tfmodsearch 0.4.0__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- config.yaml +30 -0
- model/tfmod_bge_base_index.pkl +0 -0
- modules/terraform-aws-modules/acm.md +312 -0
- modules/terraform-aws-modules/alb.md +755 -0
- modules/terraform-aws-modules/apigateway-v2.md +450 -0
- modules/terraform-aws-modules/app-runner.md +403 -0
- modules/terraform-aws-modules/appconfig.md +411 -0
- modules/terraform-aws-modules/appsync.md +373 -0
- modules/terraform-aws-modules/atlantis.md +489 -0
- modules/terraform-aws-modules/autoscaling.md +420 -0
- modules/terraform-aws-modules/batch.md +456 -0
- modules/terraform-aws-modules/cloudfront.md +765 -0
- modules/terraform-aws-modules/cloudwatch.md +1011 -0
- modules/terraform-aws-modules/customer-gateway.md +273 -0
- modules/terraform-aws-modules/datadog-forwarders.md +643 -0
- modules/terraform-aws-modules/dms.md +567 -0
- modules/terraform-aws-modules/dynamodb-table.md +565 -0
- modules/terraform-aws-modules/ebs-optimized.md +122 -0
- modules/terraform-aws-modules/ec2-instance.md +515 -0
- modules/terraform-aws-modules/ecr.md +442 -0
- modules/terraform-aws-modules/ecs.md +808 -0
- modules/terraform-aws-modules/efs.md +433 -0
- modules/terraform-aws-modules/eks-pod-identity.md +486 -0
- modules/terraform-aws-modules/eks.md +1048 -0
- modules/terraform-aws-modules/elasticache.md +661 -0
- modules/terraform-aws-modules/elb.md +389 -0
- modules/terraform-aws-modules/emr.md +567 -0
- modules/terraform-aws-modules/eventbridge.md +479 -0
- modules/terraform-aws-modules/fsx.md +538 -0
- modules/terraform-aws-modules/global-accelerator.md +482 -0
- modules/terraform-aws-modules/iam.md +894 -0
- modules/terraform-aws-modules/key-pair.md +248 -0
- modules/terraform-aws-modules/kms.md +379 -0
- modules/terraform-aws-modules/lambda.md +825 -0
- modules/terraform-aws-modules/managed-service-grafana.md +370 -0
- modules/terraform-aws-modules/managed-service-prometheus.md +392 -0
- modules/terraform-aws-modules/memory-db.md +427 -0
- modules/terraform-aws-modules/msk-kafka-cluster.md +783 -0
- modules/terraform-aws-modules/network-firewall.md +525 -0
- modules/terraform-aws-modules/notify-slack.md +335 -0
- modules/terraform-aws-modules/opensearch.md +594 -0
- modules/terraform-aws-modules/rds-aurora.md +584 -0
- modules/terraform-aws-modules/rds-proxy.md +336 -0
- modules/terraform-aws-modules/rds.md +460 -0
- modules/terraform-aws-modules/redshift.md +575 -0
- modules/terraform-aws-modules/route53.md +581 -0
- modules/terraform-aws-modules/s3-bucket.md +759 -0
- modules/terraform-aws-modules/secrets-manager.md +347 -0
- modules/terraform-aws-modules/security-group.md +512 -0
- modules/terraform-aws-modules/sns.md +323 -0
- modules/terraform-aws-modules/sqs.md +381 -0
- modules/terraform-aws-modules/ssm-parameter.md +285 -0
- modules/terraform-aws-modules/step-functions.md +415 -0
- modules/terraform-aws-modules/transit-gateway.md +405 -0
- modules/terraform-aws-modules/vpc.md +645 -0
- modules/terraform-aws-modules/vpn-gateway.md +374 -0
- tfmod_mcp_server.py +1131 -0
- tfmod_search_cli.py +220 -0
- tfmod_search_lib.py +1083 -0
- tfmodsearch-0.4.0.dist-info/METADATA +826 -0
- tfmodsearch-0.4.0.dist-info/RECORD +64 -0
- tfmodsearch-0.4.0.dist-info/WHEEL +4 -0
- tfmodsearch-0.4.0.dist-info/entry_points.txt +5 -0
- tfmodsearch-0.4.0.dist-info/licenses/LICENSE +21 -0
config.yaml
ADDED
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
# TFModSearch MCP Server Configuration
|
|
2
|
+
#
|
|
3
|
+
# Default embedding model: BAAI/bge-base-en-v1.5
|
|
4
|
+
# Model is configured at index build time via CLI --model argument
|
|
5
|
+
|
|
6
|
+
