Single record from aws_acm_certificate

Hello,

I am trying to set up certificate validation with AWS Certificate Manager using the DNS method and then adding the required record to an Azure DNS Zone. I want to choose a single output from AWS CM and create a record based on it. Let me elaborate:

This is what I currently have and it works:

resource "aws_acm_certificate" "ingress" {
  domain_name               = var.dns_zone
  subject_alternative_names = ["*.${var.dns_zone}"]
  validation_method         = "DNS"

  tags = var.tags
}

resource "azurerm_dns_cname_record" "ingress_cert_valid" {
  depends_on = [
    azurerm_dns_zone.ingress,
    aws_acm_certificate.ingress,
  ]

  # One record instance per validation option, keyed by the domain it validates
  for_each = {
    for dvo in aws_acm_certificate.ingress.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
    }
  }

  name                = trimsuffix(each.value.name, ".${var.dns_zone}.")
  resource_group_name = "test-rg"
  zone_name           = azurerm_dns_zone.ingress.name
  ttl                 = 3600
  record              = each.value.record
}

As you can see, I am using subject_alternative_names, which means that I get 2 outputs from aws_acm_certificate.ingress.domain_validation_options (one for the initial domain and one for the SAN). The thing is that resource_record_name and resource_record_value are exactly the same.

When I create a CNAME in Azure, this is not a problem, as it just overwrites it, but I have a problem when running terraform destroy, as 1 of them is of course not found.

Any idea how to specify it so that it would try to create only one record?

Best regards,
Bostjan

I got this sorted. If someone finds this useful, what I did was change the set to a list and then use that one:

resource "azurerm_dns_cname_record" "ingress_cert_valid" {
  depends_on = [
    azurerm_dns_zone.ingress,
    aws_acm_certificate.ingress,
  ]

  for_each = {
    for dvo in aws_acm_certificate.ingress.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
    }
  }

  # Convert the set to a list and always take the first element, since both
  # validation options carry the same name and value
  name                = trimsuffix(tolist(aws_acm_certificate.ingress.domain_validation_options)[0].resource_record_name, ".${var.dns_zone}.")
  resource_group_name = "test-rg"
  zone_name           = azurerm_dns_zone.ingress.name
  ttl                 = 3600
  record              = tolist(aws_acm_certificate.ingress.domain_validation_options)[0].resource_record_value
}

In this case I do not care in which order the records are returned, as I receive the same values from both of them.

Best regards,
Bostjan
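An alternative to indexing the list, as an added example that is not part of either post above: key the for_each map by resource_record_name instead of domain_name and use the `...` grouping operator, so the apex and wildcard-SAN entries (which ACM maps to one identical CNAME) collapse into a single key. Terraform then plans exactly one record instance, so apply and destroy stay consistent, and the record also drives an aws_acm_certificate_validation resource; the variable, zone and resource-group names are assumed to match the posts.

```hcl
locals {
  # Group validation options by the DNS record they require. The "..." suffix
  # turns duplicate keys into a list instead of an error, so the apex domain
  # and its wildcard SAN (same CNAME name and value) become one map entry.
  acm_validation_records = {
    for dvo in aws_acm_certificate.ingress.domain_validation_options :
    dvo.resource_record_name => {
      record  = dvo.resource_record_value
      domains = dvo.domain_name
    }...
  }
}

resource "azurerm_dns_cname_record" "ingress_cert_valid" {
  # One instance per distinct validation record, not per domain
  for_each = local.acm_validation_records

  # ACM returns the FQDN with a trailing dot; Azure wants the zone-relative name
  name                = trimsuffix(each.key, ".${var.dns_zone}.")
  resource_group_name = "test-rg"            # assumed, as in the posts
  zone_name           = azurerm_dns_zone.ingress.name
  ttl                 = 3600
  # All grouped entries share the same value, so the first one is used
  record              = each.value[0].record
}

# Wait for ACM to observe the CNAME before the certificate is considered issued
resource "aws_acm_certificate_validation" "ingress" {
  certificate_arn         = aws_acm_certificate.ingress.arn
  validation_record_fqdns = [for r in azurerm_dns_cname_record.ingress_cert_valid : r.fqdn]
}
```

Because the map key is the record name itself, a future certificate with SANs in other zones would produce additional, distinct keys rather than being silently dropped by a `[0]` index.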