Fix missing certificate domain validation

Author: ringanta

main.tf

@@ -1,36 +1,33 @@
 locals {
   all_domains = concat([var.domain_name.domain], [
-    for v in var.subject_alternative_names: v.domain
+    for v in var.subject_alternative_names : v.domain
   ])
   all_zones = concat([var.domain_name.zone], [
-    for v in var.subject_alternative_names: v.zone
-  ])
-  distinct_zones = distinct(local.all_zones)
-  distinct_domains = distinct([
-    for domain in local.all_domains: replace(domain, "*.", "")
+    for v in var.subject_alternative_names : v.zone
   ])
+  distinct_zones      = distinct(local.all_zones)
   zone_name_to_id_map = zipmap(local.distinct_zones, data.aws_route53_zone.self[*].zone_id)
-  domain_to_zone_map = zipmap(local.all_domains, local.all_zones)
+  domain_to_zone_map  = zipmap(local.all_domains, local.all_zones)
 
   cert_san = reverse(sort([
-    for v in var.subject_alternative_names: v.domain
+    for v in var.subject_alternative_names : v.domain
   ]))
   cert_validation_domains = [
-    for v in aws_acm_certificate.self.domain_validation_options: tomap(v) if contains(local.distinct_domains, replace(v.domain_name, "*.", ""))
+    for v in aws_acm_certificate.self.domain_validation_options : tomap(v)
   ]
 }
 
 data "aws_route53_zone" "self" {
   count = length(local.distinct_zones)
 
-  name = local.distinct_zones[count.index]
+  name         = local.distinct_zones[count.index]
   private_zone = false
 }
 
 resource "aws_acm_certificate" "self" {
-  domain_name = var.domain_name.domain
+  domain_name               = var.domain_name.domain
   subject_alternative_names = local.cert_san
-  validation_method = "DNS"
+  validation_method         = "DNS"
 
   tags = var.tags
 
@@ -43,8 +40,8 @@ resource "aws_acm_certificate" "self" {
 }
 
 resource "aws_route53_record" "validation" {
-  count = var.validation_set_records ? length(local.distinct_domains) : 0
-  
+  count = var.validation_set_records ? length(local.cert_validation_domains) : 0
+
   zone_id = lookup(local.zone_name_to_id_map, lookup(local.domain_to_zone_map, local.cert_validation_domains[count.index]["domain_name"]))
   name    = local.cert_validation_domains[count.index]["resource_record_name"]
   type    = local.cert_validation_domains[count.index]["resource_record_type"]

outputs.tf

@@ -4,8 +4,8 @@ output "certificate_arn" {
 }
 
 output "certificate_domains" {
-    description = "List of domain names covered by the certificate"
-    value = concat([aws_acm_certificate.self.domain_name], aws_acm_certificate.self.subject_alternative_names)
+  description = "List of domain names covered by the certificate"
+  value       = concat([aws_acm_certificate.self.domain_name], aws_acm_certificate.self.subject_alternative_names)
 }
 
 output "certificate_domain_validation_options" {

variables.tf

@@ -1,17 +1,17 @@
 variable "domain_name" {
   description = "Domain name for the ACM certificate"
-  type = map(string)
+  type        = map(string)
 }
 
 variable "subject_alternative_names" {
   description = "List of subject alternative names for the ACM certificate"
-  type = list(map(string))
+  type        = list(map(string))
 }
 
 variable "tags" {
   description = "Key and value pair that will be added as tag"
-  type = map(string)
-  default = {}
+  type        = map(string)
+  default     = {}
 }
 
 variable "validate_certificate" {
@@ -22,8 +22,8 @@ variable "validate_certificate" {
 
 variable "validation_set_records" {
   description = "Whether to configure Route53 records for validation"
-  type = bool
-  default = true
+  type        = bool
+  default     = true
 }
 
 variable "validation_allow_overwrite_records" {

versions.tf

@@ -1,3 +1,3 @@
 terraform {
-    required_version = ">= 0.12.0"
+  required_version = ">= 0.12.0"
 }