# Logging level for application loggers
|
|
7
|
+
# Third-party loggers (fakeredis, docket, asyncio) are always set to WARNING
|
|
8
|
+
# Valid values: DEBUG, INFO, WARNING, ERROR, CRITICAL
|
|
9
|
+
log_level: INFO
|
|
10
|
+
|
|
11
|
+
# Optional query instruction for BGE models
|
|
12
|
+
# BGE v1.5 works well without instruction, but this can improve short query retrieval
|
|
13
|
+
# Set to null/empty to disable (default), or use the BGE instruction:
|
|
14
|
+
# query_instruction: "Represent this sentence for searching relevant passages: "
|
|
15
|
+
query_instruction: null
|
|
16
|
+
|
|
17
|
+
# Search scoring weights (default values)
|
|
18
|
+
# These control how different search components are weighted
|
|
19
|
+
search_weights:
|
|
20
|
+
# Weight for keyword overlap with IDF weighting
|
|
21
|
+
w_kw: 1.0
|
|
22
|
+
|
|
23
|
+
# Weight for exact module name match boost
|
|
24
|
+
w_exact: 3.0
|
|
25
|
+
|
|
26
|
+
# Weight for BM25 text relevance
|
|
27
|
+
w_bm25: 2.0
|
|
28
|
+
|
|
29
|
+
# Weight for semantic similarity (cosine similarity of embeddings)
|
|
30
|
+
w_sem: 3.0
|
|
Binary file
|
|
@@ -0,0 +1,312 @@
|
|
|
1
|
+
# Terraform AWS ACM Module
|
|
2
|
+
|
|
3
|
+
## Module Information
|
|
4
|
+
|
|
5
|
+
- **Module Name**: `acm`
|
|
6
|
+
- **Source**: `terraform-aws-modules/acm/aws`
|
|
7
|
+
- **GitHub Repository**: https://github.com/terraform-aws-modules/terraform-aws-acm
|
|
8
|
+
- **Terraform Registry**: https://registry.terraform.io/modules/terraform-aws-modules/acm/aws/latest
|
|
9
|
+
- **Latest Version**: 6.3.0
|
|
10
|
+
- **Purpose**: Creates and validates AWS Certificate Manager (ACM) certificates using DNS or email validation
|
|
11
|
+
- **Service**: AWS ACM (AWS Certificate Manager)
|
|
12
|
+
- **Category**: Security, Networking
|
|
13
|
+
- **Keywords**: acm, certificate, ssl, tls, https, dns-validation, route53, cloudfront, wildcard-certificate, alb, nlb, api-gateway, private-ca, certificate-renewal
|
|
14
|
+
- **Use For**: securing web applications with HTTPS, protecting API Gateway custom domains, enabling SSL/TLS for CloudFront distributions, securing ALB/NLB load balancers, implementing wildcard certificates, cross-account certificate/DNS provisioning, automating certificate lifecycle management
|
|
15
|
+
|
|
16
|
+
## Description
|
|
17
|
+
|
|
18
|
+
This Terraform module creates and manages AWS Certificate Manager (ACM) certificates for securing AWS resources with SSL/TLS encryption. ACM handles the complexity of issuing, storing, and automatically renewing public and private X.509 certificates, eliminating manual certificate management. The module supports both DNS validation (recommended, via Route53) and email validation, and issues either public certificates or private certificates through AWS Private Certificate Authority.
|
|
19
|
+
|
|
20
|
+
The module provides flexible certificate topologies: single domain names, multiple domains via Subject Alternative Names (SANs), and wildcard certificates. It integrates natively with Route53 to auto-create DNS validation records, or supports external DNS providers (Cloudflare, etc.) by disabling internal record creation and supplying validation FQDNs manually. For cross-account setups, the module can be invoked twice with `create_certificate = false` on one instance and `create_route53_records_only = true` on the other, splitting certificate issuance and DNS validation across separate AWS providers/accounts without hand-written `aws_route53_record` resources. For CloudFront distributions, the module supports the mandatory US East (N. Virginia) region via provider aliases or the `region` argument.
