Data Source: aws_acm_certificate flagging up change to id field on every run

[daveshepherd]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Affected Resource(s)

• Data Source: aws_acm_certificate

Terraform Configuration Files

terraform {
  required_version = ">= 0.13.3"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.6"
    }
  }
}

provider "aws" {
  region  = "us-east-1"
}

data aws_acm_certificate somecertificate {
  domain   = "somecertificate.example.com"
}

Debug Output

https://gist.github.com/daveshepherd/6b46ab6c443ae9089f1d2e9f32b36435

Expected Behavior

When running terraform plan or terraform apply repeatedly, no changes should be shown for this data object.

Actual Behavior

Each time terraform plan or terraform apply is run it flags up a change with the id field on the defined aws_acm_certificate data object. The id appears to be the current timestamp.

Steps to Reproduce

1. Create a AWS certificate either via the console of via Terraform
2. Define a terraform project as per the definition above, using the domain name of the certificate you created
3. Run terraform init
4. Run terraform apply
5. Run terraform plan - changes are highlighted, despite only just applying terraform and no changes have been made to this certificate.

Important Factoids

This has only become apparent since moving to terraform 0.13, presumably because 'The terraform plan and terraform apply commands will now detect and report changes to root module outputs as needing to be applied even if there are no resource changes in the plan.' This was also present with the AWS provider version 2.55 when running with terraform 0.13.

'id' is not defined as an attribute in the documentation for the acm_certificate data source. However, the acm_certificate resource does define the 'id' attribute as 'The ARN of the certificate' which is inconsistent with the data object, if nothing else.

References

• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/acm_certificate
• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate
• https://github.com/hashicorp/terraform/blob/v0.13/CHANGELOG.md#0130-august-10-2020

[anGie44]

Hi @daveshepherd, thank you for reporting this issue!

There were some unexpected changes with data source handling that occurred in the Terraform CLI version 0.13.0 release that are causing this additional data source output in addition to the unstable id attribute in the output. There are now larger tracking issues for both sides of this so to consolidate efforts and discussions:

hashicorp/terraform#25812
#14579
Please upvote and subscribe to those for further updates. 👍

[bflad]

@daveshepherd out of curiosity, does configuring most_recent = false in the data source help at all as a workaround? e.g.

data "aws_acm_certificate" "somecertificate" {
  domain      = "somecertificate.example.com"
  most_recent = false
}

[daveshepherd]

@bflad - I've set most_recent to both true and false and these changes are not longer highlighted. Thanks.

[bflad]

Okay great to hear there is at least a temporary workaround, thank you for following up. This is definitely a problem we would like to prevent going forward and we will provide additional updates as soon as we can.

[isurfbecause]

Thank you for the workaround! This was driving me crazy.

[f3d0r]

@daveshepherd out of curiosity, does configuring most_recent = false in the data source help at all as a workaround? e.g.

data "aws_acm_certificate" "somecertificate" {
  domain      = "somecertificate.example.com"
  most_recent = false
}

This worked for me, thanks!

[sarahhodne]

This is possibly related to hashicorp/terraform-provider-tls#79, which is showing a very similar diff.

[bflad]

Is anyone still having this problem after upgrading to version 3.10.0 or later of the Terraform AWS Provider? The id attribute was stabilized in that release, which may have eliminated this particular issue.

[bflad]

Given the lack of response to my above question, I'm going to close this out as fixed. If you're still having this problem, please feel free to open a new issue and complete all of the information requested in the Bug Report template so that we can attempt to understand and reproduce the problem.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!