From 809503f6d8df4ff91dfe8abc0329f408a3547f60 Mon Sep 17 00:00:00 2001
From: luk-kop
Date: Mon, 19 Jan 2026 00:34:20 +0100
Subject: [PATCH 1/2] feature: added DNS_TXT_TTL var

---
 terraform/README.md | 1 +
 terraform/lambda.tf | 1 +
 terraform/variables.tf | 6 ++++++
 3 files changed, 8 insertions(+)

diff --git a/terraform/README.md b/terraform/README.md
index b23a15d..791070d 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -51,6 +51,7 @@ No modules.
 | [acme\_persist\_account\_key](#input\_acme\_persist\_account\_key) | Persist ACME account key in Secrets Manager (recommended for production to avoid rate limits) | `bool` | `true` | no |
 | [acme\_use\_staging](#input\_acme\_use\_staging) | Use Let's Encrypt staging environment (for testing) | `bool` | `false` | no |
 | [additional\_tags](#input\_additional\_tags) | Additional tags to set for all resources | `map(string)` | `{}` | no |
+| [dns\_txt\_ttl](#input\_dns\_txt\_ttl) | TTL for DNS TXT records used in ACME challenges (seconds) | `number` | `60` | no |
 | [domains](#input\_domains) | List of domains to obtain certificates for | `list(string)` | n/a | yes |
 | [eb\_bus\_name](#input\_eb\_bus\_name) | EventBridge bus name for publishing certificate events (empty to disable) | `string` | `""` | no |
 | [enable\_notifications](#input\_enable\_notifications) | Enable SNS notifications for certificate events | `bool` | `false` | no |
diff --git a/terraform/lambda.tf b/terraform/lambda.tf
index bc7f915..7392916 100644
--- a/terraform/lambda.tf
+++ b/terraform/lambda.tf
@@ -101,6 +101,7 @@ resource "aws_lambda_function" "this" {
 EB_BUS_NAME = var.eb_bus_name
 POWERTOOLS_SERVICE_NAME = var.project_name
 ACME_PERSIST_ACCOUNT_KEY = tostring(var.acme_persist_account_key)
+ DNS_TXT_TTL = tostring(var.dns_txt_ttl)
 }
 }
 
diff --git a/terraform/variables.tf b/terraform/variables.tf
index b48a8c4..345f572 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -101,3 +101,9 @@ variable "acme_persist_account_key" {
 type = bool
 default = true
 }
+
+variable "dns_txt_ttl" {
+ description = "TTL for DNS TXT records used in ACME challenges (seconds)"
+ type = number
+ default = 60
+}

From 65b33e4c79c49ecf95fed51a25aaf772f46c5de4 Mon Sep 17 00:00:00 2001
From: luk-kop
Date: Mon, 19 Jan 2026 00:34:37 +0100
Subject: [PATCH 2/2] feature: added DNS_TXT_TTL var

---
 README.md | 2 +-
 lambdas/certbot/lambda_function.py | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 951eaaa..902d69d 100644
--- a/README.md
+++ b/README.md
@@ -406,6 +406,7 @@ The Lambda function uses the following environment variables (automatically conf
 | `ACME_PERSIST_ACCOUNT_KEY` | Whether to persist ACME account key | `true` |
 | `RSA_KEY_SIZE` | RSA key size for certificates | `2048` |
 | `DNS_PROPAGATION_WAIT_SECONDS` | Additional DNS propagation wait time | `30` |
+| `DNS_TXT_TTL` | TTL for DNS TXT records in ACME challenges | `60` |
 
 ## Testing
 
@@ -461,5 +462,4 @@ uv sync --all-packages
 Then create corresponding Terraform resources in `terraform/` for the new Lambda function.
 
 ## TODO
-- Add a feature that enables the storage of certificate-generating data in AWS ACM
 - Add support for multiple Hosted Zones
diff --git a/lambdas/certbot/lambda_function.py b/lambdas/certbot/lambda_function.py
index 57d602b..74fab5e 100644
--- a/lambdas/certbot/lambda_function.py
+++ b/lambdas/certbot/lambda_function.py
@@ -113,6 +113,7 @@ def wrapper(*args: Any, **kwargs: Any) -> Any:
 REQUIRED_CERT_KEYS = {"private_key", "certificate", "expiry", "domains"}
 RSA_KEY_SIZE = int(os.environ.get("RSA_KEY_SIZE", "2048"))
 DNS_PROPAGATION_WAIT_SECONDS = int(os.environ.get("DNS_PROPAGATION_WAIT_SECONDS", "30"))
+DNS_TXT_TTL = int(os.environ.get("DNS_TXT_TTL", "60"))
 ACME_PERSIST_ACCOUNT_KEY = (
 os.environ.get("ACME_PERSIST_ACCOUNT_KEY", "true").lower() == "true"
 )
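Review bot: The new `variable "dns_txt_ttl"` has no `validation` block, so a fractional or negative number passes `terraform plan` and only fails later: lambda.tf passes it through `tostring()`, which turns e.g. `60.5` into `"60.5"`, and the Lambda's `int(os.environ.get("DNS_TXT_TTL", "60"))` then raises ValueError at module import, i.e. every invocation fails at init. A negative value would instead be rejected by Route 53 on the first ChangeResourceRecordSets call, after the ACME order has already been started. Failing at plan time with a whole-number, non-negative check keeps both failure modes out of the runtime path; a validation block as below would do it.
```hcl
variable "dns_txt_ttl" {
  # … unchanged: description, type, default …
  validation {
    condition     = var.dns_txt_ttl >= 0 && floor(var.dns_txt_ttl) == var.dns_txt_ttl
    error_message = "dns_txt_ttl must be a non-negative whole number of seconds."
  }
}
```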
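Review bot: `DNS_TXT_TTL = int(os.environ.get("DNS_TXT_TTL", "60"))` parses the environment at import time with no range check, so a non-numeric or fractional value raises ValueError during Lambda init (before any handler runs) and a negative value is only caught later by Route 53, after the ACME order is in flight. A one-line guard next to it, `if DNS_TXT_TTL < 0: raise ValueError(f"DNS_TXT_TTL must be >= 0, got {DNS_TXT_TTL}")`, makes the failure explicit, and the same question applies to the neighbouring `RSA_KEY_SIZE` and `DNS_PROPAGATION_WAIT_SECONDS` lines if they are unguarded elsewhere. The constant also deserves a comment such as `# seconds; the same value must be used for the CREATE and the matching DELETE in Route 53`, since both record helpers now read it. The module-level statement run continues outside the hunk.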
@@ -343,7 +344,7 @@ def _create_dns_record(self, domain: str, validation: str) -> str:
 "ResourceRecordSet": {
 "Name": record_name,
 "Type": "TXT",
-"TTL": 60,
+"TTL": DNS_TXT_TTL,
 "ResourceRecords": [{"Value": f'"{validation}"'}],
 },
 }
@@ -385,7 +386,7 @@ def _cleanup_dns_record(self, domain: str, validation: str) -> None:
 "ResourceRecordSet": {
 "Name": record_name,
 "Type": "TXT",
-"TTL": 60,
+"TTL": DNS_TXT_TTL,
 "ResourceRecords": [{"Value": f'"{validation}"'}],
 },
 }
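Review bot: Route 53 requires a DELETE change to match the existing record set exactly, TTL included, so `"TTL": DNS_TXT_TTL` in `_cleanup_dns_record` (second hunk) only removes records that were created with the same value; a challenge TXT record left behind by a run from before this change (hard-coded 60) or by a deployment with a different `DNS_TXT_TTL` would, as far as I can tell, fail cleanup and stay published. Since the two hunks now depend on each other, a comment on the cleanup line, `# must equal the TTL used on CREATE; Route 53 rejects a DELETE that differs from the stored record set`, records the coupling, and a pre-delete lookup of the existing record's TTL would make cleanup robust to configuration drift. Both `_create_dns_record` and `_cleanup_dns_record` start and end outside the hunks.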