
aws_acm_certificate resource fails when subjectAlternativeNames list member contains a trailing period #4508

Closed
RulerOf opened this issue May 11, 2018 · 2 comments

Comments

@RulerOf
Contributor

RulerOf commented May 11, 2018

This is very similar to #3836

Description

My aws_acm_certificate resource specifies a one-element list for subject_alternative_names that contains a trailing dot since it's sourced from the name attribute coming out of an aws_route53_zone data source.

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

23:51 $ terraform -v
Terraform v0.11.7
+ provider.aws v1.17.0
+ provider.postgresql v0.1.1
+ provider.template v1.0.0

Affected Resource(s)

  • resource: aws_acm_certificate
  • data: aws_route53_zone

Terraform Configuration Files

data "aws_route53_zone" "public" {
  name = "${var.public_zone_name}"
}

data "aws_route53_zone" "private" {
  zone_id = "${var.private_zone_id}"
}

resource "aws_acm_certificate" "cert" {
  domain_name               = "jenkins.${data.aws_route53_zone.public.name}"
  subject_alternative_names = ["jenkins.${data.aws_route53_zone.private.name}"]
  validation_method         = "DNS"
}

Portions of the domain names have been changed. It wasn't really necessary but they're irrelevant anyway.

Expected Behavior

The provider's aws_acm_certificate resource should be able to accept the name attribute from an aws_route53_zone resource or data source.

Actual Behavior

Portion of terraform plan output:

Terraform will perform the following actions:

  + module.bq-jenkins.aws_acm_certificate.cert
      id:                                      <computed>
      arn:                                     <computed>
      domain_name:                             "jenkins.partially.redacted.net."
      domain_validation_options.#:             <computed>
      subject_alternative_names.#:             "1"
      subject_alternative_names.0:             "jenkins.also.redacted.com."
      validation_emails.#:                     <computed>
      validation_method:                       "DNS"

Terraform apply

23:50 $ terraform apply "plan.out"
module.bq-jenkins.aws_acm_certificate.cert: Creating...
  arn:                         "" => "<computed>"
  domain_name:                 "" => "jenkins.partially.redacted.net."
  domain_validation_options.#: "" => "<computed>"
  subject_alternative_names.#: "" => "1"
  subject_alternative_names.0: "" => "jenkins.also.redacted.com."
  validation_emails.#:         "" => "<computed>"
  validation_method:           "" => "DNS"

Error: Error applying plan:

1 error(s) occurred:

* module.bq-jenkins.aws_acm_certificate.cert: 1 error(s) occurred:

* aws_acm_certificate.cert: Error requesting certificate: ValidationException: 2 validation errors detected: Value '[jenkins.west.us.preprod.bq-s.com.]' at 'subjectAlternativeNames' failed to satisfy constraint: Member must satisfy constraint: [Member must have length less than or equal to 253, Member must have length greater than or equal to 1, Member must satisfy regular expression pattern: ^(\*\.)?(((?!-)[A-Za-z0-9-]{0,62}[A-Za-z0-9])\.)+((?!-)[A-Za-z0-9-]{1,62}[A-Za-z0-9])$]; Value 'jenkins.preprod.buyerquest.net.' at 'domainName' failed to satisfy constraint: Member must satisfy regular expression pattern: ^(\*\.)?(((?!-)[A-Za-z0-9-]{0,62}[A-Za-z0-9])\.)+((?!-)[A-Za-z0-9-]{1,62}[A-Za-z0-9])$
	status code: 400, request id: 9c2c602b-54ce-11e8-a5f9-adc5947a1e01

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

Steps to Reproduce

  1. Create an aws_acm_certificate resource where the subject_alternative_names list contains at least one entry that is the name attribute from an aws_route53_zone data source.
  2. Run terraform apply

References
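
The ValidationException quoted in the report above lists ACM's length bounds and name pattern. The following added example (not part of the original issue or of the Terraform AWS provider) checks candidate names against those constraints before they reach an apply. The function names, the sample list and the trailing-dot normalization are assumptions of this example; the thread does not state that stripping the dot was the fix.

```python
import re

# Constraints copied from the ValidationException text in the issue above.
ACM_NAME_PATTERN = re.compile(
    r"^(\*\.)?(((?!-)[A-Za-z0-9-]{0,62}[A-Za-z0-9])\.)+"
    r"((?!-)[A-Za-z0-9-]{1,62}[A-Za-z0-9])$"
)
ACM_MIN_LEN, ACM_MAX_LEN = 1, 253


def acm_violations(name):
    """Return the constraints from the error message that `name` breaks."""
    problems = []
    if len(name) < ACM_MIN_LEN:
        problems.append("length < 1")
    if len(name) > ACM_MAX_LEN:
        problems.append("length > 253")
    # fullmatch: Python's `$` alone would also accept a trailing newline.
    if not ACM_NAME_PATTERN.fullmatch(name):
        problems.append("pattern mismatch")
    return problems


def normalize_fqdn(name):
    """Drop one root-label dot from an absolute DNS name (assumed remedy).

    A doubled dot is left alone so a malformed name still fails the check.
    """
    return name[:-1] if name.endswith(".") and not name.endswith("..") else name


def preflight(names):
    """Map each name to (normalized, violations before, violations after)."""
    report = {}
    for raw in names:
        fixed = normalize_fqdn(raw)
        report[raw] = (fixed, acm_violations(raw), acm_violations(fixed))
    return report


# Constructed sample input; the first two are the redacted names from the plan output.
SAMPLE = [
    "jenkins.partially.redacted.net.",
    "jenkins.also.redacted.com.",
    "*.example.com",
    "-bad.example.com",
    "example.com..",
]

if __name__ == "__main__":
    for raw, (fixed, before, after) in preflight(SAMPLE).items():
        print(f"{raw!r:36} -> {fixed!r:34} before={before} after={after}")
```
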

@RulerOf
Contributor Author

RulerOf commented May 11, 2018

Never mind. This is a classic case of "I'm doing it wrong," and I appear to have gone down the wrong path during troubleshooting.

I had confused zones and records when I decided to file this issue. ¯\_(ツ)_/¯

@RulerOf RulerOf closed this as completed May 11, 2018
@ghost

ghost commented Apr 6, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 6, 2020