Terraform-provider-aws: aws_acm_certificate is recreating every time ...

Created on 21 Jun 2018  ·  6 Comments  ·  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.7

  • provider.aws v1.24.0

Affected Resource(s)

  • aws_acm_certificate

Terraform Configuration Files

resource "aws_acm_certificate" "swapr_acm_certificate" {
  # The wildcard name is both the common name and one of the SANs
  # (the asterisks were lost in the page rendering; see the plan output below).
  domain_name               = "*.${var.global_domain["domain_name"]}"
  subject_alternative_names = ["${var.global_domain["domain_name"]}", "*.${var.global_domain["domain_name"]}"]
  validation_method         = "DNS"
  count                     = "${var.acm_install ? 1 : 0 }"
  lifecycle {
    create_before_destroy = true
  }
}

data "aws_route53_zone" "zone" {
  provider     = "aws.devops-account"
  name         = "${var.global_domain["domain_name"]}"
  private_zone = false
  count        = "${var.acm_install ? 1 : 0 }"
}

resource "aws_route53_record" "swapr_route53_record_validation" {
  provider = "aws.devops-account"
  name     = "${aws_acm_certificate.swapr_acm_certificate.domain_validation_options.0.resource_record_name}"
  type     = "${aws_acm_certificate.swapr_acm_certificate.domain_validation_options.0.resource_record_type}"
  zone_id  = "${data.aws_route53_zone.zone.id}"
  records  = ["${aws_acm_certificate.swapr_acm_certificate.domain_validation_options.0.resource_record_value}"]
  ttl      = 60
  count    = "${var.acm_install ? 1 : 0 }"
  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_acm_certificate_validation" "swapr_acm_certificate_validation" {
  certificate_arn         = "${aws_acm_certificate.swapr_acm_certificate.arn}"
  validation_record_fqdns = ["${aws_route53_record.swapr_route53_record_validation.fqdn}"]
  count                   = "${var.acm_install ? 1 : 0 }"
  lifecycle {
    create_before_destroy = true
  }
}

Expected Behavior

I am using ACM to self CA and it's working fine ... but every run it's recreating the CA.
If I understand, the state didn't change and ACM doesn't need to recreate the CA again?
What am I missing?

Actual Behavior

terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

aws_acm_certificate.swapr_acm_certificate: Refreshing state... (ID: arn:aws:acm:us-east-1:546076352089:cert...e/9e70d000-a74c-4b1b-bbfe-bd500d40158c)
data.aws_route53_zone.zone: Refreshing state...
aws_route53_record.swapr_route53_record_validation: Refreshing state... (ID: Z1MAYN73NFZE32__0be9821638252419257c866b5ee7ac4d.mydomain.link._CNAME)
aws_acm_certificate_validation.swapr_acm_certificate_validation: Refreshing state... (ID: 2018-06-21 20:08:00 +0000 UTC)


An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

-/+ aws_acm_certificate.swapr_acm_certificate (new resource required)
id: "arn:aws:acm:us-east-1:546076352089:certificate/9e70d000-a74c-4b1b-bbfe-bd500d40158c" => (forces new resource)
arn: "arn:aws:acm:us-east-1:546076352089:certificate/9e70d000-a74c-4b1b-bbfe-bd500d40158c" =>
domain_name: "*.mydomain.link" => "*.mydomain.link"
domain_validation_options.#: "2" =>
subject_alternative_names.#: "1" => "2" (forces new resource)
subject_alternative_names.0: "mydomain.link" => "mydomain.link"
subject_alternative_names.1: "" => "*.mydomain.link" (forces new resource)
validation_emails.#: "0" =>
validation_method: "DNS" => "DNS"

-/+ aws_acm_certificate_validation.swapr_acm_certificate_validation (new resource required)
id: "2018-06-21 20:08:00 +0000 UTC" => (forces new resource)
certificate_arn: "arn:aws:acm:us-east-1:546076352089:certificate/9e70d000-a74c-4b1b-bbfe-bd500d40158c" => "${aws_acm_certificate.swapr_acm_certificate.arn}" (forces new resource)
validation_record_fqdns.#: "1" => "1"
validation_record_fqdns.3648751135: "_0be9821638252419257c866b5ee7ac4d.mydomain.link" => "_0be9821638252419257c866b5ee7ac4d.mydomain.link"

Plan: 2 to add, 0 to change, 2 to destroy.

Steps to Reproduce

  1. terraform apply

Labels: question, service/acm, waiting-response

All 6 comments

Hi @Noam-greenberrg 👋 according to your plan output, it looks like you have ,"*.${var.global_domain["domain_name"]}" extraneously added to your configuration.

      subject_alternative_names.#:        "1" => "2" (forces new resource)
      subject_alternative_names.0:        "mydomain.link" => "mydomain.link"
      subject_alternative_names.1:        "" => "*.mydomain.link" (forces new resource)

Does it work if you remove that from your configuration?

Hi @bflad
I don't think it will work as this setup is needed for API Gateway. I don't understand why Terraform doesn't check the state? Why does it recreate it ....

The workaround I found is to move this part to a different folder but ...
and I see this issue in security groups as well: I don't change any part and it's updated all the time ...

Hi again @Noam-greenberrg -- sorry if I am misunderstanding your English here. What I meant is that your Terraform configuration can be changed to prevent Terraform from recreating the certificate each time:

resource "aws_acm_certificate" "swapr_acm_certificate" {
  domain_name = "*.${var.global_domain["domain_name"]}"
  subject_alternative_names = ["${var.global_domain["domain_name"]}"]
  validation_method = "DNS"
  count = "${var.acm_install ? 1 : 0 }"
  lifecycle {
    create_before_destroy = true
  }
}

AWS is removing the duplicate *.mydomain.link entry from the subject alternative names, so Terraform shows your configuration as different from AWS and this type of difference requires recreating the certificate to correctly perform the action. The above configuration should still create the certificate with a common name of *.mydomain.link and subject alternative name of mydomain.link as before without Terraform recreating it every run.
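To make the explanation above concrete, here is an added Python model of the diff (not code from the issue or from the AWS provider). It simulates two things: ACM storing each name once and reporting the common name inside the SAN list (an assumption about the API), and the provider dropping the domain_name from the SAN list it writes to state (an assumption about the provider's read logic). Comparing that state against the configuration reproduces the `"1" => "2" (forces new resource)` line from the plan for the original config and shows no diff for the corrected one; lint_sans flags the entry that can never converge. DOMAIN stands in for var.global_domain["domain_name"]; the ACM response is constructed, nothing here calls AWS.

```python
"""Model of why the plan in this issue shows a perpetual -/+ on aws_acm_certificate.

Added example: nothing here talks to AWS. It simulates the read-side
normalisation the provider is assumed to apply (drop DomainName from the
SubjectAlternativeNames list kept in state) and compares state to config.
"""

DOMAIN = "mydomain.link"  # stand-in for var.global_domain["domain_name"]


def fake_describe_certificate(domain_name, subject_alternative_names):
    """Constructed stand-in for an ACM DescribeCertificate response.

    Assumptions: ACM lists the common name inside SubjectAlternativeNames as
    well, and keeps each name only once however often it was requested.
    """
    names = []
    for name in [domain_name, *subject_alternative_names]:
        if name not in names:
            names.append(name)
    return {"DomainName": domain_name, "SubjectAlternativeNames": names}


def provider_read_sans(certificate):
    """Read-side normalisation (assumption): state SANs exclude the domain name."""
    return [
        name
        for name in certificate["SubjectAlternativeNames"]
        if name != certificate["DomainName"]
    ]


def plan_diff(config_domain, config_sans):
    """Diff the configured SAN list against what the provider reads back.

    Returns (forces_new, state_sans). forces_new is True whenever the two
    lists differ, which on this resource means destroy-and-recreate.
    Order is ignored; only membership differences are modelled here.
    """
    cert = fake_describe_certificate(config_domain, config_sans)
    state_sans = provider_read_sans(cert)
    return sorted(state_sans) != sorted(config_sans), state_sans


def lint_sans(config_domain, config_sans):
    """Return SAN entries that will never converge with state.

    An entry equal to domain_name, or listed twice, is stored once by ACM and
    (after normalisation) disappears from state, so config != state forever.
    An empty result means the configuration is stable across plans.
    """
    seen = set()
    offending = []
    for san in config_sans:
        if san == config_domain or san in seen:
            offending.append(san)
        seen.add(san)
    return offending


if __name__ == "__main__":
    original = (f"*.{DOMAIN}", [DOMAIN, f"*.{DOMAIN}"])   # config from the issue
    corrected = (f"*.{DOMAIN}", [DOMAIN])                 # config from the reply
    for label, (domain, sans) in (("original", original), ("corrected", corrected)):
        forces_new, state = plan_diff(domain, sans)
        print(f"{label}: config SANs={sans} state SANs={state} "
              f"forces_new={forces_new} offending={lint_sans(domain, sans)}")
```

Running it prints a diff only for the original configuration, whose SAN list contains the same wildcard name as domain_name; running lint_sans over a module before `terraform plan` catches this class of perpetual diff without touching AWS.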

Hi @bflad
I will try this ... I have the same issue in route tables ...

Noam

Closing as the original issue appears to be resolved by the 👍 reaction from a while ago. Please open a new issue if you're still having trouble, thanks!

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