|
|
21
|
+
|
|
22
|
+
Additional capabilities include configurable validation timeouts (the underlying AWS provider defaults to a 45-minute wait), certificate transparency logging control, exportable certificates (subject to additional AWS charges), key algorithm selection (RSA/ECDSA), and conditional resource creation via feature flags — a workaround for Terraform's lack of `count` support on module blocks. The module outputs certificate ARNs and validation details for direct consumption by ALB, NLB, CloudFront, and API Gateway resources.
|
|
23
|
+
|
|
24
|
+
## Key Features
|
|
25
|
+
|
|
26
|
+
- **DNS Validation**: Automatic certificate validation using Route53 DNS records
|
|
27
|
+
- **Email Validation**: Certificate validation via email, including validation domain override
|
|
28
|
+
- **Route53 Integration**: Automated DNS record creation and cleanup for validation
|
|
29
|
+
- **External DNS Support**: Works with external DNS providers (Cloudflare, etc.) via manually supplied FQDNs
|
|
30
|
+
- **Subject Alternative Names (SANs)**: Multiple domains and wildcards in a single certificate
|
|
31
|
+
- **Wildcard Certificates**: Secure all subdomains under a domain with one certificate
|
|
32
|
+
- **CloudFront Compatibility**: US East (N. Virginia) region support via provider alias or `region` argument
|
|
33
|
+
- **Private CA Support**: Issue private certificates via AWS Private Certificate Authority
|
|
34
|
+
- **Cross-Account Splitting**: `create_route53_records_only` mode lets a second module instance create only the validation records under a separate provider/account
|
|
35
|
+
- **Exportable Certificates**: Optional certificate/key export (`export = "ENABLED"`), subject to extra AWS charges
|
|
36
|
+
- **Conditional Creation**: Feature flags (`create_certificate`, `validate_certificate`) to control resource creation, working around module `count` limitations
|
|
37
|
+
- **Validation Timeout Control**: Configurable timeout for validation completion (AWS default is 45 minutes)
|
|
38
|
+
- **Certificate Transparency Logging**: Toggle certificate transparency log inclusion
|
|
39
|
+
- **Key Algorithm Selection**: Choose RSA or ECDSA key algorithms
|
|
40
|
+
|
|
41
|
+
## Main Use Cases
|
|
42
|
+
|
|
43
|
+
1. **Web Application Security**: Secure web applications with HTTPS/TLS certificates
|
|
44
|
+
2. **API Gateway Protection**: SSL/TLS for API Gateway custom domain names
|
|
45
|
+
3. **CloudFront Distribution Security**: HTTPS certificates for CloudFront CDN
|
|
46
|
+
4. **Load Balancer Encryption**: TLS termination for ALB and NLB
|
|
47
|
+
5. **Multi-Domain Certificates**: Single certificate covering multiple domains with SANs
|
|
48
|
+
6. **Wildcard Domain Coverage**: Secure all subdomains with wildcard certificates
|
|
49
|
+
7. **Automated Certificate Lifecycle**: Infrastructure as Code for certificate provisioning and renewal
|
|
50
|
+
8. **Cross-Account Deployments**: Split certificate issuance and DNS validation across AWS accounts
|
|
51
|
+
9. **Private/Internal PKI**: Issue private certificates via AWS Private CA for internal services
|
|
52
|
+
|
|
53
|
+
## Submodules
|
|
54
|
+
|
|
55
|
+
This module does not contain submodules. All functionality is provided by the root module (the "cross-account" pattern reuses the same root module twice with different input flags, not a dedicated submodule).
