Adding conditional validation creation

Lupus-Metallum · Feb 16, 2023 · 5713a7c · 5713a7c
1 parent e3608ae
commit 5713a7c
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -27,6 +27,7 @@ Used to create a DNS verified ACM certificate by R53 Zone name
 |------|-------------|------|---------|:--------:|
 | <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | The domain name to be used for the certificate | `string` | n/a | yes |
 | <a name="input_r53_zone_id"></a> [r53\_zone\_id](#input\_r53\_zone\_id) | Parent zone\_id the certificate should be created for | `string` | n/a | yes |
+| <a name="input_create_validation_records"></a> [create\_validation\_records](#input\_create\_validation\_records) | Should this module auto-create the needed ACM validation records? | `bool` | `true` | no |
 | <a name="input_subject_alternative_names"></a> [subject\_alternative\_names](#input\_subject\_alternative\_names) | List of SANs to include on the certificate, changing this after create forces a re-create | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Map of tags to provide to created resources | `map(string)` | `{}` | no |
 | <a name="input_ttl"></a> [ttl](#input\_ttl) | TTL to use for R53 verification records, defaults to a short time to allow quick re-create if needed | `number` | `60` | no |
@@ -38,4 +39,5 @@ Used to create a DNS verified ACM certificate by R53 Zone name
 | <a name="output_cert_arn"></a> [cert\_arn](#output\_cert\_arn) | n/a |
 | <a name="output_cert_status"></a> [cert\_status](#output\_cert\_status) | n/a |
 | <a name="output_domain_name"></a> [domain\_name](#output\_domain\_name) | n/a |
+| <a name="output_validation_records"></a> [validation\_records](#output\_validation\_records) | n/a |
 <!-- END_TF_DOCS -->
diff --git a/main.tf b/main.tf
@@ -16,13 +16,13 @@ resource "aws_acm_certificate" "this" {
 }
 
 resource "aws_route53_record" "this" {
-  for_each = {
+  for_each = var.create_validation_records ? {
     for dvo in aws_acm_certificate.this.domain_validation_options : dvo.domain_name => {
       name   = dvo.resource_record_name
       record = dvo.resource_record_value
       type   = dvo.resource_record_type
     }
-  }
+  } : {}
 
   allow_overwrite = true
   name            = each.value.name
@@ -37,6 +37,8 @@ resource "aws_route53_record" "this" {
 }
 
 resource "aws_acm_certificate_validation" "this" {
+  for_each = var.create_validation_records ? toset(["enable"]) : toset([])
+
   certificate_arn         = aws_acm_certificate.this.arn
   validation_record_fqdns = [for record in aws_route53_record.this : record.fqdn]
 

diff --git a/output.tf b/output.tf
@@ -8,4 +8,14 @@ output "cert_status" {
 
 output "domain_name" {
   value = aws_acm_certificate.this.domain_name
+}
+
+output "validation_records" {
+  value = {
+    for dvo in aws_acm_certificate.this.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
 }
diff --git a/variables.tf b/variables.tf
@@ -25,3 +25,9 @@ variable "ttl" {
   type        = number
   default     = 60
 }
+
+variable "create_validation_records" {
+  description = "Should this module auto-create the needed ACM validation records?"
+  type        = bool
+  default     = true
+}