Support different AWS account between ACM and Route53

Author: ringanta

README.md

@@ -12,13 +12,21 @@ The `domain_name` and `subject_alternative_names` variables consist of map (obje
 - The **domain** key contains domain name that will be used in the certificate whether in the domain name or subject alternative names section.
 
 ```terraform
+provider "aws" { }
+
 module "acm" {
     source = "../../"
 
+    providers = {
+        aws.acm = aws
+        aws.route53 = aws
+    }
+
     domain_name = {
         zone = "example.com"
         domain = "example.com"
     }
+
     subject_alternative_names = [
         {
             zone = "example.com"
@@ -54,6 +62,19 @@ Due to the [https://github.com/terraform-providers/terraform-provider-aws/issues
 1. Run `terraform plan -out=tfplan.out` and review the execution plan.
 1. Apply the change using `terraform apply tfplan.out`.
 
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 0.12.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws.acm | n/a |
+| aws.route53 | n/a |
+
 ## Inputs
 
 | Name | Description | Type | Default | Required |

main.tf

@@ -2,62 +2,62 @@ locals {
   all_domains = concat([var.domain_name.domain], [
     for v in var.subject_alternative_names : v.domain
   ])
+
   all_zones = concat([var.domain_name.zone], [
     for v in var.subject_alternative_names : v.zone
   ])
-  distinct_zones      = distinct(local.all_zones)
-  zone_name_to_id_map = zipmap(local.distinct_zones, data.aws_route53_zone.self[*].zone_id)
-  domain_to_zone_map  = zipmap(local.all_domains, local.all_zones)
 
-  cert_san = reverse(sort([
+  domain_zone_mapping = zipmap(local.all_domains, local.all_zones)
+
+  cert_sans = sort([
     for v in var.subject_alternative_names : v.domain
-  ]))
-  cert_validation_domains = [
-    for v in aws_acm_certificate.self.domain_validation_options : tomap(v)
-  ]
+  ])
+
+  default_tags = {
+    ManagedBy = "terraform"
+  }
 }
 
 data "aws_route53_zone" "self" {
-  count = length(local.distinct_zones)
+  provider = aws.route53
+  for_each = toset(local.all_zones)
 
-  name         = local.distinct_zones[count.index]
+  name         = each.value
   private_zone = false
 }
 
 resource "aws_acm_certificate" "self" {
+  provider = aws.acm
+
   domain_name               = var.domain_name.domain
-  subject_alternative_names = local.cert_san
+  subject_alternative_names = local.cert_sans
   validation_method         = "DNS"
 
-  tags = var.tags
-
-  lifecycle {
-    create_before_destroy = true
-    # Workaround for SAN doesn't maintain order
-    # See https://github.com/terraform-providers/terraform-provider-aws/issues/8531
-    ignore_changes = [subject_alternative_names]
-  }
+  tags = merge(local.default_tags, var.tags)
 }
 
 resource "aws_route53_record" "validation" {
-  count = var.validation_set_records ? length(distinct(local.all_domains)) : 0
-
-  zone_id = lookup(local.zone_name_to_id_map, lookup(local.domain_to_zone_map, local.cert_validation_domains[count.index]["domain_name"]))
-  name    = local.cert_validation_domains[count.index]["resource_record_name"]
-  type    = local.cert_validation_domains[count.index]["resource_record_type"]
-  ttl     = 60
-
+  provider = aws.route53
+  for_each = var.validation_set_records ? {
+    for dvo in aws_acm_certificate.self.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  } : {}
+
+  zone_id         = data.aws_route53_zone.self[local.domain_zone_mapping[each.key]].zone_id
+  name            = each.value.name
+  type            = each.value.type
+  records         = [each.value.record]
+  ttl             = 60
   allow_overwrite = var.validation_allow_overwrite_records
-
-  records = [
-    local.cert_validation_domains[count.index]["resource_record_value"]
-  ]
 }
 
 resource "aws_acm_certificate_validation" "self" {
-  count = var.validate_certificate ? 1 : 0
-
-  certificate_arn = aws_acm_certificate.self.arn
+  provider = aws.acm
+  count    = var.validate_certificate ? 1 : 0
 
-  validation_record_fqdns = local.cert_validation_domains[*]["resource_record_name"]
+  certificate_arn         = aws_acm_certificate.self.arn
+  validation_record_fqdns = [for record in aws_route53_record.validation : record.fqdn]
 }

outputs.tf

@@ -5,7 +5,7 @@ output "certificate_arn" {
 
 output "certificate_domains" {
   description = "List of domain names covered by the certificate"
-  value       = concat([aws_acm_certificate.self.domain_name], aws_acm_certificate.self.subject_alternative_names)
+  value       = concat([aws_acm_certificate.self.domain_name], list(aws_acm_certificate.self.subject_alternative_names))
 }
 
 output "certificate_domain_validation_options" {

providers.tf

@@ -0,0 +1,7 @@
+provider "aws" {
+  alias = "route53"
+}
+
+provider "aws" {
+  alias = "acm"
+}

versions.tf

@@ -1,3 +1,7 @@
 terraform {
-  required_version = ">= 0.12.0"
-}
+  required_providers {
+    aws = "~> 3.0"
+  }
+
+  required_version = ">= 0.12.6"
+}