How to handle SSL certs where domain validation is cross account

I have a simple module which handles validating a primary, and secondary name. This works great, when the zones are in the same account. The problem I’m having now, is how do I handle when this is cross account? As far as I’m aware, you can’t do conditionals on providers. What other options do I have? Am I stuck duplicating the aws_route_53 record resource? If so, how can I address a specific response from aws_acm_certificate?

Module in question:

 resource "aws_acm_certificate" "cert" {
  domain_name               = var.domain_name
  validation_method         = "DNS"
  subject_alternative_names = [var.secondary_domain_name]

resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
      zone_id = dvo.domain_name == var.domain_name ? var.zone_id : var.secondary_zone_id
      name    = dvo.resource_record_name
      type    = dvo.resource_record_type
      record  = dvo.resource_record_value
      ttl     = 60

  zone_id         = each.value.zone_id
  name            =
  type            = each.value.type
  records         = [each.value.record]
  ttl             = 60
  allow_overwrite = true

resource "aws_acm_certificate_validation" "cert" {
  certificate_arn = aws_acm_certificate.cert.arn

  validation_record_fqdns = [
    for record in aws_route53_record.cert_validation : record.fqdn


You are hitting a requirement of the AWS Route53 API. You can only manipulate r53 resources in the owning account. I usually work around this with a zone delegation certificate or 2 aws providers instances.



You’re aware you can pass different providers, right? The issue in this case is that you can’t conditionally use providers.

I think I can use the optional if clause, so I can loop just twice, to support a list of domains on either provider. Going to be today’s attempt, anyway.


Yes this is an option. I do use multiple providers for cross account AWS Transit Gateway attachments and VPC peering. I pass to provider reference to a submodule but the provider block itself, as you mentionned, can’t be conditionnal

The problem with multiple instance of a provider is that it makes things a little more complicated and I try to stay away from it. It is not supported by a lot of wrappers either. I prefer the trade off of zone delegation so DNS entry and ACM can be fully delegated to a third party account. That’s just my preference, not the only option.