Fixing cert_arn override behaviour

Author: LeoDiazL

README.md

@@ -583,6 +583,8 @@ Setting `aws_r53_create_root_cert` to `true` will create this certificate with b
 
 Setting `aws_r53_create_sub_cert` to `true` will create a certificate **just for the subdomain**, and validate it.
 
+> :sparkles: Defining `aws_r53_cert_arn` with `aws_r53_enable_cert` set to `true` will use the provided cert as is. Ignoring creation, validation or maintenance of any other certificate. 
+
 > :warning: Be very careful here! **Created certificates are fully managed by Terraform**. Therefor **they will be destroyed upon stack destruction**.
 
 To change a certificate (root_cert, sub_cert, ARN or pre-existing root cert), you must first set the `aws_r53_enable_cert` flag to false, run the action, then set the `aws_r53_enable_cert` flag to true, add the desired settings and excecute the action again. (**This will destroy the first certificate.**)

operations/deployment/terraform/aws/bitovi_main.tf

@@ -62,7 +62,7 @@ module "efs_to_ec2_sg" {
 
 module "aws_certificates" {
   source = "../modules/aws/certificates"
-  count  = ( var.aws_ec2_instance_create || var.aws_ecs_enable ) && var.aws_r53_enable && var.aws_r53_domain_name != "" ? 1 : 0
+  count  = ( var.aws_ec2_instance_create || var.aws_ecs_enable ) && var.aws_r53_enable && ( var.aws_r53_domain_name != "" || var.aws_r53_cert_arn != "" ) ? 1 : 0
   # Cert
   aws_r53_cert_arn         = var.aws_r53_cert_arn
   aws_r53_create_root_cert = var.aws_r53_create_root_cert
@@ -90,7 +90,7 @@ module "aws_route53" {
   aws_elb_dns_name              = try(module.aws_elb[0].aws_elb_dns_name,"")
   aws_elb_zone_id               = try(module.aws_elb[0].aws_elb_zone_id,"")
   # Certs
-  aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : ""
+  aws_certificates_selected_arn = var.aws_r53_enable_cert && length(module.aws_certificates) > 0 ? module.aws_certificates[0].selected_arn : ""
   # Others
   fqdn_provided                 = local.fqdn_provided
 
@@ -118,7 +118,7 @@ module "aws_elb" {
   aws_instance_server_id             = module.ec2[0].aws_instance_server_id
   aws_elb_target_sg_id               = module.ec2[0].aws_security_group_ec2_sg_id 
   # Certs
-  aws_certificates_selected_arn      = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : ""
+  aws_certificates_selected_arn      = var.aws_r53_enable_cert && length(module.aws_certificates) > 0 ? module.aws_certificates[0].selected_arn : ""
   # Others
   aws_resource_identifier            = var.aws_resource_identifier
   aws_resource_identifier_supershort = var.aws_resource_identifier_supershort
@@ -498,7 +498,7 @@ module "aws_ecs" {
   aws_selected_subnets               = module.vpc.aws_selected_vpc_subnets
   # Others
   aws_certificate_enabled            = var.aws_r53_enable_cert && length(module.aws_certificates) > 0 ? true : false
-  aws_certificates_selected_arn      = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : ""
+  aws_certificates_selected_arn      = var.aws_r53_enable_cert && length(module.aws_certificates) > 0 ? module.aws_certificates[0].selected_arn : ""
   aws_resource_identifier            = var.aws_resource_identifier
   aws_resource_identifier_supershort = var.aws_resource_identifier_supershort
   app_repo_name                      = var.app_repo_name
@@ -521,7 +521,7 @@ module "aws_route53_ecs" {
   aws_elb_dns_name              = try(module.aws_ecs[0].load_balancer_dns,"")
   aws_elb_zone_id               = try(module.aws_ecs[0].load_balancer_zone_id,"")
   # Certs
-  aws_certificates_selected_arn = var.aws_r53_enable_cert && var.aws_r53_domain_name != "" ? module.aws_certificates[0].selected_arn : ""
+  aws_certificates_selected_arn = var.aws_r53_enable_cert && length(module.aws_certificates) > 0 ? module.aws_certificates[0].selected_arn : ""
   # Others
   fqdn_provided                 = local.fqdn_provided
   depends_on = [ module.aws_certificates,module.aws_ecs ]

