
ACM Module ImportCertificate Error with AWS Provider v6.0.0

Open todd-dsm opened this issue 5 months ago • 1 comments

Description

It appears terraform-aws-modules/acm module incorrectly calls the AWS ImportCertificate API instead of RequestCertificate when using AWS Provider v6.0.0, resulting in validation errors for DNS-validated certificates.

  • [x] ✋ I have searched the open/closed issues and my issue is not listed.
  • [x] I've re-init'd a few times

Versions

% terraform version 
Terraform v1.11.4
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v6.0.0
+ provider registry.terraform.io/hashicorp/helm v3.0.2
+ provider registry.terraform.io/hashicorp/kubernetes v2.37.1
+ provider registry.terraform.io/hashicorp/null v3.2.4
+ provider registry.terraform.io/hashicorp/random v3.7.2
+ provider registry.terraform.io/hashicorp/tls v4.1.0

AWS Provider Version: 6.0.0
ACM Module Version: ~> 6.0.0 

Reproduction Code [Required]

# Environment-Specific Base Certificate
module "acm_environment" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> 6.0.0"

  domain_name = "${var.env_build}.${var.dns_zone}"
  zone_id     = data.aws_route53_zone.selected.zone_id

  subject_alternative_names = [
    "api.${var.env_build}.${var.dns_zone}",
    "app.${var.env_build}.${var.dns_zone}",
  ]

  wait_for_validation = true
  validation_method   = "DNS"

  tags = merge(var.tags, {
    Name        = "${var.project}-${var.env_build}-cert"
    Module      = "security"
    Type        = "acm-certificate"
    Environment = var.env_build
  })
}

# Route53 Zone Data Source for DNS validation
data "aws_route53_zone" "selected" {
  name         = "${var.dns_zone}."
  private_zone = var.zone_private
}

# Find a certificate issued by (not imported into) ACM
data "aws_acm_certificate" "amazon_issued" {
  domain      = var.dns_zone
  types       = ["AMAZON_ISSUED"]
  most_recent = true
}

Steps to reproduce the behavior:

  1. tf init, plan apply
  2. the first time it worked; wait for about 30 minutes
  3. run another plan/apply, it now fails with this message:
│ Error: importing ACM Certificate: operation error ACM: ImportCertificate, https response error StatusCode: 400, RequestID: 4d2dbe9c-251c-483b-be9d-8acda5c0154b, api error ValidationException: 2 validation errors detected: Value at 'privateKey' failed to satisfy constraint: Member must have length greater than or equal to 1; Value at 'certificate' failed to satisfy constraint: Member must have length greater than or equal to 1
│ 
│   with module.eks.module.acm_environment.aws_acm_certificate.this[0],
│   on .terraform/modules/eks.acm_environment/main.tf line 19, in resource "aws_acm_certificate" "this":
│   19: resource "aws_acm_certificate" "this" {

Then it wouldn't work any longer; truly confusing.

Expected behavior

I'm not an expert but if it works at all, I would expect it to keep working forever.

This is all being done in a private lab. I can retest if needed.

todd-dsm avatar Jun 24 '25 04:06 todd-dsm
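The error above is ACM rejecting an ImportCertificate call whose `certificate` and `privateKey` members are empty, while the module configuration only sets `domain_name` and `validation_method` (a RequestCertificate shape). A practical way to see which call a plan is about to make, before applying, is to read the attributes Terraform has planned for each `aws_acm_certificate` out of `terraform show -json tfplan`. The checker below is an added example, not code from the issue, the module or the AWS provider; it uses Terraform's documented JSON plan layout (`resource_changes[].change.after`), and the sample plan embedded in it is constructed for illustration. Whether a real plan carries empty `certificate_body`/`private_key` strings in the failing case is an assumption to confirm against your own plan output.

```python
"""Classify the ACM API call a Terraform plan implies for each aws_acm_certificate.

Reads the JSON produced by `terraform show -json tfplan`. The plan format
(resource_changes[].change.after) is Terraform's documented JSON output; the
sample plan below is constructed for this example, not taken from the issue.
"""
import json
import sys


def classify(after):
    """Return which ACM API an aws_acm_certificate's planned attributes imply.

    - 'RequestCertificate': domain_name + validation_method, no body/key
    - 'ImportCertificate': non-empty certificate_body and private_key
    - 'ImportCertificate(empty)': body/key present but empty; ACM rejects this
      with the ValidationException quoted in the issue
    - 'unknown': attributes absent (for example, computed after apply)
    """
    after = after or {}
    body = after.get("certificate_body")
    key = after.get("private_key")
    has_import_fields = body is not None or key is not None
    if has_import_fields:
        if body and key:
            return "ImportCertificate"
        return "ImportCertificate(empty)"
    if after.get("domain_name") and after.get("validation_method"):
        return "RequestCertificate"
    return "unknown"


def audit_plan(plan):
    """Return (address, actions, classification) for each planned aws_acm_certificate."""
    results = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_acm_certificate":
            continue
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if actions in (["no-op"], ["delete"]):
            continue  # nothing will be sent to ACM for these
        results.append((rc["address"], actions, classify(change.get("after"))))
    return results


# Constructed sample: one healthy DNS-validated request, one replacement whose
# planned attributes carry empty import fields (the shape behind a 400 like the
# one in the issue).
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "module.acm_environment.aws_acm_certificate.this[0]",
            "type": "aws_acm_certificate",
            "change": {
                "actions": ["create"],
                "before": None,
                "after": {
                    "domain_name": "dev.example.test",
                    "validation_method": "DNS",
                    "subject_alternative_names": ["api.dev.example.test"],
                },
            },
        },
        {
            "address": "module.other.aws_acm_certificate.this[0]",
            "type": "aws_acm_certificate",
            "change": {
                "actions": ["delete", "create"],
                "before": {"domain_name": "dev.example.test"},
                "after": {
                    "domain_name": "dev.example.test",
                    "validation_method": "DNS",
                    "certificate_body": "",
                    "private_key": "",
                },
            },
        },
    ],
}


def main(argv):
    """Usage: python acm_plan_check.py [plan.json]; exits 1 if an empty import is planned."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    bad = 0
    for address, actions, kind in audit_plan(plan):
        flag = "  <-- will fail: ImportCertificate with empty body/key" if kind.endswith("(empty)") else ""
        print(f"{address}: {'/'.join(actions)} -> {kind}{flag}")
        bad += kind.endswith("(empty)")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a saved plan (`terraform plan -out tfplan && terraform show -json tfplan > plan.json && python acm_plan_check.py plan.json`) in CI so a replacement that would hit the ACM validation error is caught before apply rather than after the 400.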

That is either a provider-level issue or possibly an AWS API issue; we don't define those fields in this module (yet)

bryantbiggs avatar Jun 25 '25 19:06 bryantbiggs

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot] avatar Jul 26 '25 00:07 github-actions[bot]

This issue was automatically closed because of stale in 10 days

github-actions[bot] avatar Aug 05 '25 00:08 github-actions[bot]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot] avatar Sep 04 '25 02:09 github-actions[bot]