Terraform version: Terraform v0.13.0
Operating System: Ubuntu 18.04.4 LTS
Issue
The entire terraform plan seems to execute fine until the very end of the run, when I receive the following error:
Error: no matching Route53Zone found
The ACME certificates & registration URL (in the format https://acme-v02.api.letsencrypt.org/acme/cert/<cert_id>) are output (so I’m assuming the TXT challenge completed?) in the tfstate under the module instances for the create-cert-dns module (outlined below).
Code
I am trying to use the “acme_certificate” resource in conjunction with Route53 dns provider to generate certificates. The calling parent module calls the child acme module as follows:
variable "domain-mappings" {
  type    = list(string)
  default = [
    "fake.domain.com",
  ]
}

provider "aws" {}

provider "acme" {
  server_url = lookup(var.acme_server_urls, var.acme_server_type)
}

module "create_certs" {
  source = "./modules/letsencrypt/create-cert-dns"
  count  = var.amount

  domain = var.domain-mappings[count.index]
  subject_alternative_names = {
    (var.domain-mappings[count.index]) = ["*.${var.domain-mappings[count.index]}"]
  }

  # Registration e-mail built from the last two labels of the domain
  # (e.g. fake.domain.com -> admin@domain.com)
  reg_email    = "admin@${join(".", [reverse(split(".", var.domain-mappings[count.index]))[1], reverse(split(".", var.domain-mappings[count.index]))[0]])}"
  dns_provider = "route53"
}
The first version of the create-cert-dns module, which attempts to select the zone_id programmatically, is as follows:
terraform {
  required_version = ">= 0.13.0"
}

# Create the private key for the registration (not the certificate)
resource "tls_private_key" "private_key" {
  count     = var.amount
  algorithm = "RSA"
  rsa_bits  = var.key_type
}

# Set up a registration using a private key from tls_private_key
resource "acme_registration" "reg" {
  count           = var.amount
  account_key_pem = tls_private_key.private_key[count.index].private_key_pem
  email_address   = var.reg_email
}

data "aws_region" "current" {}

# Look up the hosted zone by exact name; the name is built from the last
# two labels of var.domain (fake.domain.com -> domain.com)
data "aws_route53_zone" "selected" {
  name = join(".", [reverse(split(".", var.domain))[1], reverse(split(".", var.domain))[0]])
}

# Create a certificate
resource "acme_certificate" "certificate" {
  count                     = var.amount
  account_key_pem           = acme_registration.reg[count.index].account_key_pem
  common_name               = var.domain
  subject_alternative_names = var.subject_alternative_names[var.domain]

  dns_challenge {
    provider = var.dns_provider
    config = {
      AWS_HOSTED_ZONE_ID = data.aws_route53_zone.selected.zone_id
    }
  }

  # Writes the private key and certificate to the local filesystem in
  # plaintext (the key is also stored in the Terraform state)
  provisioner "local-exec" {
    command = "echo \"${self.private_key_pem}\" > ./data/certificates/${self.common_name}_privkey.pem && echo \"${self.certificate_pem}\" > ./data/certificates/${self.common_name}_cert.pem"
  }

  provisioner "local-exec" {
    when    = destroy
    command = "rm ./data/certificates/${self.common_name}*"
  }
}
The second attempt to make the create-cert-dns module work, with a hard-coded zone_id, is as follows:
terraform {
  required_version = ">= 0.13.0"
}

# Create the private key for the registration (not the certificate)
resource "tls_private_key" "private_key" {
  count     = var.amount
  algorithm = "RSA"
  rsa_bits  = var.key_type
}

# Set up a registration using a private key from tls_private_key
resource "acme_registration" "reg" {
  count           = var.amount
  account_key_pem = tls_private_key.private_key[count.index].private_key_pem
  email_address   = var.reg_email
}

data "aws_region" "current" {}

# Still declared, so it is still evaluated during plan even though the
# dns_challenge below no longer references it
data "aws_route53_zone" "selected" {
  name = join(".", [reverse(split(".", var.domain))[1], reverse(split(".", var.domain))[0]])
}

variable "zone_id" {
  type    = string
  default = "<REDACTED>"
}

# Create a certificate
resource "acme_certificate" "certificate" {
  count                     = var.amount
  account_key_pem           = acme_registration.reg[count.index].account_key_pem
  common_name               = var.domain
  subject_alternative_names = var.subject_alternative_names[var.domain]

  dns_challenge {
    provider = var.dns_provider
    config = {
      AWS_HOSTED_ZONE_ID = var.zone_id
    }
  }

  # Writes the private key and certificate to the local filesystem in
  # plaintext (the key is also stored in the Terraform state)
  provisioner "local-exec" {
    command = "echo \"${self.private_key_pem}\" > ./data/certificates/${self.common_name}_privkey.pem && echo \"${self.certificate_pem}\" > ./data/certificates/${self.common_name}_cert.pem"
  }

  provisioner "local-exec" {
    when    = destroy
    command = "rm ./data/certificates/${self.common_name}*"
  }
}
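The following is an added example (not part of the original post) that reproduces, in Python, the zone-name expression used by the aws_route53_zone data source in both versions of the module, together with the exact-name match that data source performs; it also shows a longest-suffix match, which picks a delegated sub-zone over its parent. The hosted-zone list is constructed sample data and the zone IDs are placeholders, not real Route53 identifiers.

```python
# Added example, not from the original post. Mirrors the HCL zone-name
# expression and the exact-name match of the aws_route53_zone data source.
from typing import Optional

# Constructed sample data: what a hosted-zone listing might return for the
# account running the plan (names are normalised with a trailing dot).
# Zone IDs are placeholders, not real Route53 identifiers.
ZONES = [
    {"Id": "Z-PLACEHOLDER-0001", "Name": "fake.domain.com."},  # delegated sub-zone
    {"Id": "Z-PLACEHOLDER-0002", "Name": "other.example."},
]


def apex_from_hcl_expression(domain: str) -> str:
    """Python equivalent of
    join(".", [reverse(split(".", d))[1], reverse(split(".", d))[0]]):
    it always returns the last two labels, whatever the domain's depth."""
    labels = list(reversed(domain.rstrip(".").split(".")))
    return f"{labels[1]}.{labels[0]}"


def find_zone_exact(zones, name: str) -> Optional[str]:
    """Exact-name match, as the data source does. None means the lookup
    fails with "no matching Route53Zone found"."""
    wanted = name.rstrip(".") + "."
    for zone in zones:
        if zone["Name"] == wanted:
            return zone["Id"]
    return None


def find_zone_longest_suffix(zones, fqdn: str) -> Optional[str]:
    """Pick the hosted zone whose name is the longest suffix of the record's
    FQDN, so a delegated sub-zone wins over its parent zone."""
    fqdn = fqdn.rstrip(".") + "."
    candidates = [z for z in zones
                  if fqdn == z["Name"] or fqdn.endswith("." + z["Name"])]
    if not candidates:
        return None
    return max(candidates, key=lambda z: len(z["Name"]))["Id"]


if __name__ == "__main__":
    for domain in ("fake.domain.com", "fake.domain.co.uk"):
        apex = apex_from_hcl_expression(domain)
        print(f"{domain}: expression asks for zone {apex!r} -> "
              f"{find_zone_exact(ZONES, apex) or 'no matching Route53Zone found'}; "
              f"longest-suffix -> {find_zone_longest_suffix(ZONES, domain)}")
```

With the sample zones, the expression asks for "domain.com", which is not hosted in the account, so the exact-name lookup fails even though the challenge record for fake.domain.com would live in the "fake.domain.com." zone.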
Closing Thoughts
How can I get rid of this error?
Thank you kindly for your time!