Fix update of imported ACM certificates #9685
Pulling this in as part of our 3.0.0 work, thanks @julienduchesne 🚀 Please note that the major version will not include the DiffSuppressFunc
(and some logic to not call the API on hash removal only updates) to encourage updating the state immediately. 👍
Output from acceptance testing (failure related to other upcoming 3.0.0 work):
```
--- FAIL: TestAccAWSAcmCertificate_san_multiple (23.72s)
--- PASS: TestAccAWSAcmCertificate_disableCTLogging (14.97s)
--- PASS: TestAccAWSAcmCertificate_dnsValidation (16.95s)
--- PASS: TestAccAWSAcmCertificate_emailValidation (18.91s)
--- PASS: TestAccAWSAcmCertificate_imported_DomainName (28.06s)
--- PASS: TestAccAWSAcmCertificate_imported_IpAddress (11.75s)
--- PASS: TestAccAWSAcmCertificate_privateCert (20.73s)
--- PASS: TestAccAWSAcmCertificate_root (14.59s)
--- PASS: TestAccAWSAcmCertificate_root_TrailingPeriod (15.02s)
--- PASS: TestAccAWSAcmCertificate_rootAndWildcardSan (15.84s)
--- PASS: TestAccAWSAcmCertificate_san_single (19.04s)
--- PASS: TestAccAWSAcmCertificate_san_TrailingPeriod (19.81s)
--- PASS: TestAccAWSAcmCertificate_tags (39.78s)
--- PASS: TestAccAWSAcmCertificate_wildcard (20.89s)
--- PASS: TestAccAWSAcmCertificate_wildcardAndRootSan (19.73s)
```
…cate_body, certificate_chain, and private_key arguments

Reference: #9685
Reference: #13053
Reference: #13406

Output from acceptance testing (failure related to other upcoming 3.0.0 work):

```
--- FAIL: TestAccAWSAcmCertificate_san_multiple (23.72s)
--- PASS: TestAccAWSAcmCertificate_disableCTLogging (14.97s)
--- PASS: TestAccAWSAcmCertificate_dnsValidation (16.95s)
--- PASS: TestAccAWSAcmCertificate_emailValidation (18.91s)
--- PASS: TestAccAWSAcmCertificate_imported_DomainName (28.06s)
--- PASS: TestAccAWSAcmCertificate_imported_IpAddress (11.75s)
--- PASS: TestAccAWSAcmCertificate_privateCert (20.73s)
--- PASS: TestAccAWSAcmCertificate_root (14.59s)
--- PASS: TestAccAWSAcmCertificate_root_TrailingPeriod (15.02s)
--- PASS: TestAccAWSAcmCertificate_rootAndWildcardSan (15.84s)
--- PASS: TestAccAWSAcmCertificate_san_single (19.04s)
--- PASS: TestAccAWSAcmCertificate_san_TrailingPeriod (19.81s)
--- PASS: TestAccAWSAcmCertificate_tags (39.78s)
--- PASS: TestAccAWSAcmCertificate_wildcard (20.89s)
--- PASS: TestAccAWSAcmCertificate_wildcardAndRootSan (19.73s)
```
This has been released in version 3.0.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
The update for the ACM certificates did not work for imported (external) certificates. The reason for that is that only the hash of the certificates was stored in the state. The API call requires all three parts (chain, body and private key) of a certificate when updating.
Therefore, an update would only work if you changed all three parts, otherwise, it would try to send the hash instead of the actual certificate.
I tried to hack something together with `CustomizeDiff` but I couldn't manage to force Terraform to go re-read the source of the unchanged parts instead of getting them from the state when one of the three parts has changed. The way I made it work was by putting the certificate in the state
Output from acceptance testing: