
resource/aws_acm_certificate: Error with chain argument when updating an imported certificate #10847

Closed
rdublenych opened this issue Nov 12, 2019 · 4 comments · May be fixed by ShaperTools/terraform-provider-aws#1
Assignees
Labels
bug Addresses a defect in current functionality. service/acm Issues and PRs that pertain to the acm service.
Milestone

Comments

@rdublenych

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.13

  • provider.acme v1.5.0
  • provider.aws v2.7.0
  • provider.cloudflare v1.18.1
  • provider.tls v2.1.1

Affected Resource(s)

  • aws_acm_certificate

Terraform Configuration Files

terraform {
  required_version = "= 0.12.13"
}

provider "aws" {
  region  = "us-east-1"
  version = "2.7"
}

provider "acme" {
  version = "1.5.0"
  server_url = "https://acme-v02.api.letsencrypt.org/directory"
}

provider "cloudflare" {
  version = "1.18.1"
  api_token = "<cloudflare_api_token>"
}

provider "tls" {
  version = "2.1.1"
}

resource "tls_private_key" "private_key" {
  algorithm = "RSA"
}

resource "acme_registration" "reg" {
  account_key_pem = tls_private_key.private_key.private_key_pem
  email_address   = "some_email_address_to_contact"
}

resource "acme_certificate" "certificate" {
  account_key_pem = acme_registration.reg.account_key_pem
  common_name     = "your_domain_name"
  # will force acme certificate re-generation for the next `terraform apply`
  min_days_remaining = 300

  dns_challenge {
    provider = "cloudflare"
  }
}

resource "aws_acm_certificate" "certificate" {
  certificate_body  = acme_certificate.certificate.certificate_pem
  certificate_chain = acme_certificate.certificate.issuer_pem
  private_key       = acme_certificate.certificate.private_key_pem
}

Debug Output

https://gist.github.com/rdublenych/33205d1664f88db3709e0712ab5054d0

Expected Behavior

aws_acm_certificate resource should be updated with the given certificate data

Actual Behavior

aws_acm_certificate.cert: Error updating certificate: ValidationException:  
com.amazonaws.pki.acm.exceptions.external.ValidationException:
Could not validate the certificate with the certificate chain.
status code: 400, request id:

Steps to Reproduce

  1. terraform apply (to import certificate)
  2. terraform apply (to update imported certificate)

Important Factoids

  1. Creating new aws_acm_certificate resources with the generated certificate data works well.
  2. Updating an already imported certificate through the AWS Console with the generated certificate data works.
  3. I am thinking that the provider sends the certificate data in the same format as stored (hash of the source data) if the fields were not modified, instead of sending the source data of the certificate - key, certificate body, and chain:

run terraform apply first time (import new certificate)

...
ACM Certificate Import
   Certificate: <binary> len 1976,
   CertificateChain: <binary> len 1647,
   PrivateKey: <binary> len 1675
...

run terraform apply second time (update imported certificate):
only the certificate body was updated; the chain and private key remain the same - see the length of CertificateChain and PrivateKey:

...
ApplyResourceChange
ACM Certificate Import: {
  Certificate: <binary> len 1976,
  CertificateArn: "already_existing_arn",
  CertificateChain: <binary> len 40,
  PrivateKey: <binary> len 40
...

References

  1. similar issue related to private key - resource/aws_acm_certificate: Error with private_key argument when updating an imported certificate #7401
@ghost ghost added the service/acm Issues and PRs that pertain to the acm service. label Nov 12, 2019
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Nov 12, 2019
@edahlseng

This may be related to #9809.

@bflad
Contributor

bflad commented Jul 14, 2020

Hi folks 👋 The fix for this, saving the full attribute values in the Terraform state instead of hashed values, has been merged and will release with version 3.0.0 of the Terraform AWS Provider, likely in two weeks.

The version 3 upgrade guide will outline some details about a one-time terraform apply behavior that will occur after upgrade for the aws_acm_certificate resource:

Previously when the certificate_body, certificate_chain, and private_key arguments were stored in state, they were stored as a hash of the actual value. This prevented Terraform from properly updating the resource when necessary and the hashing has been removed. The Terraform AWS Provider will show an update to these arguments on the first apply after upgrading to version 3.0.0, which is fixing the Terraform state to remove the hash. Since the private_key attribute is marked as sensitive, the values in the update will not be visible in the Terraform output. If the non-hashed values have not changed, then no update is occurring other than the Terraform state update. If these arguments are the only updates and they all match the hash removal, the apply will occur without submitting API calls.

If you have trouble after upgrading to version 3.0.0 of the Terraform AWS Provider, please create a new issue and we will take a look. Thanks so much and apologies for the frustrating behavior in the meantime.
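The mechanism the report's debug output points at (the changed certificate body sent raw, the unchanged chain and key sent as 40-character hashes) and the 3.0.0 fix bflad describes (full values kept in state), modelled as an added Go example that is not the provider's own code. The SHA-1 state hash, the ImportCertificateInput type and the CheckRequest pre-flight guard are assumptions made for the illustration.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// ImportCertificateInput stands in for the ACM ImportCertificate arguments (constructed type).
type ImportCertificateInput struct {
	Certificate, CertificateChain, PrivateKey string
}

// hashForState models the pre-3.0.0 habit of storing a hash of each argument in
// state. Assumption: SHA-1 hex, always 40 characters, matching "len 40" in the log.
func hashForState(pem string) string {
	sum := sha1.Sum([]byte(pem))
	return hex.EncodeToString(sum[:])
}

// valueForUpdate models what an argument resolves to at apply time: a changed argument
// yields the new config value, an unchanged one yields what state holds (the hash itself).
func valueForUpdate(stored, cfg string, hashedState bool) string {
	if hashedState && hashForState(cfg) == stored {
		return stored // unchanged: the 40-char hash goes out, not the PEM
	}
	return cfg
}

// buildUpdate assembles the request; hashedState=true reproduces the bug, false models the fix.
func buildUpdate(state, cfg ImportCertificateInput, hashedState bool) ImportCertificateInput {
	return ImportCertificateInput{
		Certificate:      valueForUpdate(state.Certificate, cfg.Certificate, hashedState),
		CertificateChain: valueForUpdate(state.CertificateChain, cfg.CertificateChain, hashedState),
		PrivateKey:       valueForUpdate(state.PrivateKey, cfg.PrivateKey, hashedState),
	}
}

// CheckRequest is a local pre-flight guard: every argument must be PEM text, so a
// hash is caught (with the field named) before ACM rejects the chain validation.
func CheckRequest(in ImportCertificateInput) error {
	for name, v := range map[string]string{"Certificate": in.Certificate,
		"CertificateChain": in.CertificateChain, "PrivateKey": in.PrivateKey} {
		if !strings.HasPrefix(strings.TrimSpace(v), "-----BEGIN ") {
			return fmt.Errorf("%s is not PEM (len %d): hashed state value?", name, len(v))
		}
	}
	return nil
}
```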

@bflad bflad closed this as completed Jul 14, 2020
@ghost

ghost commented Jul 31, 2020

This has been released in version 3.0.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Aug 14, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Aug 14, 2020