Expose status attribute for aws_acm_certificate resource for automated removal of cert verification DNS record

[samjgalbraith]

What I want to be able to do is illustrated by the below config: I want to have the DNS record which is used to demonstrate domain ownership have a count of 0 once the certificate is issued, so that the record will go away automatically and not clutter my DNS records. However, status does not seem to be exposed on the aws_acm_certificate resource. If I try to use the aws_acm_certificate data source, I can not seem to get this information either. If I apply a filter on the data source, then the apply operation fails whenever the filter condition returns an empty result, so I can't use this either. The cleanest solution seems to be exposing status on the certificate resource. This should be easy enough to add, as I see it's part of the describe-certificate response in the AWS cli and API:
https://docs.aws.amazon.com/cli/latest/reference/acm/describe-certificate.html

Terraform Version

Terraform v0.11.3

• provider.aws v1.11.0

Affected Resource(s)

• aws_acm_certificate

Terraform Configuration Files

data "aws_route53_zone" "services" {
  name = "${local.domain_name}"
}

resource "aws_acm_certificate" "service_internet_facing" {
  domain_name = "${aws_route53_record.service.name}"
  validation_method = "DNS"
}

# Certificate domain ownership validation by DNS involves putting a DNS record in to prove that you have access to DNS management.
resource "aws_route53_record" "service_cert_validation_by_dns" {
  count = "${aws_acm_certificate.status == "ISSUED" ? 0 : 1}"
  name = "${aws_acm_certificate.service_internet_facing.domain_validation_options.0.resource_record_name}"
  type = "${aws_acm_certificate.service_internet_facing.domain_validation_options.0.resource_record_type}"
  zone_id = "${data.aws_route53_zone.services.zone_id}"
  records = ["${aws_acm_certificate.service_internet_facing.domain_validation_options.0.resource_record_value}"]
  ttl = 60
}

resource "aws_acm_certificate_validation" "service_internet_facing" {
  certificate_arn = "${aws_acm_certificate.service_internet_facing.arn}"
  validation_record_fqdns = ["${aws_route53_record.service_cert_validation_by_dns.fqdn}"]
}

[stszap]

But what about renewal? If I understand correctly it wouldn't work if you delete validation dns record.

[bflad]

Support for the status attribute has been merged and will release with version 2.65.0 of the Terraform AWS Provider, likely later today. 👍

[ghost]

This has been released in version 2.65.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!