Terraform-provider-aws: importing existing acm certificate in terraform with NONE validation_method

Created on 25 May 2018 · 3 Comments · Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

  • Terraform v0.11.6
  • aws_1.20.0

Affected Resource(s)

  • aws_acm_certificate

Terraform Configuration Files

resource "aws_acm_certificate" "my_cert" {
  domain_name       = "*.some.domain"
  validation_method = "NONE"

  tags {
    Creator     = "Terraform"
    Name        = "my-cert"
    Environment = "${var.env}"
  }
}

Expected Behavior

Creates the acm certificate in Terraform based on existing ACM certificate using NONE as validation_method as specified in documentation https://www.terraform.io/docs/providers/aws/r/acm_certificate.html

  • validation_method - (Required) Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into Terraform.

Actual Behavior

Throws an error

  • aws_acm_certificate.my_cert: Error requesting certificate: ValidationException: 1 validation error detected: Value '' at 'validationMethod' failed to satisfy constraint: Member must satisfy enum value set: [DNS, EMAIL]

According to https://github.com/terraform-providers/terraform-provider-aws/blob/80e4ae53941c6fc87239f1d704e2dfe6a4dec3b6/aws/resource_aws_acm_certificate.go#L166 NONE is returned if neither DNS nor EMAIL is specified, but even if an empty string is set as the value for the validation_method argument, the same error as above occurs. Removing the argument is not possible as it is required.

Steps to Reproduce

  1. terraform apply

terraform plan shows nothing wrong, by the way.

All 3 comments

Hi @abrechon 👋 Sorry you're running into trouble here.

It looks like there might be some confusion about supporting existing certificates with the aws_acm_certificate resource.

Currently we only support the following scenarios with the aws_acm_certificate resource:

  • Fully creating an ACM certificate (no pre-existing private key+chain+certificate) with the Terraform resource, which requires either DNS or email verification.
  • Manually importing an existing certificate into ACM (via console, CLI, etc.), then manually importing the resource into Terraform (via terraform import). This is currently where we use the NONE verification method.

We currently do not support creating a certificate with a pre-existing private key+chain+certificate with the Terraform resource yet (e.g. implementing the ACM ImportCertificate API call), but there is already a separate feature request for that: #3560

If you believe the documentation can be clearer in this regard, please let us know. 👍 Otherwise, I'm going to close this issue as NONE is not a valid verification method when creating certificates and we have an earlier feature request issue for supporting creating certificates via ImportCertificate.
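
The second scenario in the comment above (import into ACM first, then into Terraform), sketched as an added example that is not part of the original thread or the provider's code. The function names and file paths are hypothetical, and it assumes the AWS CLI and Terraform are on PATH with credentials configured and that the resource block from the issue (with validation_method = "NONE") is already in the configuration.

```shell
#!/bin/sh
# Added example: import an existing certificate into ACM, then into Terraform.
# Function names and file paths are hypothetical; needs aws and terraform on PATH.

# Step 1: upload key + certificate (+ optional chain) to ACM, print the new ARN.
acm_import_existing() {
  cert=$1 key=$2 chain=${3:-}
  for f in "$cert" "$key" ${chain:+"$chain"}; do
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
  done
  # fileb:// makes the AWS CLI send the PEM file contents as a binary blob.
  set -- acm import-certificate \
    --certificate "fileb://$cert" --private-key "fileb://$key"
  if [ -n "$chain" ]; then
    set -- "$@" --certificate-chain "fileb://$chain"
  fi
  aws "$@" --query CertificateArn --output text
}

# Step 2: bind the ACM certificate to a resource address in Terraform state.
# The matching resource block must already exist in the configuration.
tf_adopt_certificate() {
  addr=$1 arn=$2
  case $arn in
    arn:aws*:acm:*:certificate/*) ;;  # any partition, any region
    *) echo "not an ACM certificate ARN: $arn" >&2; return 1 ;;
  esac
  terraform import "$addr" "$arn"
}

# Both steps; prints the ARN so it can be recorded or passed on.
import_existing_certificate() {
  addr=$1; shift
  arn=$(acm_import_existing "$@") || return 1
  tf_adopt_certificate "$addr" "$arn" >&2 || return 1
  echo "$arn"
}

# Usage: sh import-cert.sh aws_acm_certificate.my_cert cert.pem key.pem [chain.pem]
if [ "$#" -ge 3 ]; then
  import_existing_certificate "$@"
fi
```

The private key is read only by the AWS CLI in step 1; step 2 passes Terraform nothing but the resource address and the ARN.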

LGTM @bflad, I think yes, the documentation could be a little clearer to avoid misunderstanding.

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
