Terraform-provider-aws: Route53 validation records creation fails

Created on 13 Mar 2019  ·  10 Comments  ·  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.11

  • provider.aws v2.1.0

Affected Resource(s)

aws_acm_certificate
aws_route53_record

Terraform Configuration Files

resource "aws_acm_certificate" "example_wildcard" {
  domain_name               = "example.com"
  subject_alternative_names = ["*.example.com"]

  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }

  tags = "${var.tags}"
}

resource "aws_route53_record" "example_wildcard_validation_0" {
  name    = "${aws_acm_certificate.example_wildcard.domain_validation_options.0.resource_record_name}"
  type    = "${aws_acm_certificate.example_wildcard.domain_validation_options.0.resource_record_type}"
  zone_id = "${aws_route53_zone.example.id}"
  records = ["${aws_acm_certificate.example_wildcard.domain_validation_options.0.resource_record_value}"]
  ttl     = 60
}

resource "aws_route53_record" "example_wildcard_validation_1" {
  name    = "${aws_acm_certificate.example_wildcard.domain_validation_options.1.resource_record_name}"
  type    = "${aws_acm_certificate.example_wildcard.domain_validation_options.1.resource_record_type}"
  zone_id = "${aws_route53_zone.example.id}"
  records = ["${aws_acm_certificate.example_wildcard.domain_validation_options.1.resource_record_value}"]
  ttl     = 60
}

Expected Behavior

I tried to create an aws_acm_certificate for the "example.com" domain name with "subject_alternative_names" set to "*.example.com". This produces two domain_validation_options with the same CNAME. It should either produce a single domain_validation_option or recognise at the validation stage that the two are identical.

Actual Behavior

Error: Error applying plan:

1 error(s) occurred:

* aws_route53_record.example_wildcard_validation_1: 1 error(s) occurred:

* aws_route53_record.example_wildcard_validation_1: [ERR]: Error building changeset: InvalidChangeBatch: [Tried to create resource record set [name='_6fcf8470af9790c423164357049b8dba.example.com.', type='CNAME'] but it already exists]
    status code: 400, request id: d374a768-44ce-11e9-a407-07f68f36e577

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

Steps to Reproduce

  1. terraform apply

Important Factoids

None

References

  • #0000
Labels: question, service/acm, service/route53

All 10 comments

In my use-case, I have an infra module that creates an ACM cert for *.my.domain.com.
This module gets called twice (my platform is deployed in two regions). So I have two certs configured the same, one for each region.

While the call for one region succeeds, the call for the second region fails with the same errors as the OP.

My aws provider version is 2.0.0

Details:

  • infra-us-east-1
    |- aws_acm_certificate: my.domain.com, SAN=*.my.domain.com - this one gets created and validated
  • infra-us-west-2
    |- aws_acm_certificate: my.domain.com, SAN=*.my.domain.com - this one gets created but fails with the R53 records already exists.

I've confirmed that with aws provider version 1.60.0 the issue doesn't happen.
With aws provider version 2.3.0 the issue is still happening.

Reading this suggests that the new versions of this provider are working as designed/expected.

This breaks the functionality of validating ACM certs using DNS validation, as AWS generates the validation record data (name and value) based on the requested domain (and SANs) and the account info.
The region and other information of the certificate do not go into the calculation.
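Both failure modes in this thread come from the same fact: ACM derives the validation CNAME from the domain name and the account, so an apex plus its wildcard SAN, or the same certificate requested in two regions, all ask Route 53 for one identical record. The configuration below is an added example, not code from the original issue or from the provider's own documentation. It deduplicates the validation options using only values known from the configuration (so the `for_each` keys are known at plan time), and adds a switch so a second module invocation (the other region) can skip managing the shared records. It assumes Terraform 0.12.26 or later and aws provider 3.x, where `domain_validation_options` exposes `domain_name` per option; the resource, data source and variable names (`cert`, `selected`, `manage_validation_records`) are my own.

```hcl
terraform {
  required_version = ">= 0.12.26" # assumed: resource for_each over the ACM option set
}

variable "domain_name" {
  type    = string
  default = "example.com"
}

variable "subject_alternative_names" {
  type    = list(string)
  default = ["*.example.com"]
}

# Assumed variable: set to false in the second region/module instance so that
# only one invocation creates the validation CNAMEs. ACM issues the identical
# record in every region, so a second creator collides with the first.
variable "manage_validation_records" {
  type    = bool
  default = true
}

locals {
  cert_domains = concat([var.domain_name], var.subject_alternative_names)

  # Drop a wildcard entry whose apex is also on the certificate: ACM hands out
  # the same CNAME for "example.com" and "*.example.com", so creating both
  # fails with InvalidChangeBatch "already exists". Only configuration values
  # are inspected here, which keeps the for_each keys below known at plan time.
  validation_domains = [
    for d in local.cert_domains : d
    if !(substr(d, 0, 2) == "*." && contains(local.cert_domains, trimprefix(d, "*.")))
  ]
}

data "aws_route53_zone" "selected" {
  name         = "${var.domain_name}."
  private_zone = false
}

resource "aws_acm_certificate" "cert" {
  domain_name               = var.domain_name
  subject_alternative_names = var.subject_alternative_names
  validation_method         = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_route53_record" "cert_validation" {
  # Keyed by domain_name (known from config); the filter removes the redundant
  # wildcard option and, when this instance does not own the records, everything.
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
    if var.manage_validation_records && contains(local.validation_domains, dvo.domain_name)
  }

  zone_id         = data.aws_route53_zone.selected.zone_id
  name            = each.value.name
  type            = each.value.type
  records         = [each.value.record]
  ttl             = 60
  allow_overwrite = true # UPSERT instead of CREATE: tolerates a record left by an earlier run
}

# Waits until ACM reports the certificate as issued. The instance that does not
# manage records passes null (omits the argument) and simply waits for the
# shared CNAME created elsewhere to be picked up by ACM.
resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = var.manage_validation_records ? [for r in aws_route53_record.cert_validation : r.fqdn] : null
}
```

With the OP's inputs this plans exactly one `aws_route53_record.cert_validation["example.com"]`; the `*.example.com` option shares that record's name, so ACM validates both names from it. For the two-region case, call the module once with `manage_validation_records = true` and once with `false`; on the 0.11 / provider 2.x versions used in the thread, the same dedup has to be applied by hand to the indexed `domain_validation_options.N` references.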

Is the only option to provide the allow_overwrite = true field to the aws_route53_record resource? I'm using latest version 2.15.0 and am hitting this issue as well.

allow_overwrite option didn't work for me anyways

This bug is preventing me from deploying applications that utilize Certificate Manager DNS validation. I'm having the same issue as @CamelCaseNotation mentions above - allow_overwrite = true has no effect.

Thank you for using Terraform and for opening up this question @ToROxI. Issues on GitHub are intended to be related to bugs or feature requests with the provider codebase. Please use https://discuss.hashicorp.com/c/terraform-providers for community discussions, and questions around Terraform.

It looks as though @ayashjorden has provided an answer and reference to this question.

If you believe this issue was miscategorized as a question or closed in error, please create a new issue using one of the following provided templates: bug report or feature request. Please make sure to provide us with the appropriate information so we can best determine how to assist with the given issue.

Is the only option to provide the allow_overwrite = true field to the aws_route53_record resource? I'm using latest version 2.15.0 and am hitting this issue as well.

allow_overwrite option didn't work for me anyways

It worked for me

oh well, allow_overwrite didn't work for me either... any ideas how to make it not fail on an existing record?

  # module.xxxxxxxx-xxxx.aws_route53_record.cert_validation[0] will be created
  + resource "aws_route53_record" "cert_validation" {
      + allow_overwrite = (known after apply)
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = "xxxxxxxx.xx-xxxxxx.com"
      + records         = [
          + "xxxxxxxxxxx.olprtlswtu.acm-validations.aws.",
        ]
      + ttl             = 60
      + type            = "CNAME"
      + zone_id         = "xxxxxxxxx"
    }
Error: [ERR]: Error building changeset: InvalidChangeBatch: [Tried to create resource record set [name='xxxxxxxxx.xxx-xxxxx.com.', type='CNAME'] but it already exists]
    status code: 400, request id: xxxxxx-4530-430f-920c-xxxxxxx

  on xxxxx/aws/acm/acm.tf line 25, in resource "aws_route53_record" "cert_validation":
  25: resource "aws_route53_record" "cert_validation" {

by the way I am using terraform 0.12.9
and all default settings for the provider. I guess it pulls the latest AWS provider, so the fix with the overwrite flag definitely does not work.

I have the flag hardcoded to true:

resource "aws_route53_record" "cert_validation" {
  count   = "${length(var.domain_names)}"
  name    = "${lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "resource_record_name")}"
  type    = "${lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "resource_record_type")}"
  zone_id = "${data.aws_route53_zone.selected.id}"
  records = ["${lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "resource_record_value")}"]
  ttl     = 60
  allow_overwrite = true
}

and it still fails with the error above. Maybe there is a way to add some conditional block to avoid TF attempting the operation if the record already exists? I am thinking of a way to disable that block on subsequent runs....

oh and the provider is * provider.aws: version = "~> 2.30", and it is the latest. But yeah, this discussion belongs here: https://github.com/terraform-providers/terraform-provider-aws/issues
just that this page is at the top of Google for the issue search keyword ....

so,
Anyone who has this issue please go here: https://github.com/terraform-providers/terraform-provider-aws

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
