hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_api_gateway_domain_name changing imported cert to ACM AWS Managed recreating resource instead of modify #12366

Closed ivanzolotuhin closed 17 hours ago

ivanzolotuhin commented 4 years ago

I am trying to replace an imported cert, which will expire soon, with an AWS Managed one on aws_api_gateway_domain_name (Edge cert).

Terraform v0.12.23

replacing

resource "aws_api_gateway_domain_name" "lambda_custom_domain" {
  domain_name             = "${var.aws_api_lambdas["friendly_domain_prefix"]}.domain.com"
  certificate_name        = "domain-custom-lambda-domain-cert"
  certificate_body        = "${file("../../../certificates/wildcard.domain.com.crt")}"
  certificate_private_key = "${file("../../../certificates/wildcard.domain.com.key")}"
  certificate_chain       = "${file("../../../certificates/wildcard.domain.com.crt.nginx.chain.pem")}"
}

to

resource "aws_api_gateway_domain_name" "lambda_custom_domain" {
  domain_name             = "${var.aws_api_lambdas["friendly_domain_prefix"]}.domain.com"
  certificate_arn         = var.global["cert_arn_us"]
}

Expected behaviour: tf just modifies the resource, only removing the old cert and using the Edge us-east-1 ACM cert. What actually happens: it tries to recreate the resource and recreate all dependent resources, which is a disaster.

Workaround steps:

  1. Manually replace the cert for the aws api gateway domain name (choose the ACM Edge cert in the AWS console); "rollback cert" in the AWS console, for whatever reason, to apply it.
  2. Run terraform refresh to refresh the state. At this point the new certificate_arn is the right one, but the plan command still offers to recreate the resource, because it wants to remove the old certificate which is no longer attached to the resource.
  3. After the refresh: manually change the .tfstate file by removing all old-certificate-related fields from the JSON: certificate_body, certificate_chain, certificate_name, certificate_private_key.
  4. Apply/plan terraform: no changes required, which is expected after all the manual manipulations.
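
Step 3 of the workaround edits the state file by hand. The script below is an added example (not provider code and not the reporter's own tooling) that performs the same removal on a state JSON obtained with `terraform state pull`, then bumps the serial so `terraform state push` accepts the result; the resource name and the SAMPLE_STATE it runs against are constructed for illustration.

```python
"""Strip imported-cert attributes from a Terraform v4 JSON state (added example for
step 3 above, not provider code). Assumes `terraform state pull` / `state push`;
the SAMPLE_STATE below is constructed."""
import copy
from typing import Dict, List, Tuple

# Attributes the issue says must be dropped so the plan stops proposing a replacement.
IMPORTED_CERT_ATTRS = ("certificate_body", "certificate_chain",
                       "certificate_name", "certificate_private_key")

# Constructed state: pre-refresh cert attributes plus the new certificate_arn.
SAMPLE_STATE = {
    "version": 4, "terraform_version": "0.12.23", "serial": 7, "lineage": "example",
    "resources": [{
        "mode": "managed", "type": "aws_api_gateway_domain_name",
        "name": "lambda_custom_domain", "provider": "provider.aws",
        "instances": [{"schema_version": 0, "attributes": {
            "domain_name": "api.domain.com",
            "certificate_arn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE",
            "certificate_name": "domain-custom-lambda-domain-cert",
            "certificate_body": "-----BEGIN CERTIFICATE-----\n...",
            "certificate_chain": "-----BEGIN CERTIFICATE-----\n...",
            "certificate_private_key": "-----BEGIN PRIVATE KEY-----\n...",
        }}],
    }],
}


def strip_imported_cert_attrs(state: Dict, resource_name: str) -> Tuple[Dict, List[str]]:
    """Return a copy of `state` with the imported-cert attributes removed from every
    aws_api_gateway_domain_name instance named `resource_name`, plus the list of
    attribute names removed. Other resources and attributes are left untouched."""
    new_state = copy.deepcopy(state)
    removed: List[str] = []
    for res in new_state.get("resources", []):
        if res.get("type") != "aws_api_gateway_domain_name" or res.get("name") != resource_name:
            continue
        for inst in res.get("instances", []):
            attrs = inst.get("attributes", {})
            removed += [k for k in IMPORTED_CERT_ATTRS if attrs.pop(k, None) is not None]
    if removed:
        # `terraform state push` refuses a serial that is not newer than the one it
        # already holds, so bump it whenever something actually changed.
        new_state["serial"] = state.get("serial", 0) + 1
    return new_state, removed


if __name__ == "__main__":
    cleaned, gone = strip_imported_cert_attrs(SAMPLE_STATE, "lambda_custom_domain")
    print(sorted(gone), cleaned["serial"])
```

Until this edit the state, including any backups and remote-backend versions of it, carried certificate_private_key in plaintext, so those copies should be treated as sensitive material.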

justinretzolk commented 3 years ago

Hey @ivanzolotuhin 👋 Thank you for taking the time to file this. I suspect with the amount of time that's passed, you're no longer experiencing this, but I'd like to follow up just to be sure. On a quick look, it looks like certificate_body, certificate_private_key, and certificate_chain are all marked as ForceNew: true, which would at least explain why Terraform was attempting to recreate the resource.

github-actions[bot] commented 1 month ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

github-actions[bot] commented 17 hours ago

[!WARNING] This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.