feat: added dns txt ttl

README.md

@@ -406,6 +406,7 @@ The Lambda function uses the following environment variables (automatically conf
 | `ACME_PERSIST_ACCOUNT_KEY` | Whether to persist ACME account key | `true` |
 | `RSA_KEY_SIZE` | RSA key size for certificates | `2048` |
 | `DNS_PROPAGATION_WAIT_SECONDS` | Additional DNS propagation wait time | `30` |
+| `DNS_TXT_TTL` | TTL for DNS TXT records in ACME challenges | `60` |
 
 ## Testing
 
@@ -461,5 +462,4 @@ uv sync --all-packages
 Then create corresponding Terraform resources in `terraform/` for the new Lambda function.
 
 ## TODO
-- Add a feature that enables the storage of certificate-generating data in AWS ACM
 - Add support for multiple Hosted Zones

lambdas/certbot/lambda_function.py

@@ -113,6 +113,7 @@ def wrapper(*args: Any, **kwargs: Any) -> Any:
 REQUIRED_CERT_KEYS = {"private_key", "certificate", "expiry", "domains"}
 RSA_KEY_SIZE = int(os.environ.get("RSA_KEY_SIZE", "2048"))
 DNS_PROPAGATION_WAIT_SECONDS = int(os.environ.get("DNS_PROPAGATION_WAIT_SECONDS", "30"))
+DNS_TXT_TTL = int(os.environ.get("DNS_TXT_TTL", "60"))
 ACME_PERSIST_ACCOUNT_KEY = (
     os.environ.get("ACME_PERSIST_ACCOUNT_KEY", "true").lower() == "true"
 )
@@ -343,7 +344,7 @@ def _create_dns_record(self, domain: str, validation: str) -> str:
                     "ResourceRecordSet": {
                         "Name": record_name,
                         "Type": "TXT",
-                        "TTL": 60,
+                        "TTL": DNS_TXT_TTL,
                         "ResourceRecords": [{"Value": f'"{validation}"'}],
                     },
                 }
@@ -385,7 +386,7 @@ def _cleanup_dns_record(self, domain: str, validation: str) -> None:
                         "ResourceRecordSet": {
                             "Name": record_name,
                             "Type": "TXT",
-                            "TTL": 60,
+                            "TTL": DNS_TXT_TTL,
                             "ResourceRecords": [{"Value": f'"{validation}"'}],
                         },
                     }

terraform/README.md

@@ -51,6 +51,7 @@ No modules.
 | <a name="input_acme_persist_account_key"></a> [acme\_persist\_account\_key](#input\_acme\_persist\_account\_key) | Persist ACME account key in Secrets Manager (recommended for production to avoid rate limits) | `bool` | `true` | no |
 | <a name="input_acme_use_staging"></a> [acme\_use\_staging](#input\_acme\_use\_staging) | Use Let's Encrypt staging environment (for testing) | `bool` | `false` | no |
 | <a name="input_additional_tags"></a> [additional\_tags](#input\_additional\_tags) | Additional tags to set for all resources | `map(string)` | `{}` | no |
+| <a name="input_dns_txt_ttl"></a> [dns\_txt\_ttl](#input\_dns\_txt\_ttl) | TTL for DNS TXT records used in ACME challenges (seconds) | `number` | `60` | no |
 | <a name="input_domains"></a> [domains](#input\_domains) | List of domains to obtain certificates for | `list(string)` | n/a | yes |
 | <a name="input_eb_bus_name"></a> [eb\_bus\_name](#input\_eb\_bus\_name) | EventBridge bus name for publishing certificate events (empty to disable) | `string` | `""` | no |
 | <a name="input_enable_notifications"></a> [enable\_notifications](#input\_enable\_notifications) | Enable SNS notifications for certificate events | `bool` | `false` | no |

terraform/lambda.tf

@@ -101,6 +101,7 @@ resource "aws_lambda_function" "this" {
       EB_BUS_NAME                = var.eb_bus_name
       POWERTOOLS_SERVICE_NAME    = var.project_name
       ACME_PERSIST_ACCOUNT_KEY   = tostring(var.acme_persist_account_key)
+      DNS_TXT_TTL                = tostring(var.dns_txt_ttl)
     }
   }
 

terraform/variables.tf

@@ -101,3 +101,9 @@ variable "acme_persist_account_key" {
   type        = bool
   default     = true
 }
+
+variable "dns_txt_ttl" {
+  description = "TTL for DNS TXT records used in ACME challenges (seconds)"
+  type        = number
+  default     = 60
+}