hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

InvalidParameterException when creating aws_cognito_user_pool_domain on a newly created aws_acm_certificate #20297

Open jwilson8767 opened 3 years ago

jwilson8767 commented 3 years ago

Terraform CLI and Terraform AWS Provider Version

Terraform v1.0.2 on linux_amd64

Affected Resource(s)

Terraform Configuration Files


locals {
  user_pool_domain = "test.example.com"

}

resource "aws_route53_record" "auth-cognito-A" {
  name = aws_cognito_user_pool_domain.user_pool_domain.domain
  type = "A"
  zone_id = data.aws_route53_zone.product_root_domain_zone.zone_id
  alias {
    evaluate_target_health = false
    name = aws_cognito_user_pool_domain.user_pool_domain.cloudfront_distribution_arn
    # This zone_id is fixed
    zone_id = "Z2FDTNDATAQYW2"
  }
}

resource "aws_acm_certificate" "user_pool_domain_cert" {
  domain_name = local.user_pool_domain
  subject_alternative_names = []
  validation_method = "DNS"

  tags = {
  }

  lifecycle {
    create_before_destroy = true
  }
}

data "aws_route53_zone" "product_root_domain_zone" {
  name = "example.com."
  private_zone = false
}

resource "aws_route53_record" "user_pool_domain_cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.user_pool_domain_cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = data.aws_route53_zone.product_root_domain_zone.id
}

resource "aws_acm_certificate_validation" "user_pool_domain_cert_validation" {
  certificate_arn = aws_acm_certificate.user_pool_domain_cert.arn
  validation_record_fqdns = [for record in aws_route53_record.user_pool_domain_cert_validation: record.fqdn]
}

resource "aws_cognito_user_pool_domain" "user_pool_domain" {
  domain = local.user_pool_domain
  certificate_arn = aws_acm_certificate.user_pool_domain_cert.arn
  user_pool_id = aws_cognito_user_pool.user_pool.id
}

resource "aws_cognito_user_pool" "user_pool" {

  name = "test-users"

  # ...

}

Panic Output

aws_acm_certificate.user_pool_domain_cert (deposed object ad05eee0): Destroying... [id=REDACTED]
aws_acm_certificate.user_pool_domain_cert: Destruction complete after 0s
╷
│ Error: Error creating Cognito User Pool Domain: InvalidParameterException: The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain. (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: 05dae2fc-81e2-4130-83a4-336229e994a8; Proxy: null)
│
│   with aws_cognito_user_pool_domain.user_pool_domain,
│   on api_resources.tf line 806, in resource "aws_cognito_user_pool_domain" "user_pool_domain":
│  806: resource "aws_cognito_user_pool_domain" "user_pool_domain" {
│
╵

Expected Behavior

The user_pool_domain creation should have been retried after ~1 minute to avoid the error, which I believe stems from the eventual consistency model of ACM.

Actual Behavior

Received error "InvalidParameterException".

Steps to Reproduce

  1. terraform apply

References

Here's a similar issue relating to CloudFront Distribution creation: https://github.com/hashicorp/terraform-provider-aws/issues/4687

And here's the PR that resolved that issue: https://github.com/hashicorp/terraform-provider-aws/pull/4698

Biacode commented 1 year ago

@breathingdust just had the same issue on my end. You must create the certificate in us-east-1 (Virginia) to solve this issue. See the example below.

resource "aws_acm_certificate" "user_pool_domain_cert" {
  provider                  = aws.aws_us_east_1
  domain_name               = local.user_pool_domain
  subject_alternative_names = []
  validation_method         = "DNS"

  tags = {
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_acm_certificate_validation" "user_pool_domain_cert_validation" {
  provider                = aws.aws_us_east_1
  certificate_arn         = aws_acm_certificate.user_pool_domain_cert.arn
  validation_record_fqdns = [for record in aws_route53_record.user_pool_domain_cert_validation : record.fqdn]
}

Notice that I am using the provider property to change the region. Good luck!
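The two fixes discussed in this thread (the original report's race between certificate validation and CreateUserPoolDomain, and the us-east-1 requirement from the comment above) can be applied together by pinning the ACM resources to a us-east-1 provider alias and by having the user pool domain depend on the validation resource's `certificate_arn` rather than the certificate's own `arn`, so Terraform waits for ACM to report the certificate as issued before it calls Cognito. The configuration below is an added example, not code from this issue or from the provider's own tests or documentation. It assumes a home region of `eu-west-1`, a provider alias named `us_east_1`, a public hosted zone for `example.com.`, and a minimal user pool named `test-users`; the `Z2FDTNDATAQYW2` hosted zone id and the `cloudfront_distribution_arn` alias target are taken from the original report.

```hcl
# Added example (not from the issue or the provider). Assumptions: the stack's
# home region is eu-west-1, the hosted zone example.com. exists and is public,
# and a user pool named test-users is acceptable.

provider "aws" {
  region = "eu-west-1" # assumed home region for everything except ACM
}

# Cognito custom domains are served by CloudFront, so the certificate must be
# issued in us-east-1 regardless of where the user pool itself lives.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

locals {
  user_pool_domain = "test.example.com"
}

data "aws_route53_zone" "product_root_domain_zone" {
  name         = "example.com."
  private_zone = false
}

resource "aws_cognito_user_pool" "user_pool" {
  name = "test-users"
}

resource "aws_acm_certificate" "user_pool_domain_cert" {
  provider          = aws.us_east_1
  domain_name       = local.user_pool_domain
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# One validation CNAME per domain_validation_options entry.
resource "aws_route53_record" "user_pool_domain_cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.user_pool_domain_cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = data.aws_route53_zone.product_root_domain_zone.zone_id
}

# Blocks until ACM reports the certificate as ISSUED; must use the same
# provider alias as the certificate it validates.
resource "aws_acm_certificate_validation" "user_pool_domain_cert_validation" {
  provider                = aws.us_east_1
  certificate_arn         = aws_acm_certificate.user_pool_domain_cert.arn
  validation_record_fqdns = [for record in aws_route53_record.user_pool_domain_cert_validation : record.fqdn]
}

# Referencing the validation resource (not aws_acm_certificate.*.arn) is what
# sequences CreateUserPoolDomain after the certificate is actually usable.
resource "aws_cognito_user_pool_domain" "user_pool_domain" {
  domain          = local.user_pool_domain
  certificate_arn = aws_acm_certificate_validation.user_pool_domain_cert_validation.certificate_arn
  user_pool_id    = aws_cognito_user_pool.user_pool.id
}

# Alias record pointing the custom domain at the CloudFront distribution that
# Cognito provisions for it, as in the original report.
resource "aws_route53_record" "auth_cognito_a" {
  name    = aws_cognito_user_pool_domain.user_pool_domain.domain
  type    = "A"
  zone_id = data.aws_route53_zone.product_root_domain_zone.zone_id

  alias {
    evaluate_target_health = false
    name                   = aws_cognito_user_pool_domain.user_pool_domain.cloudfront_distribution_arn
    # Fixed hosted zone id for all CloudFront distributions.
    zone_id                = "Z2FDTNDATAQYW2"
  }
}
```

With `create_before_destroy` on the certificate, a replacement still goes through the validation resource before the user pool domain is updated, so the ordering holds on certificate rotation as well as on first apply.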

wmdanor commented 4 weeks ago

For me it was because I had one more (undeleted from previous stuff) certificate for the same domain, so in case someone else might have the same issue, check whether you only have one certificate.