terraform-aws-acm-certificate

New validation every apply, no changes

Open kyeotic opened this issue 6 years ago • 6 comments

I'm applying the following configuration.

module "cert_kye" {
  source = "github.com/azavea/terraform-aws-acm-certificate?ref=1.0.0"

  providers = {
    aws.acm_account     = "aws.certs"
    aws.route53_account = "aws"
  }

  domain_name           = "example.com"
  subject_alternative_names = ["sub.example.com", "www.example.com"]
  hosted_zone_id        = "${data.aws_route53_zone.kye_dev.zone_id}"
  validation_record_ttl = "60"
}

After succeeding, if I plan again immediately I get the following change on every cert

-/+ module.cert_kye.aws_route53_record.validation[1] (new resource required)
      id:                                            "Z1G38T8OFRJIAB__f26c4116acfd0fc3aceb0b36b055c68c.kye.dev._CNAME" => <computed> (forces new resource)

kyeotic avatar May 11 '19 17:05 kyeotic

This looks like it could be related to https://github.com/azavea/terraform-aws-acm-certificate/pull/8. Does the behavior persist if you use the 1.1.0 release of this Terraform module?

hectcastro avatar May 13 '19 03:05 hectcastro

Didn't realize a new version was out. I re-ran this after updating the module and the first time it gave me 3 changes, as opposed to the 6 it had done previously. The next run found 6 again, then 0, then 4... I don't know what's up.

kyeotic avatar May 13 '19 04:05 kyeotic

Hm. What version of the Terraform AWS provider are you on? For reference, we're using the 1.1.0 version of this module with the following version of the AWS provider:

provider "aws" {
  region  = "${var.aws_region}"
  version = "~> 2.7.0"
}

...

module "cert" {
  source = "github.com/azavea/terraform-aws-acm-certificate?ref=1.1.0"

  providers = {
    aws.acm_account     = "aws"
    aws.route53_account = "aws"
  }

  domain_name               = "${var.r53_public_hosted_zone}"
  subject_alternative_names = ["*.${var.r53_public_hosted_zone}"]
  hosted_zone_id            = "${aws_route53_zone.external.zone_id}"
  validation_record_ttl     = "60"
}

hectcastro avatar May 14 '19 11:05 hectcastro

Hi!

Suffering from the same problem here :(

provider "aws" {
  version = "~> 2.7.0"
  alias      = "certs"
  region     = "us-east-1"
}

module "auth_cert" {
  providers = {
    aws.acm_account         = "aws.certs"
    aws.route53_account     = "aws.certs"
  }
  source = "github.com/azavea/terraform-aws-acm-certificate?ref=1.1.0"
  domain_name               = <CUT>
  hosted_zone_id            = "${data.aws_route53_zone.external.zone_id}"
  validation_record_ttl     = "60"
  subject_alternative_names = [
    <CUT>
    ]
}

panovitch avatar May 20 '19 13:05 panovitch

Hm. How about Terraform version? We are currently using v0.11.11. Another question is, what do your subject_alternative_names look like? Are there multiple and are they all subdomains of domain_name?

hectcastro avatar May 23 '19 01:05 hectcastro

provider.aws: version = "~> 2.10"
Terraform v0.11.13

I have a single subject_alternative_names and it's the "www" to the domain_name's apex (no subdomain)

kyeotic avatar May 23 '19 03:05 kyeotic