Terraform: domain_validation_options not iterable

Created on 29 Jun 2018 · 5 Comments · Source: hashicorp/terraform

Terraform Version

0.11.7

Terraform Configuration Files

resource "aws_acm_certificate" "certificates" {
  count             = "${var.value_count}"
  domain_name       = "${var.aws_lb_listener_rule_values[count.index]}"
  validation_method = "DNS"
}

resource "cloudflare_record" "validation_record" {
  count      = "${var.value_count}"
  type       = "${aws_acm_certificate.certificates.*.domain_validation_options.0.type[count.index]}"
  name       = "${aws_acm_certificate.certificates.*.domain_validation_options.0.name[count.index]}"
  value      = "${aws_acm_certificate.certificates.*.domain_validation_options.0.value[count.index]}"
  depends_on = [ "aws_acm_certificate.certificates" ]
}

resource "aws_acm_certificate_validation" "validation" {
  count                   = "${var.value_count}"
  certificate_arn         = "${aws_acm_certificate.certificates.*.arn[count.index]}"
  validation_record_fqdns = ["${cloudflare_record.validation_record.*.hostname[count.index]}"]
  depends_on              = [ "aws_acm_certificate.certificates", "cloudflare_record.validation_record" ]
}

Expected Behavior

This should iterate over aws_lb_listener_rule_values and create a cert for every entry, then create validation records on Cloudflare.

Actual Behavior

module.dcms_load_balancer_rules.cloudflare_record.validation_record[0]: Resource 'aws_acm_certificate.certificates' does not have attribute 'domain_validation_options.0.name' for variable 'aws_acm_certificate.certificates.*.domain_validation_options.0.name'

This, however, works fine:

resource "aws_acm_certificate" "certificate" {
  count             = "${var.value_count}"
  domain_name       = "${var.aws_lb_listener_rule_values[count.index]}"
  validation_method = "DNS"
}

locals {
  flattened_domains = "${flatten(aws_acm_certificate.certificate.*.domain_validation_options)}"
}

resource "cloudflare_record" "validation_record" {
  count      = "${var.value_count}"
  domain     = "${replace(var.aws_lb_listener_rule_values[count.index], "*.", "")}"
  name       = "${lookup(local.flattened_domains[count.index], "resource_record_name")}"
  type       = "${lookup(local.flattened_domains[count.index], "resource_record_type")}"
  value      = "${lookup(local.flattened_domains[count.index], "resource_record_value")}"
  depends_on = [ "aws_acm_certificate.certificate" ]
}

resource "aws_acm_certificate_validation" "validation" {
  count                   = "${var.value_count}"
  certificate_arn         = "${aws_acm_certificate.certificate.*.arn[count.index]}"
  validation_record_fqdns = ["${cloudflare_record.validation_record.*.hostname[count.index]}"]
  depends_on              = [ "aws_acm_certificate.certificate", "cloudflare_record.validation_record" ]
}

resource "aws_lb_listener_certificate" "listener_certificate" {
  count           = "${var.value_count}"
  listener_arn    = "${var.aws_lb_listener_rule_listener_ssl_arn}"
  certificate_arn = "${aws_acm_certificate_validation.validation.*.certificate_arn[count.index]}"
}

bug config

All 5 comments

Same thing over here. Is there any update on this one?

It's a known bug, and it should be addressed in the next major release.

Hi again, @mzhaase! Sorry for the long silence here.

This issue has the same root cause as #17156, which I've verified is fixed in master and ready for inclusion in the forthcoming v0.12.0 release. In my latest comment over there you can see what I tested and also a different way I was able to update that config using the new features coming in v0.12.0.

A similar reorganization of the expressions should be possible for your configuration too. For example:

resource "cloudflare_record" "validation_record" {
  count      = var.value_count
  type       = aws_acm_certificate.certificates[count.index].domain_validation_options[0].type
  name       = aws_acm_certificate.certificates[count.index].domain_validation_options[0].name
  value      = aws_acm_certificate.certificates[count.index].domain_validation_options[0].value
}

(The depends_on wasn't doing anything here because the references to aws_acm_certificate.certificates already establish that dependency.)

Since the fix is in master, I'm going to close this out now. Thanks for reporting this, and sorry again for the late response.
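
For reference, the working configuration from the issue rewritten with v0.12 index expressions. This is an added example, not code posted by anyone in the thread. It keeps the `resource_record_*` attribute names and the `domain` argument from the working config above, and assumes a provider version that exposes `domain_validation_options` as an ordered list, as both configs in the issue do.

```hcl
resource "aws_acm_certificate" "certificates" {
  count             = var.value_count
  domain_name       = var.aws_lb_listener_rule_values[count.index]
  validation_method = "DNS"
}

# One DNS validation record per certificate. Indexing the resource first
# ([count.index]) and the nested list second ([0]) replaces the 0.11
# splat-plus-flatten() workaround.
resource "cloudflare_record" "validation_record" {
  count  = var.value_count
  domain = replace(var.aws_lb_listener_rule_values[count.index], "*.", "")
  name   = aws_acm_certificate.certificates[count.index].domain_validation_options[0].resource_record_name
  type   = aws_acm_certificate.certificates[count.index].domain_validation_options[0].resource_record_type
  value  = aws_acm_certificate.certificates[count.index].domain_validation_options[0].resource_record_value
}

# Blocks until ACM has seen the record and issued the certificate, so the
# listener never references a certificate that is still pending validation.
resource "aws_acm_certificate_validation" "validation" {
  count                   = var.value_count
  certificate_arn         = aws_acm_certificate.certificates[count.index].arn
  validation_record_fqdns = [cloudflare_record.validation_record[count.index].hostname]
}

resource "aws_lb_listener_certificate" "listener_certificate" {
  count           = var.value_count
  listener_arn    = var.aws_lb_listener_rule_listener_ssl_arn
  certificate_arn = aws_acm_certificate_validation.validation[count.index].certificate_arn
}
```

The explicit `depends_on` entries are omitted because each reference already creates the dependency. Where the provider returns `domain_validation_options` as an unordered set, the `[0]` index is not valid and the records have to be built by iterating over the set instead.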

wow this 0.12.0 release has a lot of pressure to get these things right :(

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
