Terraform-provider-aws: ACM Certificates have validation method set to NONE
Need to add some details when I have time but it looks like aws_acm_certificate isn't correctly parsing the AWS response to determine the validation method
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform Version
0.12.3
Affected Resource(s)
- aws_acm_certificate
Terraform Configuration Files
TODO
# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp
Debug Output
Panic Output
Expected Behavior
Certificate response is parsed correctly
Actual Behavior
EMAIL validation isn't successfully parsed from the response
Steps to Reproduce
terraform plan
Important Factoids
References
AWS response
{
"Certificate": {
"CertificateArn": "arn:aws:acm:us-east-1:1234:certificate/1234",
"DomainName": "sub-domain.example.com",
"SubjectAlternativeNames": [
"sub-domain2.example.com"
],
"DomainValidationOptions": [
{
"DomainName": "sub-domain.example.com",
"ValidationDomain": "example.com",
"ValidationStatus": "SUCCESS",
"ValidationMethod": "EMAIL"
}
],
"Serial": "12:34:6e:24:29:ad:00:00:00:00:88:04:00:00:00:00",
"Subject": "sub-domain.example.com",
"Issuer": "Amazon",
"CreatedAt": 1552662375.0,
"IssuedAt": 1581825267.0,
"Status": "ISSUED",
"NotBefore": 1581811200.0,
"NotAfter": 1615896000.0,
"KeyAlgorithm": "RSA-2048",
"SignatureAlgorithm": "SHA256WITHRSA",
"InUseBy": [
"arn:aws:elasticloadbalancing:us-east-1:1234:loadbalancer/app/my-lb/1234"
],
"Type": "AMAZON_ISSUED",
"RenewalSummary": {
"RenewalStatus": "SUCCESS",
"DomainValidationOptions": [
{
"DomainName": "sub-domain.example.com",
"ValidationDomain": "example.com",
"ValidationStatus": "SUCCESS",
"ValidationMethod": "EMAIL"
}
],
"UpdatedAt": 1581827004.0
},
"KeyUsages": [
{
"Name": "DIGITAL_SIGNATURE"
},
{
"Name": "KEY_ENCIPHERMENT"
}
],
"ExtendedKeyUsages": [
{
"Name": "TLS_WEB_SERVER_AUTHENTICATION",
"OID": "1.3.6.1.5.5.7.3.1"
},
{
"Name": "TLS_WEB_CLIENT_AUTHENTICATION",
"OID": "1.3.6.1.5.5.7.3.2"
}
],
"RenewalEligibility": "ELIGIBLE",
"Options": {
"CertificateTransparencyLoggingPreference": "ENABLED"
}
}
}
aws_acm_certificate.go
for _, o := range certificate.DomainValidationOptions {
if o.ResourceRecord != nil {
validationOption := map[string]interface{}{
"domain_name": *o.DomainName,
"resource_record_name": *o.ResourceRecord.Name,
"resource_record_type": *o.ResourceRecord.Type,
"resource_record_value": *o.ResourceRecord.Value,
}
domainValidationResult = append(domainValidationResult, validationOption)
} else if o.ValidationEmails != nil && len(o.ValidationEmails) > 0 {
for _, validationEmail := range o.ValidationEmails {
emailValidationResult = append(emailValidationResult, *validationEmail)
}
} else if o.ValidationStatus == nil || aws.StringValue(o.ValidationStatus) == acm.DomainStatusPendingValidation {
log.Printf("[DEBUG] No validation options need to retry: %#v", o)
return nil, nil, fmt.Errorf("No validation options need to retry: %#v", o)
}
}
It is looking for ValidationEmails and ResourceRecord keys but my response contains a ValidationMethod key that provides the correct information. Need to validate with AWS docs, as well
- #0000
nijave
All 3 comments
The resource has been updated to directly lookup the DomainValidationOptions ValidationMethod instead of guessing based on ResourceRecord or ValidationEmails. This will release with version 2.65.0 of the Terraform AWS Provider, likely later today. 👍
bflad
on 4 Jun 2020
This has been released in version 2.65.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!
![hashibot[bot] picture](https://avatars2.githubusercontent.com/in/8332?v=4&s=40)
hashibot[bot]
on 5 Jun 2020
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
hashibot[bot]
on 5 Jul 2020
Related issues
modax
·
3Comments
reedloden
·
3Comments
hashibot
·
3Comments
andywirv
·
3Comments
hashibot
·
3Comments
Most helpful comment
The resource has been updated to directly lookup the
DomainValidationOptionsValidationMethodinstead of guessing based onResourceRecordorValidationEmails. This will release with version 2.65.0 of the Terraform AWS Provider, likely later today. 👍