Terraform: provider/aws: aws_acm_certificate datasource lookup by SAN.

Created on 13 Mar 2017 · 6 Comments · Source: hashicorp/terraform

In case there are multiple certificates with the same domain name, it would be great to be able to look it up also by the certificate additional names.

Labels: enhancement, provider/aws

All 6 comments

You can now filter with type in #15063

I'm not sure the mentioned PR solves the original problem. If I have two AMAZON_ISSUED type ACM certificates (because I forgot to include the apex domain originally):

  • *.example.com
  • *.example.com / SAN: example.com

I will get the multiple certificate error. It would be nice not to need to flip the domain/SAN just to appease the data source, or to temporarily break the configuration while migrating everything to the single certificate.

We are running into the exact same issue that @bflad described.

I agree, this does not allow for a search based on SAN domains.

Use case:

  • 2 related cloudfront sites that differ by domain name, but otherwise very similar
  • ACM certificate created with both domains, only site1 can be domain name (CN), and both domains are included in Additional names (SAN)
  • site1 queries for its own domain, and finds it since it is the CN of the ACM cert
  • site2 queries for its own domain, but since it's in the SAN, the data source for the cert fails

A workaround for site2 is to query with the data source using site1's domain, but that's not a scalable solution.
Of course, multiple certs can be used, so that site2 has its own with the CN set to site2.

It still seems like a feature gap, but after checking the ACM API/SDK, it looks like the listCertificates call doesn't return the SAN, and only returns the ARN and main domain. Adding this support to the provider would be possible, but it would add a lot of extra API calls to interrogate every certificate that matches the filter criteria in order to match on a SAN/Additional domain value.
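To make the trade-off in the comment above concrete, here is an added example (not code from Terraform or the AWS provider) of what a SAN-aware lookup has to do: page through ListCertificates, which only yields the ARN and primary DomainName, then call DescribeCertificate on every candidate to read its SubjectAlternativeNames. The `list_certificates` / `describe_certificate` method names and response keys are those of boto3's ACM client; `FakeACM`, its certificate ARNs and the `find_certificate_by_san` helper are constructed stand-ins so the script runs offline. The fake data reproduces both scenarios from this thread: the two `*.example.com` certificates (one with the apex as a SAN) and the site1/site2 shared certificate.

```python
"""Look up an ACM certificate by any of its names (CN or SAN).

Added illustration, not Terraform provider code. In real use pass
``boto3.client("acm")``; FakeACM below is a constructed stand-in so the
script runs offline.
"""


class AmbiguousCertificateError(LookupError):
    """More than one certificate carries the requested name (the data source's multiple-certificate error)."""


def find_certificate_by_san(acm, domain, cert_type="AMAZON_ISSUED", statuses=("ISSUED",)):
    """Return the ARN of the single certificate whose CN or SAN list contains ``domain``.

    Raises LookupError when nothing matches and AmbiguousCertificateError when
    several do, so the caller never silently picks one of them.
    """
    matches = []
    token = None
    while True:
        kwargs = {"CertificateStatuses": list(statuses)}
        if token:
            kwargs["NextToken"] = token
        page = acm.list_certificates(**kwargs)
        for summary in page.get("CertificateSummaryList", []):
            # One DescribeCertificate call per candidate: this is the extra
            # API traffic the comment warns about.
            cert = acm.describe_certificate(CertificateArn=summary["CertificateArn"])["Certificate"]
            if cert.get("Type") != cert_type:
                continue
            names = {cert["DomainName"], *cert.get("SubjectAlternativeNames", [])}
            if domain in names:
                matches.append(cert["CertificateArn"])
        token = page.get("NextToken")
        if not token:
            break
    if not matches:
        raise LookupError(f"no {cert_type} certificate carries {domain!r}")
    if len(matches) > 1:
        raise AmbiguousCertificateError(f"{domain!r} matches several certificates: {sorted(matches)}")
    return matches[0]


class FakeACM:
    """Constructed stand-in for boto3's ACM client (four certificates, two per page)."""

    _PREFIX = "arn:aws:acm:us-east-1:123456789012:certificate/"  # placeholder account
    _CERTS = {
        _PREFIX + "aaaa": {"DomainName": "*.example.com", "Type": "AMAZON_ISSUED",
                           "SubjectAlternativeNames": ["*.example.com"]},
        _PREFIX + "bbbb": {"DomainName": "*.example.com", "Type": "AMAZON_ISSUED",
                           "SubjectAlternativeNames": ["*.example.com", "example.com"]},
        _PREFIX + "cccc": {"DomainName": "site1.example.org", "Type": "AMAZON_ISSUED",
                           "SubjectAlternativeNames": ["site1.example.org", "site2.example.org"]},
        _PREFIX + "dddd": {"DomainName": "site2.example.org", "Type": "IMPORTED",
                           "SubjectAlternativeNames": ["site2.example.org"]},
    }

    def list_certificates(self, CertificateStatuses=None, NextToken=None):
        # Two-item pages so the NextToken loop is exercised.
        arns = sorted(self._CERTS)
        start = int(NextToken or 0)
        page = arns[start:start + 2]
        out = {"CertificateSummaryList": [
            {"CertificateArn": a, "DomainName": self._CERTS[a]["DomainName"]} for a in page]}
        if start + 2 < len(arns):
            out["NextToken"] = str(start + 2)
        return out

    def describe_certificate(self, CertificateArn):
        cert = dict(self._CERTS[CertificateArn], CertificateArn=CertificateArn, Status="ISSUED")
        return {"Certificate": cert}


if __name__ == "__main__":
    acm = FakeACM()
    print(find_certificate_by_san(acm, "example.com"))        # apex resolved through the SAN
    print(find_certificate_by_san(acm, "site2.example.org"))  # site2 found on site1's cert
    try:
        find_certificate_by_san(acm, "*.example.com")         # two certs share this CN
    except AmbiguousCertificateError as err:
        print(err)
```

Note that the ambiguity on `*.example.com` is not solved by SAN matching; it is the same multiple-certificate error the data source already reports, and the only way to resolve it is a more specific name or a type/status filter. The cost is one DescribeCertificate call per listed certificate on every plan, which is the reason given above for not adding this to the provider.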

@catsby should this be re-opened?

Hi folks 👋 Since this issue was closed, development work for the Terraform AWS provider has been migrated to a separate GitHub repository due to the Terraform core and provider split last year. There is an open issue for this there: https://github.com/terraform-providers/terraform-provider-aws/issues/4877

Please upvote/watch/comment on that Terraform AWS provider issue for updates. Given the API limitations with ACM that prevent this from being easy/lightweight, it's less likely to be accepted into the data source as-is currently, so you may also want to consider opening an AWS Support case for the ACM API to provide a better lookup mechanism.

Since additional comments here will only generate noise for Terraform core repository watchers and Terraform core maintainers, I am going to lock this issue in preference of continuing any discussion in the issue mentioned above.
