Open Nowaker opened 5 years ago
News on this?
I reckon there should be at least a way to also "import" the aws_acm_certificate_validation resource, as otherwise this kind of creates a loophole if you're trying to import existing stuff into a working module.
My use case...
I'm using SSL certs with CloudFront. Both for web sites and for API gateway custom domains.
I'm creating Terraform code for existing environments which have historically been created by hand.
Not being able to import an aws_acm_certificate_validation resource is a real pain. Without it I am forced to create a new certificate, which in turn forces the CloudFront distribution to be updated. Forcing a change on a production system (that doesn't actually need to be changed) is never a good idea!
My personal preference would be to make aws_acm_certificate_validation importable. It would break the "pattern" if it was to suddenly appear in my state when I hadn't manually imported it.
But maybe I can be convinced otherwise.
At any rate, whatever the solution, there should at least be some import-related documentation for this type of resource.
Actually - has the behaviour requested by this issue already been implemented in Terraform .12 ?
I've just noticed an aws_acm_certificate_validation resource appear in my state after importing the associated Route 53 validation record. If so, my problems are solved in Terraform .12.
I just got this error, but let it apply and it was a 'no-op' and just succeeded in TF1.0
I imported the certificate and it's DNS records, then let TF do the apply for the validation resource.
@michael-robbins I'm getting this as well. To confirm, running an apply against a plan creating a new aws_acm_certificate_validation resource is a no-op on the actual infrastructure?
I've imported the R53 validation record and the ACM cert into my state but it still wants to create the validation resource in the plan.
Yeah it was just a no-op for me IIRC, I don't remember it re-deploying anything (please don't blame me if it destroys your production DNS and you lose the cert for your primary domain)
Same issue here. Is there a workaround?
This is happening to me after having added new hosts to an existing certificate. The new hosts are in a different zone. On AWS everything looks fine (cert is valid and working, DNS validation records are in place, ...). Yet Terraform is unable to create aws_acm_certificate_validation, and there is no way to manually import it into the state.
In my case it was a zone_id issue. Here is how I solved it:
```hcl
# Declared here because the snippet as posted references var.domain_name
# without defining it.
variable "domain_name" {
  type = string
}

# SANs that live in a hosted zone other than the one for var.domain_name.
variable "alternative_names" {
  type = list(object({
    domain_name = string
    zone_id     = string
  }))
  default = []
}

resource "aws_acm_certificate" "this" {
  domain_name               = var.domain_name
  validation_method         = "DNS"
  subject_alternative_names = [for record in var.alternative_names : record.domain_name]

  tags = {
    Manager = "terraform"
  }

  lifecycle {
    create_before_destroy = true
  }
}

# Waits for ACM to validate the certificate via the records below. It cannot be
# imported; commenters above report that creating it against an already issued
# certificate is a no-op on the infrastructure.
resource "aws_acm_certificate_validation" "this" {
  certificate_arn         = aws_acm_certificate.this.arn
  validation_record_fqdns = [for record in aws_route53_record.validation : record.fqdn]
}

# Hosted zone for the primary domain; assumes var.domain_name is the zone apex.
data "aws_route53_zone" "root_domain_name" {
  name         = var.domain_name
  private_zone = false
}

locals {
  alternative_names_domain_list = [for item in var.alternative_names : item.domain_name]
  alternative_names_zone_list   = [for item in var.alternative_names : item.zone_id]
}

# One validation record per domain on the certificate. The zone comes from
# var.alternative_names when the domain is listed there, otherwise from the
# root zone. Getting this zone wrong was the cause of the failure above.
resource "aws_route53_record" "validation" {
  for_each = {
    for dvo in aws_acm_certificate.this.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
      zone   = contains(local.alternative_names_domain_list, dvo.domain_name) ? local.alternative_names_zone_list[index(local.alternative_names_domain_list, dvo.domain_name)] : ""
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = each.value.zone == "" ? data.aws_route53_zone.root_domain_name.zone_id : each.value.zone
}
```
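Added example (not code from the thread or from the provider): the procedure the commenters above describe is to import the ACM certificate and each Route 53 validation record, then let Terraform create the non-importable aws_acm_certificate_validation resource. The part that bit the previous commenter was picking the right hosted zone for each validation record. This script takes the JSON shape of `aws acm describe-certificate` and a zone-name-to-zone-id map (both constructed sample data here, not real accounts), resolves each validation record to the most specific hosted zone by longest-suffix match, and emits the `terraform import` commands for the resource addresses used in the configuration above (`aws_acm_certificate.this`, `aws_route53_record.validation["<domain>"]`). The `ZONEID_RECORDNAME_TYPE` import ID format for aws_route53_record is the provider's documented one; the resource names and sample data are assumptions.

```python
"""Resolve ACM DNS-validation records to Route 53 zones and emit terraform import commands."""
import json

# Constructed sample in the shape of `aws acm describe-certificate` output (not real data).
SAMPLE_DESCRIBE_CERTIFICATE = json.dumps({
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555",
        "DomainName": "example.com",
        "Status": "ISSUED",
        "DomainValidationOptions": [
            {"DomainName": "example.com", "ValidationStatus": "SUCCESS",
             "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                                "Value": "_xyz789.acm-validations.aws."}},
            {"DomainName": "api.example.com", "ValidationStatus": "SUCCESS",
             "ResourceRecord": {"Name": "_def456.api.example.com.", "Type": "CNAME",
                                "Value": "_uvw000.acm-validations.aws."}},
            {"DomainName": "www.example.org", "ValidationStatus": "PENDING_VALIDATION",
             "ResourceRecord": {"Name": "_ghi789.www.example.org.", "Type": "CNAME",
                                "Value": "_rst111.acm-validations.aws."}},
        ],
    }
})

# Constructed hosted zones (zone name -> hosted zone id), assumed to come from
# `aws route53 list-hosted-zones`. api.example.com. is a delegated child zone,
# which is exactly the case where "just use the root zone" goes wrong.
SAMPLE_ZONES = {
    "example.com.": "Z0EXAMPLECOM",
    "api.example.com.": "Z0APIEXAMPLECOM",
    "example.org.": "Z0EXAMPLEORG",
}


def zone_for(record_name, zones):
    """Return (zone_name, zone_id) of the most specific hosted zone containing record_name.

    Longest-suffix match: a record in a delegated child zone must be created in
    that child zone, not in the parent, or ACM will never see it.
    """
    name = record_name if record_name.endswith(".") else record_name + "."
    best = None
    for zname, zid in zones.items():
        if name == zname or name.endswith("." + zname):
            if best is None or len(zname) > len(best[0]):
                best = (zname, zid)
    return best


def plan_imports(describe_json, zones, cert_address="aws_acm_certificate.this",
                 record_address="aws_route53_record.validation"):
    """Build the import commands and report records that cannot be placed or are not yet validated."""
    cert = json.loads(describe_json)["Certificate"]
    commands = [f"terraform import {cert_address} {cert['CertificateArn']}"]
    unresolved, pending = [], []
    for dvo in cert["DomainValidationOptions"]:
        rr = dvo["ResourceRecord"]
        match = zone_for(rr["Name"], zones)
        if match is None:
            unresolved.append(dvo["DomainName"])
            continue
        _, zone_id = match
        # aws_route53_record import ID: ZONEID_RECORDNAME_TYPE (record name without trailing dot).
        import_id = f"{zone_id}_{rr['Name'].rstrip('.')}_{rr['Type']}"
        # for_each key in the configuration above is dvo.domain_name.
        address = f'{record_address}["{dvo["DomainName"]}"]'
        commands.append(f"terraform import '{address}' {import_id}")
        if dvo["ValidationStatus"] != "SUCCESS":
            pending.append(dvo["DomainName"])
    return {
        "commands": commands,
        "unresolved": unresolved,   # records whose zone is not in this account: fix before importing
        "pending": pending,         # ACM has not validated these yet; apply will wait, not no-op
        "issued": cert["Status"] == "ISSUED",
    }


if __name__ == "__main__":
    result = plan_imports(SAMPLE_DESCRIBE_CERTIFICATE, SAMPLE_ZONES)
    for cmd in result["commands"]:
        print(cmd)
    if result["unresolved"]:
        print("no hosted zone found for:", ", ".join(result["unresolved"]))
    if result["pending"]:
        print("still pending validation:", ", ".join(result["pending"]))
```

Run the printed commands, then `terraform plan`: with the certificate and every record in state, the only planned change should be the creation of aws_acm_certificate_validation. If `pending` is non-empty the certificate is not fully validated and the apply will block waiting on ACM rather than complete immediately, so check that before assuming it is harmless.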
Terraform Version
Affected Resource(s)
Terraform Configuration Files
Certificate is already in AWS - it was created earlier and then imported to Terraform.
Debug Output
Expected Behavior
Just work. Since Amazon considers the certificate issued and DNS validated, it should be a no-op for Terraform. Just create this virtual entity in the state and move on with life.
Actual Behavior
Steps to Reproduce
terraform import the ACM certificate.
aws_acm_certificate_validation that references the certificate.