From 988d1edea208604dfe1e831810ac723166054167 Mon Sep 17 00:00:00 2001
From: Arzianghanchi
Date: Wed, 4 Jun 2025 17:54:02 +0000
Subject: [PATCH 1/2] feat:add new variables to acm module

---
 examples/generate-certificate-dns/example.tf | 15 +++++++++------
 examples/generate-certificate-dns/outputs.tf |  5 ++++-
 main.tf                                      | 15 ++++++++++++---
 outputs.tf                                   |  6 +++++-
 variables.tf                                 | 11 +++++++++++
 5 files changed, 41 insertions(+), 11 deletions(-)

diff --git a/examples/generate-certificate-dns/example.tf b/examples/generate-certificate-dns/example.tf
index 6f8594e..e2e9971 100644
--- a/examples/generate-certificate-dns/example.tf
+++ b/examples/generate-certificate-dns/example.tf
@@ -3,7 +3,7 @@ provider "aws" {
 }
 
 locals {
-  domain = "clouddrove.com"
+  domain = "ld.clouddrove.ca"
 }
 
 ##-----------------------------------------------------------------------------
@@ -12,8 +12,11 @@ locals {
 module "acm" {
   source = "./../../"
 
-  name = "certificate"
-  environment = "test"
-  domain_name = "clouddrove.com"
-  subject_alternative_names = ["www.${local.domain}", "*.${local.domain}"]
-}
+  name = "certificate"
+  environment = "test"
+  enable_dns_validation = true
+  domain_name = "ld.clouddrove.ca"
+  subject_alternative_names = ["www.${local.domain}", "*.${local.domain}"]
+  key_algorithm = "RSA_2048"
+  transparency_logging_enabled = false
+}
\ No newline at end of file
diff --git a/examples/generate-certificate-dns/outputs.tf b/examples/generate-certificate-dns/outputs.tf
index 8e84cca..57424e9 100644
--- a/examples/generate-certificate-dns/outputs.tf
+++ b/examples/generate-certificate-dns/outputs.tf
@@ -23,4 +23,7 @@ output "validation_route53_record_fqdns" {
   description = "List of FQDNs built using the zone domain and name."
 }
 
-
+output "certificate_transparency_logging_preference" {
+  value       = module.acm
+  description = "Certificate transparency logging preference."
+}
diff --git a/main.tf b/main.tf
index 97a5425..2550650 100644
--- a/main.tf
+++ b/main.tf
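Review bot: The example sets `transparency_logging_enabled = false`, so anyone who copies it requests a certificate that is never submitted to Certificate Transparency logs; for a publicly trusted ACM certificate that removes the public record defenders use to detect mis-issuance, and ACM's own documentation warns that browsers may refuse to trust a certificate without CT logging. Unless the example exists to show the opt-out, write `transparency_logging_enabled = true` or leave the argument out. As a point of style, `domain_name = "ld.clouddrove.ca"` repeats the literal held in `local.domain` one block up (patch 2/2 has to change both again); `domain_name = local.domain` keeps them together. The rewrite also drops the file's trailing newline (`\ No newline at end of file`).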
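Review bot: `value = module.acm` in the new `certificate_transparency_logging_preference` output returns the entire module object, not the logging preference, so the example output is misnamed and dumps every attribute the module exposes. The root outputs.tf in this same patch declares an output of that name, so this line should read `value = module.acm.certificate_transparency_logging_preference`.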
@@ -45,6 +45,7 @@ resource "aws_acm_certificate" "cert" {
   domain_name               = var.domain_name
   validation_method         = var.validation_method
   subject_alternative_names = var.subject_alternative_names
+  key_algorithm             = var.key_algorithm
   tags                      = module.labels.tags
 
   dynamic "validation_option" {
@@ -56,6 +57,14 @@ resource "aws_acm_certificate" "cert" {
     }
   }
 
+  dynamic "options" {
+    for_each = var.transparency_logging_enabled != null ? [1] : []
+    content {
+      certificate_transparency_logging_preference = var.transparency_logging_enabled ? "ENABLED" : "DISABLED"
+    }
+  }
+
+
   lifecycle {
     create_before_destroy = true
   }
@@ -65,7 +74,7 @@ resource "aws_acm_certificate" "cert" {
 ## Most commonly, this resource is used together with aws_route53_record and aws_acm_certificate to request a DNS validated certificate, deploy the required validation records and wait for validation to complete.
 ##----------------------------------------------------------------------------------
 resource "aws_acm_certificate_validation" "cert" {
-  count                   = var.enable && var.validate_certificate ? 1 : 0
+  count                   = var.enable && var.enable_dns_validation && var.validate_certificate ? 1 : 0
   certificate_arn         = join("", aws_acm_certificate.cert[*].arn)
   validation_record_fqdns = flatten([aws_route53_record.default[*].fqdn, var.validation_record_fqdns])
 
@@ -84,13 +93,13 @@ data "aws_route53_zone" "default" {
 ## A Route 53 record contains authoritative DNS information for a specified DNS name. DNS records are most commonly used to map a name to an IP Address..
 ##----------------------------------------------------------------------------------
 resource "aws_route53_record" "default" {
-  for_each = {
+  for_each = var.enable_dns_validation ? {
     for record in aws_acm_certificate.cert[0].domain_validation_options[*] :
     record.domain_name => {
       name   = record.resource_record_name
       record = record.resource_record_value
       type   = record.resource_record_type
     }
-  }
+  } : {}
   allow_overwrite = var.allow_overwrite
   name            = each.value.name
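Review bot: The `options` block is emitted whenever `var.transparency_logging_enabled != null`, but this patch declares that variable in variables.tf as `type = bool` with `default = false`, so the guard is always true and every certificate the module creates is now requested with `certificate_transparency_logging_preference = "DISABLED"` unless the caller opts in; the old side of this resource has no `options` block, so existing users relied on ACM's default of logging enabled and will lose CT logging on their next apply, while the variable's description still says "Defaults to true". The null check only makes sense if the default is `null`: change variables.tf to `default = null` (or `default = true`) and align the description, so the block is only emitted when a caller explicitly chooses. The two empty `+` lines before `lifecycle` leave a double blank line; one is enough. The resource continues outside this hunk.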
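Review bot: Adding `var.enable_dns_validation` to the count removes `aws_acm_certificate_validation` whenever this module does not manage the DNS records, yet the resource still accepts externally created records through `var.validation_record_fqdns` on the line below and is also what waits for issuance under a non-DNS `var.validation_method`; if either use case is meant to keep working, leave the count as `var.enable && var.validate_certificate ? 1 : 0` and gate only the Route 53 records on `enable_dns_validation`. This patch also does not declare `enable_dns_validation` in variables.tf (that hunk adds only `key_algorithm` and `transparency_logging_enabled`), so unless it already exists there, plan fails on an undeclared variable. The resource body continues past the hunk.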
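Review bot: The new guard `var.enable_dns_validation ? { … } : {}` is narrower than the count the previous hunk sets on `aws_acm_certificate_validation`, which also requires `var.enable`; if `var.enable` is false the certificate presumably is not created (the splat `aws_acm_certificate.cert[*]` elsewhere suggests it is counted on that flag) and `aws_acm_certificate.cert[0]` here fails with an invalid index instead of yielding an empty map. `for_each = var.enable && var.enable_dns_validation ? {` keeps the two resources consistent. The resource body continues past the hunk.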
diff --git a/outputs.tf b/outputs.tf
index 946b44a..2b14fe5 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -26,8 +26,12 @@ output "acm_certificate_status" {
   description = "Status of the certificate."
 }
 
-
 output "validation_route53_record_fqdns" {
   value       = [for record in aws_route53_record.default : record.fqdn]
   description = "List of FQDNs built using the zone domain and name."
+}
+
+output "certificate_transparency_logging_preference" {
+  value       = try(aws_acm_certificate.cert[0].options[0].certificate_transparency_logging_preference, null)
+  description = "Certificate transparency logging preference."
 }
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 42820d1..2cf8132 100644
--- a/variables.tf
+++ b/variables.tf
@@ -128,4 +128,15 @@ variable "private_zone" {
   description = "Used with name field to get a private Hosted Zone."
 }
 
 
+variable "key_algorithm" {
+  type        = string
+  default     = null
+  description = "used to generate the public/private key pair for the certificate. Valid values: RSA_2048, RSA_4096, EC_prime256v1, EC_secp384r1, EC_secp521r1."
+}
+
+variable "transparency_logging_enabled" {
+  type        = bool
+  default     = false
+  description = "Whether to enable certificate transparency logging. Defaults to true. Set to false to disable."
+}

From ccb968c66a9e2c2b0155336cdd430fb36b76e8de Mon Sep 17 00:00:00 2001
From: Arzianghanchi
Date: Wed, 4 Jun 2025 18:06:40 +0000
Subject: [PATCH 2/2] Restore changes domain name

---
 examples/generate-certificate-dns/example.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/examples/generate-certificate-dns/example.tf b/examples/generate-certificate-dns/example.tf
index e2e9971..8eb83e0 100644
--- a/examples/generate-certificate-dns/example.tf
+++ b/examples/generate-certificate-dns/example.tf
@@ -3,7 +3,7 @@ provider "aws" {
 }
 
 locals {
-  domain = "ld.clouddrove.ca"
+  domain = "clouddrove.com"
 }
 
 ##-----------------------------------------------------------------------------
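Review bot: `key_algorithm` lists its valid values only in the description, so a typo such as `RSA_2046` is not caught until the AWS API rejects the request at apply time; a `validation` block makes the constraint checkable at plan time while still allowing the `null` default. The description fragment `"used to generate..."` should also start with a capital letter and name its subject, e.g. `"Algorithm used to generate the public/private key pair for the certificate. Valid values: …"`. The conditional form below is used rather than `||` so the `contains` call is only evaluated when a value was supplied.
```hcl
variable "key_algorithm" {
  type        = string
  default     = null
  description = "Algorithm used to generate the public/private key pair for the certificate. Valid values: RSA_2048, RSA_4096, EC_prime256v1, EC_secp384r1, EC_secp521r1."

  validation {
    condition     = var.key_algorithm == null ? true : contains(["RSA_2048", "RSA_4096", "EC_prime256v1", "EC_secp384r1", "EC_secp521r1"], var.key_algorithm)
    error_message = "key_algorithm must be null or one of RSA_2048, RSA_4096, EC_prime256v1, EC_secp384r1, EC_secp521r1."
  }
}
# … unchanged: transparency_logging_enabled variable …
```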
@@ -15,7 +15,7 @@ module "acm" {
   name = "certificate"
   environment = "test"
   enable_dns_validation = true
-  domain_name = "ld.clouddrove.ca"
+  domain_name = "clouddrove.com"
   subject_alternative_names = ["www.${local.domain}", "*.${local.domain}"]
   key_algorithm = "RSA_2048"
   transparency_logging_enabled = false