manicminer / terraform-aws-acm-certificate

Terraform module to create and validate AWS ACM certificates with DNS validation via Route53

Tried to create resource record set...but it already exists #2

Open mabushey opened 5 years ago

mabushey commented 5 years ago

module "my_acm_certificate" {
  source = "modules/aws_acm_certificate"
  domain_names = ["example.com", "*.example.com"]
  zone_id = "${aws_route53_zone.example.zone_id}"
  providers = {
    "aws.acm" = "aws"
    "aws.route53" = "aws"
  }
}

What I think the issue is: under ACM, both example.com and *.example.com have the exact same record of _c5b842e75809145c11acf8a651595aea.example.com. CNAME _d30e37cdff7e37b3a49d6ac69b67b567.ltfvzjuylp.acm-validations.aws.... Seems like they should be different.

mabushey commented 5 years ago

I was able to get Terraform to apply cleanly with this change:

 resource "aws_route53_record" "validation" {
   provider = "aws.route53"
-  count = "${length(var.domain_names)}"
+#  count = "${length(var.domain_names)}"
+  count = 1
   name = "${lookup(aws_acm_certificate.main.domain_validation_options[count.index], "resource_record_name")}"
   type = "${lookup(aws_acm_certificate.main.domain_validation_options[count.index], "resource_record_type")}"
   # default required for zone_ids lookup because https://github.com/hashicorp/terraform/issues/11574
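
Review bot: hardcoding `count = 1` drops the validation record for every domain after the first, so this only works while every name in `domain_names` shares the base domain's validation CNAME (true for example.com and *.example.com, which ACM coalesces, but not for a name like www.example.com, which gets its own record per the AWS docs quoted later in this thread); a certificate that includes such a name would then never validate. Deduplicate the validation options by `resource_record_name` instead of truncating to one, and drop the commented-out `count` line rather than leaving both versions in the resource.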
a-abella commented 4 years ago

Just ran into this myself. AWS has the validation CNAME behavior documented here: https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-dns.html:

Note that the first two _x values in the table are the same. That is, the random string created by ACM for the wild card name *.example.com is the same as that created for the base domain name example.com. Note also that ACM creates different CNAME records for example.com and www.example.com.

luis02lopez commented 4 years ago

Happening to us too. Terraform v0.11, AWS provider v2.70: it destroys the DNS record, tries to create it, but it says it already exists, and we end up having our app DOWN because there is no replacement record.

fingerquote commented 3 years ago

We are getting this issue as well. Any workarounds? We are in Terraform v0.13.5 and AWS Provider 3.15.0.
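
One way to handle the shared apex/wildcard CNAME that a-abella quotes above, and a workaround for the Terraform 0.13 setup fingerquote asks about, as an added example that is not the module's own code: it assumes Terraform 0.12+ syntax and AWS provider 3.x (where `domain_validation_options` is a set of objects), keys the Route53 records by `resource_record_name` so example.com and *.example.com collapse into a single record while www.example.com still gets its own, and uses placeholder `domain_names` / `zone_id` variables and the default (non-aliased) provider.

```hcl
# Added example, not code from manicminer/terraform-aws-acm-certificate.
# Assumes Terraform >= 0.12 and AWS provider 3.x.
variable "domain_names" {
  type    = list(string)
  default = ["example.com", "*.example.com", "www.example.com"] # placeholder values
}

variable "zone_id" {
  type = string # placeholder: the hosted zone that owns example.com
}

resource "aws_acm_certificate" "main" {
  domain_name               = var.domain_names[0]
  subject_alternative_names = slice(var.domain_names, 1, length(var.domain_names))
  validation_method         = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

locals {
  # Group validation options by the CNAME name ACM asks for. The apex and its
  # wildcard produce the same name, so they land in one group; the "..." grouping
  # form turns each value into a list instead of failing on the duplicate key.
  validation_groups = {
    for dvo in aws_acm_certificate.main.domain_validation_options :
    dvo.resource_record_name => {
      type  = dvo.resource_record_type
      value = dvo.resource_record_value
    }...
  }
}

resource "aws_route53_record" "validation" {
  for_each = local.validation_groups

  zone_id         = var.zone_id
  name            = each.key
  type            = each.value[0].type
  ttl             = 60
  records         = [each.value[0].value]
  # Let Terraform take over a record that already exists in the zone instead of
  # failing with "it already exists", which is the error reported in this issue.
  allow_overwrite = true
}

resource "aws_acm_certificate_validation" "main" {
  certificate_arn         = aws_acm_certificate.main.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}
```

With the three placeholder names above this plans two Route53 records (one for the apex/wildcard pair, one for www), and `allow_overwrite` covers the case where a previous apply left the CNAME in place.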