hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: check_certificate_revocation_status ignored on aws_networkfirewall_tls_inspection_configuration #38690

Closed t0yv0 closed 23 hours ago

t0yv0 commented 1 month ago

Terraform Core Version

1.6.3

AWS Provider Version

5.61.0

Affected Resource(s)

Expected Behavior

Expected Certificate revocation status to be Enabled after terraform apply, or receive an error indicating what to fix in the HCL configuration.

Actual Behavior

Expected Certificate revocation status is Disabled, terraform apply succeeds.

Relevant Error/Panic Output Snippet

N/A

Terraform Configuration Files

resource "tls_private_key" "pca-key" {
  algorithm = "RSA"
}

resource "tls_self_signed_cert" "self-signed-cert-resource" {
  private_key_pem = tls_private_key.pca-key.private_key_pem

  subject {
    common_name  = "test"
    country      = "us"
    organization = "testing"
  }

  dns_names = [
    "firewall.test.com"
  ]

  is_ca_certificate = true
  set_subject_key_id = true
  set_authority_key_id = true

  validity_period_hours = 9000

  allowed_uses = [
    "cert_signing",
    "crl_signing",
    "digital_signature",
  ]
}

resource "aws_acm_certificate" "acm-cert" {
  private_key       = tls_private_key.pca-key.private_key_pem
  certificate_body  = tls_self_signed_cert.self-signed-cert-resource.cert_pem
  certificate_chain = tls_self_signed_cert.self-signed-cert-resource.cert_pem
}

resource "aws_networkfirewall_tls_inspection_configuration" "example" {
  name        = "tls-inspection-test"
  tls_inspection_configuration {
    server_certificate_configuration {
      certificate_authority_arn = aws_acm_certificate.acm-cert.arn
      check_certificate_revocation_status {
        revoked_status_action = "REJECT"
        unknown_status_action = "REJECT"
      }
      scope {
        protocols = [6]
        destination_ports {
          from_port = 443
          to_port   = 443
        }
        destination {
          address_definition = "0.0.0.0/0"
        }
        source_ports {
          from_port = 0
          to_port   = 65535
        }
        source {
          address_definition = "0.0.0.0/0"
        }
      }
    }
  }
}

Steps to Reproduce

Debug Output

N/A

Panic Output

N/A

Important Factoids

N/A

References

N/A

Would you like to implement a fix?

No
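A post-apply drift check for this kind of silently dropped setting, added here as an example and not code from the issue or the provider: it parses the JSON shape that `aws network-firewall describe-tls-inspection-configuration` returns and compares the live `CheckCertificateRevocationStatus` block with what the HCL above asked for. The response body is constructed (the ARN is a placeholder), with the revocation block missing exactly as the report describes.

```python
import json
from typing import Optional

# Revocation settings the check_certificate_revocation_status block in the report asked for.
DESIRED_REVOCATION = {"RevokedStatusAction": "REJECT", "UnknownStatusAction": "REJECT"}


def sample_describe_output(revocation: Optional[dict]) -> str:
    """Build a constructed describe-tls-inspection-configuration response.
    revocation=None reproduces the bug: only the CA ARN and scope reach AWS."""
    conf = {
        # Placeholder ARN, not a real certificate.
        "CertificateAuthorityArn": "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER",
        "Scopes": [{"Protocols": [6]}],
    }
    if revocation is not None:
        conf["CheckCertificateRevocationStatus"] = dict(revocation)
    return json.dumps({
        "TlsInspectionConfiguration": {"ServerCertificateConfigurations": [conf]},
        "TlsInspectionConfigurationResponse": {"TlsInspectionConfigurationName": "tls-inspection-test"},
    })


def revocation_drift(describe_json: str, desired: dict) -> list:
    """Return one finding per server certificate configuration whose live revocation
    settings differ from `desired`. An empty list means the applied state matches."""
    data = json.loads(describe_json)
    name = data.get("TlsInspectionConfigurationResponse", {}).get("TlsInspectionConfigurationName", "?")
    confs = data.get("TlsInspectionConfiguration", {}).get("ServerCertificateConfigurations", [])
    findings = []
    if not confs:
        findings.append(f"{name}: no server certificate configuration present")
    for i, conf in enumerate(confs):
        live = conf.get("CheckCertificateRevocationStatus")
        if live is None:
            # The failure mode in the report: apply succeeded, but revocation checking
            # is effectively disabled because the block never reached AWS.
            findings.append(f"{name}[{i}]: CheckCertificateRevocationStatus missing (revocation checking disabled)")
            continue
        for key, want in desired.items():
            got = live.get(key)
            if got != want:
                findings.append(f"{name}[{i}]: {key} is {got!r}, expected {want!r}")
    return findings


if __name__ == "__main__":
    for line in revocation_drift(sample_describe_output(None), DESIRED_REVOCATION):
        print(line)
```

In practice the first argument is the output of the real `describe-tls-inspection-configuration` call for the applied resource, run after `terraform apply` as a gate in CI.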

github-actions[bot] commented 1 month ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

github-actions[bot] commented 23 hours ago

[!WARNING] This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.