ACM certificates cross account DNS validation

Time:03-04

I have 2 AWS accounts: dev and prod.

In the prod account, I set up a DNS domain (example.com), as well as 2 public Hosted Zones: example.com and prod.example.com. 2 ACM certificates are also issued for these domains: internal.prod.example.com and eks.prod.example.com. Those certificates are correctly validated by DNS.

In the dev account, I have created 2 public Hosted Zones: dev.example.com and example.com. I issued 2 ACM certificates for internal.dev.example.com and eks.dev.example.com which, as far as I understand, need to be validated with the DNS in the prod account.

These certificates are in a pending state.

How can I validate them?

What I did so far:

  • I added an NS record called dev.example.com in the prod account for the example.com Hosted Zone. The values of the NS record are the ones of the dev.example.com Hosted Zone created in the dev account. This is to delegate the ownership of the R53 Hosted Zone in prod. See here.

  • In the dev account, the CNAME records for the requested domains from ACM have been added in the dev.example.com Hosted Zone for validation.

The following code is how it's been done (and working) on the prod account.

Note - this is code that I took over, so I'm not aware if any manual steps have been taken.

# Look up the existing hosted zone for this environment (e.g. prod.example.com).
data "aws_route53_zone" "dns-zone" {
  name = "${var.environment}.${var.zone_name}"
}

# Wildcard certificate for the environment plus wildcards for its internal/eks subdomains.
resource "aws_acm_certificate" "cert" {
  domain_name       = "*.${var.environment}.${var.zone_name}"
  validation_method = "DNS"
  # Terraform 0.12+ list literal; the legacy list() function is deprecated and removed in 0.15+.
  subject_alternative_names = [
    "*.internal.${var.environment}.${var.zone_name}",
    "*.eks.${var.environment}.${var.zone_name}",
  ]

  lifecycle {
    create_before_destroy = true
    prevent_destroy       = true
  }
}

# One validation CNAME per domain in the certificate, written to this environment's zone.
# allow_overwrite handles the case where two SANs share the same validation record name.
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
      name    = dvo.resource_record_name
      record  = dvo.resource_record_value
      type    = dvo.resource_record_type
      zone_id = data.aws_route53_zone.dns-zone.zone_id
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = each.value.zone_id
}

# Block until ACM has confirmed the validation records; other resources should
# reference this resource's certificate_arn rather than the certificate directly.
resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
}

PS - Should you need more clarification, please let me know.

CodePudding user response:

You have example.com in both the dev & prod accounts? Only 1 can be used properly. Wherever the registrar is for example.com ... that registrar can only use the name servers from 1 of those hosted zones.

You mentioned you have 2 ACM certs for internal.dev.example.com & eks.dev.example.com ... those should be validated in the DEV account if that's where their domains are created.

Also, I recommend you just create 1 wildcard cert in ACM for *.dev.example.com & validate that 1 in the DEV account. Any subdomains such as eks.dev.example.com will be able to use it.
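The setup the question describes (NS delegation of dev.example.com from the prod account's example.com zone, validation CNAMEs in the dev zone) combined with the answer's recommendation (one wildcard cert, validated in the dev account, no second example.com zone) can be expressed in a single Terraform configuration run with dev-account credentials. This is an added example, not the original poster's code or the answer's: the role name, region, variable names and the `prod_dns_role_arn` input are assumptions, and the prod account is assumed to expose a role that may write records in the example.com hosted zone.

```hcl
# Added example (not from the original post): delegate dev.example.com from the
# prod account's example.com zone and validate one wildcard cert in the dev account.
# Assumptions (not from the page): Terraform runs with dev-account credentials,
# and var.prod_dns_role_arn is a hypothetical role in the prod account allowed to
# change the example.com hosted zone. Region and variable names are placeholders.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

variable "zone_name" {
  type    = string
  default = "example.com"
}

variable "environment" {
  type    = string
  default = "dev"
}

variable "prod_dns_role_arn" {
  description = "Hypothetical IAM role in the prod account with write access to the example.com zone"
  type        = string
}

# Default provider: the dev account, where the child zone and the certificate live.
provider "aws" {
  region = "eu-west-1"
}

# Second provider: the prod account, used only to write the NS delegation record.
provider "aws" {
  alias  = "prod"
  region = "eu-west-1"
  assume_role {
    role_arn = var.prod_dns_role_arn
  }
}

# The only authoritative example.com zone is the one in prod: look it up instead
# of creating a duplicate in dev, which the registrar would never point at.
data "aws_route53_zone" "parent" {
  provider     = aws.prod
  name         = var.zone_name
  private_zone = false
}

# Child zone for the environment, owned by the dev account.
resource "aws_route53_zone" "child" {
  name = "${var.environment}.${var.zone_name}"
}

# Delegation: NS record in the prod zone whose values are exactly the
# name servers Route 53 assigned to the dev child zone.
resource "aws_route53_record" "delegation" {
  provider = aws.prod
  zone_id  = data.aws_route53_zone.parent.zone_id
  name     = aws_route53_zone.child.name
  type     = "NS"
  ttl      = 300
  records  = aws_route53_zone.child.name_servers
}

# One wildcard certificate per environment, as the answer recommends; the apex
# of the environment is added as a SAN because a wildcard does not cover it.
resource "aws_acm_certificate" "cert" {
  domain_name               = "*.${var.environment}.${var.zone_name}"
  subject_alternative_names = ["${var.environment}.${var.zone_name}"]
  validation_method         = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# Validation CNAMEs are written into the delegated child zone in the dev account.
# Both names above share one validation record, hence allow_overwrite.
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  zone_id         = aws_route53_zone.child.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.record]
}

# ACM resolves the CNAMEs from the public internet, so the delegation must exist
# before validation can succeed; depends_on makes that ordering explicit.
resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = [for r in aws_route53_record.cert_validation : r.fqdn]

  depends_on = [aws_route53_record.delegation]
}
```

Two caveats worth checking before relying on this. First, a wildcard matches a single label only: `*.dev.example.com` covers `eks.dev.example.com` but not `app.eks.dev.example.com`, so if hosts under `eks.dev` or `internal.dev` need the cert, keep the extra `*.eks.` and `*.internal.` SANs from the original code. Second, the duplicate example.com zone in the dev account is harmless only as long as nothing points at it; since the registrar can hold one NS set, delete it so nobody adds records there expecting them to resolve. A quick external check that the delegation works is `dig +trace _acme-challenge-style-name.dev.example.com CNAME` (substituting the real validation record name ACM shows), which should walk from the example.com name servers to the dev zone's name servers and return the ACM value.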