|
|
56
|
+
|
|
57
|
+
## Main Input Variables
|
|
58
|
+
|
|
59
|
+
| Variable | Type | Default | Description |
|
|
60
|
+
|----------|------|---------|-------------|
|
|
61
|
+
| `create_certificate` | `bool` | `true` | Whether to create the ACM certificate |
|
|
62
|
+
| `domain_name` | `string` | `""` | Domain name for which the certificate should be issued |
|
|
63
|
+
| `subject_alternative_names` | `list(string)` | `[]` | List of domains that should be SANs in the certificate |
|
|
64
|
+
| `validation_method` | `string` | `null` | Validation method: `DNS` or `EMAIL` |
|
|
65
|
+
| `zone_id` | `string` | `""` | Route53 hosted zone ID for DNS validation |
|
|
66
|
+
| `zones` | `map(string)` | `{}` | Map of Route53 zone IDs for additional/SAN domains |
|
|
67
|
+
| `validate_certificate` | `bool` | `true` | Whether to validate the certificate by creating Route53 record(s) |
|
|
68
|
+
| `create_route53_records` | `bool` | `true` | Create DNS validation records internally via Route53; set `false` for external DNS |
|
|
69
|
+
| `create_route53_records_only` | `bool` | `false` | Create only the Route53 validation records (second instance in cross-account pattern) |
|
|
70
|
+
| `distinct_domain_names` | `list(string)` | `[]` | Distinct domains/SANs to validate (used with `create_route53_records_only`) |
|
|
71
|
+
| `acm_certificate_domain_validation_options` | `any` | `{}` | Domain validation options from the ACM certificate (used with `create_route53_records_only`) |
|
|
72
|
+
| `validation_record_fqdns` | `list(string)` | `[]` | External DNS validation record FQDNs (when `create_route53_records = false`) |
|
|
73
|
+
| `wait_for_validation` | `bool` | `true` | Whether to wait for validation to complete before returning |
|
|
74
|
+
| `validation_timeout` | `string` | `null` | Maximum timeout for validation completion (AWS default: 45m) |
|
|
75
|
+
| `validation_allow_overwrite_records` | `bool` | `true` | Allow overwrite of existing Route53 validation records |
|
|
76
|
+
| `dns_ttl` | `number` | `60` | TTL for DNS validation records |
|
|
77
|
+
| `certificate_transparency_logging_preference` | `bool` | `true` | Add certificate to the certificate transparency log |
|
|
78
|
+
| `key_algorithm` | `string` | `null` | Key algorithm (e.g. `RSA_2048`, `EC_secp384r1`) |
|
|
79
|
+
| `export` | `string` | `null` | Whether the certificate can be exported: `ENABLED` or `DISABLED`; incurs additional AWS charges |
|
|
80
|
+
| `private_authority_arn` | `string` | `null` | Private CA ARN for issuing private certificates |
|
|
81
|
+
| `region` | `string` | `null` | AWS region override for created resources (alternative to provider alias) |
|
|
82
|
+
| `tags` | `map(string)` | `{}` | Tags to assign to the certificate |
|
|
83
|
+
|
|
84
|
+
## Main Outputs
|
|
85
|
+
|
|
86
|
+
| Output | Description |
|
|
87
|
+
|--------|-------------|
|
|
88
|
+
| `acm_certificate_arn` | The ARN of the certificate |
