From a0e09673bb988da964aa5124ce3b4048de4cd81f Mon Sep 17 00:00:00 2001 
From: Kit Ewbank Date: Sun, 20 Sep 2020 18:51:43 -0400 Subject: [PATCH 1/7] r/aws_apigatewayv2_domain_name: Add 'mutual_tls_authentication' attribute. Acceptance test output: $ make testacc TEST=./aws TESTARGS='-run=TestAccAWSAPIGatewayV2DomainName_' ==> Checking that code complies with gofmt requirements... TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAPIGatewayV2DomainName_ -timeout 120m === RUN TestAccAWSAPIGatewayV2DomainName_basic === PAUSE TestAccAWSAPIGatewayV2DomainName_basic === RUN TestAccAWSAPIGatewayV2DomainName_disappears === PAUSE TestAccAWSAPIGatewayV2DomainName_disappears === RUN TestAccAWSAPIGatewayV2DomainName_Tags === PAUSE TestAccAWSAPIGatewayV2DomainName_Tags === RUN TestAccAWSAPIGatewayV2DomainName_UpdateCertificate === PAUSE TestAccAWSAPIGatewayV2DomainName_UpdateCertificate === RUN TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication === PAUSE TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication === CONT TestAccAWSAPIGatewayV2DomainName_basic === CONT TestAccAWSAPIGatewayV2DomainName_UpdateCertificate === CONT TestAccAWSAPIGatewayV2DomainName_Tags === CONT TestAccAWSAPIGatewayV2DomainName_disappears === CONT TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication resource_aws_apigatewayv2_domain_name_test.go:273: Step 1/3 error: terraform failed: exit status 1 stderr: Error: error creating API Gateway v2 domain name: BadRequestException: The certificate provided must be issued by ACM and not imported. 
(Service: APIGateway; Status Code: 400; Error Code: BadRequestException; Request ID: TOopqAEdPHcEJsw=; Proxy: null) --- FAIL: TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication (19.79s) === CONT TestAccAWSAPIGatewayV2DomainName_disappears resource_aws_apigatewayv2_domain_name_test.go:115: [INFO] Got non-empty plan, as expected --- PASS: TestAccAWSAPIGatewayV2DomainName_disappears (25.41s) --- PASS: TestAccAWSAPIGatewayV2DomainName_basic (65.41s) --- PASS: TestAccAWSAPIGatewayV2DomainName_Tags (115.63s) --- PASS: TestAccAWSAPIGatewayV2DomainName_UpdateCertificate (392.86s) FAIL FAIL github.com/terraform-providers/terraform-provider-aws/aws 393.417s FAIL GNUmakefile:27: recipe for target 'testacc' failed make: *** [testacc] Error 1 --- aws/resource_aws_apigatewayv2_domain_name.go | 74 +++++++- ...ource_aws_apigatewayv2_domain_name_test.go | 166 ++++++++++++++++-- .../apigateway-domain-name-truststore-1.pem | 35 ++++ .../apigateway-domain-name-truststore-2.pem | 35 ++++ .../r/apigatewayv2_domain_name.html.markdown | 7 + 5 files changed, 297 insertions(+), 20 deletions(-) create mode 100644 aws/test-fixtures/apigateway-domain-name-truststore-1.pem create mode 100644 aws/test-fixtures/apigateway-domain-name-truststore-2.pem diff --git a/aws/resource_aws_apigatewayv2_domain_name.go b/aws/resource_aws_apigatewayv2_domain_name.go index 741094e5167..09658506467 100644 --- a/aws/resource_aws_apigatewayv2_domain_name.go +++ b/aws/resource_aws_apigatewayv2_domain_name.go @@ -84,6 +84,24 @@ func resourceAwsApiGatewayV2DomainName() *schema.Resource { }, }, }, + "mutual_tls_authentication": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "truststore_uri": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + }, + "truststore_version": { + Type: schema.TypeString, + Optional: true, + }, + }, + }, + }, "tags": tagsSchema(), }, } 
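Review bot: `truststore_uri` is accepted as an arbitrary string with no `ValidateFunc`, so a typo such as `S3://` or an `https://` object URL is only rejected at apply time by the service (a `BadRequestException`) rather than at plan time. Because this value decides which client CAs the domain will trust, I'd fail fast with `ValidateFunc: validation.StringMatch(regexp.MustCompile("^s3://"), "must be an s3:// URI")` (assuming `validation` and `regexp` are imported in this file, as in other resources). Separately, leaving `truststore_version` unset means the truststore silently tracks the latest object version, so anyone with `s3:PutObject` on that key can change the accepted client CAs; a doc note recommending that operators pin the version and restrict write access to the bucket would help. The schema hunk sits inside `resourceAwsApiGatewayV2DomainName`, whose body starts and ends outside this hunk.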
@@ -95,6 +113,7 @@ func resourceAwsApiGatewayV2DomainNameCreate(d *schema.ResourceData, meta interf req := &apigatewayv2.CreateDomainNameInput{ DomainName: aws.String(d.Get("domain_name").(string)), DomainNameConfigurations: expandApiGatewayV2DomainNameConfiguration(d.Get("domain_name_configuration").([]interface{})), + MutualTlsAuthentication: expandApiGatewayV2MutualTlsAuthentication(d.Get("mutual_tls_authentication").([]interface{})), Tags: keyvaluetags.New(d.Get("tags").(map[string]interface{})).IgnoreAws().Apigatewayv2Tags(), } @@ -138,6 +157,10 @@ func resourceAwsApiGatewayV2DomainNameRead(d *schema.ResourceData, meta interfac if err != nil { return fmt.Errorf("error setting domain_name_configuration: %s", err) } + err = d.Set("mutual_tls_authentication", flattenApiGatewayV2MutualTlsAuthentication(resp.MutualTlsAuthentication)) + if err != nil { + return fmt.Errorf("error setting mutual_tls_authentication: %s", err) + } if err := d.Set("tags", keyvaluetags.Apigatewayv2KeyValueTags(resp.Tags).IgnoreAws().IgnoreConfig(ignoreTagsConfig).Map()); err != nil { return fmt.Errorf("error setting tags: %s", err) } 
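Review bot: The new `d.Set("mutual_tls_authentication", ...)` in Read uses a detached `err = ...` followed by `if err != nil`, while the adjacent `tags` line in the same function uses the scoped `if err := d.Set(...); err != nil {` form; one style per function reads better, i.e. `if err := d.Set("mutual_tls_authentication", flattenApiGatewayV2MutualTlsAuthentication(resp.MutualTlsAuthentication)); err != nil {`. The detached form also leaves `err` live for the rest of the function, which invites an accidental shadowing bug later. Both `resourceAwsApiGatewayV2DomainNameCreate` and `resourceAwsApiGatewayV2DomainNameRead` begin and end outside these hunks.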
@@ -148,10 +171,27 @@ func resourceAwsApiGatewayV2DomainNameRead(d *schema.ResourceData, meta interfac func resourceAwsApiGatewayV2DomainNameUpdate(d *schema.ResourceData, meta interface{}) error { conn := meta.(*AWSClient).apigatewayv2conn - if d.HasChange("domain_name_configuration") { + if d.HasChanges("domain_name_configuration", "mutual_tls_authentication") { req := &apigatewayv2.UpdateDomainNameInput{ - DomainName: aws.String(d.Id()), - DomainNameConfigurations: expandApiGatewayV2DomainNameConfiguration(d.Get("domain_name_configuration").([]interface{})), + DomainName: aws.String(d.Id()), + } + + if d.HasChange("domain_name_configuration") { + req.DomainNameConfigurations = expandApiGatewayV2DomainNameConfiguration(d.Get("domain_name_configuration").([]interface{})) + } + if d.HasChange("mutual_tls_authentication") { + vMutualTlsAuthentication := d.Get("mutual_tls_authentication").([]interface{}) + + if len(vMutualTlsAuthentication) == 0 || vMutualTlsAuthentication[0] == nil { + // To disable mutual TLS for a custom domain name, remove the truststore from your custom domain name. + req.MutualTlsAuthentication = &apigatewayv2.MutualTlsAuthenticationInput{ + TruststoreUri: aws.String(""), + } + } else { + req.MutualTlsAuthentication = &apigatewayv2.MutualTlsAuthenticationInput{ + TruststoreVersion: aws.String(vMutualTlsAuthentication[0].(map[string]interface{})["truststore_version"].(string)), + } + } } log.Printf("[DEBUG] Updating API Gateway v2 domain name: %s", req) 
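Review bot: The disable branch (`TruststoreUri: aws.String("")`) looks unreachable as written: `truststore_uri` is `ForceNew: true` in the schema, and as far as I can tell the SDK marks a ForceNew nested attribute that goes from a value to removed as RequiresNew, so deleting the `mutual_tls_authentication` block will plan a destroy/create of the domain name (new `target_domain_name`, DNS cut-over) instead of reaching this in-place update. If in-place disable is the intent, as the comment says, drop `ForceNew` from `truststore_uri` and build the else branch with the existing helper, `req.MutualTlsAuthentication = expandApiGatewayV2MutualTlsAuthentication(vMutualTlsAuthentication)`, so that a URI change becomes an update too. The current else branch sends only `TruststoreVersion`, which is only correct because the URI cannot change without replacement; if `ForceNew` stays, that coupling deserves a comment. `resourceAwsApiGatewayV2DomainNameUpdate` continues past the end of this hunk.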
@@ -258,3 +298,31 @@ func flattenApiGatewayV2DomainNameConfiguration(domainNameConfiguration *apigate "target_domain_name": aws.StringValue(domainNameConfiguration.ApiGatewayDomainName), }} } + +func expandApiGatewayV2MutualTlsAuthentication(vMutualTlsAuthentication []interface{}) *apigatewayv2.MutualTlsAuthenticationInput { + if len(vMutualTlsAuthentication) == 0 || vMutualTlsAuthentication[0] == nil { + return nil + } + mMutualTlsAuthentication := vMutualTlsAuthentication[0].(map[string]interface{}) + + mutualTlsAuthentication := &apigatewayv2.MutualTlsAuthenticationInput{ + TruststoreUri: aws.String(mMutualTlsAuthentication["truststore_uri"].(string)), + } + + if vTruststoreVersion, ok := mMutualTlsAuthentication["truststore_version"].(string); ok && vTruststoreVersion != "" { + mutualTlsAuthentication.TruststoreVersion = aws.String(vTruststoreVersion) + } + + return mutualTlsAuthentication +} + +func flattenApiGatewayV2MutualTlsAuthentication(mutualTlsAuthentication *apigatewayv2.MutualTlsAuthentication) []interface{} { + if mutualTlsAuthentication == nil { + return []interface{}{} + } + + return []interface{}{map[string]interface{}{ + "truststore_uri": aws.StringValue(mutualTlsAuthentication.TruststoreUri), + "truststore_version": aws.StringValue(mutualTlsAuthentication.TruststoreVersion), + }} +} diff --git a/aws/resource_aws_apigatewayv2_domain_name_test.go b/aws/resource_aws_apigatewayv2_domain_name_test.go index 71c9ef326fb..94790931ccf 100644 --- a/aws/resource_aws_apigatewayv2_domain_name_test.go +++ b/aws/resource_aws_apigatewayv2_domain_name_test.go 
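Review bot: `flattenApiGatewayV2MutualTlsAuthentication` surfaces only the URI and version; if the SDK's `apigatewayv2.MutualTlsAuthentication` output type also carries truststore warnings (the service reports problems such as unparsable or expired CA certificates in the uploaded bundle there — please confirm against the SDK struct), they are dropped here and a broken truststore would be applied with no signal to the operator. I'd at least emit them from Read, e.g. `log.Printf("[WARN] API Gateway v2 domain name (%s) truststore warnings: %s", d.Id(), warnings)`, or expose a computed `truststore_warnings` attribute in a follow-up. The expand helper is fine as is; the unchecked `.(string)` assertion on `truststore_uri` is safe only because the attribute is Required, which holds in this schema.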
@@ -91,6 +91,7 @@ func TestAccAWSAPIGatewayV2DomainName_basic(t *testing.T) { resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.hosted_zone_id"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.security_policy", "TLS_1_2"), resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.target_domain_name"), + resource.TestCheckResourceAttr(resourceName, "mutual_tls_authentication.#", "0"), resource.TestCheckResourceAttr(resourceName, "tags.%", "0"), ), }, @@ -120,7 +121,7 @@ func TestAccAWSAPIGatewayV2DomainName_disappears(t *testing.T) { Config: testAccAWSAPIGatewayV2DomainNameConfig_basic(rName, certificate, key, 1, 0), Check: resource.ComposeTestCheckFunc( testAccCheckAWSAPIGatewayV2DomainNameExists(resourceName, &v), - testAccCheckAWSAPIGatewayV2DomainNameDisappears(&v), + testAccCheckResourceDisappears(testAccProvider, resourceAwsApiGatewayV2DomainName(), resourceName), ), ExpectNonEmptyPlan: true, }, @@ -154,6 +155,7 @@ func TestAccAWSAPIGatewayV2DomainName_Tags(t *testing.T) { resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.hosted_zone_id"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.security_policy", "TLS_1_2"), resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.target_domain_name"), + resource.TestCheckResourceAttr(resourceName, "mutual_tls_authentication.#", "0"), resource.TestCheckResourceAttr(resourceName, "tags.%", "2"), resource.TestCheckResourceAttr(resourceName, "tags.Key1", "Value1"), resource.TestCheckResourceAttr(resourceName, "tags.Key2", "Value2"), 
@@ -176,6 +178,7 @@ func TestAccAWSAPIGatewayV2DomainName_Tags(t *testing.T) { resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.hosted_zone_id"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.security_policy", "TLS_1_2"), resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.target_domain_name"), + resource.TestCheckResourceAttr(resourceName, "mutual_tls_authentication.#", "0"), resource.TestCheckResourceAttr(resourceName, "tags.%", "0"), ), }, @@ -210,6 +213,7 @@ func TestAccAWSAPIGatewayV2DomainName_UpdateCertificate(t *testing.T) { resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.hosted_zone_id"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.security_policy", "TLS_1_2"), resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.target_domain_name"), + resource.TestCheckResourceAttr(resourceName, "mutual_tls_authentication.#", "0"), resource.TestCheckResourceAttr(resourceName, "tags.%", "0"), ), }, @@ -225,6 +229,7 @@ func TestAccAWSAPIGatewayV2DomainName_UpdateCertificate(t *testing.T) { resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.hosted_zone_id"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.security_policy", "TLS_1_2"), resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.target_domain_name"), + resource.TestCheckResourceAttr(resourceName, "mutual_tls_authentication.#", "0"), resource.TestCheckResourceAttr(resourceName, "tags.%", "0"), ), }, 
@@ -240,6 +245,7 @@ func TestAccAWSAPIGatewayV2DomainName_UpdateCertificate(t *testing.T) { resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.hosted_zone_id"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.security_policy", "TLS_1_2"), resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.target_domain_name"), + resource.TestCheckResourceAttr(resourceName, "mutual_tls_authentication.#", "0"), resource.TestCheckResourceAttr(resourceName, "tags.%", "2"), resource.TestCheckResourceAttr(resourceName, "tags.Key1", "Value1"), resource.TestCheckResourceAttr(resourceName, "tags.Key2", "Value2"), 
@@ -254,6 +260,83 @@ func TestAccAWSAPIGatewayV2DomainName_UpdateCertificate(t *testing.T) { }) } +func TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication(t *testing.T) { + var v apigatewayv2.GetDomainNameOutput + resourceName := "aws_apigatewayv2_domain_name.test" + certResourceName := "aws_acm_certificate.test.0" + s3BucketObjectResourceName := "aws_s3_bucket_object.test" + rName := acctest.RandomWithPrefix("tf-acc-test") + key := tlsRsaPrivateKeyPem(2048) + domainName := fmt.Sprintf("%s.example.com", rName) + certificate := tlsRsaX509SelfSignedCertificatePem(key, domainName) + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSAPIGatewayV2DomainNameDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSAPIGatewayV2DomainNameConfig_mututalTlsAuthentication(rName, certificate, key), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSAPIGatewayV2DomainNameExists(resourceName, &v), + testAccMatchResourceAttrRegionalARNNoAccount(resourceName, "arn", "apigateway", regexp.MustCompile(`/domainnames/.+`)), + resource.TestCheckResourceAttr(resourceName, "domain_name", domainName), + resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.#", "1"), + resource.TestCheckResourceAttrPair(resourceName, "domain_name_configuration.0.certificate_arn", certResourceName, "arn"), + resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.endpoint_type", "REGIONAL"), + resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.hosted_zone_id"), + resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.security_policy", "TLS_1_2"), + resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.target_domain_name"), + resource.TestCheckResourceAttr(resourceName, "mutual_tls_authentication.#", "1"), + resource.TestCheckResourceAttr(resourceName, 
"mutual_tls_authentication.0.truststore_uri", fmt.Sprintf("s3://%s/%s.1", rName, rName)), + resource.TestCheckResourceAttr(resourceName, "mutual_tls_authentication.0.truststore_version", ""), + resource.TestCheckResourceAttr(resourceName, "tags.%", "0"), + ), + }, + { + Config: testAccAWSAPIGatewayV2DomainNameConfig_mututalTlsAuthenticationUpdated(rName, certificate, key), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSAPIGatewayV2DomainNameExists(resourceName, &v), + testAccMatchResourceAttrRegionalARNNoAccount(resourceName, "arn", "apigateway", regexp.MustCompile(`/domainnames/.+`)), + resource.TestCheckResourceAttr(resourceName, "domain_name", domainName), + resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.#", "1"), + resource.TestCheckResourceAttrPair(resourceName, "domain_name_configuration.0.certificate_arn", certResourceName, "arn"), + resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.endpoint_type", "REGIONAL"), + resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.hosted_zone_id"), + resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.security_policy", "TLS_1_2"), + resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.target_domain_name"), + resource.TestCheckResourceAttr(resourceName, "mutual_tls_authentication.#", "1"), + resource.TestCheckResourceAttr(resourceName, "mutual_tls_authentication.0.truststore_uri", fmt.Sprintf("s3://%s/%s.2", rName, rName)), + resource.TestCheckResourceAttrPair(resourceName, "mutual_tls_authentication.0.truststore_version", s3BucketObjectResourceName, "version_id"), + resource.TestCheckResourceAttr(resourceName, "tags.%", "0"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + // Test disabling mutual TLS authentication. 
+ { + Config: testAccAWSAPIGatewayV2DomainNameConfig_basic(rName, certificate, key, 1, 0), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSAPIGatewayV2DomainNameExists(resourceName, &v), + testAccMatchResourceAttrRegionalARNNoAccount(resourceName, "arn", "apigateway", regexp.MustCompile(`/domainnames/.+`)), + resource.TestCheckResourceAttr(resourceName, "domain_name", domainName), + resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.#", "1"), + resource.TestCheckResourceAttrPair(resourceName, "domain_name_configuration.0.certificate_arn", certResourceName, "arn"), + resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.endpoint_type", "REGIONAL"), + resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.hosted_zone_id"), + resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.security_policy", "TLS_1_2"), + resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.target_domain_name"), + resource.TestCheckResourceAttr(resourceName, "mutual_tls_authentication.#", "0"), + resource.TestCheckResourceAttr(resourceName, "tags.%", "0"), + ), + }, + }, + }) +} + func testAccCheckAWSAPIGatewayV2DomainNameDestroy(s *terraform.State) error { conn := testAccProvider.Meta().(*AWSClient).apigatewayv2conn @@ -278,18 +361,6 @@ func testAccCheckAWSAPIGatewayV2DomainNameDestroy(s *terraform.State) error { return nil } -func testAccCheckAWSAPIGatewayV2DomainNameDisappears(v *apigatewayv2.GetDomainNameOutput) resource.TestCheckFunc { - return func(s *terraform.State) error { - conn := testAccProvider.Meta().(*AWSClient).apigatewayv2conn - - _, err := conn.DeleteDomainName(&apigatewayv2.DeleteDomainNameInput{ - DomainName: v.DomainName, - }) - - return err - } -} - func testAccCheckAWSAPIGatewayV2DomainNameExists(n string, v *apigatewayv2.GetDomainNameOutput) resource.TestCheckFunc { return func(s *terraform.State) error { rs, ok := s.RootModule().Resources[n] 
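Review bot: The final step ("Test disabling mutual TLS authentication") asserts `mutual_tls_authentication.# == 0` but nothing that proves the domain name was updated in place rather than destroyed and re-created, which is exactly the behaviour the disable branch in Update is meant to provide. Capturing the `GetDomainNameOutput` from step 2 into a second variable and comparing `DomainNameConfigurations[0].ApiGatewayDomainName` (the regional target hostname, which changes on re-creation) after step 4 — the `...NotRecreated`-style check other resources in this provider use, if I recall the convention correctly — would catch a silent replacement. Without it a ForceNew interaction on `truststore_uri` would pass this test while cutting over the customer's DNS target.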
@@ -332,7 +403,7 @@ resource "aws_acm_certificate" "test" { } func testAccAWSAPIGatewayV2DomainNameConfig_basic(rName, certificate, key string, count, index int) string { - return testAccAWSAPIGatewayV2DomainNameConfig_base(rName, certificate, key, count) + fmt.Sprintf(` + return composeConfig(testAccAWSAPIGatewayV2DomainNameConfig_base(rName, certificate, key, count), fmt.Sprintf(` resource "aws_apigatewayv2_domain_name" "test" { domain_name = "%[1]s.example.com" @@ -342,11 +413,11 @@ resource "aws_apigatewayv2_domain_name" "test" { security_policy = "TLS_1_2" } } -`, rName, index) +`, rName, index)) } func testAccAWSAPIGatewayV2DomainNameConfig_tags(rName, certificate, key string, count, index int) string { - return testAccAWSAPIGatewayV2DomainNameConfig_base(rName, certificate, key, count) + fmt.Sprintf(` + return composeConfig(testAccAWSAPIGatewayV2DomainNameConfig_base(rName, certificate, key, count), fmt.Sprintf(` resource "aws_apigatewayv2_domain_name" "test" { domain_name = "%[1]s.example.com" 
@@ -361,5 +432,66 @@ resource "aws_apigatewayv2_domain_name" "test" { Key2 = "Value2" } } -`, rName, index) +`, rName, index)) +} + +func testAccAWSAPIGatewayV2DomainNameConfig_mututalTlsAuthentication(rName, certificate, key string) string { + return composeConfig(testAccAWSAPIGatewayV2DomainNameConfig_base(rName, certificate, key, 1), fmt.Sprintf(` +resource "aws_s3_bucket" "test" { + bucket = %[1]q +} + +resource "aws_s3_bucket_object" "test" { + bucket = aws_s3_bucket.test.id + key = "%[1]s.1" + source = "test-fixtures/apigateway-domain-name-truststore-1.pem" +} + +resource "aws_apigatewayv2_domain_name" "test" { + domain_name = "%[1]s.example.com" + + domain_name_configuration { + certificate_arn = aws_acm_certificate.test[0].arn + endpoint_type = "REGIONAL" + security_policy = "TLS_1_2" + } + + mutual_tls_authentication { + truststore_uri = "s3://${aws_s3_bucket_object.test.bucket}/${aws_s3_bucket_object.test.key}" + } +} +`, rName)) +} + +func testAccAWSAPIGatewayV2DomainNameConfig_mututalTlsAuthenticationUpdated(rName, certificate, key string) string { + return composeConfig(testAccAWSAPIGatewayV2DomainNameConfig_base(rName, certificate, key, 1), fmt.Sprintf(` +resource "aws_s3_bucket" "test" { + bucket = %[1]q + + versioning { + enabled = true + } +} + +resource "aws_s3_bucket_object" "test" { + bucket = aws_s3_bucket.test.id + key = "%[1]s.2" + source = "test-fixtures/apigateway-domain-name-truststore-2.pem" +} + +resource "aws_apigatewayv2_domain_name" "test" { + domain_name = "%[1]s.example.com" + + domain_name_configuration { + certificate_arn = aws_acm_certificate.test[0].arn + endpoint_type = "REGIONAL" + security_policy = "TLS_1_2" + } + + mutual_tls_authentication { + truststore_uri = "s3://${aws_s3_bucket_object.test.bucket}/${aws_s3_bucket_object.test.key}" + truststore_version = aws_s3_bucket_object.test.version_id + } +} +`, rName)) } 
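Review bot: `testAccAWSAPIGatewayV2DomainNameConfig_mututalTlsAuthenticationUpdated` changes the object key (`%[1]s.1` to `%[1]s.2`) in addition to adding `truststore_version`, so `truststore_uri` changes and, being `ForceNew`, step 2 exercises a replacement rather than the `d.HasChange("mutual_tls_authentication")` version-update branch in Update. To cover the update path, keep the key identical in both configs (`key = %[1]q`), enable `versioning` in the first config as well, and change only `source` and `truststore_version` in the updated one. Also, `mututal` is misspelled in both function names (`mutual`).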
diff --git a/aws/test-fixtures/apigateway-domain-name-truststore-1.pem b/aws/test-fixtures/apigateway-domain-name-truststore-1.pem
new file mode 100644
index 00000000000..4255d7dad5a
--- /dev/null
+++ b/aws/test-fixtures/apigateway-domain-name-truststore-1.pem
@@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIGGTCCBAGgAwIBAgIUMZS5fdMXOz4Z2iJYTgB69BL9MQowDQYJKoZIhvcNAQEL +BQAwgZoxCzAJBgNVBAYTAlRGMRIwEAYDVQQIDAlUZXJyYWZvcm0xEDAOBgNVBAcM +B1Rlc3RpbmcxHzAdBgNVBAoMFlRlcnJhZm9ybSBBV1MgUHJvdmlkZXIxGTAXBgNV +BAsMEEFjY2VwdGFuY2UgVGVzdHMxKTAnBgNVBAMMIEFQSUdhdGV3YXlWMkRvbWFp +bk5hbWUgUm9vdCBDQSAxMCAXDTIwMDkyMDIxNTYxMloYDzIxMjAwODI3MjE1NjEy +WjCBmjELMAkGA1UEBhMCVEYxEjAQBgNVBAgMCVRlcnJhZm9ybTEQMA4GA1UEBwwH +VGVzdGluZzEfMB0GA1UECgwWVGVycmFmb3JtIEFXUyBQcm92aWRlcjEZMBcGA1UE +CwwQQWNjZXB0YW5jZSBUZXN0czEpMCcGA1UEAwwgQVBJR2F0ZXdheVYyRG9tYWlu +TmFtZSBSb290IENBIDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCe +Pz8a3hzKnnf8KqGkdkaxsI2dFzWkJ85375cFe1NHvLaNpwb+R+YnqtCVNYK9q5SM +twWa3laejB6hiwlsdeiyGuVJpkTL6Uo/sWEFwyp+AJpdFBj094JlS/sBZsWOWem7 +YZ3WVbraNcc0GSmyrx0jJy/xXA4L1D7WA0w92lPcraNA3w/zXQ33YLefHP8BNS9f +vZSwPrzgD8WlhNyq1+OlZg5eeGk4ObLnggMMN1OoCvCpi41vAfXp5wuIBAchr8LT +3Cl/RvMsAu/urNGPEDgkEeWiagH5XdyHK0poeHRrGGR+dhBxxx19iX4oEftQSQQw +3O0AhbMlU6bkqtvXwLS1o32ZNzbSvao80jB62r0cTqtFFGPS6R+5BfwE6f9biMJz +E7pWWsLpDXNEZGQLThyx9ZCa8qDrll8Dh1fbkZlmuCmePgmAxo9vT7NIgO97ZNvf +M1y02pIJuWOjKaOB3jkeBRwuabYE+KP/knud462HV1sVcFXpvy1mKAqMlNLmCglb +cn8HXa1I8UzuHnDFGaK5Z30+eLaTSv4Pe5uxp0o5Mc+qagYFj/DmE/PUe6k7IkYE +xcFwUkFr8F7IVbELply8EH/dtU5q0pE76UXsoNEm58aJdlslhtP9eojLO+uYKr78 +XDUq7EvskX/gGTfa9Q6fx1O+OZMCADjBywLbTqi9vQIDAQABo1MwUTAdBgNVHQ4E +FgQU7T9VwVVrE5SbZdif6pB44wnuRwIwHwYDVR0jBBgwFoAU7T9VwVVrE5SbZdif +6pB44wnuRwIwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAUJti ++twQMA26nSSQhjfNwnJjT23SdLoe7E3mcTlh4o81B8ynU3uyLZfqt9AWilovFf6A +67fxyGTpDwLwh/rGF7fvGlW9WQ8IWWlTCkurnVNXlFw/zVMQJQ2VzX+muidTrFRm +xrJcvuYyKrANi2GE4FvCgnaz5TXf9LLznqyQg09OQmmHDa2kiADZYqPdWmefUCq3 ++QhRUMY0qWwUiH8UqHBqqMXu0gAVGQc4mT+juoZ6/Rk85ajue7JC1aVi9imztUOi +uRD7DQft+fP0GuaIi6XUUDpgnXrKZqxPDzbIs8BUEMWVqReetKf0tIlFkWlObJmB +uWDDpA/bH59Fzfw32xRQBQDsQSpf8mVwWgaqkj4fHDMFpmtm21Pz1CPa4BPM67A7 +EIq/alZ1fwPbXjOScXsbt/v+rx3J6IN9GYkVvN7mHSaHtRDmd/Lcmj3exnzwTMcY 
+SDB7npz17/OI9jA5zN6m+D9wa8JmYrkxS1NIZOqh7fd7QuZO1nBTNm8RQGpV5ULo
+Hl9ry5bAIV43Q8uSVrLdjuK5ase1Zc4QcnhZP1rACgQYsEoBWyj2tgvmVKc1x4Zv
+TdClB7uCN7V+NBnifwKzI2P1nRCTCgfl9ZhhrWyRco3xpNDJa+cgzk7FmlL3icLG
+vvJTi2cJ12ZmIbATqiaA40+j1VAS/GByUH5QSBU=
+-----END CERTIFICATE-----
diff --git a/aws/test-fixtures/apigateway-domain-name-truststore-2.pem b/aws/test-fixtures/apigateway-domain-name-truststore-2.pem
new file mode 100644
index 00000000000..77846ee1adb
--- /dev/null
+++ b/aws/test-fixtures/apigateway-domain-name-truststore-2.pem
@@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIGGTCCBAGgAwIBAgIUTUQUSlpm7PsI32Kn09q4TnExEJAwDQYJKoZIhvcNAQEL +BQAwgZoxCzAJBgNVBAYTAlRGMRIwEAYDVQQIDAlUZXJyYWZvcm0xEDAOBgNVBAcM +B1Rlc3RpbmcxHzAdBgNVBAoMFlRlcnJhZm9ybSBBV1MgUHJvdmlkZXIxGTAXBgNV +BAsMEEFjY2VwdGFuY2UgVGVzdHMxKTAnBgNVBAMMIEFQSUdhdGV3YXlWMkRvbWFp +bk5hbWUgUm9vdCBDQSAyMCAXDTIwMDkyMDIxNTcwNVoYDzIxMjAwODI3MjE1NzA1 +WjCBmjELMAkGA1UEBhMCVEYxEjAQBgNVBAgMCVRlcnJhZm9ybTEQMA4GA1UEBwwH +VGVzdGluZzEfMB0GA1UECgwWVGVycmFmb3JtIEFXUyBQcm92aWRlcjEZMBcGA1UE +CwwQQWNjZXB0YW5jZSBUZXN0czEpMCcGA1UEAwwgQVBJR2F0ZXdheVYyRG9tYWlu +TmFtZSBSb290IENBIDIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDH +ByWBSlN1hpEMJkiLVvz/SynI6hRRuhP8cKsX0rEf9suqpBrdgklBr9RDYreEfB8z +p7AI91OIR9KdUTORkOPBIvqRxscyHFRIVn35VsQtDcB78YqoPpTfAv68irXWxIYv +XPygLxky30JpRf7N10Th4r5QfBnJZU0Y5/RSmoz71kwQPMdJXlfKZoS3j1hFVuRt +1h99W2R91GvpmIMJCb/bV3oQyncuQmwT1mAB9oKr87uLPYCWtm7C7rJOHjLav1RG +alGSqsYxOQU9qIg0ibsLoDKIIniJoiqgogYY5+jPKpt2vZYi7vJFed/JL9NKhH8a +KOO/J6lC5YSMY5YgU6un7r3gbXjCMl7XagZA3OjwJoojIKoJysNYtfF9kNa87m2n +ZFS6JWMtNFKsnqacuXzhIhp87GrB3In60BVBqUKSAMHoo+sk2w7QcGH1btfhfq+w +8vVhYth104b8h3zl+GvvJwq1fgZuK6QH2eN5Si2uDP5rmV8QT6n7qi3du3d8f2Bt +mlQt5JMvmhGG3jmt0brlC+Llsw4cLBVD+Te/DA/i9YKcXtSKk6VPmULArzdxU1xz +yj1UWG1METOOvvjxhs2NfemfiljQwf9SI4QYv977PDRk28cK9LYLGV+VL5Ppq8Z9 +gWBiaZ7xE6gJ8J4YuLhTiXlYcs/fGelz04EuPFXaUQIDAQABo1MwUTAdBgNVHQ4E +FgQU/F3MOO9q29CfbO5cEcP+stEps2AwHwYDVR0jBBgwFoAU/F3MOO9q29CfbO5c +EcP+stEps2AwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAQ1zA +lrr2wSjKjJDUEVQwMapfFFft1xc4pJRzkMMCwPQnR9iaZJagjjuNFfqdcDjv/lTZ +9iiZ26Aci6RWwTQsjmU39XPTrTUstOjKTel2tbL8TXZKMTXQivfuyHSLUXtihG5E +ODnyjM6kKi4PaBxcNzeyApEBg+Ak1cr0y/aSSt40eIXSGz79IRXO7jDgnt3KtW/H +/qXtTb+snz5+Kzpoq7leYxIOuMlDHjiK2OYQ8o9IQXHz7mGcIrWeDyZSPi4hh7WR +00LNczYxWpFYEUulEhXVJEwbMDZnER+WuZgGOb0lwpnPHfJtlLmc7qRh0V2Y4c2J +2yF+9KhYN//79OOww2VCmaAv+6xahATGua+FWsGPC2TD9YcSrvJDiFWyC7EXwvfi +C0MwdaTR9LbX5n2bEIKU89VhHqrK9Wi+JBklH1JGI0hhyFvsCHP8fntj8nMPc4zw 
+8G0QGQIBrRl522MBJQacUUELZuwVNpjuk5HPbzXDSTEwI1eFhjJmZTFtc5HDarGP +gpZ1wseK10zUwWw+BO+/pxXkuNzDtrkxHHTYowSJniKOWPU86c+FLoTUde14rliv +iyJOp5m3ebYxUpLSF6zhypQI0Ix4sF64MNmQB8mUGDqVNXQ3t0r70ljRIwQEedR2 +hQE5U8uyYWyK12pmufHRPsvk0fKL5mFqEG0XZKI= +-----END CERTIFICATE----- diff --git a/website/docs/r/apigatewayv2_domain_name.html.markdown b/website/docs/r/apigatewayv2_domain_name.html.markdown index 3c99c8a2143..fdbf97be265 100644 --- a/website/docs/r/apigatewayv2_domain_name.html.markdown +++ b/website/docs/r/apigatewayv2_domain_name.html.markdown @@ -62,6 +62,7 @@ The following arguments are supported: * `domain_name` - (Required) The domain name. * `domain_name_configuration` - (Required) The domain name configuration. +* `mutual_tls_authentication` - (Optional) The mutual TLS authentication configuration for the domain name. * `tags` - (Optional) A map of tags to assign to the domain name. The `domain_name_configuration` object supports the following: @@ -73,6 +74,12 @@ Use the [`aws_acm_certificate`](/docs/providers/aws/r/acm_certificate.html) reso * `hosted_zone_id` - (Computed) The Amazon Route 53 Hosted Zone ID of the endpoint. * `target_domain_name` - (Computed) The target domain name. +The `mutual_tls_authentication` object supports the following: + +* `truststore_uri` - (Required) An Amazon S3 URL that specifies the truststore for mutual TLS authentication, for example, `s3://bucket-name/key-name`. +The truststore can contain certificates from public or private certificate authorities. To update the truststore, upload a new version to S3, and then update your custom domain name to use the new version. +* `truststore_version` - (Optional) The version of the S3 object that contains the truststore. To specify a version, you must have versioning enabled for the S3 bucket. + ## Attributes Reference In addition to all arguments above, the following attributes are exported: From 457463406f9b47c41d7322fcf687efcfe9af01e9 Mon Sep 17 00:00:00 2001 
From: Kit Ewbank Date: Thu, 24 Sep 2020 17:04:09 -0400 Subject: [PATCH 2/7] r/aws_apigatewayv2_domain_name: Test mutual authentication with ACM issued private certificate. --- ...ource_aws_apigatewayv2_domain_name_test.go | 114 ++++++++++++++---- 1 file changed, 90 insertions(+), 24 deletions(-) diff --git a/aws/resource_aws_apigatewayv2_domain_name_test.go b/aws/resource_aws_apigatewayv2_domain_name_test.go index 94790931ccf..c9f63b1f978 100644 --- a/aws/resource_aws_apigatewayv2_domain_name_test.go +++ b/aws/resource_aws_apigatewayv2_domain_name_test.go @@ -7,6 +7,7 @@ import ( "testing" "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/service/acmpca" "github.com/aws/aws-sdk-go/service/apigatewayv2" "github.com/hashicorp/go-multierror" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" 
@@ -262,27 +263,34 @@ func TestAccAWSAPIGatewayV2DomainName_UpdateCertificate(t *testing.T) { func TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication(t *testing.T) { var v apigatewayv2.GetDomainNameOutput + var ca acmpca.CertificateAuthority resourceName := "aws_apigatewayv2_domain_name.test" - certResourceName := "aws_acm_certificate.test.0" + acmCAResourceName := "aws_acmpca_certificate_authority.test" + acmCertificateResourceName := "aws_acm_certificate.test" s3BucketObjectResourceName := "aws_s3_bucket_object.test" rName := acctest.RandomWithPrefix("tf-acc-test") - key := tlsRsaPrivateKeyPem(2048) - domainName := fmt.Sprintf("%s.example.com", rName) - certificate := tlsRsaX509SelfSignedCertificatePem(key, domainName) resource.ParallelTest(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, Providers: testAccProviders, CheckDestroy: testAccCheckAWSAPIGatewayV2DomainNameDestroy, Steps: []resource.TestStep{ + // We need to create and activate the CA before issuing a certificate. 
{ - Config: testAccAWSAPIGatewayV2DomainNameConfig_mututalTlsAuthentication(rName, certificate, key), + Config: testAccAWSAPIGatewayV2DomainNameConfigRootCA(rName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAwsAcmpcaCertificateAuthorityExists(acmCAResourceName, &ca), + testAccCheckAwsAcmpcaCertificateAuthorityActivateCA(&ca), + ), + }, + { + Config: testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthentication(rName), Check: resource.ComposeTestCheckFunc( testAccCheckAWSAPIGatewayV2DomainNameExists(resourceName, &v), testAccMatchResourceAttrRegionalARNNoAccount(resourceName, "arn", "apigateway", regexp.MustCompile(`/domainnames/.+`)), - resource.TestCheckResourceAttr(resourceName, "domain_name", domainName), + resource.TestCheckResourceAttrPair(resourceName, "domain_name", acmCertificateResourceName, "domain_name"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.#", "1"), - resource.TestCheckResourceAttrPair(resourceName, "domain_name_configuration.0.certificate_arn", certResourceName, "arn"), + resource.TestCheckResourceAttrPair(resourceName, "domain_name_configuration.0.certificate_arn", acmCertificateResourceName, "arn"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.endpoint_type", "REGIONAL"), resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.hosted_zone_id"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.security_policy", "TLS_1_2"), 
@@ -294,13 +302,13 @@ func TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication(t *testing.T) { ), }, { - Config: testAccAWSAPIGatewayV2DomainNameConfig_mututalTlsAuthenticationUpdated(rName, certificate, key), + Config: testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthenticationUpdated(rName), Check: resource.ComposeTestCheckFunc( testAccCheckAWSAPIGatewayV2DomainNameExists(resourceName, &v), testAccMatchResourceAttrRegionalARNNoAccount(resourceName, "arn", "apigateway", regexp.MustCompile(`/domainnames/.+`)), - resource.TestCheckResourceAttr(resourceName, "domain_name", domainName), + resource.TestCheckResourceAttrPair(resourceName, "domain_name", acmCertificateResourceName, "domain_name"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.#", "1"), - resource.TestCheckResourceAttrPair(resourceName, "domain_name_configuration.0.certificate_arn", certResourceName, "arn"), + resource.TestCheckResourceAttrPair(resourceName, "domain_name_configuration.0.certificate_arn", acmCertificateResourceName, "arn"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.endpoint_type", "REGIONAL"), resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.hosted_zone_id"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.security_policy", "TLS_1_2"), 
@@ -318,13 +326,13 @@ func TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication(t *testing.T) { }, // Test disabling mutual TLS authentication. { - Config: testAccAWSAPIGatewayV2DomainNameConfig_basic(rName, certificate, key, 1, 0), + Config: testAccAWSAPIGatewayV2DomainNameConfigBasicWithPrivateCert(rName), Check: resource.ComposeTestCheckFunc( testAccCheckAWSAPIGatewayV2DomainNameExists(resourceName, &v), testAccMatchResourceAttrRegionalARNNoAccount(resourceName, "arn", "apigateway", regexp.MustCompile(`/domainnames/.+`)), - resource.TestCheckResourceAttr(resourceName, "domain_name", domainName), + resource.TestCheckResourceAttrPair(resourceName, "domain_name", acmCertificateResourceName, "domain_name"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.#", "1"), - resource.TestCheckResourceAttrPair(resourceName, "domain_name_configuration.0.certificate_arn", certResourceName, "arn"), + resource.TestCheckResourceAttrPair(resourceName, "domain_name_configuration.0.certificate_arn", acmCertificateResourceName, "arn"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.endpoint_type", "REGIONAL"), resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.hosted_zone_id"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.security_policy", "TLS_1_2"), @@ -333,6 +341,14 @@ func TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "tags.%", "0"), ), }, + { + Config: testAccAWSAPIGatewayV2DomainNameConfigBasicWithPrivateCert(rName), + Check: resource.ComposeTestCheckFunc( + // CA must be DISABLED for deletion. + testAccCheckAwsAcmpcaCertificateAuthorityDisableCA(&ca), + ), + ExpectNonEmptyPlan: true, + }, }, }) } 
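Review bot: The private CA is disabled only inside the Check of a trailing test step, so if any earlier step fails (as the mTLS step did in the previous commit) the CA stays ACTIVE; as far as I know an active `aws_acmpca_certificate_authority` cannot be deleted, so the destroy phase fails and the CA keeps accruing its monthly charge until someone cleans it up by hand. A sweeper for private CAs (if one does not already exist) or a cleanup that disables the CA regardless of step outcome would bound that exposure. The last step also re-applies `testAccAWSAPIGatewayV2DomainNameConfigBasicWithPrivateCert` with `ExpectNonEmptyPlan: true`; a one-line comment explaining why, presumably `// Disabling the CA out-of-band changes its status, so the plan is expected to be non-empty.`, would spare the next reader a puzzle.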
@@ -387,7 +403,7 @@ func testAccCheckAWSAPIGatewayV2DomainNameExists(n string, v *apigatewayv2.GetDo } } -func testAccAWSAPIGatewayV2DomainNameConfig_base(rName, certificate, key string, count int) string { +func testAccAWSAPIGatewayV2DomainNameConfigImportedCerts(rName, certificate, key string, count int) string { return fmt.Sprintf(` resource "aws_acm_certificate" "test" { count = %[4]d @@ -402,8 +418,35 @@ resource "aws_acm_certificate" "test" { `, rName, certificate, key, count) } +func testAccAWSAPIGatewayV2DomainNameConfigRootCA(rName string) string { + return fmt.Sprintf(` +resource "aws_acmpca_certificate_authority" "test" { + permanent_deletion_time_in_days = 7 + type = "ROOT" + + certificate_authority_configuration { + key_algorithm = "RSA_4096" + signing_algorithm = "SHA512WITHRSA" + + subject { + common_name = "%[1]s.com" + } + } +} +`, rName) +} + +func testAccAWSAPIGatewayV2DomainNameConfigPrivateCert(rName string) string { + return fmt.Sprintf(` +resource "aws_acm_certificate" "test" { + domain_name = "test.%[1]s.com" + certificate_authority_arn = aws_acmpca_certificate_authority.test.arn +} +`, rName) +} + func testAccAWSAPIGatewayV2DomainNameConfig_basic(rName, certificate, key string, count, index int) string { - return composeConfig(testAccAWSAPIGatewayV2DomainNameConfig_base(rName, certificate, key, count), fmt.Sprintf(` + return composeConfig(testAccAWSAPIGatewayV2DomainNameConfigImportedCerts(rName, certificate, key, count), fmt.Sprintf(` resource "aws_apigatewayv2_domain_name" "test" { domain_name = "%[1]s.example.com" 
@@ -417,7 +460,7 @@ resource "aws_apigatewayv2_domain_name" "test" { } func testAccAWSAPIGatewayV2DomainNameConfig_tags(rName, certificate, key string, count, index int) string { - return composeConfig(testAccAWSAPIGatewayV2DomainNameConfig_base(rName, certificate, key, count), fmt.Sprintf(` + return composeConfig(testAccAWSAPIGatewayV2DomainNameConfigImportedCerts(rName, certificate, key, count), fmt.Sprintf(` resource "aws_apigatewayv2_domain_name" "test" { domain_name = "%[1]s.example.com" @@ -435,8 +478,28 @@ resource "aws_apigatewayv2_domain_name" "test" { `, rName, index)) } -func testAccAWSAPIGatewayV2DomainNameConfig_mututalTlsAuthentication(rName, certificate, key string) string { - return composeConfig(testAccAWSAPIGatewayV2DomainNameConfig_base(rName, certificate, key, 1), fmt.Sprintf(` +func testAccAWSAPIGatewayV2DomainNameConfigBasicWithPrivateCert(rName string) string { + return composeConfig( + testAccAWSAPIGatewayV2DomainNameConfigRootCA(rName), + testAccAWSAPIGatewayV2DomainNameConfigPrivateCert(rName), + fmt.Sprintf(` +resource "aws_apigatewayv2_domain_name" "test" { + domain_name = aws_acm_certificate.test.domain_name + + domain_name_configuration { + certificate_arn = aws_acm_certificate.test.arn + endpoint_type = "REGIONAL" + security_policy = "TLS_1_2" + } +} +`)) +} + +func testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthentication(rName string) string { + return composeConfig( + testAccAWSAPIGatewayV2DomainNameConfigRootCA(rName), + testAccAWSAPIGatewayV2DomainNameConfigPrivateCert(rName), + fmt.Sprintf(` resource "aws_s3_bucket" "test" { bucket = %[1]q } @@ -448,10 +511,10 @@ resource "aws_s3_bucket_object" "test" { } resource "aws_apigatewayv2_domain_name" "test" { - domain_name = "%[1]s.example.com" + domain_name = aws_acm_certificate.test.domain_name domain_name_configuration { - certificate_arn = aws_acm_certificate.test[0].arn + certificate_arn = aws_acm_certificate.test.arn endpoint_type = "REGIONAL" security_policy = "TLS_1_2" } 
@@ -463,8 +526,11 @@ resource "aws_apigatewayv2_domain_name" "test" { `, rName)) } -func testAccAWSAPIGatewayV2DomainNameConfig_mututalTlsAuthenticationUpdated(rName, certificate, key string) string { - return composeConfig(testAccAWSAPIGatewayV2DomainNameConfig_base(rName, certificate, key, 1), fmt.Sprintf(` +func testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthenticationUpdated(rName string) string { + return composeConfig( + testAccAWSAPIGatewayV2DomainNameConfigRootCA(rName), + testAccAWSAPIGatewayV2DomainNameConfigPrivateCert(rName), + fmt.Sprintf(` resource "aws_s3_bucket" "test" { bucket = %[1]q @@ -480,10 +546,10 @@ resource "aws_s3_bucket_object" "test" { } resource "aws_apigatewayv2_domain_name" "test" { - domain_name = "%[1]s.example.com" + domain_name = aws_acm_certificate.test.domain_name domain_name_configuration { - certificate_arn = aws_acm_certificate.test[0].arn + certificate_arn = aws_acm_certificate.test.arn endpoint_type = "REGIONAL" security_policy = "TLS_1_2" } From ee22ef29663496f9316d88997c32e20775042ceb Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Fri, 9 Oct 2020 16:49:11 -0400 Subject: [PATCH 3/7] Revert "r/aws_acmpca_certificate_authority: Add 'testAccCheckAwsAcmpcaCertificateAuthorityDisableCA'." This reverts commit aa6d1a451d6ef108aa878f8b9ecbe3e50d8f5501. --- ...esource_aws_acmpca_certificate_authority_test.go | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/aws/resource_aws_acmpca_certificate_authority_test.go b/aws/resource_aws_acmpca_certificate_authority_test.go index 915d38c260b..6e1e9412e07 100644 --- a/aws/resource_aws_acmpca_certificate_authority_test.go +++ b/aws/resource_aws_acmpca_certificate_authority_test.go 
@@ -577,19 +577,6 @@ func testAccCheckAwsAcmpcaCertificateAuthorityActivateCA(certificateAuthority *a } } -func testAccCheckAwsAcmpcaCertificateAuthorityDisableCA(certificateAuthority *acmpca.CertificateAuthority) resource.TestCheckFunc { - return func(s *terraform.State) error { - conn := testAccProvider.Meta().(*AWSClient).acmpcaconn - - _, err := conn.UpdateCertificateAuthority(&acmpca.UpdateCertificateAuthorityInput{ - CertificateAuthorityArn: certificateAuthority.Arn, - Status: aws.String(acmpca.CertificateAuthorityStatusDisabled), - }) - - return err - } -} - func listAcmpcaCertificateAuthorities(conn *acmpca.ACMPCA) ([]*acmpca.CertificateAuthority, error) { certificateAuthorities := []*acmpca.CertificateAuthority{} input := &acmpca.ListCertificateAuthoritiesInput{} From 5e275b30deacb32ef391996623927be9cf11cbb7 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Fri, 9 Oct 2020 17:50:55 -0400 Subject: [PATCH 4/7] r/aws_apigatewayv2_domain_name: Use Amazon Issued ACM certificate for mutual TLS acceptance tests. --- ...ource_aws_apigatewayv2_domain_name_test.go | 107 ++++++++++-------- docs/MAINTAINING.md | 1 + 2 files changed, 63 insertions(+), 45 deletions(-) diff --git a/aws/resource_aws_apigatewayv2_domain_name_test.go b/aws/resource_aws_apigatewayv2_domain_name_test.go index c9f63b1f978..92ff5e8e23d 100644 --- a/aws/resource_aws_apigatewayv2_domain_name_test.go +++ b/aws/resource_aws_apigatewayv2_domain_name_test.go @@ -3,11 +3,11 @@ package aws import ( "fmt" "log" + "os" "regexp" "testing" "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/service/acmpca" "github.com/aws/aws-sdk-go/service/apigatewayv2" "github.com/hashicorp/go-multierror" "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" 
@@ -262,11 +262,14 @@ func TestAccAWSAPIGatewayV2DomainName_UpdateCertificate(t *testing.T) { } func TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication(t *testing.T) { + key := "AWS_APIGATEWAYV2_CERTIFICATE_DOMAIN_NAME" + domainName := os.Getenv(key) + if domainName == "" { + t.Skipf("Environment variable %s is not set", key) + } + var v apigatewayv2.GetDomainNameOutput - var ca acmpca.CertificateAuthority resourceName := "aws_apigatewayv2_domain_name.test" - acmCAResourceName := "aws_acmpca_certificate_authority.test" - acmCertificateResourceName := "aws_acm_certificate.test" s3BucketObjectResourceName := "aws_s3_bucket_object.test" rName := acctest.RandomWithPrefix("tf-acc-test") 
@@ -275,22 +278,14 @@ func TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication(t *testing.T) { Providers: testAccProviders, CheckDestroy: testAccCheckAWSAPIGatewayV2DomainNameDestroy, Steps: []resource.TestStep{ - // We need to create and activate the CA before issuing a certificate. - { - Config: testAccAWSAPIGatewayV2DomainNameConfigRootCA(rName), - Check: resource.ComposeTestCheckFunc( - testAccCheckAwsAcmpcaCertificateAuthorityExists(acmCAResourceName, &ca), - testAccCheckAwsAcmpcaCertificateAuthorityActivateCA(&ca), - ), - }, { - Config: testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthentication(rName), + Config: testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthentication(rName, domainName), Check: resource.ComposeTestCheckFunc( testAccCheckAWSAPIGatewayV2DomainNameExists(resourceName, &v), testAccMatchResourceAttrRegionalARNNoAccount(resourceName, "arn", "apigateway", regexp.MustCompile(`/domainnames/.+`)), - resource.TestCheckResourceAttrPair(resourceName, "domain_name", acmCertificateResourceName, "domain_name"), + resource.TestCheckResourceAttr(resourceName, "domain_name", domainName), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.#", "1"), - resource.TestCheckResourceAttrPair(resourceName, "domain_name_configuration.0.certificate_arn", acmCertificateResourceName, "arn"), + resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.certificate_arn"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.endpoint_type", "REGIONAL"), resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.hosted_zone_id"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.security_policy", "TLS_1_2"), 
@@ -302,13 +297,13 @@ func TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication(t *testing.T) { ), }, { - Config: testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthenticationUpdated(rName), + Config: testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthenticationUpdated(rName, domainName), Check: resource.ComposeTestCheckFunc( testAccCheckAWSAPIGatewayV2DomainNameExists(resourceName, &v), testAccMatchResourceAttrRegionalARNNoAccount(resourceName, "arn", "apigateway", regexp.MustCompile(`/domainnames/.+`)), - resource.TestCheckResourceAttrPair(resourceName, "domain_name", acmCertificateResourceName, "domain_name"), + resource.TestCheckResourceAttr(resourceName, "domain_name", domainName), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.#", "1"), - resource.TestCheckResourceAttrPair(resourceName, "domain_name_configuration.0.certificate_arn", acmCertificateResourceName, "arn"), + resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.certificate_arn"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.endpoint_type", "REGIONAL"), resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.hosted_zone_id"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.security_policy", "TLS_1_2"), 
@@ -326,13 +321,13 @@ func TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication(t *testing.T) { }, // Test disabling mutual TLS authentication. { - Config: testAccAWSAPIGatewayV2DomainNameConfigBasicWithPrivateCert(rName), + Config: testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthenticationMissing(domainName), Check: resource.ComposeTestCheckFunc( testAccCheckAWSAPIGatewayV2DomainNameExists(resourceName, &v), testAccMatchResourceAttrRegionalARNNoAccount(resourceName, "arn", "apigateway", regexp.MustCompile(`/domainnames/.+`)), - resource.TestCheckResourceAttrPair(resourceName, "domain_name", acmCertificateResourceName, "domain_name"), + resource.TestCheckResourceAttr(resourceName, "domain_name", domainName), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.#", "1"), - resource.TestCheckResourceAttrPair(resourceName, "domain_name_configuration.0.certificate_arn", acmCertificateResourceName, "arn"), + resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.certificate_arn"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.endpoint_type", "REGIONAL"), resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.hosted_zone_id"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.security_policy", "TLS_1_2"), @@ -341,14 +336,6 @@ func TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "tags.%", "0"), ), }, - { - Config: testAccAWSAPIGatewayV2DomainNameConfigBasicWithPrivateCert(rName), - Check: resource.ComposeTestCheckFunc( - // CA must be DISABLED for deletion. - testAccCheckAwsAcmpcaCertificateAuthorityDisableCA(&ca), - ), - ExpectNonEmptyPlan: true, - }, }, }) } 
@@ -495,13 +482,18 @@ resource "aws_apigatewayv2_domain_name" "test" { `)) } -func testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthentication(rName string) string { - return composeConfig( - testAccAWSAPIGatewayV2DomainNameConfigRootCA(rName), - testAccAWSAPIGatewayV2DomainNameConfigPrivateCert(rName), - fmt.Sprintf(` +func testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthentication(rName, domainName string) string { + return fmt.Sprintf(` +data "aws_acm_certificate" "test" { + domain = %[2]q + types = ["AMAZON_ISSUED"] + most_recent = true +} + resource "aws_s3_bucket" "test" { bucket = %[1]q + + force_destroy = true } resource "aws_s3_bucket_object" "test" { @@ -511,10 +503,10 @@ resource "aws_s3_bucket_object" "test" { } resource "aws_apigatewayv2_domain_name" "test" { - domain_name = aws_acm_certificate.test.domain_name + domain_name = %[2]q domain_name_configuration { - certificate_arn = aws_acm_certificate.test.arn + certificate_arn = data.aws_acm_certificate.test.arn endpoint_type = "REGIONAL" security_policy = "TLS_1_2" } @@ -523,17 +515,22 @@ resource "aws_apigatewayv2_domain_name" "test" { truststore_uri = "s3://${aws_s3_bucket_object.test.bucket}/${aws_s3_bucket_object.test.key}" } } -`, rName)) +`, rName, domainName) +} + +func testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthenticationUpdated(rName, domainName string) string { + return fmt.Sprintf(` +data "aws_acm_certificate" "test" { + domain = %[2]q + types = ["AMAZON_ISSUED"] + most_recent = true } -func testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthenticationUpdated(rName string) string { - return composeConfig( - testAccAWSAPIGatewayV2DomainNameConfigRootCA(rName), - testAccAWSAPIGatewayV2DomainNameConfigPrivateCert(rName), - fmt.Sprintf(` resource "aws_s3_bucket" "test" { bucket = %[1]q + force_destroy = true + versioning { enabled = true } 
@@ -546,10 +543,10 @@ resource "aws_s3_bucket_object" "test" { } resource "aws_apigatewayv2_domain_name" "test" { - domain_name = aws_acm_certificate.test.domain_name + domain_name = %[2]q domain_name_configuration { - certificate_arn = aws_acm_certificate.test.arn + certificate_arn = data.aws_acm_certificate.test.arn endpoint_type = "REGIONAL" security_policy = "TLS_1_2" } @@ -559,5 +556,25 @@ resource "aws_apigatewayv2_domain_name" "test" { truststore_version = aws_s3_bucket_object.test.version_id } } -`, rName)) +`, rName, domainName) +} + +func testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthenticationMissing(domainName string) string { + return fmt.Sprintf(` +data "aws_acm_certificate" "test" { + domain = %[1]q + types = ["AMAZON_ISSUED"] + most_recent = true +} + +resource "aws_apigatewayv2_domain_name" "test" { + domain_name = %[1]q + + domain_name_configuration { + certificate_arn = data.aws_acm_certificate.test.arn + endpoint_type = "REGIONAL" + security_policy = "TLS_1_2" + } +} +`, domainName) } diff --git a/docs/MAINTAINING.md b/docs/MAINTAINING.md index f30a296d7fd..b5c2111af45 100644 --- a/docs/MAINTAINING.md +++ b/docs/MAINTAINING.md 
@@ -398,6 +398,7 @@ Environment variables (beyond standard AWS Go SDK ones) used by acceptance testi | `AWS_API_GATEWAY_DOMAIN_NAME_CERTIFICATE_CHAIN` | Certificate chain of publicly trusted certificate for API Gateway Domain Name testing. | | `AWS_API_GATEWAY_DOMAIN_NAME_CERTIFICATE_PRIVATE_KEY` | Private key of publicly trusted certificate for API Gateway Domain Name testing. | | `AWS_API_GATEWAY_DOMAIN_NAME_REGIONAL_CERTIFICATE_NAME_ENABLED` | Flag to enable API Gateway Domain Name regional certificate upload testing. | +| `AWS_APIGATEWAYV2_CERTIFICATE_DOMAIN_NAME` | Domain Name of Amazon Issued ACM Certificate in the acceptance test region for API Gateway v2 testing. | | `AWS_CODEBUILD_BITBUCKET_SOURCE_LOCATION` | BitBucket source URL for CodeBuild testing. CodeBuild must have access to this repository via OAuth or Source Credentials. Defaults to `https://terraform@bitbucket.org/terraform/aws-test.git`. | | `AWS_CODEBUILD_GITHUB_SOURCE_LOCATION` | GitHub source URL for CodeBuild testing. CodeBuild must have access to this repository via OAuth or Source Credentials. Defaults to `https://github.com/hashibot-test/aws-test.git`. | | `AWS_COGNITO_USER_POOL_DOMAIN_CERTIFICATE_ARN` | Amazon Resource Name of ACM Certificate in `us-east-1` for Cognito User Pool Domain Name testing. | From b60662e9bba53b9cb8652a505ba3d5932d882c43 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Sat, 10 Oct 2020 08:41:18 -0400 Subject: [PATCH 5/7] Remove unused code. --- ...ource_aws_apigatewayv2_domain_name_test.go | 44 ------------------- 1 file changed, 44 deletions(-) diff --git a/aws/resource_aws_apigatewayv2_domain_name_test.go b/aws/resource_aws_apigatewayv2_domain_name_test.go index 92ff5e8e23d..def60eb46c3 100644 --- a/aws/resource_aws_apigatewayv2_domain_name_test.go +++ b/aws/resource_aws_apigatewayv2_domain_name_test.go 
@@ -405,33 +405,6 @@ resource "aws_acm_certificate" "test" { `, rName, certificate, key, count) } -func testAccAWSAPIGatewayV2DomainNameConfigRootCA(rName string) string { - return fmt.Sprintf(` -resource "aws_acmpca_certificate_authority" "test" { - permanent_deletion_time_in_days = 7 - type = "ROOT" - - certificate_authority_configuration { - key_algorithm = "RSA_4096" - signing_algorithm = "SHA512WITHRSA" - - subject { - common_name = "%[1]s.com" - } - } -} -`, rName) -} - -func testAccAWSAPIGatewayV2DomainNameConfigPrivateCert(rName string) string { - return fmt.Sprintf(` -resource "aws_acm_certificate" "test" { - domain_name = "test.%[1]s.com" - certificate_authority_arn = aws_acmpca_certificate_authority.test.arn -} -`, rName) -} - func testAccAWSAPIGatewayV2DomainNameConfig_basic(rName, certificate, key string, count, index int) string { return composeConfig(testAccAWSAPIGatewayV2DomainNameConfigImportedCerts(rName, certificate, key, count), fmt.Sprintf(` resource "aws_apigatewayv2_domain_name" "test" { @@ -465,23 +438,6 @@ resource "aws_apigatewayv2_domain_name" "test" { `, rName, index)) } -func testAccAWSAPIGatewayV2DomainNameConfigBasicWithPrivateCert(rName string) string { - return composeConfig( - testAccAWSAPIGatewayV2DomainNameConfigRootCA(rName), - testAccAWSAPIGatewayV2DomainNameConfigPrivateCert(rName), - fmt.Sprintf(` -resource "aws_apigatewayv2_domain_name" "test" { - domain_name = aws_acm_certificate.test.domain_name - - domain_name_configuration { - certificate_arn = aws_acm_certificate.test.arn - endpoint_type = "REGIONAL" - security_policy = "TLS_1_2" - } -} -`)) -} - func testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthentication(rName, domainName string) string { return fmt.Sprintf(` data "aws_acm_certificate" "test" { From c6c8dbf8690222bf053c1e37c4662482da9e063a Mon Sep 17 00:00:00 2001 
From: Kit Ewbank Date: Wed, 11 Nov 2020 16:57:30 -0500 Subject: [PATCH 6/7] Revert "Revert "r/aws_acmpca_certificate_authority: Add 'testAccCheckAwsAcmpcaCertificateAuthorityDisableCA'."" This reverts commit ee22ef29663496f9316d88997c32e20775042ceb. --- ...esource_aws_acmpca_certificate_authority_test.go | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/aws/resource_aws_acmpca_certificate_authority_test.go b/aws/resource_aws_acmpca_certificate_authority_test.go index 6e1e9412e07..915d38c260b 100644 --- a/aws/resource_aws_acmpca_certificate_authority_test.go +++ b/aws/resource_aws_acmpca_certificate_authority_test.go @@ -577,6 +577,19 @@ func testAccCheckAwsAcmpcaCertificateAuthorityActivateCA(certificateAuthority *a } } +func testAccCheckAwsAcmpcaCertificateAuthorityDisableCA(certificateAuthority *acmpca.CertificateAuthority) resource.TestCheckFunc { + return func(s *terraform.State) error { + conn := testAccProvider.Meta().(*AWSClient).acmpcaconn + + _, err := conn.UpdateCertificateAuthority(&acmpca.UpdateCertificateAuthorityInput{ + CertificateAuthorityArn: certificateAuthority.Arn, + Status: aws.String(acmpca.CertificateAuthorityStatusDisabled), + }) + + return err + } +} + func listAcmpcaCertificateAuthorities(conn *acmpca.ACMPCA) ([]*acmpca.CertificateAuthority, error) { certificateAuthorities := []*acmpca.CertificateAuthority{} input := &acmpca.ListCertificateAuthoritiesInput{} From 0d931f1675ce7aae8d472ac2aa76dc661f1e321d Mon Sep 17 00:00:00 2001 
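Review bot: The reinstated `testAccCheckAwsAcmpcaCertificateAuthorityDisableCA` returns the raw SDK error with no indication of which CA failed to transition, which matters because, as the earlier series comment `// CA must be DISABLED for deletion.` notes, a CA left ACTIVE cannot be destroyed and stays billable; wrap it as `return fmt.Errorf("error disabling ACM PCA Certificate Authority (%s): %w", aws.StringValue(certificateAuthority.Arn), err)` (fmt is presumably already imported in this test file). Also, after PATCH 7 moved the API Gateway v2 mutual TLS test to a public ACM certificate, nothing in this series references the helper any more; if no other test in the tree uses it, the `unused` linter will flag it and this revert-of-revert can be dropped.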
From: Kit Ewbank Date: Wed, 11 Nov 2020 17:30:47 -0500 Subject: [PATCH 7/7] r/aws_apigatewayv2_domain_name: Create public ACM certificate for testing mutual TLS (relates: #16139). Acceptance test output: $ ACM_CERTIFICATE_ROOT_DOMAIN= make testacc TEST=./aws TESTARGS='-run=TestAccAWSAPIGatewayV2DomainName_' ==> Checking that code complies with gofmt requirements... TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAPIGatewayV2DomainName_ -timeout 120m === RUN TestAccAWSAPIGatewayV2DomainName_basic === PAUSE TestAccAWSAPIGatewayV2DomainName_basic === RUN TestAccAWSAPIGatewayV2DomainName_disappears === PAUSE TestAccAWSAPIGatewayV2DomainName_disappears === RUN TestAccAWSAPIGatewayV2DomainName_Tags === PAUSE TestAccAWSAPIGatewayV2DomainName_Tags === RUN TestAccAWSAPIGatewayV2DomainName_UpdateCertificate === PAUSE TestAccAWSAPIGatewayV2DomainName_UpdateCertificate === RUN TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication === PAUSE TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication === CONT TestAccAWSAPIGatewayV2DomainName_basic === CONT TestAccAWSAPIGatewayV2DomainName_UpdateCertificate === CONT TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication === CONT TestAccAWSAPIGatewayV2DomainName_Tags === CONT TestAccAWSAPIGatewayV2DomainName_disappears --- PASS: TestAccAWSAPIGatewayV2DomainName_disappears (22.46s) --- PASS: TestAccAWSAPIGatewayV2DomainName_Tags (83.52s) --- PASS: TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication (207.72s) --- PASS: TestAccAWSAPIGatewayV2DomainName_basic (240.48s) --- PASS: TestAccAWSAPIGatewayV2DomainName_UpdateCertificate (758.06s) PASS ok github.com/terraform-providers/terraform-provider-aws/aws 758.484s --- ...ource_aws_apigatewayv2_domain_name_test.go | 137 +++++++++++------- docs/MAINTAINING.md | 1 - 2 files changed, 87 insertions(+), 51 deletions(-) diff --git a/aws/resource_aws_apigatewayv2_domain_name_test.go b/aws/resource_aws_apigatewayv2_domain_name_test.go index def60eb46c3..5efe6323f62 100644 
--- a/aws/resource_aws_apigatewayv2_domain_name_test.go +++ b/aws/resource_aws_apigatewayv2_domain_name_test.go @@ -3,7 +3,6 @@ package aws import ( "fmt" "log" - "os" "regexp" "testing" @@ -262,14 +261,12 @@ func TestAccAWSAPIGatewayV2DomainName_UpdateCertificate(t *testing.T) { } func TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication(t *testing.T) { - key := "AWS_APIGATEWAYV2_CERTIFICATE_DOMAIN_NAME" - domainName := os.Getenv(key) - if domainName == "" { - t.Skipf("Environment variable %s is not set", key) - } + rootDomain := testAccAwsAcmCertificateDomainFromEnv(t) + domain := testAccAwsAcmCertificateRandomSubDomain(rootDomain) var v apigatewayv2.GetDomainNameOutput resourceName := "aws_apigatewayv2_domain_name.test" + acmCertificateResourceName := "aws_acm_certificate.test" s3BucketObjectResourceName := "aws_s3_bucket_object.test" rName := acctest.RandomWithPrefix("tf-acc-test") 
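Review bot: The test now depends on `testAccAwsAcmCertificateDomainFromEnv(t)`, i.e. a maintainer-owned public root domain (`ACM_CERTIFICATE_ROOT_DOMAIN` per the commit message) with a matching public Route53 zone, yet the only documentation change in this commit removes the old `AWS_APIGATEWAYV2_CERTIFICATE_DOMAIN_NAME` row from docs/MAINTAINING.md. Unless that variable is already documented there for the ACM tests, add a row for it and state that every run issues a real publicly trusted certificate and a DNS validation record under that domain. Presumably the helper skips rather than fails when the variable is unset, since it receives `t`; worth confirming so CI accounts without the domain stay green. The test function body continues past the end of this hunk.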
@@ -279,13 +276,13 @@ func TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication(t *testing.T) { CheckDestroy: testAccCheckAWSAPIGatewayV2DomainNameDestroy, Steps: []resource.TestStep{ { - Config: testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthentication(rName, domainName), + Config: testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthentication(rootDomain, domain, rName), Check: resource.ComposeTestCheckFunc( testAccCheckAWSAPIGatewayV2DomainNameExists(resourceName, &v), testAccMatchResourceAttrRegionalARNNoAccount(resourceName, "arn", "apigateway", regexp.MustCompile(`/domainnames/.+`)), - resource.TestCheckResourceAttr(resourceName, "domain_name", domainName), + resource.TestCheckResourceAttrPair(resourceName, "domain_name", acmCertificateResourceName, "domain_name"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.#", "1"), - resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.certificate_arn"), + resource.TestCheckResourceAttrPair(resourceName, "domain_name_configuration.0.certificate_arn", acmCertificateResourceName, "arn"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.endpoint_type", "REGIONAL"), resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.hosted_zone_id"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.security_policy", "TLS_1_2"), 
@@ -297,13 +294,13 @@ func TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication(t *testing.T) { ), }, { - Config: testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthenticationUpdated(rName, domainName), + Config: testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthenticationUpdated(rootDomain, domain, rName), Check: resource.ComposeTestCheckFunc( testAccCheckAWSAPIGatewayV2DomainNameExists(resourceName, &v), testAccMatchResourceAttrRegionalARNNoAccount(resourceName, "arn", "apigateway", regexp.MustCompile(`/domainnames/.+`)), - resource.TestCheckResourceAttr(resourceName, "domain_name", domainName), + resource.TestCheckResourceAttrPair(resourceName, "domain_name", acmCertificateResourceName, "domain_name"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.#", "1"), - resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.certificate_arn"), + resource.TestCheckResourceAttrPair(resourceName, "domain_name_configuration.0.certificate_arn", acmCertificateResourceName, "arn"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.endpoint_type", "REGIONAL"), resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.hosted_zone_id"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.security_policy", "TLS_1_2"), 
@@ -321,13 +318,13 @@ func TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication(t *testing.T) { }, // Test disabling mutual TLS authentication. { - Config: testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthenticationMissing(domainName), + Config: testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthenticationMissing(rootDomain, domain), Check: resource.ComposeTestCheckFunc( testAccCheckAWSAPIGatewayV2DomainNameExists(resourceName, &v), testAccMatchResourceAttrRegionalARNNoAccount(resourceName, "arn", "apigateway", regexp.MustCompile(`/domainnames/.+`)), - resource.TestCheckResourceAttr(resourceName, "domain_name", domainName), + resource.TestCheckResourceAttrPair(resourceName, "domain_name", acmCertificateResourceName, "domain_name"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.#", "1"), - resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.certificate_arn"), + resource.TestCheckResourceAttrPair(resourceName, "domain_name_configuration.0.certificate_arn", acmCertificateResourceName, "arn"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.endpoint_type", "REGIONAL"), resource.TestCheckResourceAttrSet(resourceName, "domain_name_configuration.0.hosted_zone_id"), resource.TestCheckResourceAttr(resourceName, "domain_name_configuration.0.security_policy", "TLS_1_2"), 
@@ -405,8 +402,58 @@ resource "aws_acm_certificate" "test" { `, rName, certificate, key, count) } +func testAccAWSAPIGatewayV2DomainNameConfigPublicCert(rootDomain, domain string) string { + return fmt.Sprintf(` +data "aws_route53_zone" "test" { + name = %[1]q + private_zone = false +} + +resource "aws_acm_certificate" "test" { + domain_name = %[2]q + validation_method = "DNS" +} + + # + # for_each acceptance testing requires: + # https://github.com/hashicorp/terraform-plugin-sdk/issues/536 + # + # resource "aws_route53_record" "test" { + # for_each = { + # for dvo in aws_acm_certificate.test.domain_validation_options: dvo.domain_name => { + # name = dvo.resource_record_name + # record = dvo.resource_record_value + # type = dvo.resource_record_type + # } + # } + # allow_overwrite = true + # name = each.value.name + # records = [each.value.record] + # ttl = 60 + # type = each.value.type + # zone_id = data.aws_route53_zone.test.zone_id + # } + +resource "aws_route53_record" "test" { + allow_overwrite = true + name = tolist(aws_acm_certificate.test.domain_validation_options)[0].resource_record_name + records = [tolist(aws_acm_certificate.test.domain_validation_options)[0].resource_record_value] + ttl = 60 + type = tolist(aws_acm_certificate.test.domain_validation_options)[0].resource_record_type + zone_id = data.aws_route53_zone.test.zone_id +} + +resource "aws_acm_certificate_validation" "test" { + certificate_arn = aws_acm_certificate.test.arn + validation_record_fqdns = [aws_route53_record.test.fqdn] +} +`, rootDomain, domain) +} + func testAccAWSAPIGatewayV2DomainNameConfig_basic(rName, certificate, key string, count, index int) string { - return composeConfig(testAccAWSAPIGatewayV2DomainNameConfigImportedCerts(rName, certificate, key, count), fmt.Sprintf(` + return composeConfig( + testAccAWSAPIGatewayV2DomainNameConfigImportedCerts(rName, certificate, key, count), + fmt.Sprintf(` resource "aws_apigatewayv2_domain_name" "test" { domain_name = "%[1]s.example.com" 
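Review bot: `tolist(aws_acm_certificate.test.domain_validation_options)[0]` in the new `aws_route53_record` validates only the first option, which is correct here solely because the certificate requests a single `domain_name` and no `subject_alternative_names`; that assumption should sit next to the index, e.g. `# Single domain, no SANs: exactly one validation option exists (for_each blocked by plugin-sdk#536).` so a later SAN addition does not leave the certificate stuck in PENDING_VALIDATION. `allow_overwrite = true` will also silently replace any existing CNAME of that name in the shared public zone; the random subdomain supplied by the caller makes a collision unlikely, but a one-line comment saying it exists to tolerate stale validation records from aborted runs would make the intent clear. `testAccAWSAPIGatewayV2DomainNameConfig_basic` continues past the end of this hunk.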
@@ -420,7 +467,9 @@ resource "aws_apigatewayv2_domain_name" "test" { } func testAccAWSAPIGatewayV2DomainNameConfig_tags(rName, certificate, key string, count, index int) string { - return composeConfig(testAccAWSAPIGatewayV2DomainNameConfigImportedCerts(rName, certificate, key, count), fmt.Sprintf(` + return composeConfig( + testAccAWSAPIGatewayV2DomainNameConfigImportedCerts(rName, certificate, key, count), + fmt.Sprintf(` resource "aws_apigatewayv2_domain_name" "test" { domain_name = "%[1]s.example.com" @@ -438,14 +487,10 @@ resource "aws_apigatewayv2_domain_name" "test" { `, rName, index)) } -func testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthentication(rName, domainName string) string { - return fmt.Sprintf(` -data "aws_acm_certificate" "test" { - domain = %[2]q - types = ["AMAZON_ISSUED"] - most_recent = true -} - +func testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthentication(rootDomain, domain, rName string) string { + return composeConfig( + testAccAWSAPIGatewayV2DomainNameConfigPublicCert(rootDomain, domain), + fmt.Sprintf(` resource "aws_s3_bucket" "test" { bucket = %[1]q @@ -459,10 +504,10 @@ resource "aws_s3_bucket_object" "test" { } resource "aws_apigatewayv2_domain_name" "test" { - domain_name = %[2]q + domain_name = aws_acm_certificate.test.domain_name domain_name_configuration { - certificate_arn = data.aws_acm_certificate.test.arn + certificate_arn = aws_acm_certificate_validation.test.certificate_arn endpoint_type = "REGIONAL" security_policy = "TLS_1_2" } 
@@ -471,17 +516,13 @@ resource "aws_apigatewayv2_domain_name" "test" { truststore_uri = "s3://${aws_s3_bucket_object.test.bucket}/${aws_s3_bucket_object.test.key}" } } -`, rName, domainName) -} - -func testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthenticationUpdated(rName, domainName string) string { - return fmt.Sprintf(` -data "aws_acm_certificate" "test" { - domain = %[2]q - types = ["AMAZON_ISSUED"] - most_recent = true +`, rName)) } +func testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthenticationUpdated(rootDomain, domain, rName string) string { + return composeConfig( + testAccAWSAPIGatewayV2DomainNameConfigPublicCert(rootDomain, domain), + fmt.Sprintf(` resource "aws_s3_bucket" "test" { bucket = %[1]q @@ -499,10 +540,10 @@ resource "aws_s3_bucket_object" "test" { } resource "aws_apigatewayv2_domain_name" "test" { - domain_name = %[2]q + domain_name = aws_acm_certificate.test.domain_name domain_name_configuration { - certificate_arn = data.aws_acm_certificate.test.arn + certificate_arn = aws_acm_certificate_validation.test.certificate_arn endpoint_type = "REGIONAL" security_policy = "TLS_1_2" } 
@@ -512,25 +553,21 @@ resource "aws_apigatewayv2_domain_name" "test" {
 truststore_version = aws_s3_bucket_object.test.version_id
 }
 }
-`, rName, domainName)
-}
-
-func testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthenticationMissing(domainName string) string {
- return fmt.Sprintf(`
-data "aws_acm_certificate" "test" {
- domain = %[1]q
- types = ["AMAZON_ISSUED"]
- most_recent = true
+`, rName))
 }
+func testAccAWSAPIGatewayV2DomainNameConfigMututalTlsAuthenticationMissing(rootDomain, domain string) string {
+ return composeConfig(
+ testAccAWSAPIGatewayV2DomainNameConfigPublicCert(rootDomain, domain),
+ `
 resource "aws_apigatewayv2_domain_name" "test" {
- domain_name = %[1]q
+ domain_name = aws_acm_certificate.test.domain_name
 domain_name_configuration {
- certificate_arn = data.aws_acm_certificate.test.arn
+ certificate_arn = aws_acm_certificate_validation.test.certificate_arn
 endpoint_type = "REGIONAL"
 security_policy = "TLS_1_2"
 }
 }
-`, domainName)
+`)
 }
diff --git a/docs/MAINTAINING.md b/docs/MAINTAINING.md
index b5c2111af45..f30a296d7fd 100644
--- a/docs/MAINTAINING.md
+++ b/docs/MAINTAINING.md
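Review bot: `truststore_version = aws_s3_bucket_object.test.version_id`, the leading context of this hunk and the value the `Updated` config (declared in the previous hunk) feeds into `mutual_tls_authentication`, is only populated when the `aws_s3_bucket.test` bucket has versioning enabled; that bucket's body lies outside these hunks, so confirm it sets `versioning { enabled = true }`, otherwise the attribute would likely be an empty string and the update step would not exercise a real truststore version change. The `Missing` config hands its HCL to `composeConfig` as a bare raw string, which is fine since it contains no format verbs, but a one-line comment such as `// No mutual_tls_authentication block: presumably used to verify the attribute is cleared on update.` would document the intent for the next maintainer.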
@@ -398,7 +398,6 @@ Environment variables (beyond standard AWS Go SDK ones) used by acceptance testi
 | `AWS_API_GATEWAY_DOMAIN_NAME_CERTIFICATE_CHAIN` | Certificate chain of publicly trusted certificate for API Gateway Domain Name testing. |
 | `AWS_API_GATEWAY_DOMAIN_NAME_CERTIFICATE_PRIVATE_KEY` | Private key of publicly trusted certificate for API Gateway Domain Name testing. |
 | `AWS_API_GATEWAY_DOMAIN_NAME_REGIONAL_CERTIFICATE_NAME_ENABLED` | Flag to enable API Gateway Domain Name regional certificate upload testing. |
-| `AWS_APIGATEWAYV2_CERTIFICATE_DOMAIN_NAME` | Domain Name of Amazon Issued ACM Certificate in the acceptance test region for API Gateway v2 testing. |
 | `AWS_CODEBUILD_BITBUCKET_SOURCE_LOCATION` | BitBucket source URL for CodeBuild testing. CodeBuild must have access to this repository via OAuth or Source Credentials. Defaults to `https://terraform@bitbucket.org/terraform/aws-test.git`. |
 | `AWS_CODEBUILD_GITHUB_SOURCE_LOCATION` | GitHub source URL for CodeBuild testing. CodeBuild must have access to this repository via OAuth or Source Credentials. Defaults to `https://github.com/hashibot-test/aws-test.git`. |
 | `AWS_COGNITO_USER_POOL_DOMAIN_CERTIFICATE_ARN` | Amazon Resource Name of ACM Certificate in `us-east-1` for Cognito User Pool Domain Name testing. |
