terraform 创建重复的 DNS 验证记录

terraform creating duplicate dns validation records

我是 Terraform 的新手,但我的 route53 文件看起来像这样...

resource "aws_route53_zone" "main" {
  name = var.domain_name
  tags = var.common_tags
}

resource "aws_route53_record" "root-a" {
  zone_id = aws_route53_zone.main.zone_id
  name = var.domain_name
  type = "A"

  alias {
    name = aws_cloudfront_distribution.root_s3_distribution.domain_name
    zone_id = aws_cloudfront_distribution.root_s3_distribution.hosted_zone_id
    evaluate_target_health = false
  }
}

resource "aws_route53_record" "www-a" {
  zone_id = aws_route53_zone.main.zone_id
  name = "www.${var.domain_name}"
  type = "A"

  alias {
    name = aws_cloudfront_distribution.www_s3_distribution.domain_name
    zone_id = aws_cloudfront_distribution.www_s3_distribution.hosted_zone_id
    evaluate_target_health = false
  }
}

resource "aws_route53_record" "cert-validations" {
  count = length(aws_acm_certificate.ssl_certificate.domain_validation_options)
  
  zone_id = aws_route53_zone.main.zone_id
  name    = element(aws_acm_certificate.ssl_certificate.domain_validation_options.*.resource_record_name, count.index)
  type    = element(aws_acm_certificate.ssl_certificate.domain_validation_options.*.resource_record_type, count.index)
  records = [element(aws_acm_certificate.ssl_certificate.domain_validation_options.*.resource_record_value, count.index)]
  ttl     = 60
}

我的计划包含这个副本...

  # aws_route53_record.cert-validations[0] will be created
  + resource "aws_route53_record" "cert-validations" {
      + allow_overwrite = (known after apply)
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = "_0a4aefbce6d554a924845eec429fb23e.gingerbreadtemplate.uk"
      + records         = [
          + "_8392f4358688e2d691acfe88deecb4f6.xjncphngnr.acm-validations.aws.",
        ]
      + ttl             = 60
      + type            = "CNAME"
      + zone_id         = "Z068604727JU0L259KARW"
    }

  # aws_route53_record.cert-validations[1] will be created
  + resource "aws_route53_record" "cert-validations" {
      + allow_overwrite = (known after apply)
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = "_0a4aefbce6d554a924845eec429fb23e.gingerbreadtemplate.uk"
      + records         = [
          + "_8392f4358688e2d691acfe88deecb4f6.xjncphngnr.acm-validations.aws.",
        ]
      + ttl             = 60
      + type            = "CNAME"
      + zone_id         = "Z068604727JU0L259KARW"
    }

然后在应用时失败。如果我将 cert-validations.count 设置为 1 它可以工作,但我认为这是一个 hack。会不会是因为我也设置了重定向托管区,所以总体验证次数是2,但我的代码不够聪明?

我已经尝试阅读示例和文档,但我真的很难理解重复的来源。

重复可能来自 aws_acm_certificate:

的定义
domain_name = "gingerbreadtemplate.uk"
subject_alternative_names = [
  "gingerbreadtemplate.uk"
]

如果代码定义了与域名相同值的SAN,则其之后生成的验证记录将重复。

此外,由于此代码似乎是 Terraform 0.12+,因此使用 validation recordsfor_each 块会更容易阅读代码。如果在其他 SAN 中间添加新 SAN,它还可以避免计数带来的排序问题。