Tags: amazon-web-services, terraform, terraform-provider-aws

How to Terraform Create and Validate AWS Certificate


I am attempting to create and validate an AWS Certificate using Terraform by following the example from the Terraform documentation here: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation#dns-validation-with-route-53

My Terraform file looks like:

resource "aws_acm_certificate" "vpn_server" {
  domain_name       = "stuff.mine.com"
  validation_method = "DNS"

  tags = {
    Name = "certificate"
    Scope = "vpn_server"
    Environment = "vpn"
  }
}

resource "aws_acm_certificate_validation" "vpn_server" {
  certificate_arn = aws_acm_certificate.vpn_server.arn

  validation_record_fqdns = [for record in aws_route53_record.my_dns_record_vpn_server : record.fqdn]

  timeouts {
    create = "2m"
  }
}

resource "aws_route53_zone" "my_dns" {
  name = "stuff.mine.com"

  tags = {
    name = "dns_zone"
  }
}


resource "aws_route53_record" "my_dns_record_vpn_server" {
  for_each = {
    for dvo in aws_acm_certificate.vpn_server.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = aws_route53_zone.my_dns.zone_id
}

The problem is that when running terraform apply the validation always reaches the timeout and fails with the following error message:

aws_acm_certificate.vpn_server: Creating...
aws_acm_certificate.vpn_server: Creation complete after 8s [id=arn:aws:acm:eu-west-2:320289993971:certificate/7e859491-141f-49d5-b50e-c44cf4e1db4e]
aws_route53_zone.my_dns: Creating...
aws_route53_zone.my_dns: Still creating... [10s elapsed]
aws_route53_zone.my_dns: Creation complete after 52s [id=Z09112516IIP4OEAIIQ7]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Creating...
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [10s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [20s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [30s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [40s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Still creating... [50s elapsed]
aws_route53_record.my_dns_record_vpn_server["stuff.mine.com"]: Creation complete after 58s [id=Z09112516IIP4OEAIIQ7__ebd2853fcbfc7cc8bd6582e65d940d54.stuff.mine.com._CNAME]
aws_acm_certificate_validation.vpn_server: Creating...
aws_acm_certificate_validation.vpn_server: Still creating... [10s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [20s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [30s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [40s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [50s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m0s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m10s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m20s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m30s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m40s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [1m50s elapsed]
aws_acm_certificate_validation.vpn_server: Still creating... [2m0s elapsed]

╷
│ Error: Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION
│
│   with aws_acm_certificate_validation.vpn_server,
│   on main.tf line 61, in resource "aws_acm_certificate_validation" "vpn_server":
│   61: resource "aws_acm_certificate_validation" "vpn_server" {
│
╵

Can someone tell me what I am missing to get the Certificate Validation to complete?


Solution

  • The domain validation records need to be in a public zone that is properly delegated. So if you owned mine.com and then wanted to create a zone called stuff.mine.com, you would need to set NS records in mine.com for stuff.mine.com that point to the stuff.mine.com zone's NS servers, which you aren't doing here; you also aren't using an already configured zone.

    Without that, the records will be created in your zone, but that zone isn't properly delegated and so nothing will ever be able to resolve those records. You should be able to test this by attempting to resolve them yourself or by using an external resolver tool such as MX Toolbox.

    There's probably a lot to consider here but you might want to set up a zone that will contain the eventual records you want to create (so the record pointing to the web server/load balancer that you want the certificate for plus the ACM domain validation records) separately and then just refer to the zone by using the aws_route53_zone data source so your domain validation records are created there.
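The following configuration is an added example, not the answerer's own code, showing the delegation step the answer describes applied to the asker's layout. It assumes mine.com already exists as a public hosted zone in the same AWS account (looked up with the aws_route53_zone data source), and that mine.com itself is delegated from the registrar to Route 53. The child zone stuff.mine.com is created as before, but an NS record in the parent makes public resolvers able to reach it, and the validation records are only written after that delegation exists. All resource names below (parent, child, child_delegation, vpn_server_validation) are illustrative choices.

```hcl
# Parent zone that is already delegated from the registrar (assumed to exist).
data "aws_route53_zone" "parent" {
  name         = "mine.com."
  private_zone = false
}

# Child zone for the VPN hostname, as in the original question.
resource "aws_route53_zone" "child" {
  name = "stuff.mine.com"
}

# The missing piece: delegate stuff.mine.com from mine.com to the child zone's
# name servers. Route 53 exposes them as the zone's name_servers attribute.
resource "aws_route53_record" "child_delegation" {
  zone_id = data.aws_route53_zone.parent.zone_id
  name    = "stuff.mine.com"
  type    = "NS"
  ttl     = 300
  records = aws_route53_zone.child.name_servers
}

resource "aws_acm_certificate" "vpn_server" {
  domain_name       = "stuff.mine.com"
  validation_method = "DNS"

  # Recommended for ACM certificates so a replacement is issued before the
  # old one is removed from anything that references it.
  lifecycle {
    create_before_destroy = true
  }
}

# One CNAME per domain_validation_options entry, in the (now delegated) child zone.
resource "aws_route53_record" "vpn_server_validation" {
  for_each = {
    for dvo in aws_acm_certificate.vpn_server.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  zone_id         = aws_route53_zone.child.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.record]
  allow_overwrite = true

  # No point asking ACM to resolve these until the parent NS record exists.
  depends_on = [aws_route53_record.child_delegation]
}

resource "aws_acm_certificate_validation" "vpn_server" {
  certificate_arn         = aws_acm_certificate.vpn_server.arn
  validation_record_fqdns = [for r in aws_route53_record.vpn_server_validation : r.fqdn]

  # ACM polls public DNS; delegation and CNAME propagation can take several
  # minutes, so a 2m create timeout will usually fail even when DNS is correct.
  timeouts {
    create = "30m"
  }
}
```

If you do not need a separate child zone, the simpler variant the answer recommends is to drop aws_route53_zone.child and aws_route53_record.child_delegation and set the validation record's zone_id to data.aws_route53_zone.parent.zone_id; the _acme-style CNAME names ACM hands back (such as the _ebd2...stuff.mine.com record in the question's output) sit under mine.com and resolve fine from there. Either way, before blaming ACM, confirm from outside AWS that `dig +short NS stuff.mine.com` returns the child zone's name servers and that the validation CNAME resolves; if those queries return nothing, the delegation is what is broken, not the certificate.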