Initial commit

skyfox675 · skyfox675 · commit 58818ceb1682 · 2021-04-19T09:40:38.000-05:00
diff --git a/main.tf b/main.tf
@@ -0,0 +1,54 @@
+data "aws_route53_zone" "parent_zone" {
+  zone_id      = var.r53_zone_id
+  private_zone = false
+}
+
+resource "aws_acm_certificate" "primary" {
+  domain_name       = "${var.tenant_name}.${data.aws_route53_zone.parent_zone.name}"
+  validation_method = "DNS"
+
+  subject_alternative_names = ["origin.${var.tenant_name}.${data.aws_route53_zone.parent_zone.name}"]
+
+  options {
+    certificate_transparency_logging_preference = "ENABLED"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = merge(
+    var.tags,
+    {
+      Name              = "${var.tenant_name}-primary",
+      SaaSResoure       = true,
+      DedicatedToTenant = true,
+    },
+  )
+}
+
+resource "aws_route53_record" "acm_validation" {
+  for_each = {
+    for dvo in aws_acm_certificate.primary.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = var.r53_zone_id
+}
+
+resource "aws_acm_certificate_validation" "primary" {
+  certificate_arn         = aws_acm_certificate.primary.arn
+  validation_record_fqdns = [for record in aws_route53_record.acm_validation : record.fqdn]
+
+  timeouts {
+    create = "60m"
+  }
+}
diff --git a/output.tf b/output.tf
@@ -0,0 +1,11 @@
+output "cert_arn" {
+  value = aws_acm_certificate.this.arn
+}
+
+output "cert_status" {
+  value = aws_acm_certificate.this.status
+}
+
+output "domain_name" {
+  value = aws_acm_certificate.this.domain_name
+}
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,27 @@
+variable "domain_name" {
+  description = "The domain name to be used for the certificate"
+  type        = string
+}
+
+variable "r53_zone_id" {
+  description = "Parent zone_id the certificate should be created for"
+  type        = string
+}
+
+variable "subject_alternative_names" {
+  description = "List of SANs to include on the certificate, changing this after create forces a re-create"
+  type        = list(string)
+  default     = []
+}
+
+variable "tags" {
+  description = "Map of tags to provide to created resources"
+  type        = map(string)
+  default     = {}
+}
+
+variable "ttl" {
+  description = "TTL to use for R53 verification records, defaults to a short time to allow quick re-create if needed"
+  type        = number
+  default     = 60
+}
diff --git a/versions.tf b/versions.tf
