From ea03c9e24bcaf7102c97972ce556da272dd268f5 Mon Sep 17 00:00:00 2001
From: Rory McHugh
Date: Mon, 30 Sep 2024 17:06:10 +0100
Subject: [PATCH 1/2] feat(acm): Add ability to use existing certificate
- Add data block data.aws_acm_certificate.existing
- Add conditionals to aws_acm_certificate.default and aws_acm_certificate_validation.default
- Update for_each loop on aws_route53_record.acm_validation_cname
- Update certificate_arn argument in aws_lb_listener.https resource
- Add new input variables acm_create_certificate and acm_certificate_domain_name
---
acm.tf | 6 +++++-
data.tf | 9 +++++++++
loadbalancer.tf | 2 +-
route53.tf | 6 +++---
variables.tf | 12 ++++++++++++
5 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/acm.tf b/acm.tf
index 07a1e60..8510f14 100644
--- a/acm.tf
+++ b/acm.tf
@@ -5,6 +5,8 @@ locals { # NOTE see section "Note about Load Balancer Listener" in README.md resource "aws_acm_certificate" "default" { + count = var.acm_create_certificate ? 1 : 0 + domain_name = local.default_domain_name subject_alternative_names = [ local.default_domain_name
@@ -17,7 +19,9 @@ resource "aws_acm_certificate" "default" { } resource "aws_acm_certificate_validation" "default" { - certificate_arn = aws_acm_certificate.default.arn + count = var.acm_create_certificate ? 1 : 0 + + certificate_arn = aws_acm_certificate.default.0.arn validation_record_fqdns = [for record in aws_route53_record.acm_validation_cname : record.fqdn] timeouts {
diff --git a/data.tf b/data.tf
index 26ae3a2..01fe867 100644
--- a/data.tf
+++ b/data.tf
@@ -38,3 +38,12 @@ data "aws_route53_zone" "existing" { zone_id = var.route53_zone_id_existing } + +data "aws_acm_certificate" "existing" { + count = var.acm_create_certificate ? 0 : 1 + + domain = var.acm_certificate_domain_name + statuses = ["ISSUED"] + types = ["IMPORTED"] + most_recent = true +}
diff --git a/loadbalancer.tf b/loadbalancer.tf
index ecc4ddf..a552f83 100644
--- a/loadbalancer.tf
+++ b/loadbalancer.tf
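Review bot: `certificate_arn = aws_acm_certificate.default.0.arn` in the aws_acm_certificate_validation hunk uses the legacy attribute-style index on a resource that now carries `count`; the documented form is `aws_acm_certificate.default[0].arn`, and where the module's required Terraform version permits it, `one(aws_acm_certificate.default[*].arn)` yields null instead of an index error when the count is 0. The same `.0.` spelling recurs in the loadbalancer.tf and route53.tf hunks of this patch and in the loadbalancer.tf hunk of patch 2. The new `count` lines carry no explanation; a one-line comment such as `# Only managed when the module creates the certificate (var.acm_create_certificate)` above each would tell a reader why validation is conditional as well. The aws_acm_certificate_validation resource continues past the end of the hunk.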
@@ -28,7 +28,7 @@ resource "aws_lb_listener" "https" { port = 443 protocol = "HTTPS" ssl_policy = var.alb_listener_ssl_policy - certificate_arn = aws_acm_certificate.default.arn + certificate_arn = var.acm_create_certificate ? aws_acm_certificate.default.0.arn : data.aws_acm_certificate.existing.0.arn default_action { type = "fixed-response"
diff --git a/route53.tf b/route53.tf
index 072d5f7..cc3f111 100644
--- a/route53.tf
+++ b/route53.tf
@@ -7,13 +7,13 @@ resource "aws_route53_zone" "public" { } resource "aws_route53_record" "acm_validation_cname" { - for_each = { - for dvo in aws_acm_certificate.default.domain_validation_options : dvo.domain_name => { + for_each = var.acm_create_certificate ? { + for dvo in aws_acm_certificate.default.0.domain_validation_options : dvo.domain_name => { name = dvo.resource_record_name record = dvo.resource_record_value type = dvo.resource_record_type } - } + } : {} allow_overwrite = true name = each.value.name
diff --git a/variables.tf b/variables.tf
index 75f659d..a069df5 100644
--- a/variables.tf
+++ b/variables.tf
@@ -268,3 +268,15 @@ variable "waf_ip_set_addresses" { description = "List of IPs for WAF IP Set Safelist" default = ["131.111.0.0/16"] } + +variable "acm_create_certificate" { + type = bool + description = "Whether to create a certificate in Amazon Certificate Manager" + default = true +} + +variable "acm_certificate_domain_name" { + type = string + description = "Domain name of an existing certificate in Amazon Certificate Manager. Use if domain name of the certificate is different to domain_name of the service" + default = null +}
From 139774d5909a41a517dfa0847a78e6ffe73c777e Mon Sep 17 00:00:00 2001
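Review bot: The rewritten `certificate_arn` line in the loadbalancer.tf hunk still reads `aws_acm_certificate.default.0.arn` from the certificate resource rather than from `aws_acm_certificate_validation.default`, so nothing in the graph orders listener creation after DNS validation has completed; if validation has not finished, the listener can fail at apply time because the certificate is not yet issued (unless the README section referenced at the top of acm.tf is meant to cover this). Reading the ARN through the validation resource, `var.acm_create_certificate ? aws_acm_certificate_validation.default[0].certificate_arn : data.aws_acm_certificate.existing[0].arn`, gives the same value with the ordering built in. The pre-existing line had the same gap; this hunk rewrites it, and the loadbalancer.tf hunk in patch 2 keeps the form. The enclosing aws_lb_listener.https resource begins before and ends after the hunk.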
From: Rory McHugh
Date: Tue, 1 Oct 2024 10:11:02 +0100
Subject: [PATCH 2/2] feat(acm): Add reference to existing ACM certificate
- Use conditional in aws_lb_listener.this to refer to certificate_arn argument
- Add input variables acm_create_certificate and acm_certificate_arn
- Update README.md
---
README.md | 2 ++
data.tf | 9 ---------
loadbalancer.tf | 2 +-
variables.tf | 4 ++--
4 files changed, 5 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index 3c37d2d..1990b9f 100644
--- a/README.md
+++ b/README.md
@@ -97,6 +97,8 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [acm\_certificate\_arn](#input\_acm\_certificate\_arn) | ARN of an existing certificate in Amazon Certificate Manager | `string` | `null` | no | +| [acm\_create\_certificate](#input\_acm\_create\_certificate) | Whether to create a certificate in Amazon Certificate Manager | `bool` | `true` | no | | [alb\_access\_logs\_bucket](#input\_alb\_access\_logs\_bucket) | Name of the S3 Bucket for ALB access logs | `string` | `""` | no | | [alb\_access\_logs\_enabled](#input\_alb\_access\_logs\_enabled) | Whether to enable access logging for the ALB | `bool` | `false` | no | | [alb\_access\_logs\_prefix](#input\_alb\_access\_logs\_prefix) | Prefix for objects in S3 bucket for ALB access logs | `string` | `""` | no |
diff --git a/data.tf b/data.tf
index 01fe867..26ae3a2 100644
--- a/data.tf
+++ b/data.tf
@@ -38,12 +38,3 @@ data "aws_route53_zone" "existing" { zone_id = var.route53_zone_id_existing } - -data "aws_acm_certificate" "existing" { - count = var.acm_create_certificate ? 0 : 1 - - domain = var.acm_certificate_domain_name - statuses = ["ISSUED"] - types = ["IMPORTED"] - most_recent = true -}
diff --git a/loadbalancer.tf b/loadbalancer.tf
index a552f83..b620335 100644
--- a/loadbalancer.tf
+++ b/loadbalancer.tf
@@ -28,7 +28,7 @@ resource "aws_lb_listener" "https" { port = 443 protocol = "HTTPS" ssl_policy = var.alb_listener_ssl_policy - certificate_arn = var.acm_create_certificate ? aws_acm_certificate.default.0.arn : data.aws_acm_certificate.existing.0.arn + certificate_arn = var.acm_create_certificate ? aws_acm_certificate.default.0.arn : var.acm_certificate_arn default_action { type = "fixed-response"
diff --git a/variables.tf b/variables.tf
index a069df5..178f71d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -275,8 +275,8 @@ variable "acm_create_certificate" { default = true } -variable "acm_certificate_domain_name" { +variable "acm_certificate_arn" { type = string - description = "Domain name of an existing certificate in Amazon Certificate Manager. Use if domain name of the certificate is different to domain_name of the service" + description = "ARN of an existing certificate in Amazon Certificate Manager" default = null }
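Review bot: When `acm_create_certificate` is false and `acm_certificate_arn` keeps its `null` default, the new conditional in the loadbalancer.tf hunk resolves to `certificate_arn = null` on the HTTPS listener; plan accepts that and only the AWS API call at apply time rejects it, leaving the resource that terminates TLS for the service uncreated. A `lifecycle { precondition }` on aws_lb_listener.https reports the mismatch at plan time and, unlike a `validation` block on the variable in older Terraform releases, can see both variables; the variables.tf hunk could additionally state in the description that the value is required when `acm_create_certificate = false`. The aws_lb_listener.https resource starts before and ends after the hunk.
```hcl
  certificate_arn = var.acm_create_certificate ? aws_acm_certificate.default.0.arn : var.acm_certificate_arn

  lifecycle {
    precondition {
      condition     = var.acm_create_certificate || var.acm_certificate_arn != null
      error_message = "acm_certificate_arn must be set when acm_create_certificate is false."
    }
  }

  # … unchanged: default_action …
```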