hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Unable to get data aws_acm_certificate with multiple domains #32309

Open guyguy333 opened 1 year ago

guyguy333 commented 1 year ago

Terraform Core Version

1.5.1

AWS Provider Version

5.6.1

Affected Resource(s)

Expected Behavior

I'm able to get aws_acm_certificate with multiple domains (one main and one alternative domain)

Actual Behavior

Currently, even if I set the domain value to one or the other domain, the result is always a "not found" error. The data source works fine with an ACM certificate for a single domain (no issue).

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: no ACM Certificate matching domain (www.example.com)
│ 
│   with data.aws_acm_certificate. example,
│   on acm.tf line 1, in data "aws_acm_certificate" "example":
│    1: data "aws_acm_certificate" "example" {
│ 
╵

Relevant Error/Panic Output Snippet


Terraform Configuration Files

data "aws_acm_certificate" "example" {
  domain   = "www.example.com"
  statuses = ["ISSUED"]

  provider = aws.us-east-1
}

Steps to Reproduce

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None


justinretzolk commented 1 year ago

Hey @guyguy333 👋 Thank you for taking the time to raise this! So that we have the necessary information in order to look into this, can you supply debug logs (redacted as needed) as well?

guyguy333 commented 1 year ago

Hi @justinretzolk,

Thanks for checking my issue. Sure, here is debug log:

debug.log

justinretzolk commented 1 year ago

Hey @guyguy333 👋 Thanks for supplying those! I took a look over them, and it does indeed look like the response from the AWS API doesn't include any certificates:

2023-07-15T16:43:49.461+0200 [DEBUG] provider.terraform-provider-aws_v5.7.0_x5: HTTP Response Received: tf_data_source_type=aws_acm_certificate tf_mux_provider=*schema.GRPCProviderServer tf_req_id=6ba5bb7b-5614-beb4-6cd2-d86636594b5f aws.service=ACM http.duration=333 http.response.header.date="Sat, 15 Jul 2023 14:43:49 GMT" @module=aws aws.operation=ListCertificates http.response.header.x_amzn_requestid=28d0c60f-599b-47a3-af0c-ef27e9483801 http.response_content_length=29 http.response.body="{"Cert**************List":[]}" http.response.header.content_type=application/x-amz-json-1.1 http.status_code=200 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ReadDataSource @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.31/logging/logger.go:39 aws.region=us-east-1 aws.sdk=aws-sdk-go-v2 timestamp=2023-07-15T16:43:49.457+0200

Something that might help would be to attempt to use either the AWS CLI or API to attempt to ListCertificates and see if you get a different result (make sure to include the requisite "certificate statuses" to try to replicate the call that Terraform makes). Can you do so and let us know if you get a different result?

guyguy333 commented 1 year ago

Hi @justinretzolk.

Thanks for looking at the log. I think you shared a good hint.

AWS_REGION=us-east-1 aws acm list-certificates

didn't return anything. In order to get certificates, I had to run this command:

AWS_REGION=us-east-1 aws acm list-certificates --includes keyTypes=EC_prime256v1

to match my key type.

Thus, I edited my Terraform code to:

data "aws_acm_certificate" "example" {
  domain   = "www.example.com"
  statuses = ["ISSUED"]
  key_types = ["EC_prime256v1"]

  provider = aws.us-east-1
}

and the provider found the certificate!

So I don't know what the final proper fix is, maybe a hint in the documentation.

rahulreddy0120 commented 1 year ago

Hi @justinretzolk, I'm also facing the same issue when trying to get data for an ACM cert with multiple domains.

Error: no ACM Certificate matching domain (*.test.example.com)

JAnderson800 commented 12 months ago

In my situation, I needed to add key_types = ["RSA_2048", "RSA_4096"] to the terraform data block because the "missing" certificate was not using the RSA_2048 algorithm:

bash % aws acm list-certificates | grep "DomainName"
            "DomainName": "*.dev.my-domain.com",
            "DomainName": "*.staging.my-domain.com",
            "DomainName": "*.screenshots.my-domain.com",
bash % aws acm list-certificates --includes keyTypes=RSA_4096 | grep "DomainName"
            "DomainName": "*.widgets-stage3.my-domain.com",
bash % aws acm list-certificates --includes keyTypes=RSA_4096,RSA_2048 | grep "DomainName"
            "DomainName": "*.dev.my-domain.com",
            "DomainName": "*.staging.my-domain.com",
            "DomainName": "*.screenshots.my-domain.com",
            "DomainName": "*.widgets-stage3.my-domain.com",

Updated code to fix:

data "aws_acm_certificate" "wildcard_cert" {
  domain   = "*.widgets-stage3.my-domain.com"
  statuses = ["ISSUED"]
  key_types = ["RSA_2048", "RSA_4096"]
}

Note: For this particular data block, I don't actually need the key_type of RSA_2048 assuming the certificate will always be issued as RSA_4096

TMineCola commented 8 months ago

FYI, Terraform is based on the ACM API list-certificates, and by default that API only returns RSA_1024 / RSA_2048 certificates. So if you're using RSA_4096, you need to specify it.

Specify one or more algorithms that can be used to generate key pairs.

Default filtering returns only RSA_1024 and RSA_2048 certificates that have at least one domain. To return other certificate types, provide the desired type signatures in a comma-separated list. For example, "keyTypes": ["RSA_2048","RSA_4096"] returns both RSA_2048 and RSA_4096 certificates.

https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/list-certificates.html

Also ECDSA certificates.

bacoboy-doordash commented 2 weeks ago

~~The root issue here is that domains that are wildcard certificates don't match with the data lookup.~~

~~What I've personally seen is some other more specific certificate (non-wildcard, when one exists) gets returned and the provider just keeps retrying (using TF_LOG=1 terraform plan).~~

For others that stumble on this, I discovered I was using a newer elliptical key and the API defaults to RSA2048/4096 only. So wildcard matching works if you do this:

locals {
  all_acm_key_types = toset([
    "RSA_2048",
    "RSA_4096",
    "EC_prime256v1",
    "EC_secp384r1",
    "EC_secp521r1",
  ])
}
data "aws_acm_certificate" "wildcard" {
  domain    = "*.mydomain.com"
  key_types = local.all_acm_key_types
}

While the API defaults to RSA, I feel like the terraform provider perhaps should change the default to all key types if not specified. Something to consider as new key types become the norm.
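To make the thread's explanation concrete (the ListCertificates default key-type filter described in TMineCola's comment, and the key_types fixes shown above), here is an added Python example. It is not provider code and makes no AWS calls: it models the documented default filter over constructed certificate summaries, reproduces the "no ACM Certificate matching domain" result for a certificate issued on an EC key, and adds a small diagnostic that reports which key algorithms a domain is actually issued on, which is exactly the value to put in key_types. The certificate summaries, the placeholder ARNs and the matching rule (DomainName plus the SAN summaries, exact string match) are assumptions made for the example, not the provider's implementation.

```python
"""Local model of the ACM ListCertificates key-type filter described in this thread.

Added example, not provider code. It makes no AWS calls: the certificate summaries
below are constructed, and list_certificates() only models the documented default
(without Includes.keyTypes the API returns RSA_1024 and RSA_2048 certificates only).
"""

# Documented ListCertificates default when no keyTypes filter is supplied.
DEFAULT_KEY_TYPES = ("RSA_1024", "RSA_2048")

# The key types named in this thread; pass this to see every certificate.
ALL_KEY_TYPES = ("RSA_1024", "RSA_2048", "RSA_4096",
                 "EC_prime256v1", "EC_secp384r1", "EC_secp521r1")

# Constructed summaries in the shape of CertificateSummaryList entries.
# The ARNs are placeholders with a fake account id.
CERTIFICATE_SUMMARIES = [
    {
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example-rsa",
        "DomainName": "api.example.com",
        "SubjectAlternativeNameSummaries": ["api.example.com"],
        "KeyAlgorithm": "RSA_2048",
        "Status": "ISSUED",
    },
    {   # main domain plus one alternative name, on an EC key: the case in the issue
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example-ec",
        "DomainName": "example.com",
        "SubjectAlternativeNameSummaries": ["example.com", "www.example.com"],
        "KeyAlgorithm": "EC_prime256v1",
        "Status": "ISSUED",
    },
    {   # wildcard on an RSA_4096 key, as in the comment above
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example-wildcard",
        "DomainName": "*.widgets-stage3.my-domain.com",
        "SubjectAlternativeNameSummaries": ["*.widgets-stage3.my-domain.com"],
        "KeyAlgorithm": "RSA_4096",
        "Status": "ISSUED",
    },
    {   # an expired RSA certificate for www.example.com: dropped by statuses=["ISSUED"]
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example-expired",
        "DomainName": "www.example.com",
        "SubjectAlternativeNameSummaries": ["www.example.com"],
        "KeyAlgorithm": "RSA_2048",
        "Status": "EXPIRED",
    },
]


def certificate_names(cert):
    """All names a certificate covers: DomainName plus the SAN summaries."""
    return [cert["DomainName"], *cert.get("SubjectAlternativeNameSummaries", [])]


def list_certificates(summaries, statuses=None, key_types=None):
    """Model of ListCertificates with the CertificateStatuses and Includes.keyTypes
    filters. An empty key_types falls back to the documented RSA-only default."""
    wanted_types = set(key_types) if key_types else set(DEFAULT_KEY_TYPES)
    wanted_statuses = set(statuses) if statuses else None
    return [
        cert for cert in summaries
        if cert["KeyAlgorithm"] in wanted_types
        and (wanted_statuses is None or cert["Status"] in wanted_statuses)
    ]


def find_certificate(summaries, domain, statuses=("ISSUED",), key_types=None):
    """Domain lookup in the spirit of the data source: list with the given filters,
    then take the first certificate whose names include `domain` exactly (a wildcard
    name such as "*.mydomain.com" is matched literally). Raises LookupError with the
    provider's error wording when nothing matches."""
    for cert in list_certificates(summaries, statuses, key_types):
        if domain in certificate_names(cert):
            return cert["CertificateArn"]
    raise LookupError(f"no ACM Certificate matching domain ({domain})")


def key_types_for_domain(summaries, domain, statuses=("ISSUED",)):
    """Diagnostic: which key algorithms carry `domain` once the default filter is
    lifted. The result is the value to put in the data source's key_types."""
    return sorted({
        cert["KeyAlgorithm"]
        for cert in list_certificates(summaries, statuses, ALL_KEY_TYPES)
        if domain in certificate_names(cert)
    })


if __name__ == "__main__":
    domain = "www.example.com"
    try:  # the issue as reported: the default filter hides the EC certificate
        find_certificate(CERTIFICATE_SUMMARIES, domain)
    except LookupError as err:
        print("default key_types:", err)
    print("key types carrying the domain:",
          key_types_for_domain(CERTIFICATE_SUMMARIES, domain))
    print("with key_types set:",
          find_certificate(CERTIFICATE_SUMMARIES, domain, key_types=ALL_KEY_TYPES))
```

Running the script prints the provider-style error first, then the diagnostic answer (EC_prime256v1 for the constructed data) and the ARN found once key_types is widened. The diagnostic keeps the statuses filter so an expired certificate on another key type does not pull an unnecessary entry into key_types; when widening the filter in real configurations, keep statuses = ["ISSUED"] in place for the same reason, since a broader key_types list can only make the data source consider more certificates, never fewer.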