hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io

aws: aws_api_gateway_domain_name cannot update the certificate #8789

Closed keymon closed 7 years ago

keymon commented 8 years ago

Terraform Version

$ terraform -v
Terraform v0.7.3 

Affected Resource(s)

aws with aws_api_gateway_domain_name

Terraform Configuration Files

resource "aws_api_gateway_domain_name" "hsts" {
  domain_name = "${var.root_apps_domain}"

  certificate_name = "apps"
  certificate_body = "${var.apps_domain_crt}"
  certificate_chain = "${var.apps_domain_intermediate_crt}"
  certificate_private_key = "${var.apps_domain_key}"
}

Expected Behavior

When you change the content of the certificate, it should change the certificate upstream.

Actual Behavior

It does not work, and it fails with this error:

1 error(s) occurred:

* aws_api_gateway_domain_name.hsts: BadRequestException: Invalid patch path  '/certificate_body' specified for op 'replace'. Must be one of: [/certificateName]
    status code: 400, request id: e5a98f19-78e4-11e6-bd58-bdfb359ea935

Steps to Reproduce

Create an API Gateway domain name with one certificate. Try to rerun that with a different certificate.

Important Factoids

The implementation is wrong. Actually, there is no programmatic way of rotating the certs of an API Gateway domain name, as is mentioned in the documentation:

The following steps describe how to upload and renew an expiring certificate for a custom domain name using the API Gateway console. You cannot rotate custom domain name certificates programmatically.

Proposed implementation

Given you cannot rotate the certificate with API calls, I do not really know what should be the actual behaviour.

I suggest that we add an option of force_update: true, so that it will delete and create the resource to change the certificate if it is set to true, or fail with an error reporting that it must be changed manually otherwise.

References

3675
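
The behaviour proposed above, sketched in Go as an added example that is not part of the original issue or of Terraform's code. `force_update` is the option the reporter proposes, not an existing attribute; the `DomainName` type, the `PlanUpdate` function and the sample values are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// DomainName mirrors the certificate attributes of the resource in the issue
// (certificate_name, certificate_body, certificate_chain, certificate_private_key).
type DomainName struct {
	Name, Body, Chain, PrivateKey string
}

// ErrManualRotation means certificate material changed and replacement was not allowed.
var ErrManualRotation = errors.New("certificate changed: replace the resource or rotate it manually")

// PlanUpdate decides how a change is applied. Only certificate_name maps to a
// patch path the API accepted in the reported error (/certificateName); a change
// to body, chain or key cannot be patched in place. forceUpdate models the
// force_update option proposed in the issue (hypothetical).
func PlanUpdate(cur, want DomainName, forceUpdate bool) (action string, patchPaths []string, err error) {
	materialChanged := cur.Body != want.Body || cur.Chain != want.Chain || cur.PrivateKey != want.PrivateKey
	switch {
	case materialChanged && forceUpdate:
		// Delete and recreate; a rename is carried by the new resource.
		return "replace", nil, nil
	case materialChanged:
		// Fail at plan time instead of sending a patch the API rejects with a 400.
		return "", nil, ErrManualRotation
	case cur.Name != want.Name:
		return "patch", []string{"/certificateName"}, nil
	default:
		return "noop", nil, nil
	}
}

func main() {
	// Constructed sample values, not real certificate data.
	cur := DomainName{Name: "apps", Body: "PEM-OLD", Chain: "CHAIN", PrivateKey: "KEY-OLD"}
	rotated := DomainName{Name: "apps", Body: "PEM-NEW", Chain: "CHAIN", PrivateKey: "KEY-NEW"}

	_, _, err := PlanUpdate(cur, rotated, false)
	fmt.Println("without force_update:", err)

	action, _, _ := PlanUpdate(cur, rotated, true)
	fmt.Println("with force_update:", action)
}
```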

himanso commented 7 years ago

Hi, in which version of Terraform is it fixed? I am unable to update the certificates; I am getting this error:

BadRequestException: Invalid patch path '/certificate_body' specified for op 'replace'. Must be one of: [/certificateName, /certificateArn]

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.