Assaf

Reputation: 69

Terraform insists on changing ACM cert

I have a Terraform setup that provisions the required resources to serve a web-server hosted on AWS.

When I do not change anything locally within the .tf files and simply input Terraform Plan, Terraform insists on changing the SSL certificate:

Terraform used the selected providers to generate the following
execution plan. Resource actions are indicated with the following
symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_acm_certificate.resume-app-cert will be updated in-place
  ~ resource "aws_acm_certificate" "resume-app-cert" {
        id                        = "arn:aws:acm:us-east-1:**redacted**"
        tags                      = {
            "Name" = "resume-app-ssl-cert"
        }
        # (15 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

The ACM.tf file looks like this:

resource "aws_acm_certificate" "resume-app-cert" {
  domain_name       = var.domain_name
  validation_method = "DNS"

  subject_alternative_names = [var.wildcard_domain_name]

  tags = {
    Name = var.aws_certificate_name
  }
}

resource "aws_acm_certificate_validation" "resume-app-cert" {
  certificate_arn         = aws_acm_certificate.resume-app-cert.arn
  validation_record_fqdns = [for record in aws_route53_record.cname-validation : record.fqdn]
}

The variables hold these values:

var.domain_name = redacted.com
var.wildcard_domain_name = *.redacted.com

I saw a couple posts on Stack and different places suggesting a fix, but to me it seems like that fix is already implemented in my configuration, more specifically that the SAN shouldn't include the root domain name, such as:

subject_alternative_names = [var.domain_name, var.wildcard_domain_name]

Here's a reference to the supposed fix, that doesn't seem to work for me: Terraform forces replacement of 'aws_acm_certificate' with multiple 'subject_alternative_names'

Basically I expect that running Terraform Plan without changing anything will not try to replace the SSL cert.

Upvotes: 0

Views: 384

Answers (1)

Assaf

Reputation: 69

I managed to resolve this, there are 2 things that I believe solved this:

  1. Updating Terraform. I was running 1.5.7 and upgraded to 1.8.5
  2. Following this thread: Terraform forces replacement of 'aws_acm_certificate' with multiple 'subject_alternative_names'

This isn't necessarily the desired behavior, but now when I run tf plan I get:

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Upvotes: 0
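For readers landing on the same perpetual diff, here is a complete DNS-validated certificate configuration that keeps the root domain out of the SAN list, as the question describes. It is an added example, not the poster's ACM.tf or the configuration from the linked thread; it follows the pattern the AWS provider documentation uses for ACM DNS validation. It assumes the poster's variable names (var.domain_name, var.wildcard_domain_name, var.aws_certificate_name) and a hypothetical var.hosted_zone_id for the Route53 zone that owns the domain.

```hcl
# Added example (not the poster's configuration). Assumes var.domain_name,
# var.wildcard_domain_name and var.aws_certificate_name as in the question,
# plus a hypothetical var.hosted_zone_id for the Route53 hosted zone.

resource "aws_acm_certificate" "resume-app-cert" {
  domain_name       = var.domain_name
  validation_method = "DNS"

  # Only the wildcard goes in the SAN list. Repeating the root domain here
  # is the configuration the question identifies as the cause of the
  # never-converging plan.
  subject_alternative_names = [var.wildcard_domain_name]

  tags = {
    Name = var.aws_certificate_name
  }

  # Recommended by the AWS provider docs for ACM certificates: if a change
  # ever does force replacement, the new certificate is issued before the
  # old one is destroyed, so the listener never points at a deleted cert.
  lifecycle {
    create_before_destroy = true
  }
}

# One validation CNAME per domain on the certificate, keyed by domain name
# so that adding or removing a SAN does not reshuffle existing records.
# The root and its wildcard share the same validation record, which is why
# allow_overwrite is set.
resource "aws_route53_record" "cname-validation" {
  for_each = {
    for dvo in aws_acm_certificate.resume-app-cert.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = var.hosted_zone_id # hypothetical variable
}

# Blocks apply until ACM reports the certificate as issued, so anything that
# consumes the ARN (listener, CloudFront distribution) only sees a valid cert.
resource "aws_acm_certificate_validation" "resume-app-cert" {
  certificate_arn         = aws_acm_certificate.resume-app-cert.arn
  validation_record_fqdns = [for record in aws_route53_record.cname-validation : record.fqdn]
}
```

After `terraform apply`, a second `terraform plan` should report no changes. If it still shows an in-place update on the certificate, `terraform state show aws_acm_certificate.resume-app-cert` prints the `domain_name` and `subject_alternative_names` Terraform has recorded, which can be compared line by line against the configuration to see which attribute the provider considers different.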
