hashicorp / terraform-provider-awscc

Terraform AWS Cloud Control provider
https://registry.terraform.io/providers/hashicorp/awscc/latest/docs
Mozilla Public License 2.0

Unable to import or create `awscc_amplify_domain` (using non-managed domain) #1760

Open kevcube opened 1 month ago

kevcube commented 1 month ago

Terraform CLI and Terraform AWS Cloud Control Provider Version

OpenTofu and Terraform latest, awscc 0.78.0

Affected Resource(s)

Terraform Configuration Files

```hcl
resource "aws_amplify_app" "default" {
  name = "test"
}

resource "aws_amplify_branch" "default" {
  app_id      = aws_amplify_app.default.id
  branch_name = "main"
}

resource "awscc_amplify_domain" "default" {
  app_id              = aws_amplify_app.default.id
  domain_name         = "example.com"
  sub_domain_settings = [
    {
      branch_name = "master"
      prefix      = "web"
    }
  ]
}
```

Debug Output

If I try to create:

```
│ Error: AWS SDK Go Service Operation Incomplete
│ 
│   with module.amplify.awscc_amplify_domain.default["example.com"],
│   on ../../../terraform-aws-amplify-app/main.tf line 98, in resource "awscc_amplify_domain" "default":
│   98: resource "awscc_amplify_domain" "default" {
│ 
│ Waiting for Cloud Control API service CreateResource operation completion returned: waiter state transitioned to FAILED. StatusMessage: Resource of type
│ 'AWS::Amplify::Domain' with identifier 'null' was not found.. ErrorCode: NotFound
```

If I try to import:

```
│ Error: Cannot import non-existent remote object
│ 
│ While attempting to import an existing object to "module.amplify.awscc_amplify_domain.default[\"example.com\"]", the provider detected that no object
│ exists with the given id. Only pre-existing objects can be imported; check that the id is correct and that it is associated with the provider's configured region or
│ endpoint, or use "tofu apply" to create a new remote object for this resource.
```

Expected Behavior

I expect to be able to either create a domain which references an external domain name into PENDING state, where I can see it in the console and manage it from there, or to at least be able to import that domain once created.

Import is using Arn as taken from https://github.com/hashicorp/terraform-provider-awscc/blob/v0.78.0/internal/service/cloudformation/schemas/AWS_Amplify_Domain.json#L136

Actual Behavior

See Debug output

Steps to Reproduce

  1. Attempt creating or importing an Amplify domain association with a URL that could not be created in a hosted zone in the present account.
  2. Of note, my account A contains example.com, which has an NS record for zone.example.com which is delegated to account B.

quixoticmonk commented 1 month ago

Thanks for opening the issue @kevcube. I did try the domain resource and I had a stabilization issue different from yours. Should the branch name be `main` in subdomain settings?

kevcube commented 1 month ago

> Thanks for opening the issue @kevcube. I did try the domain resource and I had a stabilization issue different from yours.
>
> Should the branch name be `main` in subdomain settings?

I don't think the branch name has any bearing. I think the biggest factor is that the hosted zone is delegated from the account which owns the Amplify app to a different place.

kevcube commented 1 month ago

> Thanks for opening the issue @kevcube. I did try the domain resource and I had a stabilization issue different from yours.
>
> Should the branch name be `main` in subdomain settings?

Ah sorry, now I see what you're referring to. Yes, I misaligned the branches. Try it with them matching.
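
The branch mismatch discussed above (`master` in `sub_domain_settings` against a `main` branch) can be caught at plan time by reading the branch name from the branch resource instead of repeating the literal. This is an added example, not code from the issue or from the provider; the `domains` and `branches` variables and their values are assumptions, and it addresses only the mismatch, not the Cloud Control `NotFound` error reported above.

```hcl
# Added example. Variable names and default values are assumptions.
variable "branches" {
  type    = set(string)
  default = ["main"]
}

# Map of domain name => list of subdomain settings for that domain.
variable "domains" {
  type = map(list(object({
    branch_name = string
    prefix      = string
  })))
  default = {
    "example.com" = [{ branch_name = "main", prefix = "web" }]
  }
}

resource "aws_amplify_app" "default" {
  name = "test"
}

resource "aws_amplify_branch" "default" {
  for_each    = var.branches
  app_id      = aws_amplify_app.default.id
  branch_name = each.value
}

resource "awscc_amplify_domain" "default" {
  for_each    = var.domains
  app_id      = aws_amplify_app.default.id
  domain_name = each.key

  sub_domain_settings = [
    for s in each.value : {
      # Index the branch resource by name. A name with no managed branch
      # (for example "master") fails the plan with "Invalid index" instead
      # of reaching the API. The reference also orders the domain after the
      # branches, which a plain string literal does not.
      branch_name = aws_amplify_branch.default[s.branch_name].branch_name
      prefix      = s.prefix
    }
  ]
}
```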

kevcube commented 2 weeks ago

@quixoticmonk experienced this again today, was unable to create a custom domain within the same AWS account, and unable to import this domain once manually created to my terraform state.

quixoticmonk commented 2 weeks ago

@kevcube I used the same configuration and had the amplify app and domain created in a delegated account with the hosted zone having the NS records for the domain I own on my primary account.

```hcl
resource "aws_amplify_app" "default" {
  name = "test"
}

resource "aws_amplify_branch" "default" {
  app_id      = aws_amplify_app.default.id
  branch_name = "main"
}

resource "awscc_amplify_domain" "default" {
  app_id              = aws_amplify_app.default.id
  domain_name         = "monk-stack.com"
  sub_domain_settings = [
    {
      branch_name = "main"
      prefix      = "test"
    }
  ]
}
```

```
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
following symbols:
  + create

Terraform will perform the following actions:

  # aws_amplify_app.default will be created
  + resource "aws_amplify_app" "default" {
      + arn               = (known after apply)
      + build_spec        = (known after apply)
      + custom_headers    = (known after apply)
      + default_domain    = (known after apply)
      + id                = (known after apply)
      + name              = "test"
      + platform          = "WEB"
      + production_branch = (known after apply)
      + tags_all          = (known after apply)
    }

  # aws_amplify_branch.default will be created
  + resource "aws_amplify_branch" "default" {
      + app_id               = (known after apply)
      + arn                  = (known after apply)
      + associated_resources = (known after apply)
      + branch_name          = "main"
      + custom_domains       = (known after apply)
      + destination_branch   = (known after apply)
      + display_name         = (known after apply)
      + enable_auto_build    = true
      + id                   = (known after apply)
      + source_branch        = (known after apply)
      + tags_all             = (known after apply)
    }

  # awscc_amplify_domain.default will be created
  + resource "awscc_amplify_domain" "default" {
      + app_id                            = (known after apply)
      + arn                               = (known after apply)
      + auto_sub_domain_creation_patterns = (known after apply)
      + auto_sub_domain_iam_role          = (known after apply)
      + certificate                       = (known after apply)
      + certificate_record                = (known after apply)
      + certificate_settings              = (known after apply)
      + domain_name                       = "monk-stack.com"
      + domain_status                     = (known after apply)
      + enable_auto_sub_domain            = (known after apply)
      + id                                = (known after apply)
      + status_reason                     = (known after apply)
      + sub_domain_settings               = [
          + {
              + branch_name = "main"
              + prefix      = "test"
            },
        ]
      + update_status                     = (known after apply)
    }

Plan: 3 to add, 0 to change, 0 to destroy.
aws_amplify_app.default: Creating...
aws_amplify_app.default: Creation complete after 0s [id=############]
aws_amplify_branch.default: Creating...
awscc_amplify_domain.default: Creating...
aws_amplify_branch.default: Creation complete after 1s [id=############/main]
awscc_amplify_domain.default: Still creating... [10s elapsed]
awscc_amplify_domain.default: Creation complete after 13s [id=arn:aws:amplify:us-east-1:############:apps/############/domains/monk-stack.com]

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.
```

What is recorded against the statefile for the domain and others?