-
Notifications
You must be signed in to change notification settings - Fork 9.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sort ACM cert subject alternative names and domain validation opts #8708
Conversation
The SANs are no longer sorted alphabetically. Instead the order given by the user is preserved if possible. My apologies for the inconvenience caused by the earlier sorting. Anyway, it seems AWS is going to address the issue! (#8531 (comment)) |
It looks like the SANs are now possibly randomly sorted when the certificate is first created, but that order is then preserved afterwards. ref #8531 (comment) |
@tdmalone Thanks for investigating this matter in such detail. Based on your observation, I think this fix is still helpful because it would make the sorting unnecessary. However, I would suggest to wait for one or two weeks more to see if the problem still persists before asking for this PR to be merged. |
@jtsaito Great work, thanks! Is this expected to handle the case where SAN entries are in different zones? |
Update: in |
Anything else needed to see this PR merged? People are still facing the issue with |
@bflad When can we expect this to be merged? Even though this is a breaking change, the implicit changes made by AWS to cause this issue have already broken many users' terraform plans. We've been patiently waiting for a fix for a long while now. |
this is still a major headache, when is it getting merged? |
Hi everyone, there's some internal discussion we need to have about the underlying issue and preferred fixes. In general, anything labeled |
if err != nil { | ||
return resource.RetryableError(err) | ||
} | ||
sortDomainValidationOptions(d.Get("domain_name").(*string), sans, domainValidationOptions) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tried to use this patch with terraform-provider-aws v2.23.0, but unfortunately it failed with an error.
I'm not an expert in golang, however it looks to me that d.Get("domain_name")
returns just string
, not *string
.
So changing the type of domainName
from *string
to string
worked for me.
sans := make([]string, 0) | ||
|
||
// intersection of all SANs, user defined (ud) and remote. ordered as user defined (ud) in state. | ||
for _, ud := range d.Get("subject_alternative_names").([]interface{}) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like this idea to have the certificates ordered as defined by user.
Just want to highlight that when I tried to use this solution (with terraform 0.11.4 and based on terraform aws provider 2.23) SANs were not ordered as defined by user because d.Get("subject_alternative_names")
returned an empty list during the refresh.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tried to use this PR as well, and had issues with it. I have created a new pull request that should address the problems: #10791
Just wanted to add to this discussion that I addressed the issues with this pull request, here: #10791 |
This pull request is similar to, and was based on, hashicorp#8708. However, it resolves a few issues I discovered with that patch. The certificate creation process is clearly asynchronous, and, given that the provider is attempting to read properties of an asynchronously created object, it must poll, retrying, until all critical information is available. hashicorp#8530, however, expects that this object creation succeeds BEFORE validation is complete, so, we cannot wait until the certificate is status succeeded, OR, wait until the domain validation is complete; however, terraform requires the state to be intact before returning succesfully from creation (as I understand it), and about the only way to assure the object is created successfully is to retry, which is what this resource does. My updates: - I added a retry in case the subject alternate names was empty. - I wait to Set the subject alternate names until after we've received all of the domain validation options (if any), so as to prevent side-effects from retrying. - Like hashicorp#8708, this patch sorts the SANs and DVOs according to the order in the original request / terraform state file, so that the order is predictable. This should address issue: hashicorp#8531. If this patch is applied, users will be required to either recreate their certificates, OR, manually edit the terraform state files to ensure that the order in the state file reflects the order in their terraform code. If found three places that must be edited: - Reorder domain_validation_options ''' "domain_validation_options.0.resource_record_name": "domain.com", "domain_validation_options.0.resource_record_type": "CNAME", "domain_validation_options.0.resource_record_value": "...", ''' Replace ".N." in the name with the zero-based index of each domain_validation_options. - Reorder subject_alternative_names ''' "subject_alternative_names.0": "*.domain.com" ''' Replace ".N" in the name with the zero-based index of each subject_alternative_name. - Reorder aws_route53_record validation resources: ''' "aws_route53_record.validation.1": { ''' Replace ".N" with the zero-based index of each route 53 record's domain. Kevin Burge Nice, Inc. (https://nice.com)
is this been released already? I am facing this issue ..i.e. if i add additional SAN names it is trying to recreate ACM validation again and tried to delete the old ACM one which has been already used in ALB https listener? |
This pull request is similar to, and was based on, hashicorp#8708. However, it resolves a few issues I discovered with that patch. The certificate creation process is clearly asynchronous, and, given that the provider is attempting to read properties of an asynchronously created object, it must poll, retrying, until all critical information is available. hashicorp#8530, however, expects that this object creation succeeds BEFORE validation is complete, so, we cannot wait until the certificate is status succeeded, OR, wait until the domain validation is complete; however, terraform requires the state to be intact before returning succesfully from creation (as I understand it), and about the only way to assure the object is created successfully is to retry, which is what this resource does. My updates: - I added a retry in case the subject alternate names was empty. - I wait to Set the subject alternate names until after we've received all of the domain validation options (if any), so as to prevent side-effects from retrying. - Like hashicorp#8708, this patch sorts the SANs and DVOs according to the order in the original request / terraform state file, so that the order is predictable. This should address issue: hashicorp#8531. If this patch is applied, users will be required to either recreate their certificates, OR, manually edit the terraform state files to ensure that the order in the state file reflects the order in their terraform code. If found three places that must be edited: - Reorder domain_validation_options ''' "domain_validation_options.0.resource_record_name": "domain.com", "domain_validation_options.0.resource_record_type": "CNAME", "domain_validation_options.0.resource_record_value": "...", ''' Replace ".N." in the name with the zero-based index of each domain_validation_options. - Reorder subject_alternative_names ''' "subject_alternative_names.0": "*.domain.com" ''' Replace ".N" in the name with the zero-based index of each subject_alternative_name. - Reorder aws_route53_record validation resources: ''' "aws_route53_record.validation.1": { ''' Replace ".N" with the zero-based index of each route 53 record's domain. Kevin Burge Nice, Inc. (https://nice.com)
This is ancient, so I'm closing this. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
This PR is an alternative implementation to #8657 addressing #8657 (comment). It ads a fix for #8531.
The advantage of this implementation in comparison to #8657 is that the subject alternative names (SANs) are also ordered and they will be ordered consistently with the DVOs.
We sort the SANs as specified in the Terraform file and subsequently sort the domain validation options (DVOs) such that the option for the certificate's domain name comes first and the remainder is sorted according to the order of the SANs.
I have included unit tests but I'm not sure if they belong here at all. (Obviously, the are passing.)
I would be grateful if someone could run the acceptance tests as I don't want to handle setting up the email validation.
Community Note
Fixes: #8531
Release note for CHANGELOG:
Output from acceptance testing:
I did not run the acc test on this because I did not want to setup the email validation. However, I tested the implementation by compiling and using it.