hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

"terraform import" on an existing "aws_acm_certificate" fails to set the hash values in the state file #13749

Open chroche opened 4 years ago

chroche commented 4 years ago

Terraform Version

Terraform v0.12.20
provider.aws v2.66.0

Affected Resource(s)

aws_acm_certificate

Terraform Configuration Files

resource "aws_acm_certificate" "test_cert" {
  private_key       = file("./test_cert.key")
  certificate_body  = file("./test_cert.cer")
  certificate_chain = file("./CA.cer")
  tags = {
    Name = "test_cert"
  }
}

The certificate is successfully imported manually to ACM from these files through the AWS Console, resulting in ARN arn:aws:acm:us-east-1:123456789:certificate/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee

> terraform import -var-file=env.tfvars "aws_acm_certificate"."test_cert" arn:aws:acm:us-east-1:123456789:certificate/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
aws_acm_certificate.test_cert: Importing from ID "arn:aws:acm:us-east-1:123456789:certificate/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"...
aws_acm_certificate.test_cert: Import prepared!
  Prepared aws_acm_certificate for import
aws_acm_certificate.test_cert: Refreshing state... [id=arn:aws:acm:us-east-1:123456789:certificate/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee]

Import successful!

Debug Output

N/A

Panic Output

N/A

Expected Behavior

At that point terraform plan should show

No changes. Infrastructure is up-to-date.

Actual Behavior

> terraform plan
Terraform will perform the following actions:
  # aws_acm_certificate.test_cert will be updated in-place
  ~ resource "aws_acm_certificate" "test_cert" {
        arn                       = "arn:aws:acm:us-east-1:123456789:certificate/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
      + certificate_body          = "<hash_value_for_cer>"
      + certificate_chain         = "<hash_value_for_ca>"
        domain_name               = "my_domain.com"
        domain_validation_options = []
        id                        = "arn:aws:acm:us-east-1:123456789:certificate/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
      + private_key               = (sensitive value)
        status                    = "ISSUED"

The state file contains the following:

> terraform state pull > terraform.tfstate
> cat terraform.tfstate
    {
      "mode": "managed",
      "type": "aws_acm_certificate",
      "name": "test_cert",
      "provider": "provider.aws",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "arn": "arn:aws:acm:us-east-1:123456789:certificate/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
            "certificate_authority_arn": "",
            "certificate_body": null,
            "certificate_chain": null,
            "domain_name": "my_domain.com",
            "domain_validation_options": [],
            "id": "arn:aws:acm:us-east-1:123456789:certificate/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
            "options": [
              {
                "certificate_transparency_logging_preference": "DISABLED"
              }
            ],
            "private_key": null,
            "status": "ISSUED",
            "subject_alternative_names": [
[...]

Note the null values instead of expected hash values.

Important Factoids

It is possible to work around this issue by manually updating the null values in the state file with the values shown in the output of

> terraform show -json 

after which the plan shows no differences anymore.

github-actions[bot] commented 2 years ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

visit1985 commented 2 years ago

The certificates aren't stored as hashes anymore, but the issue stays the same. DescribeCertificate does not return CertificateBody, CertificateChain or PrivateKey.

So, in order to ensure the imported certificate matches the defined resource, we would probably need to validate that the resource attributes (certificate_body, certificate_chain, private_key) match each other and only then compare the certificate's Serial with the one returned by DescribeCertificate.
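
One way to implement the check described above, as an added Go example (not the provider's own code): the local attributes are validated against each other first, and only then is the leaf serial compared with the value DescribeCertificate returns. The certificate_chain signature check is left out to keep the block short; the colon-separated hex format of ACM's Serial field and the self-signed sample pair are assumptions.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ImportMatches: private_key must belong to certificate_body; only then is the leaf serial
// compared with DescribeCertificate's Serial (assumed colon-separated hex, e.g. "0f:1e:2d:3c").
func ImportMatches(body, key []byte, acmSerial string) error {
	cb, _ := pem.Decode(body)
	kb, _ := pem.Decode(key)
	if cb == nil || kb == nil {
		return fmt.Errorf("certificate_body and private_key must both be PEM")
	}
	leaf, errC := x509.ParseCertificate(cb.Bytes)
	priv, errK := x509.ParsePKCS8PrivateKey(kb.Bytes)
	if errC != nil || errK != nil {
		return fmt.Errorf("parse failed: cert=%v key=%v", errC, errK)
	}
	// The key belongs to the cert when its public half equals the cert's SubjectPublicKeyInfo.
	pub, _ := x509.MarshalPKIXPublicKey(priv.(interface{ Public() crypto.PublicKey }).Public())
	if string(pub) != string(leaf.RawSubjectPublicKeyInfo) {
		return fmt.Errorf("private_key does not match certificate_body")
	}
	want, ok := new(big.Int).SetString(strings.ReplaceAll(acmSerial, ":", ""), 16)
	if !ok || want.Cmp(leaf.SerialNumber) != 0 {
		return fmt.Errorf("local serial %x differs from ACM serial %q", leaf.SerialNumber, acmSerial)
	}
	return nil
}

// ConstructedCert makes a self-signed Ed25519 pair with serial 0x0f1e2d3c (constructed test data, not an ACM certificate).
func ConstructedCert() (body, key []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(0x0f1e2d3c), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	kder, _ := x509.MarshalPKCS8PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: kder})
}

func main() {
	body, key := ConstructedCert()
	fmt.Println(ImportMatches(body, key, "0f:1e:2d:3c"), ImportMatches(body, key, "0f:1e:2d:3d")) // <nil>, then a serial mismatch error
}
```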

sambathlu commented 1 year ago

Hello Team,

We are experiencing the same issue in one of our current use cases. Kindly let us know if this has been fixed, or whether the bug is still open?

devopscloud2022 commented 1 year ago

Hi Team,

On running the terraform plan command I am able to see the complete value (string) of my certificate. So how can I hide this?

debu99 commented 1 year ago

This is indeed a bug, and we have to manually update the state file.