
Cannot plan when aws_acm_certificate validation window has expired #17799

Closed
devonbleak opened this issue Feb 24, 2021 · 4 comments · Fixed by #17869
Labels: bug (Addresses a defect in current functionality), service/acm (Issues and PRs that pertain to the acm service)
Milestone: v3.31.0
Comments

@devonbleak (Contributor)

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.13.5

  • provider registry.terraform.io/hashicorp/archive v2.1.0
  • provider registry.terraform.io/hashicorp/aws v3.29.1
  • provider registry.terraform.io/hashicorp/template v2.2.0

Affected Resource(s)

  • aws_acm_certificate

Terraform Configuration Files

```hcl
####################################
# Website CF Distro Certs
####################################
resource "aws_acm_certificate" "nonprod_cert" {
  provider                  = aws.east
  domain_name               = "nonprod.media.somedomain.com"
  subject_alternative_names = ["www.nonprod.media.somedomain.com"]
  validation_method         = "DNS"

  lifecycle {
    create_before_destroy = true
  }

  tags = local.somedomain_tags
}
```

Debug Output

Panic Output

No panic.

Expected Behavior

Terraform should be able to plan in order to recreate the certificate

Actual Behavior

TF tries to DescribeCertificate multiple times (can see it in the trace output) until it finally gives up with error:

```
Error: asynchronous ACM service domain validation assignment not complete, need to retry: {
  DomainName: "nonprod.media.somedomain.com",
  ValidationDomain: "nonprod.media.somedomain.com",
  ValidationMethod: "DNS",
  ValidationStatus: "PENDING_VALIDATION"
}
```

Steps to Reproduce

  1. create the certificate
  2. wait 72 hours
  3. terraform plan

terraform refresh is also impacted.

Important Factoids

Culprit seems to be in `func convertValidationOptions`.

References

  • #0000
@ghost ghost added the service/acm Issues and PRs that pertain to the acm service. label Feb 24, 2021
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Feb 24, 2021
@devonbleak (Contributor, Author)

devonbleak commented Feb 24, 2021

FYI here's the response that was coming back from the DescribeCertificate calls:

```json
{
  "Certificate": {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/some-uuid-here",
    "CreatedAt": 1613782427,
    "DomainName": "nonprod.media.somedomain.com",
    "DomainValidationOptions": [
      {
        "DomainName": "nonprod.media.somedomain.com",
        "ValidationDomain": "nonprod.media.somedomain.com",
        "ValidationMethod": "DNS",
        "ValidationStatus": "PENDING_VALIDATION"
      },
      {
        "DomainName": "www.nonprod.media.somedomain.com",
        "ValidationDomain": "www.nonprod.media.somedomain.com",
        "ValidationMethod": "DNS",
        "ValidationStatus": "FAILED"
      }
    ],
    "ExtendedKeyUsages": [],
    "FailureReason": "OTHER",
    "InUseBy": [],
    "Issuer": "Amazon",
    "KeyAlgorithm": "RSA-2048",
    "KeyUsages": [],
    "Options": {
      "CertificateTransparencyLoggingPreference": "ENABLED"
    },
    "RenewalEligibility": "INELIGIBLE",
    "SignatureAlgorithm": "SHA256WITHRSA",
    "Status": "VALIDATION_TIMED_OUT",
    "Subject": "CN=nonprod.media.somedomain.com",
    "SubjectAlternativeNames": [
      "nonprod.media.somedomain.com",
      "www.nonprod.media.somedomain.com"
    ],
    "Type": "AMAZON_ISSUED"
  }
}
```

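The read-path decision this report is about, as an added Go illustration rather than the provider's own code (neither `convertValidationOptions` nor the fix in #17869 is reproduced here): it parses a constructed DescribeCertificate response modeled on the one quoted above and lets a terminal certificate Status short-circuit the per-domain PENDING_VALIDATION check that otherwise polls until it gives up. The names `parseDescribeCertificate` and `shouldRetry`, and treating FAILED as a second terminal status, are assumptions.

```go
package main

import "encoding/json"

// Constructed sample modeled on the DescribeCertificate response quoted above (placeholder ARN and domains).
const sampleDescribeCertificate = `{"Certificate": {
  "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/some-uuid-here",
  "Status": "VALIDATION_TIMED_OUT",
  "DomainValidationOptions": [
    {"DomainName": "nonprod.media.somedomain.com", "ValidationMethod": "DNS", "ValidationStatus": "PENDING_VALIDATION"},
    {"DomainName": "www.nonprod.media.somedomain.com", "ValidationMethod": "DNS", "ValidationStatus": "FAILED"}]}}`

type domainValidation struct {
	DomainName, ValidationMethod, ValidationStatus string
	ResourceRecord                                 *struct{ Name, Type, Value string } // nil until ACM assigns the CNAME
}

type describeCertificateOutput struct {
	Certificate struct {
		Status                  string
		DomainValidationOptions []domainValidation
	}
}

// parseDescribeCertificate decodes the API response body (field names match case-insensitively).
func parseDescribeCertificate(body string) (out describeCertificateOutput, err error) {
	err = json.Unmarshal([]byte(body), &out)
	return
}

// shouldRetry checks the overall certificate Status before the per-domain options: once it is
// VALIDATION_TIMED_OUT (or FAILED, assumed here to be equally terminal) ACM assigns nothing further,
// so the PENDING_VALIDATION option seen in this issue must not keep the read path polling.
// The loop below is the option-only check that kept firing in the report.
func shouldRetry(out describeCertificateOutput) (bool, string) {
	switch out.Certificate.Status {
	case "VALIDATION_TIMED_OUT", "FAILED":
		return false, "terminal status " + out.Certificate.Status
	}
	for _, dv := range out.Certificate.DomainValidationOptions {
		if dv.ValidationMethod == "DNS" && dv.ValidationStatus == "PENDING_VALIDATION" && dv.ResourceRecord == nil {
			return true, "validation record for " + dv.DomainName + " not yet assigned"
		}
	}
	return false, "validation data present"
}
```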
@bflad bflad added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Mar 1, 2021
bflad added a commit that referenced this issue Mar 1, 2021
…ON_TIMED_OUT status

Reference: #17799

This change is not pragmatic for acceptance testing as it requires 72 hours to trigger the behavior, but acceptance testing is used for finding any regressions.

Output from acceptance testing:

```
--- PASS: TestAccAWSAcmCertificate_disableCTLogging (28.63s)
--- PASS: TestAccAWSAcmCertificate_dnsValidation (33.31s)
--- PASS: TestAccAWSAcmCertificate_emailValidation (26.54s)
--- PASS: TestAccAWSAcmCertificate_imported_DomainName (46.51s)
--- PASS: TestAccAWSAcmCertificate_imported_IpAddress (19.45s)
--- PASS: TestAccAWSAcmCertificate_privateCert (22.21s)
--- PASS: TestAccAWSAcmCertificate_PrivateKey_Tags (34.60s)
--- PASS: TestAccAWSAcmCertificate_root (33.01s)
--- PASS: TestAccAWSAcmCertificate_root_TrailingPeriod (4.08s)
--- PASS: TestAccAWSAcmCertificate_rootAndWildcardSan (26.85s)
--- PASS: TestAccAWSAcmCertificate_san_multiple (35.05s)
--- PASS: TestAccAWSAcmCertificate_san_single (28.67s)
--- PASS: TestAccAWSAcmCertificate_san_TrailingPeriod (38.97s)
--- PASS: TestAccAWSAcmCertificate_SubjectAlternativeNames_EmptyString (4.00s)
--- PASS: TestAccAWSAcmCertificate_tags (60.14s)
--- PASS: TestAccAWSAcmCertificate_wildcard (25.46s)
--- PASS: TestAccAWSAcmCertificate_wildcardAndRootSan (29.57s)
```
@bflad (Contributor)

bflad commented Mar 1, 2021

Thank you for raising this, @devonbleak, I have submitted a fix for this here: #17869

bflad added a commit that referenced this issue Mar 4, 2021
…ON_TIMED_OUT status (#17869)
@github-actions github-actions bot added this to the v3.31.0 milestone Mar 4, 2021
@ghost

ghost commented Mar 5, 2021

This has been released in version 3.31.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Apr 4, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Apr 4, 2021