aws_api_gateway_domain_name: uploading certificates is not supported for REGIONAL.

[senfbrot]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.11
+ provider.aws v1.52.0
+ provider.null v1.0.0
+ provider.template v1.0.0

Affected Resource(s)

• aws_api_gateway_domain_name

Terraform Configuration Files

Simply taken from the example in https://www.terraform.io/docs/providers/aws/r/api_gateway_domain_name.html#regional-uploaded-certificate-, section Regional (Uploaded Certificate)

resource "aws_api_gateway_domain_name" "example" {
  certificate_body          = "${file("${path.module}/example.com/example.crt")}"
  certificate_chain         = "${file("${path.module}/example.com/ca.crt")}"
  certificate_private_key   = "${file("${path.module}/example.com/example.key")}"
  domain_name               = "api.example.com"
  regional_certificate_name = "example-api"

  endpoint_configuration {
    types = ["REGIONAL"]
  }
}

Expected Behavior

Either that

• the certificate is uploaded and an API Gateway Custom Domain Name is created if this feature should be working as written in the documentation
  or
• the documentation is updated in case that this is not possible and the documentation is actually wrong

Actual Behavior

Error: Error applying plan:

1 error(s) occurred:

* aws_api_gateway_domain_name.datalake_api: 1 error(s) occurred:

* aws_api_gateway_domain_name.datalake_api: Error creating API Gateway Domain Name: BadRequestException: Uploading certificates is not supported for REGIONAL.
	status code: 400, request id: c62996b5-0436-11e9-bdd0-9f59928e338a

Steps to Reproduce

1. terraform apply

References

• https://www.terraform.io/docs/providers/aws/r/api_gateway_domain_name.html#regional-uploaded-certificate-

[bflad]

Hi @senfbrot 👋 Sorry for any confusion. This is a limitation of API Gateway, depending on which region you are in: https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html

To provide a certificate for a regional custom domain name in a region where ACM is supported, you must request a certificate from ACM. To provide a certificate for a regional custom domain name in a region where ACM is not supported, you must import a certificate to API Gateway in that region.

We should probably change the note about ACM in our resource documentation to include this specific information as well.

[senfbrot]

Hi @bflad thanks for the update. In my case the region is eu-central-1. Using the AWS console, I have successfully imported a certificate to ACM (in eu-central-1) and created an API Gateway Custom Domain Name with that certificate. So this should be working with respect to the region.

[bflad]

The API Gateway functionality for uploading certificates predates ACM: https://aws.amazon.com/about-aws/whats-new/2017/03/amazon-api-gateway-integrates-with-aws-certificate-manager-acm/

If I had to guess since its not called out in the AWS documentation, certificate uploading in API Gateway is implemented via IAM Server Certificates. The certificate name, body, etc. parameters are marked deprecated in the API Reference.

To support the workflow you mention above in the Terraform AWS provider, we'll need to merge in ACM certificate import support like #5453.

[bflad]

This can also be verified via the AWS CLI: https://docs.aws.amazon.com/cli/latest/reference/apigateway/create-domain-name.html

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!