Conversation


@rahul-infra rahul-infra commented Nov 19, 2025

Terraform plan for same account:

```
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.acm["base_domain"].aws_acm_certificate.this will be created
  + resource "aws_acm_certificate" "this" {
      + arn                       = (known after apply)
      + domain_name               = "kong.staging.gaussb.io"
      + domain_validation_options = [
          + {
              + domain_name           = "kong.staging.gaussb.io"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
        ]
      + id                        = (known after apply)
      + key_algorithm             = "RSA_2048"
      + not_after                 = (known after apply)
      + not_before                = (known after apply)
      + pending_renewal           = (known after apply)
      + region                    = "ap-south-1"
      + renewal_eligibility       = (known after apply)
      + renewal_summary           = (known after apply)
      + status                    = (known after apply)
      + subject_alternative_names = [
          + "kong.staging.gaussb.io",
        ]
      + tags                      = {
          + "env" = "dev"
        }
      + tags_all                  = {
          + "env" = "dev"
        }
      + type                      = (known after apply)
      + validation_emails         = (known after apply)
      + validation_method         = "DNS"

      + options (known after apply)
    }

  # module.acm["base_domain"].aws_acm_certificate_validation.this will be created
  + resource "aws_acm_certificate_validation" "this" {
      + certificate_arn         = (known after apply)
      + id                      = (known after apply)
      + region                  = "ap-south-1"
      + validation_record_fqdns = (known after apply)
    }

  # module.acm["base_domain"].aws_route53_record.same_account[0] will be created
  + resource "aws_route53_record" "same_account" {
      + allow_overwrite = true
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = (known after apply)
      + records         = (known after apply)
      + ttl             = 60
      + type            = (known after apply)
      + zone_id         = "Z0105802SJKE46BQ70GU"
    }

Plan: 3 to add, 0 to change, 0 to destroy.

────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
```

Terraform plan for cross account:

```
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.acm["base_domain"].aws_acm_certificate.this will be created
  + resource "aws_acm_certificate" "this" {
      + arn                       = (known after apply)
      + domain_name               = "kong.staging.gaussb.io"
      + domain_validation_options = [
          + {
              + domain_name           = "kong.staging.gaussb.io"
              + resource_record_name  = (known after apply)
              + resource_record_type  = (known after apply)
              + resource_record_value = (known after apply)
            },
        ]
      + id                        = (known after apply)
      + key_algorithm             = "RSA_2048"
      + not_after                 = (known after apply)
      + not_before                = (known after apply)
      + pending_renewal           = (known after apply)
      + region                    = "ap-south-1"
      + renewal_eligibility       = (known after apply)
      + renewal_summary           = (known after apply)
      + status                    = (known after apply)
      + subject_alternative_names = [
          + "kong.staging.gaussb.io",
        ]
      + tags                      = {
          + "env" = "dev"
        }
      + tags_all                  = {
          + "env" = "dev"
        }
      + type                      = (known after apply)
      + validation_emails         = (known after apply)
      + validation_method         = "DNS"

      + options (known after apply)
    }

  # module.acm["base_domain"].aws_acm_certificate_validation.this will be created
  + resource "aws_acm_certificate_validation" "this" {
      + certificate_arn         = (known after apply)
      + id                      = (known after apply)
      + region                  = "ap-south-1"
      + validation_record_fqdns = (known after apply)
    }

  # module.acm["base_domain"].aws_route53_record.cross_account[0] will be created
  + resource "aws_route53_record" "cross_account" {
      + allow_overwrite = true
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = (known after apply)
      + records         = (known after apply)
      + ttl             = 60
      + type            = (known after apply)
      + zone_id         = "Z0105802SJKE46BQ70GU"
    }

Plan: 3 to add, 0 to change, 0 to destroy.

────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now
```

This is the terraform plan when the resource was already created with the older version and the user wants to change to the newer version:

```
terraform plan
module.ecs-deployment_acm["base_domain"].aws_acm_certificate.this: Refreshing state... [id=arn:aws:acm:ap-south-1:471112575944:certificate/51b7aab4-9b03-479a-a4c3-9d3aae34348e]
module.ecs-deployment_acm["base_domain"].aws_route53_record.this[0]: Refreshing state... [id=Z0105802SJKE46BQ70GU__73523f433659a8ecb8b3cbb19ed15127.kong.staging.gaussb.io._CNAME]
module.ecs-deployment_acm["base_domain"].aws_acm_certificate_validation.this: Refreshing state... [id=2025-11-21 05:24:03.256 +0000 UTC]

Terraform will perform the following actions:

  # module.ecs-deployment_acm["base_domain"].aws_route53_record.this has moved to module.ecs-deployment_acm["base_domain"].aws_route53_record.this[0]
    resource "aws_route53_record" "this" {
        id                               = "Z0105802SJKE46BQ70GU__73523f433659a8ecb8b3cbb19ed15127.kong.staging.gaussb.io._CNAME"
        name                             = "_73523f433659a8ecb8b3cbb19ed15127.kong.staging.gaussb.io"
        # (9 unchanged attributes hidden)
    }

Plan: 0 to add, 0 to change, 0 to destroy.

────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
```
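For readers following the thread, here is a minimal root configuration that produces the "cross account" plan shape shown above: the certificate is requested in the account running Terraform, and the validation CNAME is written through an aliased provider that assumes a role in the account owning the hosted zone. This is an added example and is not the PR's module code; the role ARN and account ID are placeholders, the domain name and hosted zone ID are the ones visible in the plan output, and the alias name follows the `cross_account_provider` chosen later in this review.

```hcl
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      # The plans in this thread show a per-resource "region" attribute, which
      # needs a 6.x provider; the constraint below also tolerates 5.x callers.
      version = ">= 5.0, < 7.0"
    }
  }
}

# Account that owns the certificate: ACM resources are created here.
provider "aws" {
  region = "ap-south-1"
}

# Account that owns the public hosted zone. The role ARN is a placeholder;
# the role itself must be created in that account with a scoped policy.
provider "aws" {
  alias  = "cross_account_provider"
  region = "ap-south-1"

  assume_role {
    role_arn     = "arn:aws:iam::111122223333:role/acm-dns-validation"
    session_name = "acm-dns-validation"
  }
}

locals {
  domain_name = "kong.staging.gaussb.io"   # from the plan output above
  zone_id     = "Z0105802SJKE46BQ70GU"     # from the plan output above
}

resource "aws_acm_certificate" "this" {
  domain_name       = local.domain_name
  validation_method = "DNS"
  key_algorithm     = "RSA_2048"

  # A replacement certificate is issued before the old one is torn down, so
  # listeners referencing the ARN are never left without a certificate.
  lifecycle {
    create_before_destroy = true
  }
}

# One validation CNAME per validated name, written into the other account's
# zone through the aliased provider. Keying on domain_name keeps the address
# stable when SANs are added or removed later.
resource "aws_route53_record" "validation" {
  provider = aws.cross_account_provider

  for_each = {
    for dvo in aws_acm_certificate.this.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }

  zone_id         = local.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.record]
  allow_overwrite = true
}

# Blocks until ACM has observed the CNAMEs and issued the certificate.
resource "aws_acm_certificate_validation" "this" {
  certificate_arn         = aws_acm_certificate.this.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}
```

Because the provider block carries `assume_role`, every Route53 call made for `aws_route53_record.validation` is authenticated as the DNS-account role, while the ACM calls stay in the default provider's account. Nothing else in the configuration needs to know which account the zone lives in; switching back to a same-account zone is a matter of dropping `provider = aws.cross_account_provider`.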

@rahul-infra rahul-infra changed the title feat : Add provision to use cross-account Route53 for ACM DNS validation feat : add provision to use cross-account Route53 for ACM DNS validation Nov 19, 2025
@rahul-infra rahul-infra changed the title feat : add provision to use cross-account Route53 for ACM DNS validation feat : add provision to use cross-account route53 for acm dns validation Nov 19, 2025
@rahul-infra rahul-infra changed the title feat : add provision to use cross-account route53 for acm dns validation feat: add provision to use cross-account route53 for acm dns validation Nov 19, 2025
@ashwinimanoj ashwinimanoj changed the title feat: add provision to use cross-account route53 for acm dns validation feat: Add provision to use cross-account route53 for acm dns validation Nov 19, 2025
main.tf Outdated

# Cross-account provider for Route53
provider "aws" {
alias = "dns"


As a variable is not allowed here, and the description mentions a cross-account provider, would it make more sense to call it cross_account_provider?

Author


I have changed the alias from dns to cross_account_provider.
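The aliased provider discussed in this thread only works if a role exists in the DNS account for it to assume. The following is an added example of that role, applied in the account that owns the hosted zone; it is not part of the PR. The account ID and role name are placeholders, while the zone ID and domain name are taken from the plan output earlier in the conversation. The point of the policy is least privilege: the assumed role can only create, change or delete CNAME records whose names start with `_` under the validated domain, which is all ACM DNS validation needs, so a compromised pipeline in the certificate account cannot rewrite the zone's apex, MX or other records.

```hcl
# Applied in the account that owns the hosted zone (the "DNS" account).
locals {
  cert_account_id = "123456789012"         # placeholder: account running the ACM module
  zone_id         = "Z0105802SJKE46BQ70GU" # from the plan output in this thread
  domain_name     = "kong.staging.gaussb.io"
}

# Trust policy. Narrow the principal to the specific CI/deploy role in the
# certificate account rather than ":root" once that role name is known.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.cert_account_id}:root"]
    }
  }
}

data "aws_iam_policy_document" "validation_only" {
  # Writes are allowed only for CNAME records named _<anything>.<domain>.
  # Both conditions must hold for every record in a change batch, so a batch
  # that also touches an A or MX record, or any other name, is rejected.
  statement {
    sid       = "ChangeValidationCnamesOnly"
    actions   = ["route53:ChangeResourceRecordSets"]
    resources = ["arn:aws:route53:::hostedzone/${local.zone_id}"]

    condition {
      test     = "ForAllValues:StringEquals"
      variable = "route53:ChangeResourceRecordSetsRecordTypes"
      values   = ["CNAME"]
    }
    condition {
      test     = "ForAllValues:StringLike"
      variable = "route53:ChangeResourceRecordSetsNormalizedRecordNames"
      values   = ["_*.${local.domain_name}"]
    }
  }

  # Read access the provider needs to refresh the record and inspect the zone.
  statement {
    sid       = "ReadZoneForRefresh"
    actions   = ["route53:ListResourceRecordSets", "route53:GetHostedZone"]
    resources = ["arn:aws:route53:::hostedzone/${local.zone_id}"]
  }

  # The provider polls the change until it is INSYNC after each write.
  statement {
    sid       = "PollChangeStatus"
    actions   = ["route53:GetChange"]
    resources = ["arn:aws:route53:::change/*"]
  }
}

resource "aws_iam_role" "acm_dns_validation" {
  name               = "acm-dns-validation"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

resource "aws_iam_role_policy" "acm_dns_validation" {
  role   = aws_iam_role.acm_dns_validation.id
  policy = data.aws_iam_policy_document.validation_only.json
}
```

The `route53:ChangeResourceRecordSetsRecordTypes` and `route53:ChangeResourceRecordSetsNormalizedRecordNames` condition keys are evaluated against every record in a ChangeResourceRecordSets batch, which is why `ForAllValues` is used; the `allow_overwrite = true` seen in the plans above therefore can only overwrite validation CNAMEs, never an unrelated record in the zone.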


ashwinimanoj commented Nov 20, 2025

@rahul-infra Is it possible to paste the result of terraform plan with an example for these changes?
You can add one with cross account and one without it.

allow_overwrite = var.record_allow_overwrite
}

resource "aws_route53_record" "cross_account" {
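Review bot: `allow_overwrite = var.record_allow_overwrite` resolves to `true` in both plans posted above, and with this change the same flag now governs writes into a hosted zone owned by a different account. If the default stays `true`, the README for the new cross-account variables should say that the assumed role may replace a pre-existing record of the same name, and the role's `route53:ChangeResourceRecordSets` grant should be conditioned on CNAME type and `_*.<domain>` names so an overwrite cannot reach beyond validation records.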


Let's have the name be something more descriptive than same account and cross account.
Also, wouldn't changing the name of an existing resource require a destroy and create? We should avoid that and only use a different name for the new aws_route53_record resource being added.

Author


I made this change from 'same_account' to 'this' so that it doesn't destroy and create resources if the user wants to change only the version.

aws = {
source = "hashicorp/aws"
version = "~> 5.0"
version = "~> 6.0"
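Review bot: replacing `version = "~> 5.0"` with `version = "~> 6.0"` is a breaking change for every consumer of this module whose root configuration is still pinned to a 5.x provider: Terraform intersects the module's constraint with the root's, and `terraform init` fails when no single version satisfies both. The plans in this thread show `region = "ap-south-1"` as a per-resource attribute, which only exists in the 6.x provider line, so the bump is real and should be called out in the changelog and README as a major-version requirement. If the module does not actually depend on 6.x-only arguments, `>= 5.0, < 7.0` would let both 5.x and 6.x callers keep working.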


Why did we update from 5.0 to 6.0?
Are there any breaking changes when moving from 5.0 to 6.0?

Author


This shouldn't be a breaking change @ashwinimanoj .


@ashwinimanoj ashwinimanoj Nov 20, 2025


There are many breaking changes according to the release notes:
https://github.com/hashicorp/terraform-provider-aws/releases/tag/v6.0.0

Not sure how many of them apply here.


Author


I checked the release notes for AWS Provider Version 6, and I can see those upgrades don't have any breaking changes.

rahul-infra added 2 commits November 20, 2025 15:52
…same account or different account.

fix : removed extra space.

fix: removed unwanted region in my acm module.

fix : updated aws support provider.

fix : updated aws version.

fix : formatted main file.

fix: removed region from passing to my acm module.

Made changes in pre-commit file, excluded acm main.tf file.
… branch.

terraform-docs: automated action

feat: added route53 arn and region in examples.

Removed extra space in my example variables.tf
@rahul-infra rahul-infra force-pushed the feature/route53-cross-account-access branch from c5747c5 to f28365f Compare November 20, 2025 10:38
}
}

terraform {

@ashwinimanoj ashwinimanoj Nov 21, 2025


move this terraform block to providers.tf

Author


Moved providers into providers.tf file.
