diff --git a/README.md b/README.md
index c31c912..eb9dfa2 100644
--- a/README.md
+++ b/README.md
@@ -229,7 +229,7 @@ module "api_gateway" {
 | [body](#input\_body) | An OpenAPI specification that defines the set of routes and integrations to create as part of the HTTP APIs. Supported only for HTTP APIs | `string` | `null` | no |
 | [cors\_configuration](#input\_cors\_configuration) | The cross-origin resource sharing (CORS) configuration. Applicable for HTTP APIs |
object({
allow_credentials = optional(bool)
allow_headers = optional(list(string))
allow_methods = optional(list(string))
allow_origins = optional(list(string))
expose_headers = optional(list(string), [])
max_age = optional(number)
})
| `null` | no |
 | [create](#input\_create) | Controls if resources should be created | `bool` | `true` | no |
-| [create\_certificate](#input\_create\_certificate) | Whether to create a certificate for the domain | `bool` | `true` | no |
+| [create\_certificate](#input\_create\_certificate) | Whether to create a certificate for the domain. Since certificate validate only works on public domains, this will be ignore if `private_zone` is set to `true` | `bool` | `true` | no |
 | [create\_domain\_name](#input\_create\_domain\_name) | Whether to create API domain name resource | `bool` | `true` | no |
 | [create\_domain\_records](#input\_create\_domain\_records) | Whether to create Route53 records for the domain name | `bool` | `true` | no |
 | [create\_routes\_and\_integrations](#input\_create\_routes\_and\_integrations) | Whether to create routes and integrations resources | `bool` | `true` | no |
@@ -246,6 +246,7 @@ module "api_gateway" {
 | [ip\_address\_type](#input\_ip\_address\_type) | The IP address types that can invoke the API. Valid values: ipv4, dualstack. Use ipv4 to allow only IPv4 addresses to invoke your API, or use dualstack to allow both IPv4 and IPv6 addresses to invoke your API. Defaults to ipv4. | `string` | `null` | no |
 | [mutual\_tls\_authentication](#input\_mutual\_tls\_authentication) | The mutual TLS authentication configuration for the domain name | `map(string)` | `{}` | no |
 | [name](#input\_name) | The name of the API. Must be less than or equal to 128 characters in length | `string` | `""` | no |
+| [private\_zone](#input\_private\_zone) | Indicates the hosted zone being looked up is private. Certificate validation will fail if this is set to true. | `bool` | `false` | no |
 | [protocol\_type](#input\_protocol\_type) | The API protocol. Valid values: `HTTP`, `WEBSOCKET` | `string` | `"HTTP"` | no |
 | [route\_key](#input\_route\_key) | Part of quick create. Specifies any route key. Applicable for HTTP APIs | `string` | `null` | no |
 | [route\_selection\_expression](#input\_route\_selection\_expression) | The route selection expression for the API. Defaults to `$request.method $request.path` | `string` | `null` | no |
diff --git a/main.tf b/main.tf
index 0e5c206..0b36225 100644
--- a/main.tf
+++ b/main.tf
@@ -136,7 +136,8 @@ locals {
 
 data "aws_route53_zone" "this" {
   count = local.create_domain_name && var.create_domain_records ? 1 : 0
-  name = coalesce(var.hosted_zone_name, local.stripped_domain_name)
+  name = coalesce(var.hosted_zone_name, local.stripped_domain_name)
+  private_zone = var.private_zone
 }
 
 resource "aws_route53_record" "this" {
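Review bot: Passing `private_zone = var.private_zone` into `data "aws_route53_zone" "this"` makes the lookup by name ambiguous in a common private-zone setup: a private hosted zone name is not unique (one zone per associated VPC can carry the same name), and as far as I recall the data source then errors out with a "multiple Route53 Zone found" message instead of choosing one. Consider also exposing the data source's `vpc_id` argument, or accepting the zone ID directly as an input, so that a private lookup is deterministic; at minimum the `hosted_zone_name` description should say it must resolve to a single private zone when `private_zone` is true. The data block is complete within this hunk.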
@@ -158,7 +159,7 @@ resource "aws_route53_record" "this" {
 ################################################################################
 
 locals {
-  create_certificate = local.create_domain_name && var.create_certificate
+  create_certificate = local.create_domain_name && var.create_certificate && !var.private_zone
   is_wildcard = startswith(var.domain_name, "*.")
 }
 
diff --git a/variables.tf b/variables.tf
index 3e2219d..8318104 100644
--- a/variables.tf
+++ b/variables.tf
@@ -156,6 +156,12 @@ variable "hosted_zone_name" {
   default = null
 }
 
+variable "private_zone" {
+  description = "Indicates the hosted zone being looked up is private. Certificate validation will fail if this is set to true."
+  type = bool
+  default = false
+}
+
 variable "domain_name_certificate_arn" {
   description = "The ARN of an AWS-managed certificate that will be used by the endpoint for the domain name. AWS Certificate Manager is the only supported source"
   type = string
@@ -201,7 +207,7 @@ variable "subdomain_record_types" {
 ################################################################################
 
 variable "create_certificate" {
-  description = "Whether to create a certificate for the domain"
+  description = "Whether to create a certificate for the domain. Since certificate validate only works on public domains, this will be ignore if `private_zone` is set to `true`"
   type = bool
   default = true
 }
diff --git a/wrappers/main.tf b/wrappers/main.tf
index 879333a..8deb054 100644
--- a/wrappers/main.tf
+++ b/wrappers/main.tf
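Review bot: The new `create_certificate = local.create_domain_name && var.create_certificate && !var.private_zone` silently drops the ACM certificate when the zone is private, but `local.create_domain_name` is left unchanged, so the API domain-name resource (outside this hunk) is presumably still created and, unless the caller supplies `var.domain_name_certificate_arn`, ends up with a null certificate ARN and fails at apply with an error that does not point back to `private_zone`. Make the combination explicit rather than implicit: add a precondition on the domain-name resource (or a `check` block) along the lines of `condition = !var.private_zone || var.domain_name_certificate_arn != null` with an error message stating that a private zone cannot DNS-validate a certificate, so a pre-provisioned certificate ARN is required. A short why-comment on the local would also help the next reader: `# DNS validation needs a public zone, so ACM is skipped for private zones and a certificate ARN must be passed in`. The `locals` block is complete within this hunk.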
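Review bot: The description of the new `private_zone` variable states "Certificate validation will fail if this is set to true", which contradicts what this same commit does in the `create_certificate` local (the certificate is skipped, not attempted and failed); the second variables.tf hunk and the two README rows repeat the inconsistency and also carry grammar slips ("certificate validate", "will be ignore"). Suggest `description = "Indicates the hosted zone being looked up is private. Certificate creation is skipped when true, because DNS validation requires a public zone; pass domain_name_certificate_arn instead."` for `private_zone`, and for `create_certificate`: `description = "Whether to create a certificate for the domain. Since certificate validation only works on public domains, this is ignored when private_zone is true"`. The README table mirrors these strings and should be regenerated from the corrected ones. Both variable blocks are complete within their hunks.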
@@ -27,6 +27,7 @@ module "wrapper" {
   ip_address_type = try(each.value.ip_address_type, var.defaults.ip_address_type, null)
   mutual_tls_authentication = try(each.value.mutual_tls_authentication, var.defaults.mutual_tls_authentication, {})
   name = try(each.value.name, var.defaults.name, "")
+  private_zone = try(each.value.private_zone, var.defaults.private_zone, false)
   protocol_type = try(each.value.protocol_type, var.defaults.protocol_type, "HTTP")
   route_key = try(each.value.route_key, var.defaults.route_key, null)
   route_selection_expression = try(each.value.route_selection_expression, var.defaults.route_selection_expression, null)