Revert "feat: Add provision to use cross-account route53 for acm dns validation"

Author: rahul-infra

.github/workflows/terraform-docs.yaml

@@ -13,7 +13,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
-          ref: ${{ github.event.pull_request.head.ref }}
+          ref: ${{ github.ref }}
 
       - name: Render and Push terraform docs for main module
         uses: terraform-docs/gh-actions@main

.pre-commit-config.yaml

@@ -4,7 +4,6 @@ repos:
     hooks:
       - id: terraform_fmt
       - id: terraform_validate
-        exclude: '^[^/]+\.tf$|^modules/acm/.*'
       - id: terraform_tflint
         args:
           - '--args=--only=terraform_deprecated_interpolation'

README.md

@@ -12,13 +12,13 @@ Terraform module to deploy production-ready applications and services on an exis
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 6.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 6.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.0 |
 
 ## Modules
 
@@ -51,8 +51,6 @@ Terraform module to deploy production-ready applications and services on an exis
 | <a name="input_create_s3_bucket_for_alb_logging"></a> [create\_s3\_bucket\_for\_alb\_logging](#input\_create\_s3\_bucket\_for\_alb\_logging) | (Optional) Creates S3 bucket for storing ALB Access and Connection Logs. | `bool` | `true` | no |
 | <a name="input_default_capacity_providers_strategies"></a> [default\_capacity\_providers\_strategies](#input\_default\_capacity\_providers\_strategies) | (Optional) Set of capacity provider strategies to use by default for the cluster. | `any` | `[]` | no |
 | <a name="input_load_balancer"></a> [load\_balancer](#input\_load\_balancer) | Configuration for the Application Load Balancer. | <pre>object({<br/>    name                       = optional(string)<br/>    internal                   = optional(bool, false)<br/>    subnets_ids                = optional(list(string), [])<br/>    security_groups_ids        = optional(list(string), [])<br/>    preserve_host_header       = optional(bool)<br/>    enable_deletion_protection = optional(bool, false)<br/>    access_logs                = optional(any, null)<br/>    connection_logs            = optional(any, null)<br/>    target_groups              = optional(any, {})<br/>    listeners                  = optional(any, {})<br/>    listener_rules             = optional(any, {})<br/>    tags                       = optional(map(string), {})<br/>  })</pre> | `{}` | no |
-| <a name="input_region"></a> [region](#input\_region) | (Optional) AWS region to create resources in. | `string` | `null` | no |
-| <a name="input_route53_assume_role_arn"></a> [route53\_assume\_role\_arn](#input\_route53\_assume\_role\_arn) | (Optional) ARN of the role to assume for Route53 operations. | `string` | `null` | no |
 | <a name="input_s3_bucket_force_destroy"></a> [s3\_bucket\_force\_destroy](#input\_s3\_bucket\_force\_destroy) | (Optional, Default:false) Boolean that indicates all objects (including any locked objects) should be deleted from the bucket when the bucket is destroyed so that the bucket can be destroyed without error. | `bool` | `false` | no |
 | <a name="input_s3_bucket_name"></a> [s3\_bucket\_name](#input\_s3\_bucket\_name) | (Optional, Forces new resource) Name of the bucket. | `string` | `null` | no |
 | <a name="input_s3_bucket_policy_id_prefix"></a> [s3\_bucket\_policy\_id\_prefix](#input\_s3\_bucket\_policy\_id\_prefix) | (Optional) - Prefix of the ID for the policy document. | `string` | `"ecs-deployment-alb-"` | no |

examples/complete/main.tf

@@ -93,9 +93,6 @@ module "ecs_deployment" {
       record_zone_id    = data.aws_route53_zone.base_domain.zone_id
     }
   }
-  region = var.region
-  # Cross-account role that ACM module will use for Route53 DNS record creation
-  route53_assume_role_arn = var.route53_assume_role_arn
 
   # Application Load Balancer
   load_balancer = {

examples/complete/variables.tf

@@ -132,13 +132,3 @@ variable "domain_name" {
   description = "Domain name for ACM"
   type        = string
 }
-
-variable "region" {
-  description = "AWS region to deploy resources"
-  type        = string
-}
-
-variable "route53_assume_role_arn" {
-  description = "ARN of the cross-account role for Route53 DNS record creation"
-  type        = string
-}

main.tf

@@ -243,33 +243,12 @@ resource "aws_ecs_task_definition" "this" {
 ################################################################################
 # Amazon Certificates Manager Sub-module
 ################################################################################
-provider "aws" {
-  region = var.region
-}
-
-# Cross-account provider for Route53
-provider "aws" {
-  alias  = "cross_account_provider"
-  region = var.region
-
-  dynamic "assume_role" {
-    for_each = var.route53_assume_role_arn != null ? [1] : []
-    content {
-      role_arn = var.route53_assume_role_arn
-    }
-  }
-}
 
 module "acm" {
   source = "./modules/acm"
 
