Make creating acm validation records optional

Author: OlamideOl1

README.md

@@ -21,6 +21,7 @@ module "ingress" {
 
   alarm_actions            = [data.aws_sns_topic.cloudwatch_alarms]
   alternate_domain_names   = ["example.com", "api.example.com"]
+  create_validation_records = true
   description              = "My example application"
   hosted_zone_name         = "example.com"
   name                     = "example-ingress"
@@ -71,6 +72,9 @@ module "ingress" {
   # Disable issuing of certificates entirely.
   issue_certificates = false
 
+  # Disable creation of Route 53 validation records when they already exist.
+  create_validation_records = false
+
   # If you have multiple DNS hosted zones, you can set the hosted zone name for
   # each domain name:
   additional_hosted_zones = {
@@ -145,6 +149,7 @@ the combination of hosted zone, record name, and record type.
 | <a name="input_certificate_domain_name"></a> [certificate\_domain\_name](#input\_certificate\_domain\_name) | Override the domain name for the ACM certificate (defaults to primary domain) | `string` | `null` | no |
 | <a name="input_certificate_types"></a> [certificate\_types](#input\_certificate\_types) | Types of certificates to look for (default: AMAZON\_ISSUED) | `list(string)` | <pre>[<br>  "AMAZON_ISSUED"<br>]</pre> | no |
 | <a name="input_create_aliases"></a> [create\_aliases](#input\_create\_aliases) | Set to false to disable creation of Route 53 aliases | `bool` | `true` | no |
+| <a name="input_create_validation_records"></a> [create\_validation\_records](#input\_create\_validation\_records) | Create Route53 DNS validation records for ACM certificates managed by this module | `bool` | `true` | no |
 | <a name="input_description"></a> [description](#input\_description) | Human description for this load balancer | `string` | n/a | yes |
 | <a name="input_enable_stickiness"></a> [enable\_stickiness](#input\_enable\_stickiness) | Set to true to use a cookie for load balancer stickiness | `bool` | `false` | no |
 | <a name="input_failure_threshold"></a> [failure\_threshold](#input\_failure\_threshold) | Percentage of failed requests considered an anomaly | `number` | `5` | no |

main.tf

@@ -52,8 +52,9 @@ module "acm_certificate" {
   providers = { aws.certificate = aws.cluster, aws.route53 = aws.route53 }
   source    = "./modules/acm-certificate"
 
-  allow_overwrite = var.allow_overwrite
-  domain_name     = each.value
+  allow_overwrite           = var.allow_overwrite
+  create_validation_records = var.create_validation_records
+  domain_name               = each.value
 
   hosted_zone_name = (
     var.validate_certificates ?

modules/acm-certificate/README.md

@@ -33,6 +33,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_allow_overwrite"></a> [allow\_overwrite](#input\_allow\_overwrite) | Allow overwriting of existing DNS records | `bool` | `false` | no |
 | <a name="input_alternative_names"></a> [alternative\_names](#input\_alternative\_names) | Other domains which should be included in the certificate | `list(string)` | `[]` | no |
+| <a name="input_create_validation_records"></a> [create\_validation\_records](#input\_create\_validation\_records) | Create Route53 DNS validation records for the certificate | `bool` | `true` | no |
 | <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | Domain for which an SSL certificate should be created | `string` | n/a | yes |
 | <a name="input_hosted_zone_name"></a> [hosted\_zone\_name](#input\_hosted\_zone\_name) | Zone for AWS Route53 for verifying certificates | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to be applied to created resources | `map(string)` | `{}` | no |

modules/acm-certificate/main.tf

@@ -26,7 +26,7 @@ locals {
 resource "aws_route53_record" "validation" {
   provider = aws.route53
 
-  count = var.hosted_zone_name == null ? 0 : 1
+  count = var.hosted_zone_name == null || !var.create_validation_records ? 0 : 1
 
   allow_overwrite = var.allow_overwrite
   name            = local.domain_validation_options[0].resource_record_name
@@ -39,7 +39,7 @@ resource "aws_route53_record" "validation" {
 resource "aws_route53_record" "alternative_validation" {
   provider = aws.route53
 
-  count = var.hosted_zone_name == null ? 0 : length(var.alternative_names)
+  count = var.hosted_zone_name == null || !var.create_validation_records ? 0 : length(var.alternative_names)
 
   allow_overwrite = var.allow_overwrite
   name            = local.domain_validation_options[count.index].resource_record_name
@@ -54,10 +54,10 @@ resource "aws_acm_certificate_validation" "this" {
 
   certificate_arn = aws_acm_certificate.this.arn
 
-  validation_record_fqdns = concat(
-    aws_route53_record.validation.*.fqdn,
-    aws_route53_record.alternative_validation.*.fqdn
-  )
+  validation_record_fqdns = var.create_validation_records ? concat(
+    aws_route53_record.validation[*].fqdn,
+    aws_route53_record.alternative_validation[*].fqdn
+  ) : null
 }
 
 data "aws_route53_zone" "this" {

modules/acm-certificate/variables.tf

@@ -10,6 +10,12 @@ variable "alternative_names" {
   default     = []
 }
 
+variable "create_validation_records" {
+  type        = bool
+  description = "Create Route53 DNS validation records for the certificate"
+  default     = true
+}
+
 variable "domain_name" {
   type        = string
   description = "Domain for which an SSL certificate should be created"

variables.tf

@@ -65,6 +65,12 @@ variable "create_aliases" {
   default     = true
 }
 
+variable "create_validation_records" {
+  description = "Create Route53 DNS validation records for ACM certificates managed by this module"
+  type        = bool
+  default     = true
+}
+
 variable "description" {
   description = "Human description for this load balancer"
   type        = string