Fixing certificates quirks

LeoDiazL · LeoDiazL · commit 06ed67bde1dc · 2025-12-09T12:20:56.000-03:00
diff --git a/action.yaml b/action.yaml
@@ -244,6 +244,9 @@ inputs:
   aws_r53_create_sub_cert: 
     description: 'Generates and manage the sub-domain certificate for the application'
     required: false
+  aws_r53_export_cert:
+    description: 'Enables export flag of the certificate.'
+    required: false
   aws_r53_additional_tags:
     description: 'A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}`'
     required: false
@@ -1334,6 +1337,7 @@ runs:
         AWS_R53_CERT_ARN: ${{ inputs.aws_r53_cert_arn }}
         AWS_R53_CREATE_ROOT_CERT: ${{ inputs.aws_r53_create_root_cert }}
         AWS_R53_CREATE_SUB_CERT: ${{ inputs.aws_r53_create_sub_cert }}
+        AWS_R53_EXPORT_CERT: ${{ inputs.aws_r53_export_cert }}
         AWS_R53_ADDITIONAL_TAGS: ${{ inputs.aws_r53_additional_tags }}
 
         # AWS ELB
diff --git a/operations/_scripts/generate/generate_vars_terraform.sh b/operations/_scripts/generate/generate_vars_terraform.sh
@@ -116,6 +116,7 @@ if [[ $(alpha_only "$AWS_R53_ENABLE_CERT") == true ]]; then
   aws_r53_cert_arn=$(generate_var aws_r53_cert_arn $AWS_R53_CERT_ARN)
   aws_r53_create_root_cert=$(generate_var aws_r53_create_root_cert $AWS_R53_CREATE_ROOT_CERT)
   aws_r53_create_sub_cert=$(generate_var aws_r53_create_sub_cert $AWS_R53_CREATE_SUB_CERT)
+  aws_r53_export_cert=$(generate_var aws_r53_export_cert $AWS_R53_EXPORT_CERT)
 fi
 
 #-- AWS ELB --#
@@ -512,6 +513,7 @@ $aws_r53_enable_cert
 $aws_r53_cert_arn
 $aws_r53_create_root_cert
 $aws_r53_create_sub_cert
+$aws_r53_export_cert
 $aws_r53_additional_tags
 
 #-- ELB --#
diff --git a/operations/deployment/terraform/aws/aws_variables.tf b/operations/deployment/terraform/aws/aws_variables.tf
@@ -260,6 +260,12 @@ variable "aws_r53_create_sub_cert" {
   default     = false
 }
 
+variable "aws_r53_export_cert" {
+  type        = bool
+  description = "Enables export flag of the certificate."
+  default     = false
+} 
+
 variable "aws_r53_additional_tags" {
   type        = string
   description = "A list of strings that will be added to created resources"
diff --git a/operations/deployment/terraform/aws/bitovi_main.tf b/operations/deployment/terraform/aws/bitovi_main.tf
@@ -67,6 +67,7 @@ module "aws_certificates" {
   aws_r53_cert_arn         = var.aws_r53_cert_arn
   aws_r53_create_root_cert = var.aws_r53_create_root_cert
   aws_r53_create_sub_cert  = var.aws_r53_create_sub_cert
+  aws_r53_export_cert      = var.aws_r53_export_cert
   # R53
   aws_r53_domain_name     = var.aws_r53_domain_name
   aws_r53_sub_domain_name = var.aws_r53_sub_domain_name
diff --git a/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf b/operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf
@@ -6,12 +6,13 @@ data "aws_route53_zone" "selected" {
 
 data "aws_acm_certificate" "issued" {
   #count  = local.is_enabled_and_valid ? (!var.aws_r53_create_root_cert ? (!var.aws_r53_create_sub_cert ? (var.fqdn_provided ? 1 : 0) : 0) : 0) :0
-  for_each = local.is_enabled_and_valid ? {
-    "domain" : var.aws_r53_domain_name,
-    "wildcard" : "*.${var.aws_r53_domain_name}"
-    "sub" : "${var.aws_r53_sub_domain_name}.${var.aws_r53_domain_name}"
+  for_each = (!var.aws_r53_create_root_cert && !var.aws_r53_create_sub_cert && local.is_enabled_and_valid) ? {
+    "domain"   = var.aws_r53_domain_name,
+    "wildcard" = "*.${var.aws_r53_domain_name}",
+    "sub"      = "${var.aws_r53_sub_domain_name}.${var.aws_r53_domain_name}"
   } : {}
-  domain = var.aws_r53_domain_name
+  domain = each.value
+  #domain = var.aws_r53_domain_name
 }
 
 # This block will create and validate the root domain and www cert
@@ -20,6 +21,15 @@ resource "aws_acm_certificate" "root_domain" {
   domain_name               = var.aws_r53_domain_name
   subject_alternative_names = ["*.${var.aws_r53_domain_name}", "${var.aws_r53_domain_name}"]
   validation_method         = "DNS"
+  dynamic "options" {
+    for_each = var.aws_r53_export_cert ? [1] : []
+    content {
+      export = "ENABLED"
+    } 
+  }
+  lifecycle {
+    create_before_destroy = true
+  }
 }
 
 resource "aws_route53_record" "root_domain" {
@@ -44,6 +54,15 @@ resource "aws_acm_certificate" "sub_domain" {
   count             = local.is_enabled_and_valid ? (var.aws_r53_create_sub_cert ? (var.aws_r53_domain_name != "" ? (var.aws_r53_sub_domain_name != "" ? (var.aws_r53_create_root_cert ? 0 : 1) : 0) : 0) : 0) : 0
   domain_name       = "${var.aws_r53_sub_domain_name}.${var.aws_r53_domain_name}"
   validation_method = "DNS"
+  dynamic "options" {
+    for_each = var.aws_r53_export_cert ? [1] : []
+    content {
+      export = "ENABLED"
+    } 
+  }
+  lifecycle {
+    create_before_destroy = true
+  }
 }
 
 resource "aws_route53_record" "sub_domain" {
diff --git a/operations/deployment/terraform/modules/aws/certificates/aws_certificates_vars.tf b/operations/deployment/terraform/modules/aws/certificates/aws_certificates_vars.tf
@@ -1,6 +1,7 @@
 variable "aws_r53_create_root_cert" {}
 variable "aws_r53_create_sub_cert" {}
 variable "aws_r53_cert_arn" {}
+variable "aws_r53_export_cert" {}
 # R53
 variable "aws_r53_domain_name" {}
 variable "aws_r53_sub_domain_name" {}
