ugns · jbouse · Feb 5, 2021 · Feb 5, 2021 · Feb 5, 2021 · Feb 9, 2021
diff --git a/main.tf b/main.tf
@@ -1,9 +1,19 @@
 locals {
   # Get distinct list of domains and SANs
-  distinct_domain_names = distinct(concat([var.domain_name], [for s in var.subject_alternative_names : replace(s, "*.", "")]))
+  distinct_domain_names = distinct(concat([replace(var.domain_name, "*.", "")], [for s in var.subject_alternative_names : replace(s, "*.", "")]))
 
   # Copy domain_validation_options for the distinct domain names
-  validation_domains = var.create_certificate ? [for k, v in aws_acm_certificate.this[0].domain_validation_options : tomap(v) if contains(local.distinct_domain_names, replace(v.domain_name, "*.", ""))] : []
+  validation_domains = var.create_certificate ? [for k, v in aws_acm_certificate.this[0].domain_validation_options : tomap(v) if contains(local.distinct_domain_names, replace(v.domain_name, "\\*\\.", ""))] : []
+
+  host_to_zone_regex = "/^(?:.*\\.)?([^.]+\\.[^.]+)$/"
+  zone_id_map        = var.validate_certificate ? zipmap(local.distinct_domain_names, data.aws_route53_zone.parent.*.zone_id) : {}
+}
+
+data "aws_route53_zone" "parent" {
+  count = var.create_certificate && var.validation_method == "DNS" && var.validate_certificate ? length(local.distinct_domain_names) : 0
+
+  name         = replace(local.distinct_domain_names[count.index], local.host_to_zone_regex, "$1")
+  private_zone = false
 }
 
 resource "aws_acm_certificate" "this" {
@@ -25,9 +35,9 @@ resource "aws_acm_certificate" "this" {
 }
 
 resource "aws_route53_record" "validation" {
-  count = var.create_certificate && var.validation_method == "DNS" && var.validate_certificate ? length(local.distinct_domain_names) + 1 : 0
+  count = var.create_certificate && var.validation_method == "DNS" && var.validate_certificate ? length(local.distinct_domain_names) : 0
 
-  zone_id = var.zone_id
+  zone_id = lookup(local.zone_id_map, element(local.validation_domains, count.index)["domain_name"], var.zone_id)
   name    = element(local.validation_domains, count.index)["resource_record_name"]
   type    = element(local.validation_domains, count.index)["resource_record_type"]
   ttl     = var.dns_ttl

diff --git a/outputs.tf b/outputs.tf
@@ -27,3 +27,8 @@ output "validation_domains" {
   description = "List of distinct domain validation options. This is useful if subject alternative names contain wildcards."
   value       = local.validation_domains
 }
+
+output "zone_id_map" {
+  description = "List of distinct domains to hosted zone id."
+  value       = local.zone_id_map
+}
diff --git a/versions.tf b/versions.tf
@@ -2,6 +2,6 @@ terraform {
   required_version = ">= 0.12.6"
 
   required_providers {
-    aws = ">= 2.53"
+    aws = ">= 3.0"
   }
 }