|
|
89
|
+
| `acm_certificate_status` | Status of the certificate |
|
|
90
|
+
| `acm_certificate_domain_validation_options` | Attributes for completing certificate validation (feed into downstream/cross-account instances) |
|
|
91
|
+
| `validation_route53_record_fqdns` | List of FQDNs for validation records |
|
|
92
|
+
| `distinct_domain_names` | List of distinct domain names used for validation |
|
|
93
|
+
| `validation_domains` | List of domain validation options (useful for wildcard SANs) |
|
|
94
|
+
| `acm_certificate_validation_emails` | Addresses that received validation email (EMAIL validation only) |
|
|
95
|
+
|
|
96
|
+
## Usage Examples
|
|
97
|
+
|
|
98
|
+
### Example 1: DNS Validation with Route53
|
|
99
|
+
|
|
100
|
+
```hcl
|
|
101
|
+
module "acm" {
|
|
102
|
+
source = "terraform-aws-modules/acm/aws"
|
|
103
|
+
version = "~> 6.0"
|
|
104
|
+
|
|
105
|
+
domain_name = "example.com"
|
|
106
|
+
zone_id = "Z2ES7B9AZ6SHAE"
|
|
107
|
+
|
|
108
|
+
subject_alternative_names = [
|
|
109
|
+
"*.example.com",
|
|
110
|
+
"app.example.com"
|
|
111
|
+
]
|
|
112
|
+
|
|
113
|
+
validation_method = "DNS"
|
|
114
|
+
wait_for_validation = true
|
|
115
|
+
|
|
116
|
+
tags = {
|
|
117
|
+
Name = "example.com"
|
|
118
|
+
Environment = "production"
|
|
119
|
+
}
|
|
120
|
+
}
|
|
121
|
+
|
|
122
|
+
# Use certificate with ALB
|
|
123
|
+
resource "aws_lb_listener" "https" {
|
|
124
|
+
load_balancer_arn = aws_lb.main.arn
|
|
125
|
+
port = 443
|
|
126
|
+
protocol = "HTTPS"
|
|
127
|
+
ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
|
|
128
|
+
certificate_arn = module.acm.acm_certificate_arn
|
|
129
|
+
|
|
130
|
+
default_action {
|
|
131
|
+
type = "forward"
|
|
132
|
+
target_group_arn = aws_lb_target_group.main.arn
|
|
133
|
+
}
|
|
134
|
+
}
|
|
135
|
+
```
|
|
136
|
+
|
|
137
|
+
### Example 2: CloudFront Certificate (US East Region)
|
|
138
|
+
|
|
139
|
+
```hcl
|
|
140
|
+
provider "aws" {
|
|
141
|
+
alias = "us-east-1"
|
|
142
|
+
region = "us-east-1"
|
|
143
|
+
}
|
|
144
|
+
|
|
145
|
+
module "acm_cloudfront" {
|
|
146
|
+
source = "terraform-aws-modules/acm/aws"
|
|
147
|
+
version = "~> 6.0"
|
|
148
|
+
|
|
149
|
+
providers = {
|
|
150
|
+
aws = aws.us-east-1
|
|
151
|
+
}
|
|
152
|
+
|
|
153
|
+
domain_name = "cdn.example.com"
|
|
154
|
+
zone_id = "Z2ES7B9AZ6SHAE"
|
|
155
|
+
|
|
156
|
+
subject_alternative_names = ["*.cdn.example.com"]
|
|
157
|
+
validation_method = "DNS"
|
|
158
|
+
|
|
159
|
+
tags = {
|
|
160
|
+
Name = "CloudFront Certificate"
|
|
161
|
+
Service = "CDN"
|
|
162
|
+
}
|
|
163
|
+
}
|
|
164
|
+
|
|
165
|
+
resource "aws_cloudfront_distribution" "main" {
|
|
166
|
+
# ... other configuration ...
|
|
167
|
+
|
|
168
|
+
viewer_certificate {
|
|
169
|
+
acm_certificate_arn = module.acm_cloudfront.acm_certificate_arn
|
|
170
|
+
ssl_support_method = "sni-only"
|
|
171
|
+
minimum_protocol_version = "TLSv1.2_2021"
