-
Notifications
You must be signed in to change notification settings - Fork 9.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
resource/aws_acm_certificate_validation: Fix root and wildcard validation_record_fqdns handling #3366
Conversation
…tion_record_fqdns handling and augment ACM testing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a few nitpicks, overall LGTM.
I couldn't run acceptance tests to actually verify this works yet though. I'm in the process of getting us a dedicated domain we could use for this testing.
resource.TestCheckResourceAttr("aws_acm_certificate.cert", "subject_alternative_names.#", "0"), | ||
resource.TestCheckResourceAttr("aws_acm_certificate.cert", "validation_emails.#", "0"), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
}) | ||
} | ||
|
||
func TestAccAwsAcmCertificate_subjectAlternativeName(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nitpick: I'd perhaps pick different names for TestAccAwsAcmCertificate_subjectAlternativeName
and TestAccAwsAcmCertificate_subjectAlternativeNames
below so we can run the first one in isolation if we want to.
e.g. TestAccAwsAcmCertificate_subjectAlternativeName_single
and TestAccAwsAcmCertificate_subjectAlternativeName_multiple
or we can shorten subjectAlternativeName
to SAN
as it's very common to do so.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll do both 😄
@@ -31,64 +25,225 @@ func TestAccAwsAcmCertificateValidation_basic(t *testing.T) { | |||
Steps: []resource.TestStep{ | |||
// Test that validation times out if certificate can't be validated | |||
resource.TestStep{ | |||
Config: testAccAcmCertificateValidation_basic(domain), | |||
Config: testAccAcmCertificateValidation_timeout(domain), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nitpick: I'd expect _basic
test to be actually basic and this timeout logic to be exercised perhaps in a separate test.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Valid point, I'll separate
return fmt.Sprintf(` | ||
%s | ||
|
||
resource "aws_acm_certificate_validation" "cert" { | ||
certificate_arn = "${aws_acm_certificate.cert.arn}" | ||
timeouts { | ||
create = "20s" | ||
create = "5s" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
if os.Getenv("ACM_CERTIFICATE_ROOT_DOMAIN") == "" { | ||
t.Skip("Environment variable ACM_CERTIFICATE_ROOT_DOMAIN is not set") | ||
} | ||
return os.Getenv("ACM_CERTIFICATE_ROOT_DOMAIN") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add any brief instructions in a comment on what is this domain in case it's not clear from the ENV variable name?
e.g.
// ACM_CERTIFICATE_ROOT_DOMAIN is a domain that was previously registered
// and successfully verified via ACM either via email or DNS
// See https://us-west-2.console.aws.amazon.com/acm/home
Also I assume the verification only needs to be done for the TLD (root) domain (e.g. terraformtesting.com
), not for SAN or anything else?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfortunately, its more complicated then that. Its per domain in each certificate request done via email validation. So if I request foo.example.com and bar.example.com with email validation, I will get two approval emails for that single request. If I go to renew them, I have to click the emails again. Hence why everyone was clamoring for DNS validation 😁
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But I'll definitely add information about the environment variable, its non-descriptive at the moment.
This has been released in version 1.10.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
Fixes #3329 (and heavily augments the ACM testing)
ACM will return the same validation record name across two domain validation objects when creating a certificate for the root domain and wildcard for the same domain. Previously
validation_record_fqdns
(always a set of 1 in this case) was trying to deeply equal the domain validation record names (a list of 2), which is impossible to workaround. This PR makes the domain validation record names a set for the validation. This also updates the error handling.Previously the error handling returned (this is the bug that was fixed):
Now returns missing records via multierror along with the associated domain name, which should be very helpful for those with high SAN count:
Passes testing locally: