azavea / terraform-aws-acm-certificate

A Terraform module to create an Amazon Certificate Manager (ACM) certificate with Route 53 DNS validation.
Apache License 2.0

New validation every apply, no changes #9

Open kyeotic opened 5 years ago

kyeotic commented 5 years ago

I'm applying the following configuration.

module "cert_kye" {
  source = "github.com/azavea/terraform-aws-acm-certificate?ref=1.0.0"

  providers = {
    aws.acm_account     = "aws.certs"
    aws.route53_account = "aws"
  }

  domain_name           = "example.com"
  subject_alternative_names = ["sub.example.com", "www.example.com"]
  hosted_zone_id        = "${data.aws_route53_zone.kye_dev.zone_id}"
  validation_record_ttl = "60"
}

After succeeding, if I plan again immediately I get the following change on every cert

-/+ module.cert_kye.aws_route53_record.validation[1] (new resource required)
      id:                                            "Z1G38T8OFRJIAB__f26c4116acfd0fc3aceb0b36b055c68c.kye.dev._CNAME" => <computed> (forces new resource)

hectcastro commented 5 years ago

This looks like it could be related to https://github.com/azavea/terraform-aws-acm-certificate/pull/8. Does the behavior persist if you use the 1.1.0 release of this Terraform module?

kyeotic commented 5 years ago

Didn't realize a new version was out. I re-ran this after updating the module and the first time it gave me 3 changes, as opposed to the 6 it had done previously. The next run found 6 again, then 0, then 4... I don't know what's up.

hectcastro commented 5 years ago

Hm. What version of the Terraform AWS provider are you on? For reference, we're using the 1.1.0 version of this module with the following version of the AWS provider:

provider "aws" {
  region  = "${var.aws_region}"
  version = "~> 2.7.0"
}

...

module "cert" {
  source = "github.com/azavea/terraform-aws-acm-certificate?ref=1.1.0"

  providers = {
    aws.acm_account     = "aws"
    aws.route53_account = "aws"
  }

  domain_name               = "${var.r53_public_hosted_zone}"
  subject_alternative_names = ["*.${var.r53_public_hosted_zone}"]
  hosted_zone_id            = "${aws_route53_zone.external.zone_id}"
  validation_record_ttl     = "60"
}

panovitch commented 5 years ago

Hi!

Suffering from the same problem here :(

provider "aws" {
  version = "~> 2.7.0"
  alias   = "certs"
  region  = "us-east-1"
}

module "auth_cert" {
  providers = {
    aws.acm_account         = "aws.certs"
    aws.route53_account     = "aws.certs"
  }
  source = "github.com/azavea/terraform-aws-acm-certificate?ref=1.1.0"
  domain_name               = <CUT>
  hosted_zone_id            = "${data.aws_route53_zone.external.zone_id}"
  validation_record_ttl     = "60"
  subject_alternative_names = [
    <CUT>
    ]
}

hectcastro commented 5 years ago

Hm. How about Terraform version? We are currently using v0.11.11. Another question is, what do your subject_alternative_names look like? Are there multiple and are they all subdomains of domain_name?

kyeotic commented 5 years ago

provider.aws: version = "~> 2.10"
Terraform v0.11.13

I have a single subject_alternative_names and it's the "www" to the domain_name's apex (no subdomain).
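An added example, not the azavea module's code nor any commenter's, of the pattern that removes index-based churn from ACM validation records: each aws_route53_record is keyed by the domain it validates instead of by its position in domain_validation_options, so a reordering of that list between plans cannot rename a resource and force a -/+ replace. It assumes Terraform 0.12.6 or later and AWS provider 3.0 or later (where domain_validation_options is a set and for_each is available), provider aliases aws.certs and aws.dns defined elsewhere for the cross-account layout used in this thread, and placeholder values for the domain, SAN and hosted zone id; whether list ordering is the root cause of the churn reported above is not established in the thread.

```hcl
# Added example, not the azavea module's code. Assumes Terraform >= 0.12.6 and
# AWS provider >= 3.0, and provider aliases aws.certs / aws.dns defined elsewhere.

resource "aws_acm_certificate" "cert" {
  provider                  = aws.certs
  domain_name               = "example.com"        # placeholder
  subject_alternative_names = ["www.example.com"]  # placeholder
  validation_method         = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# One record per validation name, keyed by the domain it validates. Because the
# key is the domain name (not a list index), a change in the order ACM returns
# domain_validation_options does not change any resource address, so a re-plan
# after a successful apply shows no -/+ on the validation records.
resource "aws_route53_record" "validation" {
  provider = aws.dns
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }

  zone_id         = "ZONE_ID_PLACEHOLDER"  # placeholder hosted zone id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  allow_overwrite = true  # apex and wildcard share one validation name
  records         = [each.value.record]
}

# Blocks until ACM has seen the records, so dependents get an issued certificate.
resource "aws_acm_certificate_validation" "cert" {
  provider                = aws.certs
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}
```

After a successful apply, a second `terraform plan` with this layout should report no changes to aws_route53_record.validation; if it still does, compare the record id in the plan output with the id in state to see which attribute is forcing the replacement.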