ACM Certificate (DNS-validated)

aws-acm

Public ACM TLS certificate, DNS-validated. Works with Terraform and OpenTofu (>= 1.6), AWS provider >= 6.0, < 7.0. The module requests the certificate and outputs the DNS records you publish to validate it — and from then on ACM auto-renews it forever with zero further action.

It deliberately does not create an aws_acm_certificate_validation resource. That resource blocks the apply until the validation records resolve in public DNS, coupling a fast, free certificate request to slow external DNS propagation (and failing the apply outright if you do not control the zone yet). Instead, take the domain_validation_options output, publish one CNAME per entry (e.g. with aws_route53_record), and let ACM validate asynchronously.

Secure defaults:

• Certificate Transparency logging ENABLED — required for the certificate to be trusted by modern browsers; only disable for private/internal names.
• DNS validation by default — the only method that supports unattended auto-renewal (EMAIL validation needs a human to click a link every renewal).
• RSA_2048 key for the broadest client compatibility (EC algorithms offered).
• Wildcard names (*.example.com) and SANs supported and validated.
• create_before_destroy so the replacement certificate exists before the old ARN is removed, never leaving a listener pointing at a deleted certificate.

Requirements

• Terraform or OpenTofu >= 1.6
• hashicorp/aws >= 6.0, < 7.0

Verification

Static-validated (fmt, validate, tflint). A live apply creates the certificate in PENDING_VALIDATION (no charge — public ACM certificates are free) and tears it down immediately; see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).