```
Terraform v0.11.13
+ provider.aws v2.8.0
```

```hcl
resource "aws_acm_certificate" "main" {
  domain_name       = "example.com"
  validation_method = "DNS"
  subject_alternative_names = [
    "one.example.com",
  ]
}
```
The certificate should be created in a state of pending validation, and Terraform should return success.
The certificate _is_ created in a state of pending validation, but Terraform appears to wait for validation of the SAN to succeed (which it won't, since the DNS records haven't been retrieved and added yet), and then errors as follows:
```
aws_acm_certificate.main: Creating...
  arn:                          "" => "<computed>"
  domain_name:                  "" => "example.com"
  domain_validation_options.#:  "" => "<computed>"
  subject_alternative_names.#:  "" => "1"
  subject_alternative_names.0:  "" => "one.example.com"
  validation_emails.#:          "" => "<computed>"
  validation_method:            "" => "DNS"
aws_acm_certificate.main: Still creating... (10s elapsed)
aws_acm_certificate.main: Still creating... (20s elapsed)
aws_acm_certificate.main: Still creating... (30s elapsed)
aws_acm_certificate.main: Still creating... (40s elapsed)
aws_acm_certificate.main: Still creating... (50s elapsed)
aws_acm_certificate.main: Still creating... (1m0s elapsed)

Error: Error applying plan:

1 error(s) occurred:

* aws_acm_certificate.main: 1 error(s) occurred:

* aws_acm_certificate.main: No validation options need to retry: {
  DomainName: "one.example.com",
  ValidationMethod: "DNS",
  ValidationStatus: "PENDING_VALIDATION"
}

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.
```
Note: when there are no SANs included, the certificate is created without errors, as expected, so this issue appears to be unique to SANs.
`terraform apply` and enter `yes` when prompted.

I don't appear to be able to reproduce this issue every time. I originally discovered it on my own domain, hence trying to reproduce it with the sample code above using example.com. However, I am now _not_ able to reproduce this if I replace example.com with one of my own domains. This appears to point to example.com being an issue with ACM (makes sense)... except that the domain I originally experienced it with should have been just fine!
Out of interest, the domain that I did experience this on before went on to take some time to validate - over an hour, which is much more than usual - so perhaps something had been triggered inside AWS and validation was just extended for that domain. Perhaps that resulted in a different API response which is similar to what happens with example.com here?
Either way, I understand that if this is difficult/flimsy to replicate, it's difficult to fix.
Might be related to another SAN issue I just lodged: #8531
I am experiencing the same issue; Terraform is still on _module.wildcard_certificate.aws_acm_certificate_validation.cert: Still creating... [27m1s elapsed]_
Terraform v0.12.1
Zone example.com. has been created, and certificate *.example.com is also created, but it does not seem to pick up the DNS record for validation...
Just to add to this for those in pain - I was also experiencing this error with Terraform trying to create forever, and then tried to create my certificate manually only to get the bemusing "com.amazon.coral.service.InternalFailure" error.
If you're like me and working in an Organization with a service control policy or a permissions-restricted IAM user, the permissions of acm:* aren't enough, as it turns out you also need kms:CreateGrant.
Since the AWS console doesn't even surface this error, Terraform has no chance and just continuously retries.
Removing the cert from the console, then running apply fixed this for me.
Hi folks 👋 Apologies if this error is confusing in any way. This happens during the asynchronous process where a certificate with DNS validation is requested and the ACM service has yet to return back the DNS validation records for the domains. We have just merged an update to the aws_acm_certificate resource that will now allow it to wait for up to 5 minutes (instead of just 1 minute) for the ACM service to generate the DNS validation records for certificates with higher amounts of Subject Alternative Names or if this asynchronous ACM DNS validation value creation is otherwise being slow. This will release in version 2.64.0 of the Terraform AWS Provider, later this week. Thanks to @gilbsgilbs for the implementation. 👍
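The wiring that consumes the DNS validation records ACM returns asynchronously, shown as an added example rather than code from this issue: it assumes Terraform 0.12+ with a 3.x AWS provider (where `domain_validation_options` is a set) and an existing public Route 53 hosted zone for example.com.

```hcl
# Added example (not code from this issue). Assumes Terraform 0.12+ and a
# 3.x AWS provider, where domain_validation_options is a set, and that the
# public hosted zone for example.com already exists in Route 53.
resource "aws_acm_certificate" "main" {
  domain_name               = "example.com"
  subject_alternative_names = ["one.example.com"]
  validation_method         = "DNS"

  # Replace the certificate before destroying it so anything referencing
  # the ARN is never left pointing at a deleted certificate.
  lifecycle {
    create_before_destroy = true
  }
}

data "aws_route53_zone" "main" {
  name         = "example.com."
  private_zone = false
}

# One CNAME per domain: ACM emits a validation option for the primary
# domain and for each SAN, so the SAN is covered without extra wiring.
resource "aws_route53_record" "validation" {
  for_each = {
    for dvo in aws_acm_certificate.main.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = data.aws_route53_zone.main.zone_id
}

# Blocks until ACM reports the certificate ISSUED; downstream resources
# (listeners, CloudFront) should depend on this, not on the certificate.
resource "aws_acm_certificate_validation" "main" {
  certificate_arn         = aws_acm_certificate.main.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}
```

Keying the records by domain name means adding or removing a SAN only creates or destroys that domain's record, and `aws_acm_certificate_validation` is the resource whose "Still creating" time reflects real DNS propagation rather than the provider waiting for ACM to generate the records.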
This has been released in version 2.64.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!