Terraform-provider-aws: aws_acm_certificate_validation on certificate that is in ValidationStatus=SUCCESS and Status=ISSUED should always succeed
Community Note
- Please vote on this issue by adding a 馃憤 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform Version
Terraform v0.11.13
+ provider.aws v2.10.0
Affected Resource(s)
- aws_acm_certificate_validation
Terraform Configuration Files
resource "aws_acm_certificate" "secure_newdream_net" {
domain_name = "secure.newdream.net"
subject_alternative_names = []
validation_method = "DNS"
lifecycle {
create_before_destroy = true
}
}
resource "aws_acm_certificate_validation" "secure_newdream_net" {
certificate_arn = "${aws_acm_certificate.secure_newdream_net.arn}"
validation_record_fqdns = ["${aws_acm_certificate.secure_newdream_net.domain_name}"]
timeouts {
create = "5m"
}
}
Certificate is already in AWS - it was created earlier and then imported to Terraform.
Debug Output
% TF_LOG=debug terraform apply
...
+ aws_acm_certificate_validation.secure_newdream_net
id: <computed>
certificate_arn: "arn:aws:acm:us-east-1:272624908555:certificate/5b9f10f1-59e2-4d16-a477-c6f4e10200fa"
validation_record_fqdns.#: "1"
validation_record_fqdns.1167109527: "secure.newdream.net"
...
aws_acm_certificate_validation.secure_newdream_net: Creating...
certificate_arn: "" => "arn:aws:acm:us-east-1:272624908555:certificate/5b9f10f1-59e2-4d16-a477-c6f4e10200fa"
validation_record_fqdns.#: "" => "1"
validation_record_fqdns.1167109527: "" => "secure.newdream.net"
2019-05-09T22:30:06.160-0500 [DEBUG] plugin.terraform-provider-aws_v2.10.0_x4: 2019/05/09 22:30:06 [DEBUG] [aws-sdk-go] DEBUG: Request acm/DescribeCertificate Details:
...
2019-05-09T22:30:06.843-0500 [DEBUG] plugin.terraform-provider-aws_v2.10.0_x4: 2019/05/09 22:30:06 [DEBUG] [aws-sdk-go] {"Certificate":{"CertificateArn":"arn:aws:acm:us-east-1:272624908555:certificate/5b9f10f1-59e2-4d16-a477-c6f4e10200fa","CreatedAt":1.545151664E9,"DomainName":"secure.newdream.net","DomainValidationOptions":[{"DomainName":"secure.newdream.net","ResourceRecord":{"Name":"_1ce25b9917074ea63c6d293b9013b5c5.secure.newdream.net.","Type":"CNAME","Value":"_5c08a0d9d8a0c0fe289a91fec8bbbe98.hkvuiqjoua.acm-validations.aws."},"ValidationMethod":"DNS","ValidationStatus":"SUCCESS"}],"ExtendedKeyUsages":[{"Name":"TLS_WEB_SERVER_AUTHENTICATION","OID":"1.3.6.1.5.5.7.3.1"},{"Name":"TLS_WEB_CLIENT_AUTHENTICATION","OID":"1.3.6.1.5.5.7.3.2"}],"InUseBy":["arn:aws:cloudfront::272624908555:distribution/E33SJU5H6240E7"],"IssuedAt":1.545151949E9,"Issuer":"Amazon","KeyAlgorithm":"RSA-2048","KeyUsages":[{"Name":"DIGITAL_SIGNATURE"},{"Name":"KEY_ENCIPHERMENT"}],"NotAfter":1.5793488E9,"NotBefore":1.5450912E9,"Options":{"CertificateTransparencyLoggingPreference":"ENABLED"},"RenewalEligibility":"ELIGIBLE","Serial":"0c:af:a0:4f:09:67:46:b1:15:d6:b9:bd:d2:ba:cb:23","SignatureAlgorithm":"SHA256WITHRSA","Status":"ISSUED","Subject":"CN=secure.newdream.net","SubjectAlternativeNames":["secure.newdream.net"],"Type":"AMAZON_ISSUED"}}
2019/05/09 22:30:06 [ERROR] root: eval: *terraform.EvalApplyPost, err: 1 error(s) occurred:
* aws_acm_certificate_validation.secure_newdream_net: 1 error occurred:
* missing secure.newdream.net DNS validation record: _1ce25b9917074ea63c6d293b9013b5c5.secure.newdream.net
...
Expected Behavior
Just work. Since Amazon considers the certificate issued and DNS validated, it should be a no-op for Terraform. Just create this virtual entity in the state and move on with life.
Actual Behavior
Error: Error applying plan:
1 error(s) occurred:
* aws_acm_certificate_validation.secure_newdream_net: 1 error(s) occurred:
* aws_acm_certificate_validation.secure_newdream_net: 1 error occurred:
* missing secure.newdream.net DNS validation record: (SNIPPED).secure.newdream.net
Steps to Reproduce
- Create an ACM certificate manually using DNS validation in AWS.
terraform importthe ACM certificate.- Create
aws_acm_certificate_validationthat references the certificate.
Nowaker
All 4 comments
News on this?
rafaelsales
on 29 Aug 2019
I reckon there should be at least a way to also "import" the aws_acm_certificate_validation resource as otherwise this kind of creates a loophole if you're trying to import existing stuff into a working module
gonzgonz
on 27 Nov 2019
My use case...
I'm using SSL certs with CloudFront.
Both for web sites and for API gateway custom domains.
I'm creating Terraform code for existing environments which have historically been created by hand.
Not being able to import a aws_acm_certificate_validation resource is a real pain. Without it I am forced to create a new certificate, which in turn forces the CloudFront distribution to be updated. Forcing a change on a production system (that doesn't actually need to be changed) is never a good idea !
My personal preference would be to make aws_acm_certificate_validation importable. It would break the "pattern" if it was to suddenly appear in my state when I hadn't manually imported it.
But maybe I can be convinced otherwise.
At any rate, whatever the solution, there should at least be some import related documentation for this type of resource.
lqueryvg
on 24 Dec 2019
Actually - has the behaviour requested by this issue already been implemented in Terraform .12 ?
I've just noticed a aws_acm_certificate_validation resource appear in my state after importing the associated route 53 validation validation record. If so, my problems are solved in Terraform .12.
lqueryvg
on 24 Dec 2019
Related issues
ccslamstack
路
3Comments
carmas
路
3Comments
hazmeister
路
3Comments
hashibot
路
3Comments
hashibot
路
3Comments
Most helpful comment
I reckon there should be at least a way to also "import" the
aws_acm_certificate_validationresource as otherwise this kind of creates a loophole if you're trying to import existing stuff into a working module