aws_route53_record not updated when it depends on an aws_acm_certificate as shown in the aws_acm_certificate_validation docs #8599
Comments
Further to the above comments, it would appear that AWS no longer returns domain verification in a fixed order. This means the Route 53 records we created previously are showing as changes, and that when validating more than one domain, it is pot luck as to whether the apply will work.
@hazmeister I can confirm this issue as well. On a cert with tens of SANs, I'm seeing a different output with every plan, although this was working fine up until 15.05.19 (according to the output of several CI jobs). So, sometime after the 15th, AWS started shuffling the validation objects in their response. To avoid polluting various zones with incorrect DNS records, one could simply remove the resource for handling those records once the cert goes into the 'Issued' state. By that time the DNS records have played their part anyway and are not required anymore. I'm creating a support ticket with AWS about this right now and will report back what they reply. Update: no need to create a support ticket. See here: #8531 (comment)
You beat me to it; looks like this is well in hand on ticket #8531
Closing as there have been many updates to the
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
Terraform Version
Terraform v0.11.13
provider.aws v2.10.0
Affected Resource(s)
Terraform Configuration Files
See https://github.com/rahulk94/terraform-route53-potential-bug for a working repo that can be used to reproduce the issue.
or
Summary
When using AWS Route53 + an ACM Certificate as per the ACM Certificate Validation docs (https://www.terraform.io/docs/providers/aws/r/acm_certificate_validation.html), the Route53 record is not updated to a new value if changes are made which result in a new URL being required after the initial deployment. A new ACM Certificate will be generated as expected, however a new Route53 record will not. This results in a couple of things when deploying changes:
Steps to reproduce issue
Alternatively, running `$ terraform apply -var-file=terraform.tfvars` can be used to achieve the same thing and follow through with deployment.
Expected Behavior
All 3 resources should be made/modified. A new Route53 record should be created as there is now a new URL it needs to be made for.
Actual Behavior
Only a new ACM Certificate and validation record will be made/modified (2 resources).
Speculation
It appears that the Route53 record is looking at the existing ACM Certificate it corresponds to for what values it should have, rather than the ACM Certificate that is about to be generated. This is fine for an initial deployment as there's no ACM Certificate, so the Route53 record is created with values corresponding to the certificate that is going to be created. But when modifying an existing environment this doesn't work.
Manual workaround
One workaround for this issue is to re-run `terraform apply tfplan` after it fails. Sometimes two re-runs are needed... This isn't very elegant, but you will see the Route53 entry will now be changed to the expected value on the subsequent run.
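As an added illustration (not the issue's own configuration and not the linked repo's code), the index-based record the validation docs showed at the time is placed beside a form keyed by domain name, which is the pattern that does not depend on the order AWS returns `domain_validation_options` in. The keyed form assumes Terraform 0.12.6+ and provider 3.x (where `domain_validation_options` is a set); the `data.aws_route53_zone.zone` data source and `example.com` are placeholders, and the two record resources are alternatives, not meant to be applied together.

```hcl
# Index-based pattern: the record follows whatever entry AWS returns at
# position 0, so a reordered domain_validation_options list makes every plan
# show churn and can publish the CNAME for the wrong SAN into the zone.
resource "aws_acm_certificate" "cert" {
  domain_name               = "example.com"         # placeholder
  subject_alternative_names = ["www.example.com"]   # placeholder
  validation_method         = "DNS"
}

resource "aws_route53_record" "cert_validation_fragile" {
  zone_id = data.aws_route53_zone.zone.zone_id      # assumed data source
  name    = aws_acm_certificate.cert.domain_validation_options[0].resource_record_name
  type    = aws_acm_certificate.cert.domain_validation_options[0].resource_record_type
  records = [aws_acm_certificate.cert.domain_validation_options[0].resource_record_value]
  ttl     = 60
}

# Keyed pattern: one record per validated domain, addressed by domain name,
# so the position of each entry in the API response no longer matters and
# an added or removed SAN changes only its own record.
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  zone_id         = data.aws_route53_zone.zone.zone_id
  name            = each.value.name
  type            = each.value.type
  records         = [each.value.record]
  ttl             = 60
}

resource "aws_acm_certificate_validation" "cert" {
  certificate_arn = aws_acm_certificate.cert.arn
  # Wait on every per-domain record rather than only the one at index 0.
  validation_record_fqdns = [for r in aws_route53_record.cert_validation : r.fqdn]
}
```

After the certificate reaches the Issued state the validation CNAMEs are no longer consulted, so keeping them keyed by domain also makes it straightforward to review the zone for stale entries.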