feat: Support option of private hosted zone for Route53 records (#137)

mike-carey · bryantbiggs · web-flow · commit 52fa251a4af8 · 2025-11-29T08:43:51.000-06:00
Co-authored-by: Bryant Biggs &lt;bryantbiggs@gmail.com&gt;
diff --git a/README.md b/README.md
@@ -229,7 +229,7 @@ module "api_gateway" {
 | <a name="input_body"></a> [body](#input\_body) | An OpenAPI specification that defines the set of routes and integrations to create as part of the HTTP APIs. Supported only for HTTP APIs | `string` | `null` | no |
 | <a name="input_cors_configuration"></a> [cors\_configuration](#input\_cors\_configuration) | The cross-origin resource sharing (CORS) configuration. Applicable for HTTP APIs | <pre>object({<br/>    allow_credentials = optional(bool)<br/>    allow_headers     = optional(list(string))<br/>    allow_methods     = optional(list(string))<br/>    allow_origins     = optional(list(string))<br/>    expose_headers    = optional(list(string), [])<br/>    max_age           = optional(number)<br/>  })</pre> | `null` | no |
 | <a name="input_create"></a> [create](#input\_create) | Controls if resources should be created | `bool` | `true` | no |
-| <a name="input_create_certificate"></a> [create\_certificate](#input\_create\_certificate) | Whether to create a certificate for the domain | `bool` | `true` | no |
+| <a name="input_create_certificate"></a> [create\_certificate](#input\_create\_certificate) | Whether to create a certificate for the domain.  Since certificate validate only works on public domains, this will be ignore if `private_zone` is set to `true` | `bool` | `true` | no |
 | <a name="input_create_domain_name"></a> [create\_domain\_name](#input\_create\_domain\_name) | Whether to create API domain name resource | `bool` | `true` | no |
 | <a name="input_create_domain_records"></a> [create\_domain\_records](#input\_create\_domain\_records) | Whether to create Route53 records for the domain name | `bool` | `true` | no |
 | <a name="input_create_routes_and_integrations"></a> [create\_routes\_and\_integrations](#input\_create\_routes\_and\_integrations) | Whether to create routes and integrations resources | `bool` | `true` | no |
@@ -246,6 +246,7 @@ module "api_gateway" {
 | <a name="input_ip_address_type"></a> [ip\_address\_type](#input\_ip\_address\_type) | The IP address types that can invoke the API. Valid values: ipv4, dualstack. Use ipv4 to allow only IPv4 addresses to invoke your API, or use dualstack to allow both IPv4 and IPv6 addresses to invoke your API. Defaults to ipv4. | `string` | `null` | no |
 | <a name="input_mutual_tls_authentication"></a> [mutual\_tls\_authentication](#input\_mutual\_tls\_authentication) | The mutual TLS authentication configuration for the domain name | `map(string)` | `{}` | no |
 | <a name="input_name"></a> [name](#input\_name) | The name of the API. Must be less than or equal to 128 characters in length | `string` | `""` | no |
+| <a name="input_private_zone"></a> [private\_zone](#input\_private\_zone) | Indicates the hosted zone being looked up is private.  Certificate validation will fail if this is set to true. | `bool` | `false` | no |
 | <a name="input_protocol_type"></a> [protocol\_type](#input\_protocol\_type) | The API protocol. Valid values: `HTTP`, `WEBSOCKET` | `string` | `"HTTP"` | no |
 | <a name="input_route_key"></a> [route\_key](#input\_route\_key) | Part of quick create. Specifies any route key. Applicable for HTTP APIs | `string` | `null` | no |
 | <a name="input_route_selection_expression"></a> [route\_selection\_expression](#input\_route\_selection\_expression) | The route selection expression for the API. Defaults to `$request.method $request.path` | `string` | `null` | no |
diff --git a/main.tf b/main.tf
@@ -136,7 +136,8 @@ locals {
 data "aws_route53_zone" "this" {
   count = local.create_domain_name && var.create_domain_records ? 1 : 0
 
-  name = coalesce(var.hosted_zone_name, local.stripped_domain_name)
+  name         = coalesce(var.hosted_zone_name, local.stripped_domain_name)
+  private_zone = var.private_zone
 }
 
 resource "aws_route53_record" "this" {
@@ -158,7 +159,7 @@ resource "aws_route53_record" "this" {
 ################################################################################
 
 locals {
-  create_certificate = local.create_domain_name && var.create_certificate
+  create_certificate = local.create_domain_name && var.create_certificate && !var.private_zone
 
   is_wildcard = startswith(var.domain_name, "*.")
 }
diff --git a/variables.tf b/variables.tf
@@ -156,6 +156,12 @@ variable "hosted_zone_name" {
   default     = null
 }
 
+variable "private_zone" {
+  description = "Indicates the hosted zone being looked up is private.  Certificate validation will fail if this is set to true."
+  type        = bool
+  default     = false
+}
+
 variable "domain_name_certificate_arn" {
   description = "The ARN of an AWS-managed certificate that will be used by the endpoint for the domain name. AWS Certificate Manager is the only supported source"
   type        = string
@@ -201,7 +207,7 @@ variable "subdomain_record_types" {
 ################################################################################
 
 variable "create_certificate" {
-  description = "Whether to create a certificate for the domain"
+  description = "Whether to create a certificate for the domain.  Since certificate validate only works on public domains, this will be ignore if `private_zone` is set to `true`"
   type        = bool
   default     = true
 }
diff --git a/wrappers/main.tf b/wrappers/main.tf
@@ -27,6 +27,7 @@ module "wrapper" {
   ip_address_type                                    = try(each.value.ip_address_type, var.defaults.ip_address_type, null)
   mutual_tls_authentication                          = try(each.value.mutual_tls_authentication, var.defaults.mutual_tls_authentication, {})
   name                                               = try(each.value.name, var.defaults.name, "")
+  private_zone                                       = try(each.value.private_zone, var.defaults.private_zone, false)
   protocol_type                                      = try(each.value.protocol_type, var.defaults.protocol_type, "HTTP")
   route_key                                          = try(each.value.route_key, var.defaults.route_key, null)
   route_selection_expression                         = try(each.value.route_selection_expression, var.defaults.route_selection_expression, null)

Original file line number	Diff line number	Diff line change
`@@ -136,7 +136,8 @@ locals {`
`136`	`136`	`data "aws_route53_zone" "this" {`
`137`	`137`	`count = local.create_domain_name && var.create_domain_records ? 1 : 0`
`138`	`138`
`139`		`- name = coalesce(var.hosted_zone_name, local.stripped_domain_name)`
	`139`	`+ name = coalesce(var.hosted_zone_name, local.stripped_domain_name)`
	`140`	`+ private_zone = var.private_zone`
`140`	`141`	`}`
`141`	`142`
`142`	`143`	`resource "aws_route53_record" "this" {`
`@@ -158,7 +159,7 @@ resource "aws_route53_record" "this" {`
`158`	`159`	`################################################################################`
`159`	`160`
`160`	`161`	`locals {`
`161`		`- create_certificate = local.create_domain_name && var.create_certificate`
	`162`	`+ create_certificate = local.create_domain_name && var.create_certificate && !var.private_zone`
`162`	`163`
`163`	`164`	`is_wildcard = startswith(var.domain_name, "*.")`
`164`	`165`	`}`