diff --git a/README.md b/README.md
index 951eaaa..902d69d 100644
--- a/README.md
+++ b/README.md
@@ -406,6 +406,7 @@ The Lambda function uses the following environment variables (automatically conf
| `ACME_PERSIST_ACCOUNT_KEY` | Whether to persist ACME account key | `true` |
| `RSA_KEY_SIZE` | RSA key size for certificates | `2048` |
| `DNS_PROPAGATION_WAIT_SECONDS` | Additional DNS propagation wait time | `30` |
+| `DNS_TXT_TTL` | TTL for DNS TXT records in ACME challenges | `60` |
## Testing
@@ -461,5 +462,4 @@ uv sync --all-packages
Then create corresponding Terraform resources in `terraform/` for the new Lambda function.
## TODO
-- Add a feature that enables the storage of certificate-generating data in AWS ACM
- Add support for multiple Hosted Zones
diff --git a/lambdas/certbot/lambda_function.py b/lambdas/certbot/lambda_function.py
index 57d602b..74fab5e 100644
--- a/lambdas/certbot/lambda_function.py
+++ b/lambdas/certbot/lambda_function.py
@@ -113,6 +113,7 @@ def wrapper(*args: Any, **kwargs: Any) -> Any:
REQUIRED_CERT_KEYS = {"private_key", "certificate", "expiry", "domains"}
RSA_KEY_SIZE = int(os.environ.get("RSA_KEY_SIZE", "2048"))
DNS_PROPAGATION_WAIT_SECONDS = int(os.environ.get("DNS_PROPAGATION_WAIT_SECONDS", "30"))
+DNS_TXT_TTL = int(os.environ.get("DNS_TXT_TTL", "60"))
ACME_PERSIST_ACCOUNT_KEY = (
os.environ.get("ACME_PERSIST_ACCOUNT_KEY", "true").lower() == "true"
)
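Review bot: The added `DNS_TXT_TTL` line parses the environment value with `int()` but never range-checks it, so a negative or out-of-range value is accepted at import time and only fails later inside the Route 53 change call, where the error is harder to attribute. Route 53 rejects TTLs outside 0–2147483647 as far as I recall, so a startup check such as `if not 0 <= DNS_TXT_TTL <= 2147483647: raise ValueError(f"DNS_TXT_TTL out of range: {DNS_TXT_TTL}")` would surface a bad deployment immediately, matching the existing fail-fast behaviour of the `int()` parse on a non-numeric string. It is also worth a one-line comment that this TTL is in seconds and that a large value lets resolvers cache a stale `_acme-challenge` TXT across renewals, which is why the old hard-coded 60 was deliberately short, e.g. `# Seconds; keep short so stale challenge records are not cached across renewals`.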
@@ -343,7 +344,7 @@ def _create_dns_record(self, domain: str, validation: str) -> str:
"ResourceRecordSet": {
"Name": record_name,
"Type": "TXT",
- "TTL": 60,
+ "TTL": DNS_TXT_TTL,
"ResourceRecords": [{"Value": f'"{validation}"'}],
},
}
@@ -385,7 +386,7 @@ def _cleanup_dns_record(self, domain: str, validation: str) -> None:
"ResourceRecordSet": {
"Name": record_name,
"Type": "TXT",
- "TTL": 60,
+ "TTL": DNS_TXT_TTL,
"ResourceRecords": [{"Value": f'"{validation}"'}],
},
}
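Review bot: In `_cleanup_dns_record` the change record now carries `DNS_TXT_TTL`, and if this batch is a `DELETE` (inferred from the method name; the action line is outside the hunk) Route 53 requires every field including TTL to match the existing record exactly, so a record created under a different TTL — e.g. one left behind by a previous deployment that used the hard-coded 60, or an operator changing the variable between a failed run and its retry — will fail cleanup with `InvalidChangeBatch` and leave the TXT record in place. The same value is used in `_create_dns_record` above, so a single invocation stays self-consistent; the risk is only across TTL changes. Consider reading the current record set (for example via `list_resource_record_sets` filtered on `record_name`) and deleting with its actual TTL, or at least documenting in the method docstring that cleanup assumes the record was created with the current `DNS_TXT_TTL`. Both `_create_dns_record` and `_cleanup_dns_record` start and end outside their hunks, so I cannot see how a failed change is handled.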
diff --git a/terraform/README.md b/terraform/README.md
index b23a15d..791070d 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -51,6 +51,7 @@ No modules.
| [acme\_persist\_account\_key](#input\_acme\_persist\_account\_key) | Persist ACME account key in Secrets Manager (recommended for production to avoid rate limits) | `bool` | `true` | no |
| [acme\_use\_staging](#input\_acme\_use\_staging) | Use Let's Encrypt staging environment (for testing) | `bool` | `false` | no |
| [additional\_tags](#input\_additional\_tags) | Additional tags to set for all resources | `map(string)` | `{}` | no |
+| [dns\_txt\_ttl](#input\_dns\_txt\_ttl) | TTL for DNS TXT records used in ACME challenges (seconds) | `number` | `60` | no |
| [domains](#input\_domains) | List of domains to obtain certificates for | `list(string)` | n/a | yes |
| [eb\_bus\_name](#input\_eb\_bus\_name) | EventBridge bus name for publishing certificate events (empty to disable) | `string` | `""` | no |
| [enable\_notifications](#input\_enable\_notifications) | Enable SNS notifications for certificate events | `bool` | `false` | no |
diff --git a/terraform/lambda.tf b/terraform/lambda.tf
index bc7f915..7392916 100644
--- a/terraform/lambda.tf
+++ b/terraform/lambda.tf
@@ -101,6 +101,7 @@ resource "aws_lambda_function" "this" {
EB_BUS_NAME = var.eb_bus_name
POWERTOOLS_SERVICE_NAME = var.project_name
ACME_PERSIST_ACCOUNT_KEY = tostring(var.acme_persist_account_key)
+ DNS_TXT_TTL = tostring(var.dns_txt_ttl)
}
}
diff --git a/terraform/variables.tf b/terraform/variables.tf
index b48a8c4..345f572 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -101,3 +101,9 @@ variable "acme_persist_account_key" {
type = bool
default = true
}
+
+variable "dns_txt_ttl" {
+ description = "TTL for DNS TXT records used in ACME challenges (seconds)"
+ type = number
+ default = 60
+}
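Review bot: The new `dns_txt_ttl` variable has no `validation` block, so a negative or fractional value passes `terraform plan` and is only rejected when the Lambda sends it to Route 53 (or, for a fractional value, when `int()` fails at import time in the function). A validation block rejecting non-integer or negative values keeps the failure at plan time where it is cheap to fix. The Route 53 upper bound of 2147483647 could be added to the condition as well if you want to be strict.
```hcl
variable "dns_txt_ttl" {
  # … unchanged: description, type, default …

  validation {
    condition     = var.dns_txt_ttl >= 0 && floor(var.dns_txt_ttl) == var.dns_txt_ttl
    error_message = "dns_txt_ttl must be a non-negative whole number of seconds."
  }
}
```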