|
|
172
|
+
}
|
|
173
|
+
}
|
|
174
|
+
```
|
|
175
|
+
|
|
176
|
+
### Example 3: External DNS (Cloudflare, etc.)
|
|
177
|
+
|
|
178
|
+
```hcl
|
|
179
|
+
module "acm" {
|
|
180
|
+
source = "terraform-aws-modules/acm/aws"
|
|
181
|
+
version = "~> 6.0"
|
|
182
|
+
|
|
183
|
+
domain_name = "example.com"
|
|
184
|
+
subject_alternative_names = ["*.example.com"]
|
|
185
|
+
|
|
186
|
+
validation_method = "DNS"
|
|
187
|
+
create_route53_records = false
|
|
188
|
+
wait_for_validation = false
|
|
189
|
+
|
|
190
|
+
tags = {
|
|
191
|
+
Name = "External DNS Certificate"
|
|
192
|
+
}
|
|
193
|
+
}
|
|
194
|
+
|
|
195
|
+
# Output validation records to create in external DNS
|
|
196
|
+
output "validation_records" {
|
|
197
|
+
description = "DNS records to create for certificate validation"
|
|
198
|
+
value = module.acm.acm_certificate_domain_validation_options
|
|
199
|
+
}
|
|
200
|
+
```
|
|
201
|
+
|
|
202
|
+
### Example 4: Cross-Account (Separate ACM and Route53 Providers)
|
|
203
|
+
|
|
204
|
+
```hcl
|
|
205
|
+
provider "aws" {
|
|
206
|
+
alias = "acm"
|
|
207
|
+
# ACM account credentials
|
|
208
|
+
}
|
|
209
|
+
|
|
210
|
+
provider "aws" {
|
|
211
|
+
alias = "route53"
|
|
212
|
+
# Route53 account credentials
|
|
213
|
+
}
|
|
214
|
+
|
|
215
|
+
# Issue the certificate in the ACM account; do not create Route53 records here
|
|
216
|
+
module "acm" {
|
|
217
|
+
source = "terraform-aws-modules/acm/aws"
|
|
218
|
+
version = "~> 6.0"
|
|
219
|
+
|
|
220
|
+
providers = {
|
|
221
|
+
aws = aws.acm
|
|
222
|
+
}
|
|
223
|
+
|
|
224
|
+
domain_name = "example.com"
|
|
225
|
+
subject_alternative_names = [
|
|
226
|
+
"*.example.com",
|
|
227
|
+
]
|
|
228
|
+
|
|
229
|
+
validation_method = "DNS"
|
|
230
|
+
|
|
231
|
+
create_route53_records = false
|
|
232
|
+
validation_record_fqdns = module.route53_records.validation_route53_record_fqdns
|
|
233
|
+
}
|
|
234
|
+
|
|
235
|
+
# Create only the validation records, in the Route53 account
|
|
236
|
+
module "route53_records" {
|
|
237
|
+
source = "terraform-aws-modules/acm/aws"
|
|
238
|
+
version = "~> 6.0"
|
|
239
|
+
|
|
240
|
+
providers = {
|
|
241
|
+
aws = aws.route53
|
|
242
|
+
}
|
|
243
|
+
|
|
244
|
+
create_certificate = false
|
|
245
|
+
create_route53_records_only = true
|
|
246
|
+
|
|
247
|
+
validation_method = "DNS"
|
|
248
|
+
|
|
249
|
+
zone_id = "Z2ES7B9AZ6SHAE"
|
|
250
|
+
distinct_domain_names = module.acm.distinct_domain_names
|
|
251
|
+
|
|
252
|
+
acm_certificate_domain_validation_options = module.acm.acm_certificate_domain_validation_options
|
|
253
|
+
}
|
|
254
|
+
```
|
|
255
|
+
|
|
256
|
+
## Best Practices
|
|
257
|
+
|
|
258
|
+
### Certificate Design
|
|
259
|
+
|
|
260
|
+
1. **Use DNS Validation**: Prefer DNS validation for automated certificate lifecycle and renewal
|
|
261
|
+
2. **Plan SANs Upfront**: Include all required domains when creating the certificate; they cannot be added after creation without replacing the certificate
|
|
262
|
+
3. **CloudFront Region**: Always create CloudFront certificates in the US East (N. Virginia) region (via provider alias or `region` argument)
|
|
263
|
+
4. **Wildcard Strategy**: Use wildcard certificates for subdomains to reduce certificate count
|
|
264
|
+
5. **Private CA for Internal Services**: Use `private_authority_arn` with AWS Private CA for internal/service-mesh TLS instead of public certificates
|
|
265
|
+
|
|
266
|
+
### Security
|
|
267
|
+
|
|
268
|
+
1. **Certificate Transparency**: Keep `certificate_transparency_logging_preference = true` for public trust requirements
|
|
269
|
+
2. **Modern TLS Policies**: Use TLS 1.2+ policies on load balancers (e.g., `ELBSecurityPolicy-TLS13-1-2-2021-06`)
|
|
270
|
+
3. **Avoid Certificate Pinning**: Don't pin ACM certificates due to automatic renewal; pin to Amazon root CAs if needed
|
|
271
|
+
4. **Restrict Exportability**: Leave `export = null` (disabled) unless the certificate/key genuinely needs to leave ACM; exportable certificates cost more and widen the exposure surface
