", "")]
+  )
 
   # Copy domain_validation_options for the distinct domain names
   validation_domains = var.create_certificate ? [for k, v in aws_acm_certificate.this[0].domain_validation_options : tomap(v) if contains(local.distinct_domain_names, replace(v.domain_name, "*.", ""))] : []
@@ -25,7 +27,7 @@ resource "aws_acm_certificate" "this" {
 }
 
 resource "aws_route53_record" "validation" {
-  count = var.create_certificate && var.validation_method == "DNS" && var.validate_certificate ? length(local.distinct_domain_names) + 1 : 0
+  count = var.create_certificate && var.validation_method == "DNS" && var.validate_certificate ? length(local.distinct_domain_names) : 0
 
   zone_id = var.zone_id
   name    = element(local.validation_domains, count.index)["resource_record_name"]

Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ data "aws_route53_zone" "this" {`
`16`	`16`	`}`
`17`	`17`
`18`	`18`	`resource "aws_route53_zone" "this" {`
`19`		`- count = ! local.use_existing_route53_zone ? 1 : 0`
	`19`	`+ count = !local.use_existing_route53_zone ? 1 : 0`
`20`	`20`	`name = local.domain_name`
`21`	`21`	`}`
`22`	`22`
`@@ -28,10 +28,8 @@ module "acm" {`
`28`	`28`
`29`	`29`	`subject_alternative_names = [`
`30`	`30`	`"*.alerts.${local.domain_name}",`
`31`		`- "*.something.${local.domain_name}",`
`32`		`- "*.news.${local.domain_name}",`
`33`		`- "*.info.${local.domain_name}",`
`34`	`31`	`"new.sub.${local.domain_name}",`
	`32`	`+ "*.${local.domain_name}",`
`35`	`33`	`]`
`36`	`34`
`37`	`35`	`wait_for_validation = true`