ACM Certificate Replace subjectAlternativeNames #1384

Closed
mark-bixler opened this issue Mar 9, 2021 · 6 comments
Labels
bug/diff kind/bug related to Pulumi generating wrong diffs on preview or up. kind/bug Some behavior is incorrect or out of spec resolution/no-repro This issue wasn't able to be reproduced

Comments

@mark-bixler

Running a new pulumi preview against my 2 SANs results in Pulumi wanting to replace my Certificate.

I've noticed a past issue #1022 but that was closed and resolved.

I'm on the latest versions:

v2.22.0
@pulumi/aws@3.32.0

Expected behavior

Expected behavior is to not detect any changes. The list has stayed static. No changes between up / preview.

Current behavior

Pulumi tries to replace resource.

@mark-bixler mark-bixler added the kind/bug Some behavior is incorrect or out of spec label Mar 9, 2021
@lukehoban
Member

What property does the update say has changed, and from what to what? Can you share the preview --diff output?

@mark-bixler
Author

For sure! Some names have been replaced with generic ones.

╰─❯ pulumi preview --diff
Previewing update (dev)

View Live: https://app.pulumi.com/mark-bixler/example.io/dev/previews/88331707-f555-441f-860a-aa709eb8cf20

  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:dev::example.io::pulumi:pulumi:Stack::example.io-dev]
    +-aws:acm/certificate:Certificate: (replace)
        [id=arn:aws:acm:us-east-1:208123456789:certificate/678536c4-2b68-4dc4-a74c-5239ef541758]
        [urn=urn:pulumi:dev::example.io::aws:acm/certificate:Certificate::example.io-cert]
        [provider=urn:pulumi:dev::example.io::pulumi:providers:aws::secondary::9ce33a40-5ee3-4c1c-afa4-36bcec07fe0e]
      ~ subjectAlternativeNames: [
          + [0]: "example.io"
        ]
    --outputs:--        
  ~ certArn            : "arn:aws:acm:us-east-1:208123456789:certificate/678536c4-2b68-4dc4-a74c-5239ef541758" => output<string>
    + aws:s3/bucketPolicy:BucketPolicy: (create)
        [urn=urn:pulumi:dev::example.io::aws:s3/bucketPolicy:BucketPolicy::bucketPolicy]
        [provider=urn:pulumi:dev::example.io::pulumi:providers:aws::default_3_32_0::948060e5-ede3-4862-bf87-e2bfbc26d127]
        bucket    : "example.io"
        policy    : "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":[\"s3:GetObject\"],\"Resource\":[\"arn:aws:s3:::example.io/*\"]}]}"
    ~ aws:cloudfront/distribution:Distribution: (update)
        [id=EBBYHAD0APXL8]
        [urn=urn:pulumi:dev::example.io::aws:cloudfront/distribution:Distribution::example.io-cf-distro]
        [provider=urn:pulumi:dev::example.io::pulumi:providers:aws::primary::ac20fd92-9f83-422c-8c3c-c947763de93b]
      ~ viewerCertificate: {
          ~ acmCertificateArn           : "arn:aws:acm:us-east-1:208123456789:certificate/678536c4-2b68-4dc4-a74c-5239ef541758" => output<string>
          ~ cloudfrontDefaultCertificate: false => true
        }
    - aws:acm/certificateValidation:CertificateValidation: (delete)
        [id=2021-03-09 00:33:06 +0000 UTC]
        [urn=urn:pulumi:dev::example.io::aws:acm/certificateValidation:CertificateValidation::example.io-cert-validation]
        [provider=urn:pulumi:dev::example.io::pulumi:providers:aws::secondary::9ce33a40-5ee3-4c1c-afa4-36bcec07fe0e]
        certificateArn       : "arn:aws:acm:us-east-1:208123456789:certificate/678536c4-2b68-4dc4-a74c-5239ef541758"
        validationRecordFqdns: [
            [0]: "_9ca52926eee1c50c11627e3f8f6a2746.example.io"
        ]
    - aws:route53/record:Record: (delete)
        [id=Z065202617WF6N3Z5GA22__9ca52926eee1c50c11627e3f8f6a2746.example.io._CNAME]
        [urn=urn:pulumi:dev::example.io::aws:route53/record:Record::example.io-validation-record]
        [provider=urn:pulumi:dev::example.io::pulumi:providers:aws::secondary::9ce33a40-5ee3-4c1c-afa4-36bcec07fe0e]
        name                      : "_9ca52926eee1c50c11627e3f8f6a2746.example.io."
        records                   : [
            [0]: "_8b6c64a336a9f5a2b9770f3b007f0a0c.nfyddsqlcy.acm-validations.aws."
        ]
        ttl                       : 60
        type                      : "CNAME"
        zoneId                    : "Z065202617WF6N3Z5GA22"
Resources:
    + 1 to create
    ~ 1 to update
    - 2 to delete
    +-1 to replace
    5 changes. 6 unchanged 

The code block for the cert (it did not change; I was just adding a new bucket policy):

const cert = new aws.acm.Certificate(
  `${bucketName}-cert`,
  {
    domainName: bucketName,
    subjectAlternativeNames: [
      bucketName, `*.${bucketName}`
    ],
    tags,
    validationMethod: 'DNS',
  },
  {
    provider: secondary,
  },
);
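
The preview quoted above shows the certificate replace cascading into deletion of the validation resources and a change to the CloudFront viewer certificate. As an added example (not part of this issue and not Pulumi code), here is a small parser for that `pulumi preview --diff` text layout that a CI job could run to stop before `pulumi up` when such steps appear; `parsePreviewDiff`, `riskySteps` and the `GUARDED` type list are hypothetical names and assumptions.

```javascript
// Added example (not Pulumi code): report replace/delete steps on guarded types.
const HEADER = /^\s*(?:\+-|[+~-])?\s*([\w-]+:[\w\/-]+:\w+): \((\w+)\)\s*$/;
const URN = /^\s*\[urn=(.+)\]\s*$/;
const PROP = /^(\s*)[~+-]\s+(\w+)\s*:/;
// Assumption: which resource types to guard; adjust for your stack.
const GUARDED = /^aws:(acm|route53|cloudfront)\//;

function parsePreviewDiff(text) {
  const steps = [];
  let cur = null, m;
  for (const line of text.split(/\r?\n/)) {
    if ((m = HEADER.exec(line))) {
      cur = { type: m[1], op: m[2], urn: null, changed: [], indent: null };
      steps.push(cur);
    } else if (/^\s*--outputs:--/.test(line) || /^Resources:/.test(line)) {
      cur = null; // stack outputs and the summary belong to no resource
    } else if (cur && (m = URN.exec(line))) {
      cur.urn = m[1];
    } else if (cur && (m = PROP.exec(line))) {
      // Keep top-level properties only: same indent as the first one seen.
      if (cur.indent === null) cur.indent = m[1].length;
      if (m[1].length === cur.indent) cur.changed.push(m[2]);
    }
  }
  return steps;
}

function riskySteps(text) {
  return parsePreviewDiff(text)
    .filter((s) => GUARDED.test(s.type) && ["replace", "delete"].includes(s.op))
    .map(({ op, type, urn, changed }) => ({ op, type, urn, changed }));
}

// Constructed sample in the layout of the output quoted in this issue.
const SAMPLE = [
  "  pulumi:pulumi:Stack: (same)",
  "    +-aws:acm/certificate:Certificate: (replace)",
  "        [urn=urn:pulumi:dev::example.io::aws:acm/certificate:Certificate::example.io-cert]",
  "      ~ subjectAlternativeNames: [",
  '          + [0]: "example.io"',
  "    --outputs:--",
  '  ~ certArn            : "arn-placeholder" => output<string>',
  "    ~ aws:cloudfront/distribution:Distribution: (update)",
  "      ~ viewerCertificate: {",
  "          ~ cloudfrontDefaultCertificate: false => true",
  "    - aws:route53/record:Record: (delete)",
  "        [urn=urn:pulumi:dev::example.io::aws:route53/record:Record::example.io-validation-record]",
].join("\n");
console.log(JSON.stringify(riskySteps(SAMPLE), null, 2));
```

A non-empty result from `riskySteps` is the signal to fail the job and review the diff by hand.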

@flo-kn

flo-kn commented Jul 20, 2022

Experiencing the same. The issue still seems to exist on Pulumi version v3.36.0. Any updates on a solution / workaround?


     Type                              Name                                 Plan        Info
     pulumi:pulumi:Stack               whatever                   2 messages
 +-  ├─ aws:acm:Certificate            myservice-certificate                    replace     [diff: ~subjectAlternativeNames]
 +-  ├─ aws:acm:CertificateValidation  myservice-certificate-validation         replace     [diff: ~certificateArn]
 +-  └─ aws:route53:Record             myservice-certificate-validation-record  replace     [diff: ~name,records]

I even get it when feeding just one value into the subjectAlternativeNames array.

@t0yv0 t0yv0 added the bug/diff kind/bug related to Pulumi generating wrong diffs on preview or up. label Dec 13, 2023
@t0yv0 t0yv0 added the needs-repro Needs repro steps before it can be triaged or fixed label Mar 28, 2024
@t0yv0
Member

t0yv0 commented Mar 28, 2024

If anyone has an example program here to reproduce, that would make it much easier. Thank you!

@flo-kn

flo-kn commented Apr 18, 2024

Not 100% sure anymore. I would have a hard time reproducing the scenario again today, but I don't want to leave it unanswered:

It must have been in the broader context of providing certs to pulumi-helm (very vague, I know). As I said, I'm not sure, but I hope it helps; it must have been something similar to this that produced the issue:

const cert = new aws.acm.Certificate(`myservice-certificate`, {
    domainName: `myService.myDomainName`,
    validationMethod: "DNS",
    subjectAlternativeNames: [`${config.targetDomain}`]
});

const validationRecord = new aws.route53.Record(
    `myservice-certificate-validation-record`,
    {
      type: aws.route53.RecordType.CNAME,
      name: recordName,
      records: [recordValue],
      zoneId,
      ttl: 1800,
    }
);

const configCertValidation = new aws.acm.CertificateValidation(
    `myservice-certificate-validation`,
    {
      certificateArn: cert.arn,
    }
);

@t0yv0 t0yv0 added needs-triage Needs attention from the triage team and removed needs-repro Needs repro steps before it can be triaged or fixed labels Apr 18, 2024
@t0yv0 t0yv0 added this to the 0.104 milestone Apr 19, 2024
@t0yv0 t0yv0 removed the needs-triage Needs attention from the triage team label Apr 19, 2024
@mikhailshilkov mikhailshilkov removed this from the 0.104 milestone Jun 5, 2024
@t0yv0 t0yv0 added the resolution/no-repro This issue wasn't able to be reproduced label Sep 13, 2024
@t0yv0
Member

t0yv0 commented Sep 13, 2024

Closing this as stale as we still couldn't quite reproduce. If you're experiencing something similar, opening a new issue with a self-contained repro would be very helpful!

@t0yv0 t0yv0 closed this as completed Sep 13, 2024