
Can't update API Gateway v2 domain name mTLS truststore version: BadRequestException: Invalid input. Expected one domain name configuration #18312

Closed
dotcarls opened this issue Mar 19, 2021 · 5 comments · Fixed by #18351
Labels: bug (Addresses a defect in current functionality.), service/apigatewayv2 (Issues and PRs that pertain to the apigatewayv2 service.)

Comments

@dotcarls

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

# terraform -v
Terraform v0.14.5
+ provider registry.terraform.io/hashicorp/aws v3.32.0
+ provider registry.terraform.io/hashicorp/helm v2.0.3
+ provider registry.terraform.io/hashicorp/kubernetes v2.0.1
+ provider registry.terraform.io/hashicorp/local v1.4.0
+ provider registry.terraform.io/hashicorp/null v2.1.2
+ provider registry.terraform.io/hashicorp/random v3.0.1
+ provider registry.terraform.io/hashicorp/template v2.2.0
+ provider registry.terraform.io/hashicorp/tls v3.1.0

Affected Resource(s)

  • aws_apigatewayv2_domain_name

Terraform Configuration Files

Here's the resource in question:

resource "aws_apigatewayv2_domain_name" "example" {
  domain_name = "example.com"

  # TLS certificate and policy for the custom domain
  domain_name_configuration {
    certificate_arn = aws_acm_certificate.domain_cert.arn
    endpoint_type   = "REGIONAL"
    security_policy = "TLS_1_2"
  }

  # Client CA bundle (PEM) stored in S3; truststore_version pins a specific S3 object version
  mutual_tls_authentication {
    truststore_uri     = "s3://${aws_s3_bucket.truststore.id}/${aws_s3_bucket_object.truststore_pem.id}"
    truststore_version = aws_s3_bucket_object.truststore_pem.version_id
  }
}

The difficult bit about setting up this recreation is that you will need to have an Amazon issued (e.g. DNS / email verified) aws_acm_certificate.domain_cert to configure mTLS. I can include some additional config if needed, let me know!

Debug Output

aws_apigatewayv2_domain_name.redacted_domain[0]: Modifying... [id=redacted.example.com]
2021-03-19T20:05:19.526Z [INFO]  plugin.terraform-provider-aws_v3.32.0_x5: 2021/03/19 20:05:19 [DEBUG] Updating API Gateway v2 domain name: {
  DomainName: "redacted.example.com",
  MutualTlsAuthentication: {
    TruststoreVersion: "UGb2pjvF9ahXYvu6kxbtX0vFmixFvI1Q"
  }
}: timestamp=2021-03-19T20:05:19.526Z
2021-03-19T20:05:19.527Z [INFO]  plugin.terraform-provider-aws_v3.32.0_x5: 2021/03/19 20:05:19 [DEBUG] [aws-sdk-go] DEBUG: Request ApiGatewayV2/UpdateDomainName Details:
---[ REQUEST POST-SIGN ]-----------------------------
PATCH /v2/domainnames/redacted.example.com HTTP/1.1
Host: apigateway.us-west-2.amazonaws.com
User-Agent: aws-sdk-go/1.37.24 (go1.16; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.14.5 (+https://www.terraform.io) terraform-provider-aws/dev (+https://registry.terraform.io/providers/hashicorp/aws)
Content-Length: 84
Authorization: Redacted
Content-Type: application/json
X-Amz-Date: Redacted
X-Amz-Security-Token: Redacted
Accept-Encoding: gzip

{"mutualTlsAuthentication":{"truststoreVersion":"UGb2pjvF9ahXYvu6kxbtX0vFmixFvI1Q"}}
-----------------------------------------------------: timestamp=2021-03-19T20:05:19.526Z
2021-03-19T20:05:19.774Z [INFO]  plugin.terraform-provider-aws_v3.32.0_x5: 2021/03/19 20:05:19 [DEBUG] [aws-sdk-go] DEBUG: Response ApiGatewayV2/UpdateDomainName Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 400 Bad Request
Content-Length: 67
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: x-amzn-RequestId,x-amzn-ErrorType,x-amzn-ErrorMessage,Date
Content-Type: application/json
Date: Fri, 19 Mar 2021 20:05:19 GMT
X-Amz-Apigw-Id: Redacted
X-Amzn-Errortype: BadRequestException
X-Amzn-Requestid: Redacted
X-Amzn-Trace-Id: Redacted


-----------------------------------------------------: timestamp=2021-03-19T20:05:19.774Z
2021-03-19T20:05:19.775Z [INFO]  plugin.terraform-provider-aws_v3.32.0_x5: 2021/03/19 20:05:19 [DEBUG] [aws-sdk-go] {"message":"Invalid input. Expected one domain name configuration"}: timestamp=2021-03-19T20:05:19.774Z
2021-03-19T20:05:19.775Z [INFO]  plugin.terraform-provider-aws_v3.32.0_x5: 2021/03/19 20:05:19 [DEBUG] [aws-sdk-go] DEBUG: Validate Response ApiGatewayV2/UpdateDomainName failed, attempt 0/25, error BadRequestException: Invalid input. Expected one domain name configuration: timestamp=2021-03-19T20:05:19.774Z
2021/03/19 20:05:19 [DEBUG] aws_apigatewayv2_domain_name.redacted_domain[0]: apply errored, but we're indicating that via the Error pointer rather than returning it: error updating API Gateway v2 domain name (redacted.example.com): BadRequestException: Invalid input. Expected one domain name configuration

Expected Behavior

The update to truststore_version succeeds.

Actual Behavior

The update to truststore_version fails.

Steps to Reproduce

Updating / tainting the aws_s3_bucket_object.truststore_pem resource or manually changing the truststore_version value is enough to trigger the error.

Important Factoids

No, standard AWS deployment and basic API Gateway configuration

References

@ghost ghost added the service/apigatewayv2 Issues and PRs that pertain to the apigatewayv2 service. label Mar 19, 2021
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Mar 19, 2021
@ewbankkit ewbankkit added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Mar 20, 2021
@ewbankkit ewbankkit self-assigned this Mar 20, 2021
@ewbankkit (Contributor)

I can reproduce with a slightly modified acceptance test case:

=== CONT  TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication
    resource_aws_apigatewayv2_domain_name_test.go:279: Step 2/4 error: Error running apply: exit status 1
        2021/03/22 17:15:26 [DEBUG] Using modified User-Agent: Terraform/0.12.26 HashiCorp-terraform-exec/0.13.0
        
        Error: error updating API Gateway v2 domain name (tf-acc-01xy3s6uqmlgijxzyxaupimtxq7sqdaldcnzlpdqz8.ewbankkit.com): BadRequestException: Invalid input. Expected one domain name configuration
        
          on terraform_plugin_test.tf line 62, in resource "aws_apigatewayv2_domain_name" "test":
          62: resource "aws_apigatewayv2_domain_name" "test" {
        
        
--- FAIL: TestAccAWSAPIGatewayV2DomainName_MutualTlsAuthentication (194.33s)

@ewbankkit (Contributor)

Sniffing the AWS Console network traffic I can see that the domain name configuration is sent when updating just the S3 object version:

{headers: {X-Amz-User-Agent: "aws-sdk-js/2.640.0 promise", Content-Type: "application/json"},…}
contentString: "{"domainNameConfigurations":[{"endpointType":"REGIONAL","certificateArn":"arn:aws:acm:us-west-2:123456789012:certificate/9044a2b3-9d04-45c6-8611-9ee315b65da6","securityPolicy":"TLS_1_2"}],"mutualTlsAuthentication":{"truststoreUri":"s3://ewbankkit-mtls-versioned/1.pem","truststoreVersion":"i4Dy_KY2_ow6MgurAAKTjaW.IL4AlWuM"}}"
headers: {X-Amz-User-Agent: "aws-sdk-js/2.640.0 promise", Content-Type: "application/json"}
method: "PATCH"
operation: "updateDomainName"
params: {}
path: "/domainnames/mtls.ewbankkit.com"
region: "us-west-2"
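
To make the difference between the two request bodies in this thread concrete, here is an added example (not the provider's code, nor anything from the fix PR) in plain Go. It models the UpdateDomainName PATCH body with the JSON field names seen in the captured requests above, builds both the provider's truststore-only body and the console-style body that echoes the existing domain name configuration, and runs a local pre-flight check modelled on the error message. The struct names, `DomainNameState`, the validation rule itself, and the sample ARN, bucket and version values are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Wire-format structs for the UpdateDomainName PATCH body. The JSON field names
// are the ones visible in the request bodies captured in this thread; the Go
// type names are my own, not the provider's or the SDK's.
type DomainNameConfiguration struct {
	CertificateArn string `json:"certificateArn"`
	EndpointType   string `json:"endpointType"`
	SecurityPolicy string `json:"securityPolicy"`
}

type MutualTLSAuthentication struct {
	TruststoreURI     string `json:"truststoreUri,omitempty"`
	TruststoreVersion string `json:"truststoreVersion,omitempty"`
}

type UpdateDomainNameBody struct {
	DomainNameConfigurations []DomainNameConfiguration `json:"domainNameConfigurations,omitempty"`
	MutualTLSAuthentication  *MutualTLSAuthentication  `json:"mutualTlsAuthentication,omitempty"`
}

// DomainNameState (hypothetical) stands in for the state the caller already
// holds for the domain name, e.g. what Terraform keeps in its state file.
type DomainNameState struct {
	Config DomainNameConfiguration
	MTLS   MutualTLSAuthentication
}

// buildTruststoreOnlyUpdate reproduces the body the provider sent in the debug
// output above: mutualTlsAuthentication alone, no domain name configuration.
func buildTruststoreOnlyUpdate(newVersion string) UpdateDomainNameBody {
	return UpdateDomainNameBody{
		MutualTLSAuthentication: &MutualTLSAuthentication{TruststoreVersion: newVersion},
	}
}

// buildFullUpdate echoes the existing domain name configuration and truststore
// URI alongside the new truststore version, as the console's PATCH body does.
func buildFullUpdate(state DomainNameState, newVersion string) UpdateDomainNameBody {
	return UpdateDomainNameBody{
		DomainNameConfigurations: []DomainNameConfiguration{state.Config},
		MutualTLSAuthentication: &MutualTLSAuthentication{
			TruststoreURI:     state.MTLS.TruststoreURI,
			TruststoreVersion: newVersion,
		},
	}
}

// validateUpdateBody is a local pre-flight model of the rule implied by the
// error message: the update must carry exactly one domain name configuration.
// This is an assumption drawn from the thread, not AWS's actual validation.
func validateUpdateBody(body UpdateDomainNameBody) error {
	if len(body.DomainNameConfigurations) != 1 {
		return errors.New("BadRequestException: Invalid input. Expected one domain name configuration")
	}
	return nil
}

// marshalBody renders the body as it would go on the wire.
func marshalBody(body UpdateDomainNameBody) (string, error) {
	raw, err := json.Marshal(body)
	if err != nil {
		return "", err
	}
	return string(raw), nil
}

func main() {
	// Constructed sample state; the ARN, bucket and version are placeholders.
	state := DomainNameState{
		Config: DomainNameConfiguration{
			CertificateArn: "arn:aws:acm:us-west-2:123456789012:certificate/00000000-0000-0000-0000-000000000000",
			EndpointType:   "REGIONAL",
			SecurityPolicy: "TLS_1_2",
		},
		MTLS: MutualTLSAuthentication{TruststoreURI: "s3://example-truststore/truststore.pem"},
	}
	for _, body := range []UpdateDomainNameBody{
		buildTruststoreOnlyUpdate("NEW_VERSION_ID"),
		buildFullUpdate(state, "NEW_VERSION_ID"),
	} {
		wire, _ := marshalBody(body)
		fmt.Printf("%s\n  -> %v\n", wire, validateUpdateBody(body))
	}
}
```

Running it prints the truststore-only body (byte-for-byte the one in the debug output) followed by the modelled rejection, then the full body followed by `<nil>`. The practical point for anyone driving this API outside the provider is the same: a change to only the truststore version still has to re-send the current domain name configuration.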

@ghost commented Mar 26, 2021

This has been released in version 3.34.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost commented Apr 25, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Apr 25, 2021