operations/deployment/terraform/modules/aws/certificates/aws_certificates.tf

@@ -1,11 +1,11 @@
 # Lookup for main domain.
 data "aws_route53_zone" "selected" {
+  count           = local.is_enabled_and_valid ? 1 : 0
   name         = "${var.aws_r53_domain_name}."
   private_zone = false
 }
 
 data "aws_acm_certificate" "issued" {
-  #count  = local.is_enabled_and_valid ? (!var.aws_r53_create_root_cert ? (!var.aws_r53_create_sub_cert ? (var.fqdn_provided ? 1 : 0) : 0) : 0) :0
   for_each = local.is_enabled_and_valid ? {
     "domain" : var.aws_r53_domain_name,
     "wildcard" : "*.${var.aws_r53_domain_name}"
@@ -28,7 +28,7 @@ resource "aws_route53_record" "root_domain" {
   name            = tolist(aws_acm_certificate.root_domain[0].domain_validation_options)[0].resource_record_name
   records         = [tolist(aws_acm_certificate.root_domain[0].domain_validation_options)[0].resource_record_value]
   type            = tolist(aws_acm_certificate.root_domain[0].domain_validation_options)[0].resource_record_type
-  zone_id         = data.aws_route53_zone.selected.zone_id
+  zone_id         = data.aws_route53_zone.selected[0].zone_id
   ttl             = 60
 }
 
@@ -52,7 +52,7 @@ resource "aws_route53_record" "sub_domain" {
   name            = tolist(aws_acm_certificate.sub_domain[0].domain_validation_options)[0].resource_record_name
   records         = [tolist(aws_acm_certificate.sub_domain[0].domain_validation_options)[0].resource_record_value]
   type            = tolist(aws_acm_certificate.sub_domain[0].domain_validation_options)[0].resource_record_type
-  zone_id         = data.aws_route53_zone.selected.zone_id
+  zone_id         = data.aws_route53_zone.selected[0].zone_id
   ttl             = 60
 }
 
@@ -63,28 +63,17 @@ resource "aws_acm_certificate_validation" "sub_domain" {
 }
 
 locals {
-  is_enabled_and_valid = var.aws_r53_domain_name != "" ? true : false
+  is_enabled_and_valid = var.aws_r53_cert_arn != "" ? false : var.aws_r53_domain_name != "" ? true : false
   selected_arn = (
-    local.is_enabled_and_valid ? 
-    (var.aws_r53_cert_arn != "" ? var.aws_r53_cert_arn :
+    var.aws_r53_cert_arn != "" ? var.aws_r53_cert_arn :
+    (local.is_enabled_and_valid ?
       (!var.aws_r53_create_root_cert ?
         (!var.aws_r53_create_sub_cert ?
           (var.fqdn_provided ? local.acm_arn : "")
           : aws_acm_certificate.sub_domain[0].arn
         ) : aws_acm_certificate.root_domain[0].arn
-      ) 
-    ) : ""
-  )
-  cert_available = (
-    local.is_enabled_and_valid ?
-    (var.aws_r53_cert_arn != "" ? true :
-      (!var.aws_r53_create_root_cert ?
-        (!var.aws_r53_create_sub_cert ?
-          (var.fqdn_provided ? true : false)
-          : true
-        ) : true
-      )
-    ) : false
+      ) : ""
+    )
   )
   acm_arn = try(data.aws_acm_certificate.issued["domain"].arn, try(data.aws_acm_certificate.issued["wildcard"].arn, data.aws_acm_certificate.issued["sub"].arn, ""))
 }