Add external validation option

README.md

@@ -70,6 +70,7 @@ module "acm" {
 - [Basic usage example](./examples/basic/)
 - [Use existing domain validations records](./examples/without-domain-validation)
 - [Different AWS account between ACM and Route53](./examples/different-aws-account)
+- [External certificate validations](./examples/external-validation)
 
 ## Requirements
 
@@ -103,3 +104,4 @@ module "acm" {
 | certificate\_arn | The ARN of the certificate |
 | certificate\_domain\_validation\_options | A list of attributes to feed into other resources to complete certificate validation |
 | certificate\_domains | List of domain names covered by the certificate |
+

examples/external-validation/README.md

@@ -0,0 +1,43 @@
+# Terraform AWS ACM Multiple Hosted Zone Example
+
+This example provides guides on how to use terraform-aws-acm-multiple-hosted-zone with external certificate validation.
+You may have a case where some of domains in the certificate is located in different AWS account.
+In this case, you can provision the ACM certificate using this module and do the certificate validation in the root project.
+
+This module will ignore registering domain to Route53 when there is no `zone` key in the domain object.
+
+## Usage 
+
+To run this example you need to execute:
+
+```terraform
+terraform init
+terraform plan -out=tfplan.out
+terraform apply tfplan.out
+```
+
+Note that this example may create resources that cost money.
+Run `terraform destroy` to clean up the resources.
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws.example\_org | n/a |
+| aws.xendit | n/a |
+
+## Inputs
+
+No input.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| certificate\_arn | n/a |
+| certificate\_domains | n/a |
+

examples/external-validation/main.tf

@@ -0,0 +1,68 @@
+locals {
+  outside_domains = ["example.org", "*.example.org"]
+
+  outside_record_validation = {
+    for dvo in module.acm.certificate_domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    } if contains(local.outside_domains, dvo.domain_name)
+  }
+}
+
+module "acm" {
+  source = "../../"
+
+  providers = {
+    aws.acm     = aws
+    aws.route53 = aws
+  }
+
+  domain_name = {
+    zone   = "example.com"
+    domain = "example.com"
+  }
+
+  subject_alternative_names = [
+    {
+      zone   = "example.com"
+      domain = "*.example.com"
+    },
+    {
+      domain = "example.org"
+    },
+    {
+      domain = "*.example.org"
+    }
+  ]
+
+  validate_certificate = false
+
+  tags = {
+    Name = "ACM request external validation"
+  }
+}
+
+data "aws_route53_zone" "example_org" {
+  provider = aws.example_org
+
+  name         = "example.org"
+  private_zone = false
+}
+
+resource "aws_route53_record" "example_org_validation" {
+  provider = aws.example_org
+  for_each = local.outside_record_validation
+
+  zone_id         = data.aws_route53_zone.example_org.zone_id
+  name            = each.value.name
+  type            = each.value.type
+  records         = [each.value.record]
+  ttl             = 60
+  allow_overwrite = true
+}
+
+resource "aws_acm_certificate_validation" "self" {
+  certificate_arn         = module.acm.certificate_arn
+  validation_record_fqdns = [for dvo in module.acm.certificate_domain_validation_options : dvo.resource_record_name]
+}

examples/external-validation/outputs.tf

@@ -0,0 +1,7 @@
+output "certificate_arn" {
+    value = module.acm.certificate_arn
+}
+
+output "certificate_domains" {
+    value = module.acm.certificate_domains
+}

examples/external-validation/providers.tf

@@ -0,0 +1,9 @@
+provider "aws" {
+  region = "us-west-2"
+}
+
+provider "aws" {
+  region  = "us-west-2"
+  alias   = "example_org"
+  profile = "example_org"
+}

main.tf

@@ -1,13 +1,13 @@
 locals {
-  all_domains = concat([var.domain_name.domain], [
-    for v in var.subject_alternative_names : v.domain
-  ])
+  validated_domains = [
+    for object in concat([var.domain_name], var.subject_alternative_names) : object.domain if can(object["zone"])
+  ]
 
-  all_zones = concat([var.domain_name.zone], [
-    for v in var.subject_alternative_names : v.zone
-  ])
+  validated_zones = [
+    for object in concat([var.domain_name], var.subject_alternative_names) : object.zone if can(object["zone"])
+  ]
 
-  domain_zone_mapping = zipmap(local.all_domains, local.all_zones)
+  domain_zone_mapping = zipmap(local.validated_domains, local.validated_zones)
 
   cert_sans = sort([
     for v in var.subject_alternative_names : v.domain
@@ -20,7 +20,7 @@ locals {
 
 data "aws_route53_zone" "self" {
   provider = aws.route53
-  for_each = toset(local.all_zones)
+  for_each = toset(local.validated_zones)
 
   name         = each.value
   private_zone = false
@@ -43,7 +43,7 @@ resource "aws_route53_record" "validation" {
       name   = dvo.resource_record_name
       record = dvo.resource_record_value
       type   = dvo.resource_record_type
-    }
+    } if contains(local.validated_domains, dvo.domain_name)
   } : {}
 
   zone_id         = data.aws_route53_zone.self[local.domain_zone_mapping[each.key]].zone_id

outputs.tf

@@ -5,7 +5,7 @@ output "certificate_arn" {
 
 output "certificate_domains" {
   description = "List of domain names covered by the certificate"
-  value       = concat([aws_acm_certificate.self.domain_name], list(aws_acm_certificate.self.subject_alternative_names))
+  value       = sort(concat([aws_acm_certificate.self.domain_name], tolist(aws_acm_certificate.self.subject_alternative_names)))
 }
 
 output "certificate_domain_validation_options" {