Resource: awsAcmCertificateValidation

This resource represents a successful validation of an ACM certificate in concert with other resources.

Most commonly, this resource is used together with awsRoute53Record and awsAcmCertificate to request a DNS validated certificate, deploy the required validation records and wait for validation to complete.

~> WARNING: This resource implements a part of the validation workflow. It does not represent a real-world entity in AWS, therefore changing or deleting this resource on its own has no immediate effect.

Example Usage

DNS Validation with Route 53

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsAcmCertificateExample = new aws.acmCertificate.AcmCertificate(
  this,
  "example",
  {
    domainName: "example.com",
    validationMethod: "DNS",
  }
);
const dataAwsRoute53ZoneExample = new aws.dataAwsRoute53Zone.DataAwsRoute53Zone(
  this,
  "example_1",
  {
    name: "example.com",
    privateZone: false,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAwsRoute53ZoneExample.overrideLogicalId("example");
const awsRoute53RecordExample = new aws.route53Record.Route53Record(
  this,
  "example_2",
  {
    allowOverwrite: true,
    name: "${each.value.name}",
    records: ["${each.value.record}"],
    ttl: 60,
    type: "${each.value.type}",
    zoneId: dataAwsRoute53ZoneExample.zoneId,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsRoute53RecordExample.overrideLogicalId("example");
/*In most cases loops should be handled in the programming language context and 
not inside of the Terraform context. If you are looping over something external, e.g. a variable or a file input
you should consider using a for loop. If you are looping over something only known to Terraform, e.g. a result of a data source
you need to keep this like it is.*/
awsRoute53RecordExample.addOverride(
  "for_each",
  `\${{
    for dvo in ${awsAcmCertificateExample.domainValidationOptions} : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }}`
);
const awsAcmCertificateValidationExample =
  new aws.acmCertificateValidation.AcmCertificateValidation(this, "example_3", {
    certificateArn: awsAcmCertificateExample.arn,
    validationRecordFqdns: [
      `\${[for record in ${awsRoute53RecordExample.fqn} : record.fqdn]}`,
    ],
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsAcmCertificateValidationExample.overrideLogicalId("example");
/*Reference the validation resource's certificateArn rather than the certificate's own arn:
the implicit dependency means the listener is only created once ACM has issued the certificate.*/
const awsLbListenerExample = new aws.lbListener.LbListener(this, "example_4", {
  certificateArn: awsAcmCertificateValidationExample.certificateArn,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsLbListenerExample.overrideLogicalId("example");

Alternative Domains DNS Validation with Route 53

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsAcmCertificateExample = new aws.acmCertificate.AcmCertificate(
  this,
  "example",
  {
    domainName: "example.com",
    subjectAlternativeNames: ["www.example.com", "example.org"],
    validationMethod: "DNS",
  }
);
const awsRoute53RecordExample = new aws.route53Record.Route53Record(
  this,
  "example_1",
  {
    allowOverwrite: true,
    name: "${each.value.name}",
    records: ["${each.value.record}"],
    ttl: 60,
    type: "${each.value.type}",
    zoneId: "${each.value.zone_id}",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsRoute53RecordExample.overrideLogicalId("example");
/*In most cases loops should be handled in the programming language context and 
not inside of the Terraform context. If you are looping over something external, e.g. a variable or a file input
you should consider using a for loop. If you are looping over something only known to Terraform, e.g. a result of a data source
you need to keep this like it is.*/
awsRoute53RecordExample.addOverride(
  "for_each",
  `\${{
    for dvo in ${awsAcmCertificateExample.domainValidationOptions} : dvo.domain_name => {
      name    = dvo.resource_record_name
      record  = dvo.resource_record_value
      type    = dvo.resource_record_type
      zone_id = dvo.domain_name == "example.org" ? data.aws_route53_zone.example_org.zone_id : data.aws_route53_zone.example_com.zone_id
    }
  }}`
);
new aws.dataAwsRoute53Zone.DataAwsRoute53Zone(this, "example_com", {
  name: "example.com",
  privateZone: false,
});
new aws.dataAwsRoute53Zone.DataAwsRoute53Zone(this, "example_org", {
  name: "example.org",
  privateZone: false,
});
const awsAcmCertificateValidationExample =
  new aws.acmCertificateValidation.AcmCertificateValidation(this, "example_4", {
    certificateArn: awsAcmCertificateExample.arn,
    validationRecordFqdns: [
      `\${[for record in ${awsRoute53RecordExample.fqn} : record.fqdn]}`,
    ],
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsAcmCertificateValidationExample.overrideLogicalId("example");
/*Reference the validation resource's certificateArn rather than the certificate's own arn:
the implicit dependency means the listener is only created once ACM has issued the certificate.*/
const awsLbListenerExample = new aws.lbListener.LbListener(this, "example_5", {
  certificateArn: awsAcmCertificateValidationExample.certificateArn,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsLbListenerExample.overrideLogicalId("example");
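
The for_each expressions in the two Route 53 examples above map each entry of domainValidationOptions to a validation record, and the second one has to pick a hosted zone per domain. The following is an added example, not code from this page or the AWS provider: it reproduces that mapping in plain TypeScript (so it runs without the generated cdktf bindings) and generalises the page's two-zone ternary to longest-suffix matching over any set of hosted zones, failing loudly for a domain no zone covers instead of silently defaulting. The names Dvo, ValidationRecord, ZONES, zoneIdFor, buildValidationRecords and SAMPLE_DVOS, and all zone ids and record values, are constructed for this example.

```typescript
// One entry of aws_acm_certificate.domain_validation_options (the fields the for_each reads).
type Dvo = { domain_name: string; resource_record_name: string; resource_record_value: string; resource_record_type: string };
type ValidationRecord = { name: string; record: string; type: string; zone_id: string };

// Hosted zone name -> zone id. Constructed placeholder ids, not real zones.
const ZONES: Record<string, string> = { "example.com.": "Z-PLACEHOLDER-COM", "example.org.": "Z-PLACEHOLDER-ORG" };

// Generalises the page's two-way ternary: pick the hosted zone whose name is the longest
// suffix of the validation domain, so "www.example.com" and "*.example.com" land in
// example.com and "api.eu.example.org" in example.org. Trailing dots are normalised.
function zoneIdFor(domain: string, zones: Record<string, string>): string {
  const host = domain.replace(/\.$/, "").toLowerCase();
  let best: { name: string; id: string } | undefined;
  for (const zoneName of Object.keys(zones)) {
    const name = zoneName.replace(/\.$/, "").toLowerCase();
    const matches = host === name || host.endsWith("." + name);
    if (matches && (best === undefined || name.length > best.name.length)) best = { name, id: zones[zoneName] };
  }
  if (best === undefined) {
    // The page's ternary would silently file an unknown domain under example.com and ACM
    // would then wait on a record that never resolves; surface the mistake before apply.
    throw new Error(`no hosted zone matches validation domain ${domain}`);
  }
  return best.id;
}

// Mirrors `for dvo in domain_validation_options : dvo.domain_name => { ... }`.
function buildValidationRecords(dvos: Dvo[], zones: Record<string, string>): Record<string, ValidationRecord> {
  const out: Record<string, ValidationRecord> = {};
  for (const dvo of dvos) {
    out[dvo.domain_name] = {
      name: dvo.resource_record_name,
      record: dvo.resource_record_value,
      type: dvo.resource_record_type,
      zone_id: zoneIdFor(dvo.domain_name, zones),
    };
  }
  return out;
}

// Constructed sample shaped like ACM's output for the certificate in the second example.
const SAMPLE_DVOS: Dvo[] = [
  { domain_name: "example.com", resource_record_name: "_1.example.com.", resource_record_value: "_a.acm-validations.aws.", resource_record_type: "CNAME" },
  { domain_name: "www.example.com", resource_record_name: "_2.www.example.com.", resource_record_value: "_b.acm-validations.aws.", resource_record_type: "CNAME" },
  { domain_name: "example.org", resource_record_name: "_3.example.org.", resource_record_value: "_c.acm-validations.aws.", resource_record_type: "CNAME" },
];
```

In a real stack the domainValidationOptions are only known after apply, so the map itself still has to be built by Terraform's for_each as the page shows; this example is for checking the zone-selection rule against expected inputs.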

Email Validation

In this situation, the resource is simply a waiter for manual email approval of ACM certificates.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsAcmCertificateExample = new aws.acmCertificate.AcmCertificate(
  this,
  "example",
  {
    domainName: "example.com",
    validationMethod: "EMAIL",
  }
);
const awsAcmCertificateValidationExample =
  new aws.acmCertificateValidation.AcmCertificateValidation(this, "example_1", {
    certificateArn: awsAcmCertificateExample.arn,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsAcmCertificateValidationExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • certificateArn - (Required) ARN of the certificate that is being validated.
  • validationRecordFqdns - (Optional) List of FQDNs that implement the validation. Only valid for DNS validation method ACM certificates. If this is set, the resource can implement additional sanity checks and has an explicit dependency on the resource that is implementing the validation.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - Time at which the certificate was issued.

Timeouts

Configuration options:

  • create - (Default 75M)