Not possible to disable certificate_transparency_logging_preference in aws provider #10167
Comments
If those certificates are used by a load balancer, then replacing them doesn't work as it tries to delete them without removing them from the load balancer. See #10233. These issues effectively prevent people from using LetsEncrypt derived certificates with load balancers on AWS. E.g. for test or development environments.
You can hack around the issue of the certificate being re-created every time by adding a lifecycle block like this to make it ignore the options block:
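The workaround described in the comment above, written out as an added example (this is not the commenter's own snippet; the file paths and resource names are placeholders):

```hcl
# Added example: importing an externally issued certificate into ACM while
# suppressing the spurious replacement caused by the options block.
# Paths and names are placeholders, not values from the issue.

resource "aws_acm_certificate" "imported" {
  private_key       = file("${path.module}/certs/privkey.pem") # placeholder path
  certificate_body  = file("${path.module}/certs/cert.pem")    # placeholder path
  certificate_chain = file("${path.module}/certs/chain.pem")   # placeholder path

  # Do not add
  #   options { certificate_transparency_logging_preference = "DISABLED" }
  # here: for an imported certificate the provider rejects it with
  # "conflicts with private_key", as quoted in the issue.

  lifecycle {
    # Each plan shows a diff on the options block that forces replacement.
    # Ignoring that attribute stops the replace on every apply. It does NOT
    # change the CT logging preference: ACM enables CT logging at import
    # time, and the certificate may already be in the public logs.
    ignore_changes = [options]
  }
}

# A listener that consumes the certificate; the cert must stay in place
# across applies for this attachment to keep working.
resource "aws_lb_listener" "https" {
  load_balancer_arn = var.load_balancer_arn # placeholder variable
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = aws_acm_certificate.imported.arn

  default_action {
    type             = "forward"
    target_group_arn = var.target_group_arn # placeholder variable
  }
}
```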
As the author of the code that introduced this issue I'd like to apologize/explain :) As you noted from the console, when you initially import a certificate, CT Logging is enabled (and at import time you have no way of changing this). Only after the fact, can you update the options on the certificate to disable CT Logging. However, at this point your certificate may already have been added to the public CT logs. So, disabling CT Logging may not have the effect you think it will, as explained at https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-transparency:
The console is mirroring the AWS API exactly here, which I'll admit would appear to be somewhat lacking. As explained at https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_acm_certificate.go#L117-L144 when you import a certificate, there's no way in the API to specify whether you want to opt in or out of CT Logging, and the default is to be opted in. I could look at issuing an
Hi folks 👋 Thank you @zioalex for filing the issue and thank you @mattburgess for the detailed explanation above. Given that the ACM API effectively does not support preventing Certificate Transparency logs being sent during the As such, we are going to close this issue for now, since the ACM API requires potential updates. Once the API has been updated, we can revisit this request in the Terraform AWS Provider. 👍 Our best recommendation would be to contact AWS via a new support case or via your Technical Account Manager (if you have one), to recommend
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
Terraform Version
Terraform v0.12.9
Affected Resource(s)
Terraform Configuration Files
Debug Output
It is not possible to include it due to sensitive data.
Panic Output
Expected Behavior
The new ACM certificate will be created with the certificate_transparency_logging_preference option disabled.
I'd been forced to add this option because if I do not, every time I apply the code I get:
recreating the certificate every time.
If I run a plan I get:
I see here 2 different problems:
If the option is not defined the resource will be recreated because it sees:
certificate_transparency_logging_preference = "DISABLED" -> null # forces replacement
If I try to set such option to DISABLED I get:
Error: "options.0.certificate_transparency_logging_preference": conflicts with private_key
Looking at the code here https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_acm_certificate.go
I see (line 129):
even though I didn't find any reason for the ConflictsWith.
Actual Behavior
Steps to Reproduce
Add the option certificate_transparency_logging_preference in the aws_acm_certificate definition:
terraform apply
Important Factoids
References