feat : Given provision for acm module such it can have hostedzone in same account or different account.

rahul-infra · rahul-infra · commit b6f1a1450c84 · 2025-11-20T15:52:26.000+05:30
fix : removed extra space.

fix: removed unwanted region in my acm module.

fix : updated aws support provider.

fix : updated aws version.

fix : formatted main file.

fix: removed region from passing to my acm module.

Made changes in pre-commit file excluded acm main.tf file.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -4,6 +4,7 @@ repos:
     hooks:
       - id: terraform_fmt
       - id: terraform_validate
+        exclude: '^[^/]+\.tf$|^modules/acm/.*'
       - id: terraform_tflint
         args:
           - '--args=--only=terraform_deprecated_interpolation'
diff --git a/main.tf b/main.tf
@@ -243,12 +243,33 @@ resource "aws_ecs_task_definition" "this" {
 ################################################################################
 # Amazon Certificates Manager Sub-module
 ################################################################################
+provider "aws" {
+  region = var.region
+}
+
+# Cross-account provider for Route53
+provider "aws" {
+  alias  = "dns"
+  region = var.region
+
+  dynamic "assume_role" {
+    for_each = var.route53_assume_role_arn != null ? [1] : []
+    content {
+      role_arn = var.route53_assume_role_arn
+    }
+  }
+}
 
 module "acm" {
   source = "./modules/acm"
 
-  for_each = var.create_acm ? var.acm_certificates : {}
+  providers = {
+    aws     = aws
+    aws.dns = aws.dns
+  }
+  route53_assume_role_arn = var.route53_assume_role_arn
 
+  for_each = var.create_acm ? var.acm_certificates : {}
   # ACM Certificate
   certificate_domain_name               = each.value.domain_name
   certificate_subject_alternative_names = try(each.value.subject_alternative_names, null)
@@ -259,8 +280,7 @@ module "acm" {
   # Route53 Record
   record_zone_id         = try(each.value.record_zone_id, null)
   record_allow_overwrite = try(each.value.record_allow_overwrite, null)
-
-  tags = try(each.value.tags, {})
+  tags                   = try(each.value.tags, {})
 }
 
 ################################################################################
diff --git a/modules/acm/main.tf b/modules/acm/main.tf
@@ -7,6 +7,19 @@ locals {
   }
 }
 
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+      configuration_aliases = [
+        aws,
+        aws.dns
+      ]
+    }
+  }
+}
+
 ################################################################################
 # ACM Certificate
 ################################################################################
@@ -37,7 +50,22 @@ resource "aws_acm_certificate" "this" {
 # ACM Validation
 ################################################################################
 
-resource "aws_route53_record" "this" {
+resource "aws_route53_record" "same_account" {
+  count = var.route53_assume_role_arn == null ? 1 : 0
+
+  zone_id         = var.record_zone_id
+  name            = local.acm_certificate_validation_record.name
+  type            = local.acm_certificate_validation_record.type
+  records         = [local.acm_certificate_validation_record.value]
+  ttl             = 60
+  allow_overwrite = var.record_allow_overwrite
+}
+
+resource "aws_route53_record" "cross_account" {
+  count    = var.route53_assume_role_arn != null ? 1 : 0
+  provider = aws.dns
+
+
   zone_id         = var.record_zone_id
   name            = local.acm_certificate_validation_record.name
   type            = local.acm_certificate_validation_record.type
@@ -47,6 +75,11 @@ resource "aws_route53_record" "this" {
 }
 
 resource "aws_acm_certificate_validation" "this" {
-  certificate_arn         = aws_acm_certificate.this.arn
-  validation_record_fqdns = [aws_route53_record.this.fqdn]
+  certificate_arn = aws_acm_certificate.this.arn
+
+  validation_record_fqdns = [
+    var.route53_assume_role_arn == null ?
+    aws_route53_record.same_account[0].fqdn :
+    aws_route53_record.cross_account[0].fqdn
+  ]
 }
diff --git a/modules/acm/outputs.tf b/modules/acm/outputs.tf
@@ -17,10 +17,15 @@ output "acm_certificate_arn" {
 ################################################################################
 
 output "route53_record_id" {
-  description = "Identifier of the Route53 Record for validation of the ACM certificate."
-  value       = aws_route53_record.this.id
+  description = "Identifier of the Route53 Record (supports same & cross-account)."
+  value = (
+    var.route53_assume_role_arn == null
+    ? aws_route53_record.same_account[0].id
+    : aws_route53_record.cross_account[0].id
+  )
 }
 
+
 ################################################################################
 # ACM Certificate Validation
 ################################################################################
diff --git a/modules/acm/variables.tf b/modules/acm/variables.tf
@@ -60,3 +60,9 @@ variable "record_allow_overwrite" {
   nullable    = false
   default     = true
 }
+
+variable "route53_assume_role_arn" {
+  type        = string
+  default     = null
+  description = "(Optional) IAM role ARN to assume for Route53 operations"
+}
diff --git a/variables.tf b/variables.tf
@@ -199,3 +199,15 @@ variable "acm_certificates" {
   nullable = false
   default  = {}
 }
+
+variable "region" {
+  description = "(Optional) AWS region to create resources in."
+  type        = string
+  default     = null
+}
+
+variable "route53_assume_role_arn" {
+  description = "(Optional) ARN of the role to assume for Route53 operations."
+  type        = string
+  default     = null
+}
diff --git a/versions.tf b/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.0"
+      version = "~> 6.0"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ terraform {`
`4`	`4`	`required_providers {`
`5`	`5`	`aws = {`
`6`	`6`	`source = "hashicorp/aws"`
`7`		`- version = "~> 5.0"`
	`7`	`+ version = "~> 6.0"`
`8`	`8`	`}`
`9`	`9`	`}`
`10`	`10`	`}`