cloudposse / terraform-aws-ec2-client-vpn

Apache License 2.0

InvalidParameterValue: Certificate <certificate_arn> does not have a domain #57

Open afdecastro879 opened 1 year ago

afdecastro879 commented 1 year ago

Describe the Bug

When using this module the server certificate is created successfully, but when trying to create the aws_ec2_client_vpn_endpoint.default[0] resource it fails as the created certificate does not have a domain:

Error: error creating EC2 Client VPN Endpoint: InvalidParameterValue: Certificate <certificate_arn> does not have a domain

My configuration is very simple:

module "ec2_client_vpn" {
  source  = "cloudposse/ec2-client-vpn/aws"
  version = "0.13.0"

  associated_subnets  = var.private_subnets
  client_cidr         = var.client_cidr
  logging_stream_name = null
  organization_name   = <my_org_name>
  vpc_id = var.vpc_id

  additional_routes = [
    {
      destination_cidr_block = "0.0.0.0/0"
      description            = "Internet Route"
      target_vpc_subnet_id   = element(var.private_subnets, 0)
    }
  ]
}

Expected Behavior

The module.ec2_client_vpn.aws_ec2_client_vpn_endpoint.default[0] resource should be created.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Provide private_subnets, vpc_id, client_cidr and a valid org_name to the following snippet:

module "ec2_client_vpn" {
  source  = "cloudposse/ec2-client-vpn/aws"
  version = "0.13.0"

  associated_subnets  = var.private_subnets
  client_cidr         = var.client_cidr
  logging_stream_name = null
  organization_name   = <my_org_name>
  vpc_id              = var.vpc_id

  additional_routes = [
    {
      destination_cidr_block = "0.0.0.0/0"
      description            = "Internet Route"
      target_vpc_subnet_id   = element(var.private_subnets, 0)
    }
  ]
}

  2. Run terraform apply
  3. The module fails with the error: Error: error creating EC2 Client VPN Endpoint: InvalidParameterValue: Certificate <certificate_arn> does not have a domain

Environment (please complete the following information):

afdecastro879 commented 1 year ago

Once I set the parameters:

  ca_common_name     = <a_ca_common_name>
  root_common_name   = <a_root_common_name>
  server_common_name = <a_server_common_name>

this fixes the issue with the missing domain. Maybe these inputs should be required? My suspicion is that when these values are not provided, this is assigning a domain vpn.server that does not belong to my org, hence it can't set the domain.

Nuru commented 1 year ago

I believe this would also be avoided if you supplied any of the null-label label inputs. I apologize that the example in the README does not include

context = module.this.context

but in practice nearly all our modules need some kind of name input and sometimes we take it for granted that users know this.

Try your example again, but adding name = <my_org_name> to the module inputs.