I have 2 AWS accounts: dev and prod.
In the prod account, I set up a DNS domain (example.com), as well as 2 public Hosted Zones: example.com and prod.example.com. 2 ACM certificates are also issued for these domains, internal.prod.example.com and eks.prod.example.com. Those certificates are correctly validated by DNS.
In the dev account, I have created 2 public Hosted Zones: dev.example.com and example.com. I issued 2 ACM certificates for internal.dev.example.com and eks.dev.example.com which, as far as I understand, need to be validated with the DNS in the prod account.
These certificates are in pending state.
How can I validate them?
What I did so far:
I added an NS record called dev.example.com in the prod account for the example.com Hosted Zone. The values of the NS record are the ones of the dev.example.com Hosted Zone created in the dev account. This is to delegate the ownership of the R53 Hosted Zone in prod. See here.
In the dev account, the CNAME of the requested domain from ACM has been added in the dev.example.com Hosted Zone for validation.
The following code is how it's been done (and working) on the prod account.
Note - this is a code that I took over, so I'm not aware if any manual steps have been taken.
# Look up the hosted zone for this environment, e.g. prod.example.com
data "aws_route53_zone" "dns-zone" {
  name = "${var.environment}.${var.zone_name}"
}

resource "aws_acm_certificate" "cert" {
  domain_name       = "*.${var.environment}.${var.zone_name}"
  validation_method = "DNS"
  # list() was removed in Terraform 0.15; a list literal is the equivalent
  subject_alternative_names = [
    "*.internal.${var.environment}.${var.zone_name}",
    "*.eks.${var.environment}.${var.zone_name}",
  ]

  lifecycle {
    create_before_destroy = true
    prevent_destroy       = true
  }
}

# One validation CNAME per domain, created in the environment's own zone
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
      name    = dvo.resource_record_name
      record  = dvo.resource_record_value
      type    = dvo.resource_record_type
      zone_id = data.aws_route53_zone.dns-zone.zone_id
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = each.value.zone_id
}

# Blocks until ACM has seen the validation records and issued the certificate
resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
}
PS - Should you need more clarification, please let me know.
In both the dev & prod accounts you have example.com? Only 1 can be used properly. Wherever the registrar is for example.com ... that registrar can only use the name servers from 1 of those hosted zones. You mentioned you have 2 ACM certs for internal.dev.example.com & eks.dev.example.com ... those should be validated in the DEV Account if that's where their domains are created.
Also I recommend you just create 1 wild card cert in ACM for *.dev.example.com & validate that 1 in the DEV account. Any subdomains such as eks.dev.example.com will be able to use it.
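An added consistency check (not code from the question or the answer) that models the layout discussed above: it flags a zone name hosted in both accounts, a child zone whose parent lacks a matching NS record, and an ACM validation CNAME created in a zone that is not authoritative for its name. The zone names, name servers and validation record names are constructed placeholders, not values from either account.

```python
def norm(name):
    """Canonical DNS form: lower-case with a single trailing dot."""
    return name.lower().rstrip(".") + "."
def enclosing_zone(name, hosted):
    """Longest hosted zone strictly containing normalised `name`, or None."""
    return max((z for z in hosted if name.endswith("." + z)), key=len, default=None)

def check_delegation(zones, registrar_ns, validation_cnames):
    """Problems in a cross-account Route 53 layout.
    zones: list of {"name", "account", "ns": set, "records": {rrname: set of NS}}
    registrar_ns: NS set the registrar publishes for the apex domain
    validation_cnames: {acm_validation_name: zone_name_where_it_was_created}"""
    problems, hosted, reg = [], {}, {norm(n) for n in registrar_ns}
    for z in zones:
        name, ns = norm(z["name"]), {norm(n) for n in z["ns"]}
        if name in hosted:
            # Same zone in two accounts: resolvers only reach the copy the
            # registrar (or the parent's NS record) points at.
            problems.append(f"{name} hosted in both {hosted[name]['account']} and {z['account']}")
            if ns != reg:
                continue  # keep the copy already stored
        records = {norm(k): {norm(v) for v in vs} for k, vs in z["records"].items()}
        hosted[name] = {"account": z["account"], "ns": ns, "records": records}
    for child, info in hosted.items():
        parent = enclosing_zone(child, hosted)
        if parent is None:  # apex: the registrar must point at this zone's NS set
            if info["ns"] != reg:
                problems.append(f"registrar NS set does not match the {info['account']} copy of {child}")
        elif hosted[parent]["records"].get(child) != info["ns"]:
            problems.append(f"{child} is not delegated from {parent} with its own NS set")
    for cname, placed in validation_cnames.items():
        auth = enclosing_zone(norm(cname), hosted)
        if auth != norm(placed):
            problems.append(f"{norm(cname)} created in {norm(placed)} but {auth} is authoritative")
    return problems

# Constructed sample modelling the question; the name servers are placeholders.
DEV_NS = {"ns-5.awsdns-00.com", "ns-6.awsdns-00.org"}
ZONES = [
    {"name": "example.com", "account": "prod", "ns": {"ns-1.awsdns-00.org"},
     "records": {"dev.example.com": DEV_NS, "prod.example.com": {"ns-7.awsdns-00.net"}}},
    {"name": "prod.example.com", "account": "prod", "ns": {"ns-7.awsdns-00.net"}, "records": {}},
    {"name": "example.com", "account": "dev", "ns": {"ns-3.awsdns-00.com"}, "records": {}},
    {"name": "dev.example.com", "account": "dev", "ns": DEV_NS, "records": {}},
]
VALIDATION = {"_acm1.internal.dev.example.com": "dev.example.com",  # correct zone
              "_acm2.eks.dev.example.com": "example.com"}            # wrong zone
def sample_problems():
    return check_delegation(ZONES, {"ns-1.awsdns-00.org"}, VALIDATION)
```

Feed it the real NS sets (from `dig NS` at the parent and from the child zone's SOA/NS records) and the validation names ACM shows for the pending certificates to see which of the three conditions is failing.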