
aws_acm_certificate SAN treatment doesn't match API if domain_name is duplicated #3543

Closed
akerl opened this issue Feb 27, 2018 · 5 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/acm Issues and PRs that pertain to the acm service. stale Old or inactive issues managed by automation, if no further action taken these will get closed.

Comments


akerl commented Feb 27, 2018

Terraform Version

❯ terraform -v
Terraform v0.11.3
+ provider.aws v1.10.0
+ provider.awscreds (unversioned)

Affected Resource(s)

  • aws_acm_certificate

Terraform Configuration Files

Example config that will recreate the cert on every run:

variable "domains" {
  type = "list"
}

resource "aws_acm_certificate" "certificate" {
  domain_name = "${var.domains[0]}"
  subject_alternative_names = "${var.domains}"
  validation_method = "DNS"
}

Example config that works as expected:

variable "domains" {
  type = "list"
}

resource "aws_acm_certificate" "certificate" {
  domain_name = "baloney.${var.domains[0]}"
  subject_alternative_names = "${var.domains}"
  validation_method = "DNS"
}

Or the slightly more complex but less baloney option of slicing the list:

variable "domains" {
  type = "list"
}

resource "aws_acm_certificate" "certificate" {
  domain_name = "${var.domains[0]}"
  subject_alternative_names = "${slice(var.domains, 1, length(var.domains))}"
  validation_method = "DNS"
}

Expected Behavior

Terraform should make the cert once and then stop.

Actual Behavior

AWS silently dedupes the primary domain name from the SANs list, even though they're including the primary domain name in the actual x509 cert's SAN field. This means that if you have a list of domains and use the first domain as primary, and the full list as SANs, the terraform applies as expected, creating a cert valid for all domains, but on subsequent runs, terraform will check for the full domain list in the list of SANs, find a mismatch, and always try to recreate the cert.

I suspect the "right" behavior here would be to always concat the primary domain and SAN fields on both sides and dedupe before comparing the SAN field, since the cert itself will always contain the primary domain as an actual SAN attribute.

Steps to Reproduce

  1. terraform apply
@bflad bflad added enhancement Requests to existing resources that expand the functionality or scope. service/acm Issues and PRs that pertain to the acm service. labels Feb 27, 2018
john-delivuk (Contributor) commented

It's been an open issue for a year, has this been addressed, or noticed?

tdmalone (Contributor) commented May 6, 2019

I'd been getting around this by building the SANs from something like this, because my primary wasn't always the first in the list:

subject_alternative_names = "${split(",", "${replace(join(",", local.domain_names), ",${local.primary_domain_name},", ",")}")}"

It's far from ideal though, because if the primary is first (or last) in the list, it's not gonna fly.

But on rethinking this, we could probably just use ignore_changes for subject_alternative_names? It's not like that's ever going to legitimately change on an existing certificate.
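The two ideas in this thread, akerl's proposal to union domain_name into the SAN list on both sides and dedupe before comparing, and tdmalone's config-side workaround of removing the primary from the SAN list wherever it sits, can both be shown in Go, the language the AWS provider is written in. The block below is an added example, not code from the terraform-provider-aws project; the function names (normalizeSANs, sanSetsEqual, sansExcludingPrimary), the sample domains, and the case-folding and trailing-dot handling are assumptions made for illustration, and the "reported" list simply models a read-back in which the primary is absent, as the issue describes, without asserting which layer strips it.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// normalizeSANs returns the de-duplicated, lower-cased, sorted set of names a
// certificate covers: the primary domain_name plus every SAN. The X.509 SAN
// extension always carries the primary name, so folding it in on both sides
// makes "primary listed in SANs" and "primary omitted from SANs" compare equal.
// Assumption: DNS names are compared case-insensitively and a trailing dot is
// not significant.
func normalizeSANs(domainName string, sans []string) []string {
	seen := make(map[string]struct{})
	out := []string{}
	add := func(name string) {
		n := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
		if n == "" {
			return
		}
		if _, dup := seen[n]; dup {
			return
		}
		seen[n] = struct{}{}
		out = append(out, n)
	}
	add(domainName)
	for _, s := range sans {
		add(s)
	}
	sort.Strings(out)
	return out
}

// sanSetsEqual compares the configured SANs against the list read back for the
// certificate after normalizing both with the same domain_name. This is the
// comparison akerl proposes; it is not the provider's own diff logic.
func sanSetsEqual(domainName string, configured, reported []string) bool {
	a := normalizeSANs(domainName, configured)
	b := normalizeSANs(domainName, reported)
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// sansExcludingPrimary is the config-side workaround done robustly: drop the
// primary from the list wherever it appears (first, middle or last) instead of
// slicing by position or rewriting a joined string.
func sansExcludingPrimary(domainName string, domains []string) []string {
	primary := strings.ToLower(domainName)
	out := make([]string, 0, len(domains))
	for _, d := range domains {
		if strings.ToLower(d) == primary {
			continue
		}
		out = append(out, d)
	}
	return out
}

func main() {
	// Constructed sample mirroring the issue: element 0 is the primary and the
	// whole list is also passed as subject_alternative_names.
	domains := []string{"example.com", "www.example.com", "api.example.com"}
	primary := domains[0]
	// Constructed read-back in which the primary is no longer in the SAN list.
	reported := []string{"www.example.com", "api.example.com"}

	naive := strings.Join(domains, ",") == strings.Join(reported, ",")
	fmt.Println("naive compare in sync:", naive)
	fmt.Println("normalized compare in sync:", sanSetsEqual(primary, domains, reported))
	fmt.Println("SANs with primary removed:", sansExcludingPrimary(primary, domains))
}
```

The naive string comparison reports a diff (and hence a recreate) on every plan, while the normalized comparison treats the two lists as the same certificate. If you instead reach for lifecycle ignore_changes on subject_alternative_names, note that a genuine SAN change in config will then also be ignored until the resource is tainted or replaced.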

non7top commented Jun 25, 2019

Still happens with:

  • Terraform v0.12.2
  • provider.aws v2.16.0

github-actions bot commented
Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Jul 19, 2021
github-actions bot commented Jun 9, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 9, 2022