Hi,
I am facing an issue where my aws_acm_certificate_validation is forcing a new resource every time I do a terraform plan or terraform apply, and as a result even the Route 53 records are updated with their GUIDs.
To replicate the issue, below is sample code:
```hcl
resource "aws_acm_certificate" "cert" {
  domain_name               = "${var.domain_name}"
  validation_method         = "DNS"
  subject_alternative_names = "${var.subject_alternative_names}"

  lifecycle {
    create_before_destroy = true
  }
}

# Creates route 53 records for validation of DNS
resource "aws_route53_record" "cert_validation" {
  # The number of records to be created
  count   = "${length(var.subject_alternative_names) + 1}"
  name    = "${lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "resource_record_name")}"
  type    = "${lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "resource_record_type")}"
  records = ["${lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "resource_record_value")}"]
  zone_id = "${var.zone_id}"
  ttl     = 60
}

# Validates the ACM certificate
resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = "${aws_acm_certificate.cert.arn}"
  validation_record_fqdns = ["${aws_route53_record.cert_validation.*.fqdn}"]
}

resource "null_resource" "dependency_setter" {
  depends_on = [
    "aws_acm_certificate_validation.cert",
  ]
}
```
This was not happening until a week back, but we have been facing these issues since then.
Duplicate of #8531 I believe.
@ani-patel thanks for opening this issue, and sorry you are running into trouble here. This is a duplicate of #8531, so I am going to close this issue and ask that any new comments be tracked on the existing thread. If you haven't already done so, please upvote #8531.
Hi Nick,
This is different than #8531. My affected resource is "aws_acm_certificate_validation". The certificate is not recreated every time but instead the validation is performed again and again.
@nywilken
Please reopen this issue. It is not a duplicate of 8531. As @ani-patel mentioned, this issue is specific to the certificate validation, NOT the certificate itself.
Thank you!
@MeMan-MasterOfTheUniverse @ani-patel thanks for the additional information here, and my apologies for any confusion. I reopened the issue and have applied the needs-triage label. Have you tried reproducing this issue with Terraform 0.12? If so, can you please provide a redacted version of the plan output?
I am also experiencing this. Validation is forcing a new resource every time and can take up to 45 minutes before it errors out. Environment: terraform 0.12.9 with aws provider 2.32, using the same method to create a cert found in this module:
https://github.com/cloudposse/terraform-aws-acm-request-certificate
implementation:
```hcl
module "cert" {
  source                      = "git::https://github.com/cloudposse/terraform-aws-acm-request-certificate.git?ref=0.4.0"
  zone_name                   = "examplezone.com"
  domain_name                 = "myhost.examplezone.com"
  validation_record_ttl       = 60
  wait_for_certificate_issued = true
}
```
We used real zone and domain_name entries, of course. The first apply eventually succeeds, but what we see on the second apply and beyond is the following unless we destroy and apply:
```
module.cert.aws_acm_certificate_validation.default[0]: Still creating... [16m10s elapsed]
module.cert.aws_acm_certificate_validation.default[0]: Still creating... [16m20s elapsed]
...
module.cert.aws_acm_certificate_validation.default[0]: Still creating... [45m0s elapsed]
Error: Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION
```
As a workaround, I added ignore_changes on the field id which was the current date/time:
```hcl
resource "aws_acm_certificate_validation" "certificate" {
  [...]
  lifecycle {
    ignore_changes = [
      "id",
    ]
  }
}
```