aws_acm_certificate_validation forces new resource every time we run terraform plan #8714

Closed
ani-patel opened this issue May 20, 2019 · 9 comments
Labels
bug Addresses a defect in current functionality. service/acm Issues and PRs that pertain to the acm service. stale Old or inactive issues managed by automation, if no further action taken these will get closed.

Comments

@ani-patel

Hi,

I am facing an issue where my aws_acm_certificate_validation is forcing a new resource every time I do a terraform plan or terraform apply, and as a result even the Route 53 records are updated with their GUIDs.

To replicate the issue, below is sample code:

resource "aws_acm_certificate" "cert" {
  domain_name               = "${var.domain_name}"
  validation_method         = "DNS"
  subject_alternative_names = "${var.subject_alternative_names}"

  lifecycle {
    create_before_destroy = true
  }
}

# Creates route 53 records for validation of DNS
resource "aws_route53_record" "cert_validation" {
  # The number of records to be created
  count   = "${length(var.subject_alternative_names) + 1}"
  name    = "${lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "resource_record_name")}"
  type    = "${lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "resource_record_type")}"
  records = ["${lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "resource_record_value")}"]
  zone_id = "${var.zone_id}"
  ttl     = 60
}

#  Validates the ACM certificate
resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = "${aws_acm_certificate.cert.arn}"
  validation_record_fqdns = ["${aws_route53_record.cert_validation.*.fqdn}"]
}

resource "null_resource" "dependency_setter" {
  depends_on = [
    "aws_acm_certificate_validation.cert",
  ]
}

This was not happening until a week back, but we have been facing these issues since then.

@nickdgriffin

Duplicate of #8531 I believe.

@nywilken
Contributor

@ani-patel thanks for opening this issue, and sorry you are running into trouble here. This is a duplicate of #8531 so I am going to close this issue and ask that any new comments be tracked on the existing thread. If you haven't already done so, please upvote #8531.

@nywilken nywilken added the service/acm Issues and PRs that pertain to the acm service. label May 21, 2019
@ani-patel
Author

ani-patel commented May 21, 2019 via email

@MeMan-MasterOfTheUniverse

@nywilken

Please reopen this issue. It is not a duplicate of 8531. As @ani-patel mentioned, this issue is specific to the certificate validation, NOT the certificate itself.

Thank you!

@nywilken nywilken added the needs-triage Waiting for first response or review from a maintainer. label Aug 7, 2019
@nywilken
Contributor

nywilken commented Aug 7, 2019

@MeMan-MasterOfTheUniverse @ani-patel thanks for the additional information here, and my apologies for any confusion. I reopened the issue and have applied the needs-triage label. Have you tried reproducing this issue with Terraform 0.12? If so, can you please provide a redacted version of the plan output?

@nywilken nywilken reopened this Aug 7, 2019
@johnhpatton

johnhpatton commented Oct 14, 2019

I am also experiencing this. Validation is forcing a new resource every time and can take up to 45 minutes before it errors out. Environment: terraform 0.12.9 with aws provider 2.32, using the same method to create a cert found in this module:
https://github.com/cloudposse/terraform-aws-acm-request-certificate

implementation:

module "cert" {
  source                      = "git::https://github.com/cloudposse/terraform-aws-acm-request-certificate.git?ref=0.4.0"
  zone_name                   = "examplezone.com"
  domain_name                 = "myhost.examplezone.com"
  validation_record_ttl       = 60
  wait_for_certificate_issued = true
}

We used real zone and domain_name entries, of course. The first apply eventually succeeds, but what we see on the second apply and beyond is the following unless we destroy and apply:

module.cert.aws_acm_certificate_validation.default[0]: Still creating... [16m10s elapsed]
module.cert.aws_acm_certificate_validation.default[0]: Still creating... [16m20s elapsed]
...
module.cert.aws_acm_certificate_validation.default[0]: Still creating... [45m0s elapsed]

Error: Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION

@vlechemin

As a workaround, I added ignore_changes on the field id which was the current date/time:

resource "aws_acm_certificate_validation" "certificate" {
    [...]

    lifecycle {
        ignore_changes = [
            "id",
        ]
    }
}
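
A check for the symptom reported in this thread, as an added example that is not part of the original issue or the provider's code: it scans `terraform show -json` plan output (Terraform 0.12+) for replace actions on the certificate-validation and Route 53 record resources and lists the attributes that differ. The sample plan, the `arn:EXAMPLE` value and the function names are constructed for illustration.

```python
import json

# Resource types from this thread whose replacement should block an apply.
WATCHED_TYPES = {"aws_acm_certificate_validation", "aws_route53_record"}

# Constructed sample shaped like `terraform show -json plan.out` output.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "module.cert.aws_acm_certificate.default[0]",
   "type": "aws_acm_certificate",
   "change": {"actions": ["no-op"], "before": {"domain_name": "myhost.examplezone.com"},
              "after": {"domain_name": "myhost.examplezone.com"}, "after_unknown": {}}},
  {"address": "module.cert.aws_route53_record.default[0]",
   "type": "aws_route53_record",
   "change": {"actions": ["update"], "before": {"ttl": 300},
              "after": {"ttl": 60}, "after_unknown": {}}},
  {"address": "module.cert.aws_acm_certificate_validation.default[0]",
   "type": "aws_acm_certificate_validation",
   "change": {"actions": ["delete", "create"],
              "before": {"certificate_arn": "arn:EXAMPLE",
                         "id": "2019-10-14 00:00:00 +0000 UTC",
                         "validation_record_fqdns": ["_x.myhost.examplezone.com"]},
              "after": {"certificate_arn": "arn:EXAMPLE"},
              "after_unknown": {"id": true, "validation_record_fqdns": true}}}
]}
""")

def changed_attributes(change):
    """Top-level attributes that differ or are only known after apply."""
    before = change.get("before") or {}
    after = change.get("after") or {}
    unknown = change.get("after_unknown") or {}
    keys = set(before) | set(after) | set(unknown)
    return sorted(k for k in keys
                  if unknown.get(k) is True or before.get(k) != after.get(k))

def find_replacements(plan, watched=WATCHED_TYPES):
    """Return (address, changed attributes) for watched resources being replaced."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        # A replacement is reported as both "delete" and "create", in either order.
        if rc.get("type") in watched and "create" in actions and "delete" in actions:
            findings.append((rc["address"], changed_attributes(change)))
    return findings

if __name__ == "__main__":
    for address, attrs in find_replacements(SAMPLE_PLAN):
        print(f"REPLACE {address}: {', '.join(attrs)}")
```

Run against a real plan by loading the JSON from `terraform show -json` in place of `SAMPLE_PLAN`; a non-empty result on a second, unchanged apply is the behaviour described in this issue.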

@aeschright aeschright added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Dec 17, 2019
@github-actions

github-actions bot commented Dec 6, 2021

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Dec 6, 2021
@github-actions github-actions bot closed this as completed Jan 5, 2022
@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 22, 2022