|
|
272
|
+
5. **CloudTrail Monitoring**: Enable CloudTrail to audit certificate lifecycle events
|
|
273
|
+
|
|
274
|
+
### Operations
|
|
275
|
+
|
|
276
|
+
1. **Keep Validation Records**: Maintain DNS validation records permanently — ACM re-validates them for automatic renewal
|
|
277
|
+
2. **Wait for Validation**: Use `wait_for_validation = true` in production to ensure certificates are valid before dependent resources are created
|
|
278
|
+
3. **CI/CD Pipelines**: Set `wait_for_validation = false` to avoid blocking pipelines on the default 45-minute AWS validation timeout
|
|
279
|
+
4. **Validation Timeout**: Set `validation_timeout` explicitly if DNS propagation is slow or the default 45-minute wait is too short/long for your workflow
|
|
280
|
+
5. **Infrastructure as Code**: Manage certificates through Terraform for reproducibility and audit trails
|
|
281
|
+
|
|
282
|
+
### Cost
|
|
283
|
+
|
|
284
|
+
1. **Free Certificates**: ACM public certificates are free; you pay only for the resources that use them
|
|
285
|
+
2. **Use SNI**: Always use SNI for CloudFront to avoid dedicated IP charges ($600/month)
|
|
286
|
+
3. **Consolidate with Wildcards**: Use wildcard certificates to cover multiple subdomains efficiently
|
|
287
|
+
4. **Exportable Certificates Cost Extra**: Avoid `export = "ENABLED"` unless required — it incurs additional AWS charges
|
|
288
|
+
|
|
289
|
+
## Additional Resources
|
|
290
|
+
|
|
291
|
+
- **Module Repository**: https://github.com/terraform-aws-modules/terraform-aws-acm
|
|
292
|
+
- **Terraform Registry**: https://registry.terraform.io/modules/terraform-aws-modules/acm/aws/latest
|
|
293
|
+
- **Module Examples**: https://github.com/terraform-aws-modules/terraform-aws-acm/tree/master/examples
|
|
294
|
+
- **AWS ACM Documentation**: https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html
|
|
295
|
+
- **ACM Best Practices**: https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html
|
|
296
|
+
- **DNS Validation**: https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html
|
|
297
|
+
- **CloudFront and ACM**: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html
|
|
298
|
+
- **AWS Private CA**: https://docs.aws.amazon.com/privateca/latest/userguide/PcaWelcome.html
|
|
299
|
+
|
|
300
|
+
## Notes for AI Agents
|
|
301
|
+
|
|
302
|
+
When using this module in automated workflows:
|
|
303
|
+
|
|
304
|
+
1. **DNS Validation Preferred**: Always use DNS validation with Route53 for fully automated certificate management
|
|
305
|
+
2. **Wait for Validation**: Set `wait_for_validation = true` to ensure certificates are valid before dependent resources; set it `false` in CI/CD to avoid the 45-minute default timeout blocking pipelines
|
|
306
|
+
3. **CloudFront Region**: Use a US East (N. Virginia) provider alias or the `region` argument for CloudFront certificates
|
|
307
|
+
4. **Keep Validation Records**: DNS validation records must remain in place for automatic renewal to work
|
|
308
|
+
5. **Plan SANs**: Include all domains upfront; certificates cannot be modified in place after creation
|
|
309
|
+
6. **External DNS**: Set `create_route53_records = false` and supply `validation_record_fqdns` for external DNS providers (e.g. Cloudflare)
|
|
310
|
+
7. **Certificate ARN**: Always surface `acm_certificate_arn` as a module output for use in ALB, CloudFront, and API Gateway resources
|
|
311
|
+
8. **Cross-Account**: Use two module instances — one with `create_route53_records = false` (issues the certificate) and one with `create_route53_records_only = true` (creates only the validation records) — each under a distinct provider alias, rather than hand-writing `aws_route53_record` resources
|
|
312
|
+
9. **Exportable Certificates**: Only set `export = "ENABLED"` when the certificate/key must leave ACM; it adds cost and security exposure
|