Resource aws_acm_certificate does not have attribute 'domain_validation_options.0.resource_record_value' #9345

Closed
ksoviero-medici opened this issue Jul 15, 2019 · 7 comments
Labels
service/acm Issues and PRs that pertain to the acm service.

Comments

ksoviero-medici commented Jul 15, 2019

I'm trying to create a set of verification records for my ACM certs using Terraform, and I'm running into a strange issue.

resource "aws_acm_certificate" "cert" {
  domain_name = "${element(var.domains, count.index)}"
  count = "${length(var.domains)}"

  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_route53_record" "cert-record" {
  name = "${element(aws_acm_certificate.cert.*.domain_validation_options.0.resource_record_name, count.index)}"
  type = "${element(aws_acm_certificate.cert.*.domain_validation_options.0.resource_record_type, count.index)}"
  zone_id = "${var.zone-id}"
  count = "${length(var.domains)}"
  ttl = 30

  records = [
    "${element(aws_acm_certificate.cert.*.domain_validation_options.0.resource_record_value, count.index)}"
  ]

  depends_on = [
    "aws_acm_certificate.cert"
  ]
}

Whenever I run that, I get the following set of errors:

Error: Error running plan: 1 error occurred:
	* module.swarm.module.certs.aws_route53_record.cert-record: 5 errors occurred:
	* module.swarm.module.certs.aws_route53_record.cert-record[0]: Resource 'aws_acm_certificate.cert' does not have attribute 'domain_validation_options.0.resource_record_type' for variable 'aws_acm_certificate.cert.*.domain_validation_options.0.resource_record_type'
	* module.swarm.module.certs.aws_route53_record.cert-record[4]: Resource 'aws_acm_certificate.cert' does not have attribute 'domain_validation_options.0.resource_record_value' for variable 'aws_acm_certificate.cert.*.domain_validation_options.0.resource_record_value'
	* module.swarm.module.certs.aws_route53_record.cert-record[3]: Resource 'aws_acm_certificate.cert' does not have attribute 'domain_validation_options.0.resource_record_name' for variable 'aws_acm_certificate.cert.*.domain_validation_options.0.resource_record_name'
	* module.swarm.module.certs.aws_route53_record.cert-record[2]: Resource 'aws_acm_certificate.cert' does not have attribute 'domain_validation_options.0.resource_record_type' for variable 'aws_acm_certificate.cert.*.domain_validation_options.0.resource_record_type'
	* module.swarm.module.certs.aws_route53_record.cert-record[1]: Resource 'aws_acm_certificate.cert' does not have attribute 'domain_validation_options.0.resource_record_value' for variable 'aws_acm_certificate.cert.*.domain_validation_options.0.resource_record_value'

What's odd is that this is almost a carbon copy of the example in the docs, just modified to use the "count" attribute and iterate a list of hostnames automatically.

https://www.terraform.io/docs/providers/aws/r/acm_certificate_validation.html#dns-validation-with-route-53

Debug Notes:

$ ../terraform -v
Terraform v0.11.14
+ provider.aws v2.19.0
+ provider.postgresql v1.1.0
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jul 15, 2019
Contributor

lpfeup commented Aug 2, 2019

I'm having the same problem (provider.aws 2.21.0)

@aeschright aeschright added the service/acm Issues and PRs that pertain to the acm service. label Aug 2, 2019
Contributor

obourdon commented Aug 5, 2019

On my side, this error just appeared at the end of last week. I am sometimes able to just relaunch the deployment and it works, but I am not able to tell when it will work and when it will not. This was working perfectly well before the end of last week, as I have been doing quite a lot of identical deployments over the last few months without any issues.
Terraform 0.11.14
aws provider 2.16.0

Contributor

obourdon commented Aug 5, 2019

Please also note that on my side, I made some more experiments today and I'd like to make some more statements here.

  1. This is now reproducible 100% of the time, aka 1st launch on non-existing infra => failure, 2nd launch => goes on while waiting for certificate validation
  2. My case is much more straightforward, as only 1 certificate is required, aka no count/index (see code below)
  3. No zone as compared to the official example at https://www.terraform.io/docs/providers/aws/r/acm_certificate_validation.html#dns-validation-with-route-53 (see code below)
  4. Again, this code was working perfectly well for the last 3 months and has not been touched since the problem occurred (over this weekend, as on Friday Aug 2nd everything was still OK)

resource "aws_acm_certificate" "internal" {
  domain_name       = "*.internal.${local.domain}"
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_route53_record" "internal_cert_validation" {
  zone_id = "${local.domain_zone_id}"
  name    = "${aws_acm_certificate.internal.domain_validation_options.0.resource_record_name}"
  type    = "${aws_acm_certificate.internal.domain_validation_options.0.resource_record_type}"
  records = ["${aws_acm_certificate.internal.domain_validation_options.0.resource_record_value}"]
  ttl     = 60
}

resource "aws_acm_certificate_validation" "internal" {
  certificate_arn         = "${aws_acm_certificate.internal.arn}"
  validation_record_fqdns = ["${aws_route53_record.internal_cert_validation.fqdn}"]

  timeouts {
    create = "60m"
  }
}

This definitely seems like a timing issue on an API which is now returning faster/with a more incomplete result...

Contributor

obourdon commented Aug 5, 2019

And the complete error I am getting:

(line 230) aws_acm_certificate.internal: Creating...
(line 400) aws_acm_certificate.internal: Creation complete after 3s (ID: arn:aws:acm:eu-west-1:...)
(line 1455) aws_route53_record.root: Creating...
(line 1474) aws_route53_record.root: Still creating... (10s elapsed)
...
(line 1494) aws_route53_record.root: Creation complete after 32s (ID: ...)
...
1 error occurred:
(line 1615)	* aws_route53_record.internal_cert_validation: Resource 'aws_acm_certificate.internal' does not have attribute 'domain_validation_options.0.resource_record_value' for variable 'aws_acm_certificate.internal.domain_validation_options.0.resource_record_value'

Contributor

bflad commented Aug 5, 2019

Hi folks 👋 Thanks for reporting this and sorry you are having trouble with the Terraform aws_acm_certificate resource. This does appear to be related to an ACM API change that is problematic for the Terraform resource. In an effort to consolidate discussions and efforts into one location, I'm going to opt to close this issue in favor of #9596 just since more discussion has already occurred there. Please follow #9596 for continued updates on this issue. 👍

@bflad bflad closed this as completed Aug 5, 2019
Contributor

obourdon commented Aug 5, 2019

Just to confirm what I thought. If I add some retry condition within the following lines in the code, so that when domainValidationOptions is nil we retry, then the error goes away 100% of the time.

This is definitely a timing issue in the AWS provider's exchanges with the AWS API.
HTH
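
A sketch of the retry described in the comment above, as an added example; it is not the provider's code and not from this thread. `ValidationOption`, `describeFunc`, `waitForValidationOptions` and `fakeACM` are hypothetical names, and the stub replaces the real ACM call with one that returns nil for its first few invocations.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ValidationOption holds the three fields the Terraform configs above read (hypothetical type).
type ValidationOption struct{ RecordName, RecordType, RecordValue string }
// describeFunc stands in for the ACM describe call (assumption, not the AWS SDK).
type describeFunc func(arn string) ([]ValidationOption, error)
var errNotReady = errors.New("domain validation options not populated")

// complete is true only when at least one option exists and all are filled in.
func complete(opts []ValidationOption) bool {
	for _, o := range opts {
		if o.RecordName == "" || o.RecordType == "" || o.RecordValue == "" {
			return false
		}
	}
	return len(opts) > 0
}

// waitForValidationOptions polls until options are complete, the call fails, or attempts run out.
func waitForValidationOptions(describe describeFunc, arn string, maxAttempts int, delay time.Duration) ([]ValidationOption, int, error) {
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		opts, err := describe(arn)
		if err != nil || complete(opts) {
			return opts, attempt, err
		}
		time.Sleep(delay)
	}
	return nil, maxAttempts, errNotReady
}

// fakeACM is a constructed API stub that returns nil for the first lag calls.
func fakeACM(lag int) describeFunc {
	calls := 0
	return func(string) ([]ValidationOption, error) {
		if calls++; calls <= lag {
			return nil, nil
		}
		return []ValidationOption{{"_a.internal.example.com.", "CNAME", "_b.acm-validations.example."}}, nil
	}
}

func main() { fmt.Println(waitForValidationOptions(fakeACM(2), "arn:placeholder", 5, 10*time.Millisecond)) }
```

Bounding the attempts matters: if the options never arrive, the caller gets `errNotReady` instead of the missing-attribute error surfacing later in the dependent Route 53 record.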

ghost commented Nov 2, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 2, 2019
@breathingdust breathingdust removed the needs-triage Waiting for first response or review from a maintainer. label Sep 17, 2021
6 participants