aws_acm_certificate resource fails when requesting cert validation with a trailing period . #6533

Closed
brianabston001 opened this issue Nov 20, 2018 · 4 comments · Fixed by #6844
Labels
service/acm Issues and PRs that pertain to the acm service. service/route53 Issues and PRs that pertain to the route53 service.

@brianabston001

This is very similar to #3836

Description

Apply is failing due to a trailing . being added but looks like the API is not accepting it.

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.8
+ provider.atlas v0.1.1
+ provider.aws v1.40.0
+ provider.random v2.0.0

Affected Resource(s)

  • resource: aws_acm_certificate
  • data: aws_route53_zone

Terraform Configuration Files

resource "aws_route53_zone" "public_io" {
  name = "${var.environment}-public.io"

  tags {
    Name        = "${var.environment}-public.io"
    Environment = "${var.environment}"
  }

  lifecycle {
    prevent_destroy = true
  }
}

resource "aws_acm_certificate" "integration_cert" {
  domain_name = "api.${aws_route53_zone.public_io.name}"
  validation_method = "DNS"

  tags {
    Name        = "${var.environment}-integration-cert"
    Environment = "${var.environment}"
  }
}

resource "aws_route53_record" "integration_cert_validation" {
  name = "${aws_acm_certificate.integration_cert.domain_validation_options.0.resource_record_name}"
  type = "${aws_acm_certificate.integration_cert.domain_validation_options.0.resource_record_type}"
  zone_id = "${aws_route53_zone.public_io.id}"
  records = ["${aws_acm_certificate.integration_cert.domain_validation_options.0.resource_record_value}"]
  ttl = 60
}

resource "aws_acm_certificate_validation" "integration_cert" {
  certificate_arn = "${aws_acm_certificate.integration_cert.arn}"
  validation_record_fqdns = ["${aws_route53_record.integration_cert_validation.fqdn}"]
}

It is adding a trailing . to the end of the domain name.

Expected Behavior

The trailing . is added before the interpolation. While this is the correct behavior, the upstream API appears not to accept this.

Actual Behavior

Portion of the terraform plan output

  + module.route53.aws_acm_certificate.integration_cert
      id:                                <computed>
      arn:                               <computed>
      domain_name:                       "api.dev-public.io."
      domain_validation_options.#:       <computed>
      tags.%:                            "2"
      tags.Environment:                  "dev"
      tags.Name:                         "dev-integration-cert"
      validation_emails.#:               <computed>
      validation_method:                 "DNS" 

+ module.route53.aws_acm_certificate_validation.integration_cert
      id:                                <computed>
      certificate_arn:                   "${aws_acm_certificate.integration_cert.arn}"
      validation_record_fqdns.#:         <computed>

-/+ module.route53.aws_route53_record.integration_cert_validation (new resource required)
      id:                                "Z3OPNEP7FSVESQ__14aacb5736eb47429d525d83bc5af041.api.dev-public.io._CNAME" => <computed> (forces new resource)
      allow_overwrite:                   "true" => "true"
      fqdn:                              "_14aacb5736eb47429d525d83bc5af041.api.dev-public.io" => <computed>
      name:                              "_14aacb5736eb47429d525d83bc5af041.api.dev-public.io" => "${aws_acm_certificate.integration_cert.domain_validation_options.0.resource_record_name}" (forces new resource)
      records.#:                         "1" => <computed>
      ttl:                               "60" => "60"
      type:                              "CNAME" => "${aws_acm_certificate.integration_cert.domain_validation_options.0.resource_record_type}"
      zone_id:                           "Z3XXXEP7FSXXX" => "Z3XXXEP7FSXXX"

Terraform apply

Error: Error applying plan:

1 error(s) occurred:

* module.route53.aws_acm_certificate.integration_cert: 1 error(s) occurred:

* aws_acm_certificate.integration_cert: Error requesting certificate: ValidationException: 1 validation error detected: Value 'api.dev-public.io.' at 'domainName' failed to satisfy constraint: Member must satisfy regular expression pattern: ^(\*\.)?(((?!-)[A-Za-z0-9-]{0,62}[A-Za-z0-9])\.)+((?!-)[A-Za-z0-9-]{1,62}[A-Za-z0-9])$
	status code: 400, request id: 65dd1d06-ecb7-11e8-8448-496e491f2929

Important Factoids

This was working when I had the version 1.40.0 pinned. I tried to go to the latest 1.46.0 and started seeing the problems. I deleted the .terraform dir and pinned back to 1.40.0 and it will not work again. I was told this was an issue and was fixed in 1.41.0 but looks like I am still having it.

References

@brianabston001 brianabston001 changed the title aws_acm_certificate resource fails when requesting cert validation aws_acm_certificate resource fails when requesting cert validation with a trailing period . Nov 20, 2018
@brianabston001
Author

To get around this I am having to do a replace on code which is not ideal.

resource "aws_acm_certificate" "integration_cert" {
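  # Strip only a literal trailing period; an unescaped "." would remove the last character of any name.
  domain_name = "api.${replace(aws_route53_zone.public_io.name, "/[.]$/", "")}"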
  validation_method = "DNS"

  tags {
    Name        = "${var.environment}-integration-cert"
    Environment = "${var.environment}"
  }
}

@bflad
Contributor

bflad commented Dec 13, 2018

Pull request submitted to have the aws_acm_certificate resource automatically trim a trailing period for domain_name and subject_alternative_names: #6844
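The trimming described in the comment above, sketched as an added example in Python; it is not code from this issue or from the AWS provider. It checks names against the pattern quoted in the ValidationException and shows why the trim must match a literal period only. All function names are hypothetical, and `api.example.com` is a constructed sample.

```python
import re

# Pattern copied from the ValidationException text in this issue.
ACM_DOMAIN_RE = re.compile(
    r"^(\*\.)?(((?!-)[A-Za-z0-9-]{0,62}[A-Za-z0-9])\.)+"
    r"((?!-)[A-Za-z0-9-]{1,62}[A-Za-z0-9])$"
)


def trim_trailing_period(name: str) -> str:
    """Drop one trailing root-label period; leave every other name untouched."""
    return name[:-1] if name.endswith(".") else name


def naive_trim(name: str) -> str:
    """Unescaped '.' matches any character, so this always removes the last one."""
    return re.sub(r".$", "", name)


def normalize_for_acm(domain_name, subject_alternative_names=()):
    """Return (domain_name, sans) with trailing periods trimmed.

    Raises ValueError listing every name that still fails the ACM pattern,
    so a bad name is caught before the certificate request is sent.
    """
    trimmed = [trim_trailing_period(n)
               for n in (domain_name, *subject_alternative_names)]
    rejected = [n for n in trimmed if not ACM_DOMAIN_RE.match(n)]
    if rejected:
        raise ValueError(f"names rejected by ACM pattern: {rejected}")
    return trimmed[0], trimmed[1:]


if __name__ == "__main__":
    # The zone name from the plan output, with its trailing period.
    print(normalize_for_acm("api.dev-public.io.", ["*.dev-public.io."]))
    # Constructed sample: the naive regex yields a valid but different domain.
    print(naive_trim("api.example.com"))
```

A name that has lost its last character can still satisfy the ACM pattern, so the request would succeed for a domain other than the intended one.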

@bflad
Contributor

bflad commented Dec 13, 2018

The above has been released in version 1.52.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@ghost

ghost commented Apr 1, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 1, 2020