Retry ACM certificate domain validation #9598

Merged
merged 1 commit into from
Aug 5, 2019

jdenly
Contributor

@jdenly jdenly commented Aug 2, 2019

When the DomainValidationOptions array is completely empty, retry the validation options retrieval.

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Closes #9596

Release note for CHANGELOG:

Resolves certification validation issues in AWS ap-southeast-2 region where the DomainValidationOptions array may be initially returned by AWS as completely empty.

Output from acceptance testing:

$ AWS_DEFAULT_REGION=ap-southeast-2 make testacc TESTARGS='-run=TestAccAWSAcmCertificate_dnsValidation'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./... -v -parallel 20 -run=TestAccAWSAcmCertificate_dnsValidation -timeout 120m
?       github.com/terraform-providers/terraform-provider-aws   [no test files]
=== RUN   TestAccAWSAcmCertificate_dnsValidation
=== PAUSE TestAccAWSAcmCertificate_dnsValidation
=== CONT  TestAccAWSAcmCertificate_dnsValidation
--- PASS: TestAccAWSAcmCertificate_dnsValidation (35.06s)
PASS
ok      github.com/terraform-providers/terraform-provider-aws/aws       35.091s

@jdenly jdenly requested a review from a team August 2, 2019 02:54
@ghost added the size/XS (Managed by automation to categorize the size of a PR.) and service/acm (Issues and PRs that pertain to the acm service.) labels Aug 2, 2019
@bflad added the bug (Addresses a defect in current functionality.) and upstream (Addresses functionality related to the cloud provider.) labels Aug 5, 2019
@bflad bflad self-assigned this Aug 5, 2019
@bflad bflad added this to the v2.23.0 milestone Aug 5, 2019
Contributor

@bflad bflad left a comment

Hi @jdenly 👋 Thank you very much for this fix! It was correctly fixing the issue at hand for new ACM certificates, however one concern that we have noticed in real world usage with ACM is that DomainValidationOptions can sometimes disappear after a while (months?) after validation. To combat this, I'm merging this in with a slight adjustment to the conditional, to verify that indeed the certificate is in the PENDING_VALIDATION state for returning this error:

if len(certificate.DomainValidationOptions) == 0 && aws.StringValue(certificate.Status) == acm.DomainStatusPendingValidation {

Output from acceptance testing:

--- PASS: TestAccAWSAcmCertificate_imported_IpAddress (9.37s)
--- PASS: TestAccAWSAcmCertificate_emailValidation (13.83s)
--- PASS: TestAccAWSAcmCertificate_imported_DomainName (14.90s)
--- PASS: TestAccAWSAcmCertificate_root_TrailingPeriod (14.93s)
--- PASS: TestAccAWSAcmCertificate_root (15.02s)
--- PASS: TestAccAWSAcmCertificate_wildcardAndRootSan (15.33s)
--- PASS: TestAccAWSAcmCertificate_dnsValidation (15.36s)
--- PASS: TestAccAWSAcmCertificate_san_single (15.55s)
--- PASS: TestAccAWSAcmCertificate_wildcard (17.23s)
--- PASS: TestAccAWSAcmCertificate_rootAndWildcardSan (17.71s)
--- PASS: TestAccAWSAcmCertificate_san_TrailingPeriod (18.28s)
--- PASS: TestAccAWSAcmCertificate_san_multiple (20.65s)
--- PASS: TestAccAWSAcmCertificate_tags (30.03s)

This also fixes up the aws_acm_certificate_validation testing as well.

@bflad bflad merged commit 99f6d1e into hashicorp:master Aug 5, 2019
bflad added a commit that referenced this pull request Aug 5, 2019
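
The retry behaviour discussed above, as an added Go example that is not the provider's code: an empty DomainValidationOptions list is retried only while the certificate is PENDING_VALIDATION, so a long-issued certificate whose options have disappeared is read once instead of being polled until the budget runs out. `Certificate`, `needsRetry`, `readValidationOptions` and `sequence` are hypothetical stand-ins for the AWS SDK types and the provider's retry helper, and the responses are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Certificate is a hypothetical stand-in for the two DescribeCertificate fields the PR inspects.
type Certificate struct {
	Status                  string
	DomainValidationOptions []string
}

var errOptionsNotReady = errors.New("validation options still empty")

// needsRetry follows the merged conditional: an empty list is "not ready yet"
// only while the certificate is still pending validation.
func needsRetry(c Certificate) bool {
	return len(c.DomainValidationOptions) == 0 && c.Status == "PENDING_VALIDATION"
}

// readValidationOptions calls describe up to maxAttempts times (standing in for a timeout).
func readValidationOptions(describe func() Certificate, maxAttempts int) ([]string, int, error) {
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		if cert := describe(); !needsRetry(cert) {
			return cert.DomainValidationOptions, attempt, nil
		}
	}
	return nil, maxAttempts, errOptionsNotReady
}

// sequence replays constructed responses in order, repeating the last one.
func sequence(responses ...Certificate) func() Certificate {
	i := 0
	return func() Certificate {
		c := responses[i]
		if i < len(responses)-1 {
			i++
		}
		return c
	}
}

func main() {
	pending := Certificate{Status: "PENDING_VALIDATION"}
	ready := Certificate{Status: "PENDING_VALIDATION", DomainValidationOptions: []string{"_c.example.com CNAME"}}
	fmt.Println(readValidationOptions(sequence(pending, ready), 5))                // new certificate: 2 calls
	fmt.Println(readValidationOptions(sequence(Certificate{Status: "ISSUED"}), 5)) // options gone after issuance: 1 call
}
```
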
@falgofrancis

@jdenly @bflad Thank you very much for fixing the issue. What are the chances of an earlier release?

@ghost

ghost commented Aug 7, 2019

This has been released in version 2.23.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@falgofrancis

Thank you

@ghost

ghost commented Nov 2, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 2, 2019
Development

Successfully merging this pull request may close these issues.

aws_route53_record.test_cert_validation issue with aws provider
3 participants