Bug in 1.9.0 when creating route53 entries for ACM approvals #3362
Comments
Hi @sophos-jeff, sorry you're running into trouble here. Are you able to turn on debug logging and see if the
On the same note, this should be optional, since when using a SAN in certificate requests the DNS records are the same.

So instead of doing this:

```hcl
resource "aws_route53_record" "cn_cert_validation" {
  name    = "${aws_acm_certificate.certificate.domain_validation_options.0.resource_record_name}"
  type    = "${aws_acm_certificate.certificate.domain_validation_options.0.resource_record_type}"
  zone_id = "${data.aws_route53_zone.approval_zone.id}"
  records = ["${aws_acm_certificate.certificate.domain_validation_options.0.resource_record_value}"]
  ttl     = 60
}

resource "aws_route53_record" "san_cert_validation" {
  name    = "${aws_acm_certificate.certificate.domain_validation_options.1.resource_record_name}"
  type    = "${aws_acm_certificate.certificate.domain_validation_options.1.resource_record_type}"
  zone_id = "${data.aws_route53_zone.approval_zone.id}"
  records = ["${aws_acm_certificate.certificate.domain_validation_options.1.resource_record_value}"]
  ttl     = 60
}

resource "aws_acm_certificate_validation" "cert" {
  # References the same certificate resource as the records above
  certificate_arn         = "${aws_acm_certificate.certificate.arn}"
  validation_record_fqdns = ["${aws_route53_record.cn_cert_validation.fqdn}", "${aws_route53_record.san_cert_validation.fqdn}"]
}
```

you should be able to do just:

```hcl
resource "aws_route53_record" "cn_cert_validation" {
  name    = "${aws_acm_certificate.certificate.domain_validation_options.0.resource_record_name}"
  type    = "${aws_acm_certificate.certificate.domain_validation_options.0.resource_record_type}"
  zone_id = "${data.aws_route53_zone.approval_zone.id}"
  records = ["${aws_acm_certificate.certificate.domain_validation_options.0.resource_record_value}"]
  ttl     = 60
}

resource "aws_acm_certificate_validation" "cert" {
  # References the same certificate resource as the record above
  certificate_arn         = "${aws_acm_certificate.certificate.arn}"
  validation_record_fqdns = ["${aws_route53_record.cn_cert_validation.fqdn}"]
}
```
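As an added example (not code from either commenter or from the provider), the same validation set up without hard-coding the `.0`/`.1` indexes: one record per `domain_validation_options` entry, so it covers both the CN-only and the CN-plus-SAN case discussed above. It assumes Terraform 0.12 or later syntax, the `certificate` and `approval_zone` names from this thread, and placeholder domains.

```hcl
# Placeholder domains; replace with the real CN and SAN.
resource "aws_acm_certificate" "certificate" {
  domain_name               = "example.com"
  subject_alternative_names = ["www.example.com"]
  validation_method         = "DNS"
}

data "aws_route53_zone" "approval_zone" {
  name         = "example.com."
  private_zone = false
}

# One validation record per entry ACM returns, keyed by the
# validated domain name. Record name/type/value come straight
# from ACM, so nothing about the proof of control is hand-typed.
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.certificate.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }

  # If the CN and a SAN resolve to the same validation record
  # name (e.g. apex plus wildcard), let the duplicate overwrite
  # rather than fail the apply.
  allow_overwrite = true
  name            = each.value.name
  type            = each.value.type
  zone_id         = data.aws_route53_zone.approval_zone.zone_id
  records         = [each.value.record]
  ttl             = 60
}

# Waits until ACM has seen every record above before the
# certificate is treated as issued.
resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = aws_acm_certificate.certificate.arn
  validation_record_fqdns = [for r in aws_route53_record.cert_validation : r.fqdn]
}
```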
Working on the debug logging still. Should have that today. @aduzsardi The CN and SAN are different from each other. This was updated like this due to hitting the 64 character limit on a CN, so there is kind of an ID CN generated, and using the FQDN for the SAN instead to get around this issue. NOTE: This issue was still occurring with only a CN as well, before I implemented the SAN, but it happened only once so I had ignored it before implementing the SAN. It has happened more since then; hopefully getting the debug logs will reveal more.
@aduzsardi the mentioned
I have a full debug log.... here is a better look at another example of the error.

```
2018/02/14 14:05:20 [ERROR] root.service_definition: eval: *terraform.EvalSequence, err: aws_route53_record.cert_validation: diffs didn't match during apply. This is a bug with Terraform and should be reported as a GitHub Issue.
```
What happens if you run this with Terraform 0.11.3? Does If your debug log contains sensitive information you can encrypt it using the Hashicorp GPG key and I can take a look.
Closing due to lack of response. If you're still having this problem please open a new issue.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
This occurs every time on the first run of a terraform apply; on a subsequent run it works fine (so our current workaround is to run it again).
NOTE: I have censored our actual DNS names for this, as it might contain information we don't want posted to a public location.
This is what the code looks like:
Thanks for any assistance on this issue.
-Jeff