Provide a resource which is an ACM certificate with builtin route53 DNS validation #9589
Comments
@alex Is there a workaround until a fix is pushed?
There is no workaround for this at the moment.
Hi folks 👋 Thanks for this feature request, although it looks to be in relation to an ACM API change that we just pushed a bug fix for: #9596 / #9598. That fix will be released with version 2.23.0 of the Terraform AWS Provider, later this week. Regarding the potential of creating a new resource that combines requesting the ACM certificate and Route 53 records, creating Terraform resources that interact with multiple AWS services is not a pattern that is well suited to Terraform or the Terraform AWS Provider. Terraform itself is designed for tracking singular units of infrastructure, and attempting to work outside that framework would introduce unnecessary code complexity and maintenance burden into the project. Since ACM itself allows any DNS provider for verification, we prefer to offer a single Terraform resource for using their generic domain validation implementation so operators can create the necessary DNS infrastructure for passing validation separately from requesting the certificate itself. Thanks again for submitting this and please follow #9596 for updates about the release of the domain validation options fix or any further discussions on that topic.
This has been released in version 2.23.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!
@bflad Thanks! Glad the API change has been addressed. That unfortunately doesn't address the problem pointed out in this issue. I understand the desire to not provide an integrated resource. Is there an open item tracking the problem elsewhere? I'd like to understand how we can use Terraform for ACM certificate DNS validation. Needing to run partial plans sounds like a problem (especially when using Terraform in an automated manner).
Just to add to the above implementation, iterating over
You'll need to compile a list of
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
Description
Currently you can create an ACM certificate, and then use `domain_validation_options` in order to use terraform resources to create DNS records to fulfill the validation. This looks something like this:

If you run this you'll immediately find that it doesn't work -- because `aws_route53_record.website_cert_validation.count` relies on the apply step for another resource, you can't actually `terraform plan` this. No worries, there's a workaround! Change that resource to be:

`length(aws_acm_certificate.cert.domain_validation_options)` should always be the same as `length(var.domain_names)`, right? Wrong! ACM is able to cache validation in some cases, so it won't ask you to prove ownership of a domain if you already have. This produces an error like:

Unfortunately, I don't believe it's possible to resolve this with the functionality in terraform today -- `count` fundamentally must be derived from the certificate resource; it's the only thing that knows how many validation records are required.

To solve this, I believe terraform-provider-aws needs to include a resource that is an AWS ACM certificate that holds the cycle of creating DNS records to respond to the request internally, because you can't express the workflow properly in HCL.
New or Affected Resource(s)
aws_acm_domain_validated_certificate
Potential Terraform Configuration
References
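The certificate-plus-Route 53 workflow the issue describes, written out as an added example; it is neither the issue author's configuration nor code from the provider repository. It uses the `for_each` form that the provider documents from version 3.0 onward, where `domain_validation_options` became a set, together with the separate `aws_acm_certificate_validation` resource the maintainer refers to. Because the records are keyed by the domain name ACM reports rather than by `count`, the number of records no longer has to match `length(var.domain_names)`; when ACM hands back the same CNAME for two names (typically an apex and its wildcard), `allow_overwrite = true` lets the duplicate be written instead of failing. The zone `example.com` and the SAN list are placeholders.

```hcl
# Added example: request a DNS-validated ACM certificate and create the
# validation records in Route 53 in one apply. Not the issue's original
# configuration; "example.com" and the SANs are placeholders.

data "aws_route53_zone" "zone" {
  name         = "example.com."
  private_zone = false
}

resource "aws_acm_certificate" "cert" {
  domain_name               = "example.com"
  subject_alternative_names = ["*.example.com"]
  validation_method         = "DNS"

  # Replacing a certificate (e.g. after a SAN change) must not leave
  # dependent listeners without a certificate in between.
  lifecycle {
    create_before_destroy = true
  }
}

# One record per validation option ACM actually asks for, keyed by the
# validated domain name rather than by a positional count. The apex and
# wildcard above receive the identical CNAME, hence allow_overwrite.
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  zone_id         = data.aws_route53_zone.zone.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.record]
}

# Waits until ACM reports the certificate as issued, so anything that
# references this resource's certificate_arn only sees a usable cert.
resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = [for r in aws_route53_record.cert_validation : r.fqdn]
}

output "certificate_arn" {
  value = aws_acm_certificate_validation.cert.certificate_arn
}
```

Downstream resources (load balancer listeners, CloudFront distributions) should take `aws_acm_certificate_validation.cert.certificate_arn` rather than `aws_acm_certificate.cert.arn`, so that Terraform does not attach a certificate that is still pending validation. The low TTL on the validation records keeps any later re-validation fast; the records themselves can stay in the zone, since ACM re-checks them for renewals.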