ACM Certificate - Recreating every-time when I have multiple subject alternative names in the cert

[mails2muki]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.14

Affected Resource(s)

aws_acm_certificate

Terraform Configuration Files

resource "aws_acm_certificate" "xxxx-xxxxx-broker-int-cert" {
  provider                  = "aws.local"
  domain_name               = "${aws_route53_record.strimzi-bootstrap-broker-int-dns.name}"
  subject_alternative_names = ["${local.broker_subject_alternative_names}"]
  validation_method         = "EMAIL"
  tags = "${local.tags}"

}

Debug Output

aws_acm_certificate.strimzi-bootstrap-broker-int-cert �[31m�[1m(new resource required)�[0m
�[0m id: "arn:aws:acm:us-east-1:690947714100:certificate/824bde02-ebd6-4553-94b5-4e00464f5703" => �[31m(forces new resource)�[0m
arn: "arn:aws:acm:us-east-1:690947714100:certificate/824bde02-ebd6-4553-94b5-4e00464f5703" =>
domain_name: "int-kafka-bootstrap.dev.us-east-1.ncpgismdic.nadq.ci" => "int-kafka-bootstrap.dev.us-east-1.ncpgismdic.nadq.ci"
domain_validation_options.#: "0" =>
subject_alternative_names.#: "5" => "5"
subject_alternative_names.0: "kafka-broker-2.dev.us-east-1.ncpgismdic.nadq.ci" => "kafka-broker-0.dev.us-east-1.ncpgismdic.nadq.ci" �[31m(forces new resource)�[0m
subject_alternative_names.1: "kafka-broker-1.dev.us-east-1.ncpgismdic.nadq.ci" => "kafka-broker-1.dev.us-east-1.ncpgismdic.nadq.ci"
subject_alternative_names.2: "kafka-broker-0.dev.us-east-1.ncpgismdic.nadq.ci" => "kafka-broker-2.dev.us-east-1.ncpgismdic.nadq.ci" �[31m(forces new resource)�[0m
subject_alternative_names.3: "kafka-broker-4.dev.us-east-1.ncpgismdic.nadq.ci" => "kafka-broker-3.dev.us-east-1.ncpgismdic.nadq.ci" �[31m(forces new resource)�[0m
subject_alternative_names.4: "kafka-broker-3.dev.us-east-1.ncpgismdic.nadq.ci" => "kafka-broker-4.dev.us-east-1.ncpgismdic.nadq.ci" �[31m(forces new resource)�[0m

Panic Output

Expected Behavior

Basically, whenever there is a change to the SAN and/or domain names the ACM should force a new resource.

Actual Behavior

But each time Terraform build is run the ACM is forcing a new resource even when there are no changes to the domain name and/or SAN names.

Steps to Reproduce

1. terraform apply

Important Factoids

References

• #0000

[ZsoltPath]

Hi,

I have similar or same issue.

Terraform v0.12.19
provider.aws v2.48.0

As you can see from the Plan output the SAN names are already in the certificate, just in a "wrong order".
I think TF should handle that the order of the SAN names can be different.

For security reasons, I've replaced the actual domain names, but kept them matching.

resource "aws_acm_certificate" "main" {
      ~ arn                       = "arn:aws:acm:us-east-1:**********:certificate/1a7088e2-87b7-432b-8cbe-1406f90e1162" -> (known after apply)
        domain_name               = "stable.YYY.co.uk"
      ~ domain_validation_options = [
***** removed ******
        ] -> (known after apply)
      ~ id                        = "arn:aws:acm:us-east-1:***********:certificate/1a7088e2-87b7-432b-8cbe-1406f90e1162" -> (known after apply)
      ~ subject_alternative_names = [ # forces replacement
            "app.dev.XXX.co.uk",
          + "app.stable.XXX.co.uk",
            "www.dev.XXX.co.uk",
            "www.stable.XXX.co.uk",
            "www.stable.YYY.co.uk",
          - "app.stable.XXX.co.uk",
        ]
      - tags                      = {} -> null
      ~ validation_emails         = [] -> (known after apply)
        validation_method         = "DNS"

      - options {
          - certificate_transparency_logging_preference = "ENABLED" -> null
        }
    }

Oh, I forgot to add that the SAN names for my resource are coming from a map like this:
additional_domain_names = keys(var.redirect_aliases)
As far as I see TF always alfabeticaly sorts map items by the key. That why app* precedes www* in the expected list.
I don't know why and how AWS ACM API sorts the SAN names

But no surprise when I get the certificate from API:

$ aws acm describe-certificate --region us-east-1 --certificate-arn arn:aws:acm:us-east-1:*********:certifica
te/1a7088e2-87b7-432b-8cbe-1406f90e1162
{
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:********:certificate/1a7088e2-87b7-432b-8cbe-1406f90e1162",
        "DomainName": "stable.YYY.co.uk",
        "SubjectAlternativeNames": [
            "stable.YYY.co.uk",
            "app.dev.XXX.co.uk",
            "www.dev.XXX.co.uk",
            "www.stable.XXX.co.uk",
            "www.stable.YYY.co.uk",
            "app.stable.XXX.co.uk"
        ],
...

[bflad]

The fix to prevent ordering differences with the subject_alternative_names attribute in the aws_acm_certificate resource has been merged and will release with version 3.0.0 of the Terraform AWS Provider, likely in about two weeks.

[ghost]

This has been released in version 3.0.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!