-  providers = {
-    aws                        = aws
-    aws.cross_account_provider = aws.cross_account_provider
-  }
-  route53_assume_role_arn = var.route53_assume_role_arn
-
   for_each = var.create_acm ? var.acm_certificates : {}
+
   # ACM Certificate
   certificate_domain_name               = each.value.domain_name
   certificate_subject_alternative_names = try(each.value.subject_alternative_names, null)
@@ -280,7 +259,8 @@ module "acm" {
   # Route53 Record
   record_zone_id         = try(each.value.record_zone_id, null)
   record_allow_overwrite = try(each.value.record_allow_overwrite, null)
-  tags                   = try(each.value.tags, {})
+
+  tags = try(each.value.tags, {})
 }
 
 ################################################################################

modules/acm/README.md

@@ -24,14 +24,12 @@ This sub-module creates the Amazon-issued certificate for a given domain with `v
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 6.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 6.0 |
-| <a name="provider_aws.cross_account_provider"></a> [aws.cross\_account\_provider](#provider\_aws.cross\_account\_provider) | ~> 6.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
 
 ## Modules
 
@@ -43,7 +41,6 @@ No modules.
 |------|------|
 | [aws_acm_certificate.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) | resource |
 | [aws_acm_certificate_validation.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation) | resource |
-| [aws_route53_record.cross_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 
 ## Inputs
@@ -57,7 +54,6 @@ No modules.
 | <a name="input_certificate_validation_option"></a> [certificate\_validation\_option](#input\_certificate\_validation\_option) | (Optional) Configuration block used to specify information about the initial validation of each domain name. | <pre>object({<br/>    domain_name       = string<br/>    validation_domain = string<br/>  })</pre> | `null` | no |
 | <a name="input_record_allow_overwrite"></a> [record\_allow\_overwrite](#input\_record\_allow\_overwrite) | (Optional) Allow creation of this record in Terraform to overwrite an existing record, if any. | `bool` | `true` | no |
 | <a name="input_record_zone_id"></a> [record\_zone\_id](#input\_record\_zone\_id) | (Required) Hosted zone ID for a CloudFront distribution, S3 bucket, ELB, or Route 53 hosted zone. | `string` | n/a | yes |
-| <a name="input_route53_assume_role_arn"></a> [route53\_assume\_role\_arn](#input\_route53\_assume\_role\_arn) | (Optional) IAM role ARN to assume for Route53 operations | `string` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | (Optional) Map of tags to assign to the resource. | `map(string)` | `{}` | no |
 
 ## Outputs
@@ -67,5 +63,5 @@ No modules.
 | <a name="output_acm_certificate_arn"></a> [acm\_certificate\_arn](#output\_acm\_certificate\_arn) | ARN of the ACM certificate. |
 | <a name="output_acm_certificate_id"></a> [acm\_certificate\_id](#output\_acm\_certificate\_id) | ARN of the ACM certificate. |
 | <a name="output_acm_certificate_validation_id"></a> [acm\_certificate\_validation\_id](#output\_acm\_certificate\_validation\_id) | Identifier of the ACM certificate validation resource. |
-| <a name="output_route53_record_id"></a> [route53\_record\_id](#output\_route53\_record\_id) | Identifier of the Route53 Record (supports same & cross-account). |
+| <a name="output_route53_record_id"></a> [route53\_record\_id](#output\_route53\_record\_id) | Identifier of the Route53 Record for validation of the ACM certificate. |
 <!-- END_TF_DOCS -->

modules/acm/main.tf

@@ -38,21 +38,6 @@ resource "aws_acm_certificate" "this" {
 ################################################################################
 
 resource "aws_route53_record" "this" {
-  count = var.route53_assume_role_arn == null ? 1 : 0
-
-  zone_id         = var.record_zone_id
-  name            = local.acm_certificate_validation_record.name
-  type            = local.acm_certificate_validation_record.type
-  records         = [local.acm_certificate_validation_record.value]
-  ttl             = 60
-  allow_overwrite = var.record_allow_overwrite
-}
-
-resource "aws_route53_record" "cross_account" {
-  count    = var.route53_assume_role_arn != null ? 1 : 0
-  provider = aws.cross_account_provider
-
-
   zone_id         = var.record_zone_id
   name            = local.acm_certificate_validation_record.name
   type            = local.acm_certificate_validation_record.type
@@ -62,11 +47,6 @@ resource "aws_route53_record" "cross_account" {
 }
 
 resource "aws_acm_certificate_validation" "this" {
-  certificate_arn = aws_acm_certificate.this.arn
-
-  validation_record_fqdns = [
-    var.route53_assume_role_arn == null ?
-    aws_route53_record.this[0].fqdn :
-    aws_route53_record.cross_account[0].fqdn
-  ]
+  certificate_arn         = aws_acm_certificate.this.arn
+  validation_record_fqdns = [aws_route53_record.this.fqdn]
 }

modules/acm/outputs.tf

@@ -17,15 +17,10 @@ output "acm_certificate_arn" {
 ################################################################################
 
 output "route53_record_id" {
-  description = "Identifier of the Route53 Record (supports same & cross-account)."
-  value = (
-    var.route53_assume_role_arn == null
-    ? aws_route53_record.this[0].id
-    : aws_route53_record.cross_account[0].id
-  )
+  description = "Identifier of the Route53 Record for validation of the ACM certificate."
+  value       = aws_route53_record.this.id
 }
 
-
 ################################################################################
 # ACM Certificate Validation
 ################################################################################