ACM domain_validation_options output not stable

[edulop91]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

0.11.11

Affected Resource(s)

aws_acm_certificate

Terraform Configuration Files

Using this module

Debug Output

Panic Output

Expected Behavior

I expect that the domain_validation_options remain stable between terraform runs when there are neither code changes nor aws console changes.

Actual Behavior

The order of items in aws_acm_cert.x.domain_validation_options seems to be unstable. If we are creating other resources using a count on this list (example) then we get spurious diffs.

first run:

[
  {
    "domain_name": "F",
    "resource_record_name": "<redacted>",
    "resource_record_type": "CNAME",
    "resource_record_value": "<redacted>"
  },
  {
    "domain_name": "A",
    "resource_record_name": "<redacted>",
    "resource_record_type": "CNAME",
    "resource_record_value": "<redacted>"
  },
  {
    "domain_name": "B",
    "resource_record_name": "<redacted>",
    "resource_record_type": "CNAME",
    "resource_record_value": "<redacted>"
  },
  {
    "domain_name": "C",
    "resource_record_name": "<redacted>",
    "resource_record_type": "CNAME",
    "resource_record_value": "<redacted>"
  },
  {
    "domain_name": "D",
    "resource_record_name": "<redacted>",
    "resource_record_type": "CNAME",
    "resource_record_value": "<redacted>"
  },
  {
    "domain_name": "E",
    "resource_record_name": "<redacted>",
    "resource_record_type": "CNAME",
    "resource_record_value": "<redacted>"
  }
]

second run:

[
  {
    "domain_name": "A",
    "resource_record_name": "<redacted>",
    "resource_record_type": "CNAME",
    "resource_record_value": "<redacted>"
  },
  {
    "domain_name": "B",
    "resource_record_name": "<redacted>",
    "resource_record_type": "CNAME",
    "resource_record_value": "<redacted>"
  },
  {
    "domain_name": "C",
    "resource_record_name": "<redacted>",
    "resource_record_type": "CNAME",
    "resource_record_value": "<redacted>"
  },
  {
    "domain_name": "D",
    "resource_record_name": "<redacted>",
    "resource_record_type": "CNAME",
    "resource_record_value": "<redacted>"
  },
  {
    "domain_name": "E",
    "resource_record_name": "<redacted>",
    "resource_record_type": "CNAME",
    "resource_record_value": "<redacted>"
  },
  {
    "domain_name": "F",
    "resource_record_name": "<redacted>",
    "resource_record_type": "CNAME",
    "resource_record_value": "<redacted>"
  }
]

Steps to Reproduce

1. terraform apply

Important Factoids

References

• #0000

[edulop91]

Realize the terraform 0.12 for_each might actually fix this

[blimmer]

For those looking for a workaround -

locals {
  zonemap = "${zipmap(aws_route53_zone.hosted-zones.*.name, aws_route53_zone.hosted-zones.*.zone_id)}"
}

and then in your R53 record block:

resource "aws_route53_record" "domain-validations" {
  count = "${length(var.domain_names)}"
  zone_id = "${lookup(local.zonemap, "${lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "domain_name")}.")}"
  ... the rest of the params...
}

shoutout to @onyxraven for this solution

NOTE: This does seem to force a recreate on each run, but at least it works until there's an upstream solution.

[tdmalone]

Possible duplicate of #8531

[edulop91]

Closing since duplicate of #8531

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!