Reputation: 10355
✦ ➜ terraform --version
Terraform v0.12.28
+ provider.aws v2.60.0
+ provider.kubernetes v1.11.3
+ provider.local v1.4.0
+ provider.null v2.1.2
+ provider.random v2.2.1
+ provider.template v2.1.2
Just put 2 new files for SSL certificate
  # module.ssl-certificate.aws_iam_server_certificate.cert must be replaced
+/- resource "aws_iam_server_certificate" "cert" {
      ~ arn = "arn:aws:iam::XXX:server-certificate/xxx-ssl-certxxx" -> (known after apply)
      ~ certificate_body = "721e444119806928d19ef830740057c52580ba71" -> "cd6882dff1edb0223a20fe5f1c2b4b594f07526f" # forces replacement
      - certificate_chain = "7e85cb3e40dff5a9f83ff75576d71fd98fdfdd89" -> null # forces replacement
      ~ id = "XXX" -> (known after apply)
      ~ name = "XXX-ssl-cert20200716210119477600000001" -> (known after apply)
        name_prefix = "XXX-ssl-cert"
        path = "/"
        private_key = (sensitive value)
    }
And each time I run terraform apply I am always asked to "replace" the certificate. Each time a new one is created.
Files (crt, key) are not changing
/main.tf

    module "ssl-certificate" {
      source = "./modules/certificates"
      certificate = {
        name        = "xxx-ssl-cert"
        body        = file("assets/ssl/_.xxx.com/xxx.crt")
        private_key = file("assets/ssl/_.xxx.com/xxx.key")
      }
      team        = var.team
      project     = var.project
      component   = ""
      environment = var.environment
      tags        = module.project_config.tags
    }

/modules/certificates/main.tf

    resource "aws_iam_server_certificate" "cert" {
      name_prefix      = var.certificate.name
      certificate_body = var.certificate.body
      private_key      = var.certificate.private_key
      lifecycle {
        create_before_destroy = true
      }
    }
What is wrong? Prior to this I had a self-signed cert, and never had this behavior. Added new certs and started to get these "recreate" required plans in apply.
Upvotes: 4
Views: 1480
Reputation: 148
As @beta mentioned, the solution is to run the dos2unix command on your cert file in order to convert it from DOS to UNIX format, especially the end of line char.
Upvotes: 0
Reputation: 1
To prevent Terraform from recreating the certificate when the certificate contents don't change:
- Move the certificate chain contents from the "certificate_body" to the "certificate_chain" Terraform argument inside the "aws_iam_server_certificate" resource.
- Ensure line endings in certificate_body and certificate_contents are the same as actual (for my use case, line endings in the cert were LF).
Upvotes: 0
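A pre-flight check for the two causes named in the answers above (CRLF line endings, and chain certificates sitting in the file passed as certificate_body), as an added example that is not part of the original posts. It assumes the leaf certificate comes first in the file; `inspect_pem`, `fake_pem` and the sample bundle are constructed for illustration.

```python
import re

# Matches one PEM certificate block, tolerating LF or CRLF inside it.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?-----END CERTIFICATE-----", re.DOTALL
)


def inspect_pem(raw: bytes) -> dict:
    """Report CRLF use and certificate count, and return LF-only values for
    certificate_body (first block) and certificate_chain (remaining blocks).
    Assumption: the leaf certificate is the first block in the file."""
    text = raw.decode("ascii")
    blocks = [b.replace("\r\n", "\n") for b in PEM_CERT.findall(text)]
    if not blocks:
        raise ValueError("no PEM CERTIFICATE block found")
    return {
        "has_crlf": b"\r" in raw,
        "cert_count": len(blocks),
        "body": blocks[0] + "\n",
        # None when the file holds only the leaf, so no chain argument is needed.
        "chain": "".join(b + "\n" for b in blocks[1:]) or None,
    }


def fake_pem(label: str, eol: str) -> str:
    # Constructed placeholder, not a real certificate: only the PEM framing matters.
    return eol.join(
        ["-----BEGIN CERTIFICATE-----", label * 16, "-----END CERTIFICATE-----", ""]
    )


# Constructed sample: a bundle saved with DOS line endings, leaf first,
# followed by one intermediate certificate.
SAMPLE_BUNDLE = (fake_pem("LEAF", "\r\n") + fake_pem("INTR", "\r\n")).encode("ascii")

if __name__ == "__main__":
    report = inspect_pem(SAMPLE_BUNDLE)
    print("CRLF present:", report["has_crlf"])
    print("certificates in file:", report["cert_count"])
    print("needs certificate_chain:", report["chain"] is not None)
```

The returned `body` and `chain` values correspond to the certificate_body and certificate_chain arguments of aws_iam_server_certificate; run the check on certificate files only, not on the private key.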
Reputation: 106
I would suggest using lifecycle for ignore_changes.
Example:

    lifecycle {
      ignore_changes = [certificate_body]
    }
Upvotes: 3