Open
Description
It appears the terraform-aws-modules/acm module incorrectly calls the AWS ImportCertificate API instead of RequestCertificate when using AWS Provider v6.0.0, resulting in validation errors for DNS-validated certificates.
- ✋ I have searched the open/closed issues and my issue is not listed.
- I've re-init'd a few times
Versions
% terraform version
Terraform v1.11.4
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v6.0.0
+ provider registry.terraform.io/hashicorp/helm v3.0.2
+ provider registry.terraform.io/hashicorp/kubernetes v2.37.1
+ provider registry.terraform.io/hashicorp/null v3.2.4
+ provider registry.terraform.io/hashicorp/random v3.7.2
+ provider registry.terraform.io/hashicorp/tls v4.1.0
AWS Provider Version: 6.0.0
ACM Module Version: ~> 6.0.0
Reproduction Code [Required]
# Environment-Specific Base Certificate
module "acm_environment" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> 6.0.0"

  domain_name = "${var.env_build}.${var.dns_zone}"
  zone_id     = data.aws_route53_zone.selected.zone_id

  subject_alternative_names = [
    "api.${var.env_build}.${var.dns_zone}",
    "app.${var.env_build}.${var.dns_zone}",
  ]

  wait_for_validation = true
  validation_method   = "DNS"

  tags = merge(var.tags, {
    Name        = "${var.project}-${var.env_build}-cert"
    Module      = "security"
    Type        = "acm-certificate"
    Environment = var.env_build
  })
}

# Route53 Zone Data Source for DNS validation
data "aws_route53_zone" "selected" {
  name         = "${var.dns_zone}."
  private_zone = var.zone_private
}

# Find a certificate issued by (not imported into) ACM
data "aws_acm_certificate" "amazon_issued" {
  domain      = var.dns_zone
  types       = ["AMAZON_ISSUED"]
  most_recent = true
}
Steps to reproduce the behavior:
- tf init, plan, apply
- the first time it worked; wait for about 30 minutes
- run another plan/apply; it now fails with this message:
│ Error: importing ACM Certificate: operation error ACM: ImportCertificate, https response error StatusCode: 400, RequestID: 4d2dbe9c-251c-483b-be9d-8acda5c0154b, api error ValidationException: 2 validation errors detected: Value at 'privateKey' failed to satisfy constraint: Member must have length greater than or equal to 1; Value at 'certificate' failed to satisfy constraint: Member must have length greater than or equal to 1
│
│ with module.eks.module.acm_environment.aws_acm_certificate.this[0],
│ on .terraform/modules/eks.acm_environment/main.tf line 19, in resource "aws_acm_certificate" "this":
│ 19: resource "aws_acm_certificate" "this" {
Then it wouldn't work any longer; truly confusing.
Expected behavior
I'm not an expert, but if it works at all, I would expect it to keep working forever.
This is all being done in a private lab. I can retest if needed.
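The error quoted above is the AWS provider calling ImportCertificate with an empty `certificate` and `privateKey`, which is the import path of `aws_acm_certificate` rather than the RequestCertificate path a DNS-validated certificate should take. As an added example (not code from this issue, the provider, or the terraform-aws-modules/acm module), the script below reads the JSON from `terraform show -json tfplan` and reports, before apply, which ACM API path each planned `aws_acm_certificate` will take and whether its import material is planned as empty strings. The plan document embedded in it is constructed for the example; the first resource address is the one from the error message, the other addresses and the domain name are hypothetical.

```python
"""Pre-apply check: which ACM API path will each planned aws_acm_certificate take?

Added example, not code from the issue or from terraform-aws-modules/acm. Reads
`terraform show -json tfplan` output and classifies each aws_acm_certificate as
"import" (certificate_body/private_key planned -> ImportCertificate) or
"request" (domain_name planned -> RequestCertificate), flagging import
attributes planned as empty strings, which ImportCertificate rejects.
"""
import json

CERT_TYPE = "aws_acm_certificate"
IMPORT_ATTRS = ("certificate_body", "private_key")


def classify_change(rc: dict) -> dict:
    """Classify one entry of plan['resource_changes'] of type aws_acm_certificate."""
    change = rc.get("change") or {}
    after = change.get("after") or {}            # known planned values (null = unset)
    unknown = change.get("after_unknown") or {}  # true = value known only after apply
    problems = []

    # Any planned import attribute (known non-null, or unknown until apply)
    # puts the resource on the ImportCertificate path.
    planned_import = [
        attr for attr in IMPORT_ATTRS
        if after.get(attr) is not None or unknown.get(attr) is True
    ]
    if planned_import:
        mode = "import"
        for attr in IMPORT_ATTRS:
            if after.get(attr) == "":
                problems.append(f"{attr} is planned as an empty string; "
                                "ImportCertificate requires length >= 1")
            elif after.get(attr) is None and unknown.get(attr) is not True:
                problems.append(f"{attr} is unset but the other import attribute is planned")
    elif after.get("domain_name") not in (None, ""):
        mode = "request"
    else:
        mode = "unknown"
        problems.append("neither import material nor domain_name is planned")

    return {"address": rc.get("address"), "actions": list(change.get("actions") or []),
            "mode": mode, "problems": problems}


def classify_plan(plan_json: str) -> list:
    """Classify every aws_acm_certificate change in a `terraform show -json` document."""
    plan = json.loads(plan_json)
    return [classify_change(rc) for rc in plan.get("resource_changes", [])
            if rc.get("type") == CERT_TYPE]


def plan_is_safe(plan_json: str) -> bool:
    """True when no planned aws_acm_certificate carries a flagged problem."""
    return all(not r["problems"] for r in classify_plan(plan_json))


# Constructed plan JSON (hypothetical, not real terraform output). The first
# address is the one from the issue's error; the others are made up.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {   # DNS-validated request: what the module is expected to plan
            "address": "module.eks.module.acm_environment.aws_acm_certificate.this[0]",
            "type": CERT_TYPE,
            "change": {"actions": ["create"],
                       "after": {"domain_name": "lab.example.test", "validation_method": "DNS",
                                 "certificate_body": None, "private_key": None},
                       "after_unknown": {"arn": True, "id": True}}},
        {   # Import path with empty material: reproduces the ValidationException
            "address": "aws_acm_certificate.broken_import",
            "type": CERT_TYPE,
            "change": {"actions": ["create"],
                       "after": {"domain_name": None, "validation_method": None,
                                 "certificate_body": "", "private_key": ""},
                       "after_unknown": {"arn": True, "id": True}}},
        {   # Legitimate import whose PEM comes from another resource at apply time
            "address": "aws_acm_certificate.from_tls_provider",
            "type": CERT_TYPE,
            "change": {"actions": ["create"],
                       "after": {"domain_name": None, "validation_method": None},
                       "after_unknown": {"certificate_body": True, "private_key": True}}},
        {   # Unrelated resource, must be ignored
            "address": "aws_route53_record.validation",
            "type": "aws_route53_record",
            "change": {"actions": ["create"], "after": {}}},
    ],
})

if __name__ == "__main__":
    for result in classify_plan(SAMPLE_PLAN_JSON):
        flag = "OK " if not result["problems"] else "BAD"
        print(flag, result["address"], result["mode"], "; ".join(result["problems"]))
    print("plan is safe:", plan_is_safe(SAMPLE_PLAN_JSON))
```

To run it against a real plan, produce the JSON with `terraform plan -out tfplan` followed by `terraform show -json tfplan > plan.json`, then pass the file contents to `classify_plan`. A result in "import" mode for the module's `aws_acm_certificate.this[0]` is the condition this issue describes and is worth catching before the apply that fails.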