Reputation: 479
I use the following resource to produce SSL certificates in AWS Certificate Manager:
# Requests the certificate; ACM returns it in PENDING_VALIDATION until the DNS records are validated.
resource "aws_acm_certificate" "certificate" {
  domain_name       = var.certificate
  key_algorithm     = "EC_secp384r1"
  validation_method = "DNS"

  options {
    certificate_transparency_logging_preference = "DISABLED"
  }

  lifecycle {
    create_before_destroy = true
  }

  tags = module.label.tags
}

# Polls ACM until the certificate is ISSUED (or the validation times out).
resource "aws_acm_certificate_validation" "certificate_validation" {
  certificate_arn = aws_acm_certificate.certificate.arn
}
It works fine and the certificate is issued - however, terraform continues processing other resources even if the certificate is still in PENDING_VALIDATION state (waiting for validation). Because of this, "apply" fails - and I have to re-run it to continue from the point where it failed.
How can I persuade terraform to wait until certificate status is ISSUED (no longer PENDING)?
status = "ISSUED" can't be added to the resource, because "its value will be decided automatically based on the result of applying this configuration".
The error I'm getting when, e.g., replacing a certificate is:
│ Error: modifying ELBv2 Listener (arn:aws:elasticloadbalancing:eu-west-1:...............): UnsupportedCertificate: The certificate 'arn:aws:acm:eu-west-1:...............' must have a fully-qualified domain name, a supported signature, and a supported key size.
│ status code: 400, request id: aaa-bbb-ccc
│
│ with aws_lb_listener.listener_https,
│ on main.tf line 97, in resource "aws_lb_listener" "listener_https":
│ 97: resource "aws_lb_listener" "listener_https" {
When I re-run a minute or so later, it removes the old certificate and finishes correctly.
Upvotes: 4
Views: 3190
Reputation: 479
Solved by adding an explicit dependency to a resource which was failing (aws_lb_listener.listener_https):
depends_on = [aws_acm_certificate_validation.certificate_validation]
Not sure whether the AWS provider should know this on its own...
Upvotes: 8
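The complete ordering, as an added example that is not part of the question or the answer above. It wires the DNS validation records into aws_acm_certificate_validation so it has something to wait on, and makes the listener read its certificate ARN from the validation resource, which gives Terraform an implicit dependency in addition to the explicit depends_on from the answer. Assumed names that do not appear in the original post: var.zone_id (the Route 53 hosted zone), aws_lb.lb, aws_lb_target_group.tg, and the Route 53 record resource "validation".

```hcl
# Added example, not the original poster's configuration.
# Assumed inputs: var.certificate (domain), var.zone_id (Route 53 zone),
# aws_lb.lb and aws_lb_target_group.tg defined elsewhere in the module.

resource "aws_acm_certificate" "certificate" {
  domain_name       = var.certificate
  key_algorithm     = "EC_secp384r1"
  validation_method = "DNS"

  options {
    certificate_transparency_logging_preference = "DISABLED"
  }

  lifecycle {
    create_before_destroy = true
  }
}

# One CNAME per domain_validation_option; ACM looks these up to prove ownership.
resource "aws_route53_record" "validation" {
  for_each = {
    for dvo in aws_acm_certificate.certificate.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = var.zone_id
}

# Blocks apply until the certificate leaves PENDING_VALIDATION and is ISSUED.
# validation_record_fqdns ties this resource to the records above, so it is
# only created after they exist.
resource "aws_acm_certificate_validation" "certificate_validation" {
  certificate_arn         = aws_acm_certificate.certificate.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}

resource "aws_lb_listener" "listener_https" {
  load_balancer_arn = aws_lb.lb.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"

  # Reading certificate_arn from the validation resource (same ARN as the
  # certificate itself) orders the listener after validation implicitly.
  # The explicit depends_on from the answer is kept as well; either is enough.
  certificate_arn = aws_acm_certificate_validation.certificate_validation.certificate_arn

  depends_on = [aws_acm_certificate_validation.certificate_validation]

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.tg.arn
  }
}
```

Without a dependency on aws_acm_certificate_validation, Terraform only knows the listener needs the certificate resource, which is "created" as soon as ACM accepts the request, so the listener is modified while the certificate is still pending and the UnsupportedCertificate error above is returned. With the dependency, the listener update is deferred until the validation resource has observed status ISSUED, which is why the re-run a minute later succeeds without any change to the certificate itself.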