将别名 AWS Provider 传递给子模块 Terraform

Question

I am trying to pass two AWS Terraform providers to my child module. I want the default to stay unaliased, because I can't go through and add a provider to all of the terraform resources in the parent module.

Parent Module------------------------------------------ versions.tf

terraform {
  required_version = "~> 1.0"

  backend "remote" {
    hostname     = "app.terraform.io"
    organization = "some-org"

    workspaces {
      prefix = "some-state-file"
    }
  }

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
      configuration_aliases = [ aws.domain-management ]
    }
  }
}

provider "aws" {
  access_key = var.aws_access_key_id
  secret_key = var.aws_secret_access_key
  region     = var.aws_region

  default_tags {
    tags = {
      Application = var.application_name
      Environment = var.environment
    }
  }
}

provider "aws" {
  alias      = "domain-management"
  region     = var.domain_management_aws_region
  access_key = var.domain_management_aws_access_key_id
  secret_key = var.domain_management_aws_secret_access_key
}

module.tf (calling child module)

module "vanity-cert-test" {
  source = "some-source"

  fully_qualified_domain_name = "some-domain.com"
  alternative_names           = ["*.${var.dns_zone.name}"]
  application_name            = var.application_name
  environment                 = var.environment
  service_name                = var.service_name
  domain_managment_zone_name  = "some-domain02.com"

  providers = {
    aws.domain-management = aws.domain-management
  }
}

Child Module-------------------------------------------------------

versions.tf

terraform {
  required_version = "~> 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
      confiuration_aliases = [aws.domain-management]
    }
  }
}

provider "aws" {
  alias = domain-management
}

route53.tf

# Create validation Route53 records
resource "aws_route53_record" "vanity_route53_cert_validation" {
  # use domain management secondary aws provider
  provider = aws.domain-management

  for_each = {
    for dvo in aws_acm_certificate.vanity_certificate.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  zone_id         = data.aws_route53_zone.vanity_zone.zone_id
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  allow_overwrite = true
}

The use case for this is to have a vanity cert defined in a seperate account from where the DNS Validation for the certificate needs to go. Currently when running this, I get the following error: terraform plan -var-file=./application.tfvars

╷
│ Warning: Provider aws.domain-management is undefined
│ 
│   on services/self-service-ticket-portal-app/ssl-certificate.tf line 33, in module "vanity-cert-test":
│   33:     aws.domain-management = aws.domain-management
│ 
│ Module module.services.module.self-service-ticket-portal-app.module.vanity-cert-test does not declare a provider named aws.domain-management.
│ If you wish to specify a provider configuration for the module, add an entry for aws.domain-management in the required_providers block within the module.
╵
╷
│ Error: missing provider module.services.module.self-service-ticket-portal-app.provider["registry.terraform.io/hashicorp/aws"].domain-management

Answer 1

If your "Parent Module" is the root module, then you can't use configuration_aliases in it. configuration_aliases is only used in child modules :

To declare a configuration alias within a module in order to receive an alternate provider configuration from the parent module, add the configuration_aliases argument to that provider's required_providers entry.