
Not possible to disable certificate_transparency_logging_preference in aws provider #10167

Closed
zioalex opened this issue Sep 19, 2019 · 5 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/acm Issues and PRs that pertain to the acm service. upstream Addresses functionality related to the cloud provider.

Comments

@zioalex

zioalex commented Sep 19, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.9

  • provider.aws v2.28.1
  • provider.local v1.3.0
  • provider.null v2.1.2

Affected Resource(s)

  • aws_acm_certificate

Terraform Configuration Files

resource "aws_acm_certificate" "cloudhsm_client_cert" {
  private_key       = "${data.local_file.client_key_file.content}"
  certificate_body  = "${data.local_file.client_cert_file.content}"
  certificate_chain = "${data.local_file.cloudhsm_cert_chain.content}"
  # see here https://docs.aws.amazon.com/acm/latest/userguide/acm-concepts.html#concept-transparency
  # and here https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html?shortFooter=true#best-practices-transparency
  options {
    certificate_transparency_logging_preference = "DISABLED"
  }
}

Debug Output

It is not possible to include it due to sensitive data.

Panic Output

Expected Behavior

The new ACM certificate will be created with the certificate_transparency_logging_preference option disabled.
I've been forced to add this option because if I do not, every time I apply the code I get:

  # aws_acm_certificate.cloudhsm_client_cert must be replaced
-/+ resource "aws_acm_certificate" "cloudhsm_client_cert" {
      ~ arn                       = "arn:aws:acm:XXXXXXXXXXXXXXXXXXX" -> (known after apply)
      ~ certificate_body          = "YYYYYYYYYYYYYYYYYYY" -> (known after apply)
      ~ certificate_chain         = "ZZZZZZZZZZZZZZZZZ" -> (known after apply)
      ~ domain_name               = "client1.domain.tld" -> (known after apply)
      ~ domain_validation_options = [] -> (known after apply)
      ~ id                        = "arn:aws:acm:XXXXXXXXXXXXXXXXXXXXXXXXX" -> (known after apply)
      ~ private_key               = (sensitive value)
      ~ subject_alternative_names = [] -> (known after apply)
      - tags                      = {} -> null
      ~ validation_emails         = [] -> (known after apply)
      ~ validation_method         = "NONE" -> (known after apply)

      - options {
          - certificate_transparency_logging_preference = "DISABLED" -> null # forces replacement
        }
    }

recreating the certificate every time.

If I run a plan I get:

  # aws_acm_certificate.cloudhsm_server_cert will be created
  + resource "aws_acm_certificate" "cloudhsm_server_cert" {
      + arn                       = (known after apply)
      + certificate_body          = (known after apply)
      + certificate_chain         = (known after apply)
      + domain_name               = (known after apply)
      + domain_validation_options = (known after apply)
      + id                        = (known after apply)
      + private_key               = (sensitive value)
      + subject_alternative_names = (known after apply)
      + validation_emails         = (known after apply)
      + validation_method         = (known after apply)

      + options {
          + certificate_transparency_logging_preference = "DISABLED"
        }
    }

I see here 2 different problems:

  1. If the option is not defined the resource will be recreated because it sees:
    certificate_transparency_logging_preference = "DISABLED" -> null # forces replacement

  2. If I try to set such option to DISABLED I get:
    Error: "options.0.certificate_transparency_logging_preference": conflicts with private_key

Looking at the code here https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_acm_certificate.go
I see (line 129):

Elem: &schema.Resource{
	Schema: map[string]*schema.Schema{
		"certificate_transparency_logging_preference": {
			Type:          schema.TypeString,
			Optional:      true,
			Default:       acm.CertificateTransparencyLoggingPreferenceEnabled,
			ForceNew:      true,
			ConflictsWith: []string{"private_key", "certificate_body", "certificate_chain"},
			ValidateFunc: validation.StringInSlice([]string{
				acm.CertificateTransparencyLoggingPreferenceEnabled,
				acm.CertificateTransparencyLoggingPreferenceDisabled,
			}, false),
		},
	},
},

even though I didn't find any reason for the ConflictsWith.

Actual Behavior

Error: "options.0.certificate_transparency_logging_preference": conflicts with private_key

  on main.tf line 117, in resource "aws_acm_certificate" "cloudhsm_server_cert":
 117: resource "aws_acm_certificate" "cloudhsm_server_cert" {

Error: "options.0.certificate_transparency_logging_preference": conflicts with private_key

  on main.tf line 128, in resource "aws_acm_certificate" "cloudhsm_client_cert":
 128: resource "aws_acm_certificate" "cloudhsm_client_cert" {

Steps to Reproduce

Add the option certificate_transparency_logging_preference in the aws_acm_certificate definition:

options {
  certificate_transparency_logging_preference = "DISABLED"
}

  1. terraform apply

Important Factoids

References

  • #0000
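The plan output quoted in this issue shows the practical risk: an imported ACM certificate that Terraform decides to replace on every apply. The following is an added example, not code from the issue, from Terraform or from the AWS provider. It parses the human-readable `terraform plan` text in the form pasted above, records every planned action, and fails when a resource of a given type (by default `aws_acm_certificate`) would be destroyed and recreated, listing the attributes Terraform annotated with `# forces replacement`. The sample plan embedded in it is constructed (fake ARNs, plus a listener resource that is only updated in-place) and the function names are my own; it also goes slightly beyond the issue by handling module-prefixed addresses and any resource type.

```python
"""Gate a saved `terraform plan` text on ACM certificate replacement.

Added example for this issue thread; not code from Terraform or the AWS
provider. Replacing an aws_acm_certificate that is still attached to a load
balancer is disruptive, so a CI job can run this over the plan and fail early.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List

# Constructed sample plan: the shape of the output quoted in the issue, with
# fake ARNs, plus a third resource that is only updated in-place.
SAMPLE_PLAN = """\
  # aws_acm_certificate.cloudhsm_client_cert must be replaced
-/+ resource "aws_acm_certificate" "cloudhsm_client_cert" {
      ~ arn                       = "arn:aws:acm:XXXXXXXXXXXXXXXXXXX" -> (known after apply)
      ~ private_key               = (sensitive value)
      - tags                      = {} -> null

      - options {
          - certificate_transparency_logging_preference = "DISABLED" -> null # forces replacement
        }
    }

  # aws_acm_certificate.cloudhsm_server_cert will be created
  + resource "aws_acm_certificate" "cloudhsm_server_cert" {
      + arn                       = (known after apply)
      + private_key               = (sensitive value)

      + options {
          + certificate_transparency_logging_preference = "DISABLED"
        }
    }

  # aws_lb_listener.https will be updated in-place
  ~ resource "aws_lb_listener" "https" {
      ~ certificate_arn = "arn:aws:acm:OLD" -> "arn:aws:acm:NEW"
    }
"""

# "  # <address> <action>" lines announce each planned change.
HEADER_RE = re.compile(
    r"^\s*#\s+(?P<address>\S+)\s+"
    r"(?P<action>must be replaced|will be created|will be destroyed|"
    r"will be updated in-place|will be read during apply)"
)
# Attribute lines Terraform annotates as the reason for a replacement.
FORCES_RE = re.compile(r"^\s*[-~+]\s+(?P<attr>[A-Za-z0-9_]+)\s*=.*#\s*forces replacement")


@dataclass
class PlannedChange:
    address: str                     # e.g. aws_acm_certificate.cloudhsm_client_cert
    action: str                      # the phrase Terraform printed
    forcing_attrs: List[str] = field(default_factory=list)

    @property
    def resource_type(self) -> str:
        # The type is the segment before the resource name, which also
        # works for module-prefixed addresses like module.x.aws_acm_certificate.c
        return self.address.split(".")[-2]


def parse_plan(text: str) -> List[PlannedChange]:
    """Walk the plan line by line, attaching forcing attributes to the current change."""
    changes: List[PlannedChange] = []
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            changes.append(PlannedChange(header["address"], header["action"]))
            continue
        forces = FORCES_RE.match(line)
        if forces and changes:
            changes[-1].forcing_attrs.append(forces["attr"])
    return changes


def replaced_resources(changes: List[PlannedChange],
                       resource_type: str = "aws_acm_certificate") -> List[str]:
    """Addresses of the given type that the plan would destroy and recreate."""
    return [c.address for c in changes
            if c.action == "must be replaced" and c.resource_type == resource_type]


def report(text: str, resource_type: str = "aws_acm_certificate") -> int:
    """Print findings; return 1 (fail the job) if any such resource is replaced."""
    changes = parse_plan(text)
    flagged = replaced_resources(changes, resource_type)
    for c in changes:
        if c.address in flagged:
            reason = ", ".join(c.forcing_attrs) or "unknown"
            print(f"REPLACEMENT: {c.address} (forced by: {reason})")
    return 1 if flagged else 0


if __name__ == "__main__":
    # Read a saved plan from a file argument, or fall back to the constructed sample.
    plan_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    sys.exit(report(plan_text))
```

Saving the plan with `terraform plan -no-color > plan.txt` and running `python check_plan.py plan.txt` (the file name is mine) makes the job exit non-zero whenever a certificate replacement is planned, which is exactly the case this issue describes; the attribute list in the message points straight at `certificate_transparency_logging_preference` as the cause.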
@ghost ghost added the service/acm Issues and PRs that pertain to the acm service. label Sep 19, 2019
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Sep 19, 2019
@JulianCBC

If those certificates are used by a load balancer, then replacing them doesn't work as it tries to delete them without removing them from the load balancer. See #10233.

These issues effectively prevent people from using LetsEncrypt derived certificates with load balancers on AWS. E.g. for test or development environments.

@JulianCBC

You can hack around the issue of the certificate being re-created every time by adding a lifecycle block like this to make it ignore the options block:

resource "aws_acm_certificate" "certificate" {
  private_key       = var.private_key_pem
  certificate_body  = var.certificate_pem
  certificate_chain = var.issuer_pem

  lifecycle {
    ignore_changes = [
      options,
    ]
  }
}

@mattburgess
Collaborator

As the author of the code that introduced this issue I'd like to apologize/explain :)

As you noted from the console, when you initially import a certificate, CT Logging is enabled (and at import time you have no way of changing this). Only after the fact can you update the options on the certificate to disable CT Logging. However, at this point your certificate may already have been added to the public CT logs. So, disabling CT Logging may not have the effect you think it will, as explained at https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-transparency:

Once a certificate has been logged, it cannot be removed from the log. Opting out at that point will have no effect.

The console is mirroring the AWS API exactly here, which I'll admit would appear to be somewhat lacking. As explained at https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_acm_certificate.go#L117-L144 when you import a certificate, there's no way in the API to specify whether you want to opt in or out of CT Logging, and the default is to be opted in.

I could look at issuing an UpdateCertificateOptions() call if the certificate_transparency_logging_preference argument is set to DISABLED on imported certs but I worry that might lead people to assume the certificate isn't in any public CT Logs when it might be. I'll admit though, that I don't know how automatic that process of publishing is...maybe if the options are updated quickly enough after the import then they never will make it to the CT Logs?

@bflad bflad added enhancement Requests to existing resources that expand the functionality or scope. upstream Addresses functionality related to the cloud provider. and removed needs-triage Waiting for first response or review from a maintainer. labels May 26, 2020
@bflad
Contributor

bflad commented May 26, 2020

Hi folks 👋 Thank you @zioalex for filing the issue and thank you @mattburgess for the detailed explanation above.

Given that the ACM API effectively does not support preventing Certificate Transparency logs being sent during the ImportCertificate API call and that calling UpdateCertificateOptions after the fact will not remove the Certificate Transparency logs, we would be very hesitant to relax the Terraform resource restriction of specifying the option to disable the logs. We would not want to give the impression that this configuration works as expected to prevent the Certificate Transparency logs from appearing at all, which seems it would prompt security and bug reports against the Terraform AWS Provider.

As such, we are going to close this issue for now, since the ACM API requires potential updates. Once the API has been updated, we can revisit this request in the Terraform AWS Provider. 👍

Our best recommendation would be to contact AWS via a new support case or via your Technical Account Manager (if you have one), to recommend ImportCertificate API support include the ability to never send the Certificate Transparency logs.

@bflad bflad closed this as completed May 26, 2020
@ghost

ghost commented Jun 26, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Jun 26, 2020