aws_acm_certificate subject_alternative_names & domain_validation_options get returned in a different order each time #8531

Closed
tdmalone opened this issue May 6, 2019 · 89 comments · Fixed by #14199
Labels: service/acm (Issues and PRs that pertain to the acm service), upstream (Addresses functionality related to the cloud provider)

@tdmalone
Contributor

tdmalone commented May 6, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.13
+ provider.aws v2.8.0

Affected Resource(s)

Terraform Configuration Files

resource "aws_acm_certificate" "main" {
  domain_name = "example.com"
  validation_method = "DNS"

  subject_alternative_names = [
    "one.example.com",
    "two.example.com",
    "three.example.com",
    "four.example.com",
    "five.example.com",
    "six.example.com",
    "seven.example.com",
    "eight.example.com",
    "nine.example.com",
  ]
}

output "domain_validation_options" {
  value = "${aws_acm_certificate.main.domain_validation_options}"
}

Expected Behavior

  • There should be no diff after creating the certificate.
  • The domain_validation_options output should contain the same results, in the same order, each time it is refreshed.

Actual Behavior

The subject_alternative_names re-order on each apply, presenting a diff that would recreate the certificate:

-/+ aws_acm_certificate.main (new resource required)
      id:                          "arn:aws:acm:ap-southeast-2:xxxxxxxxxx:certificate/4c16e4c2-b77e-46f7-82e4-37aa5145c95f" => <computed> (forces new resource)
      arn:                         "arn:aws:acm:ap-southeast-2:xxxxxxxxxx:certificate/4c16e4c2-b77e-46f7-82e4-37aa5145c95f" => <computed>
      domain_name:                 "example.com" => "example.com"
      domain_validation_options.#: "10" => <computed>
      subject_alternative_names.#: "9" => "9"
      subject_alternative_names.0: "five.example.com" => "one.example.com" (forces new resource)
      subject_alternative_names.1: "seven.example.com" => "two.example.com" (forces new resource)
      subject_alternative_names.2: "nine.example.com" => "three.example.com" (forces new resource)
      subject_alternative_names.3: "two.example.com" => "four.example.com" (forces new resource)
      subject_alternative_names.4: "one.example.com" => "five.example.com" (forces new resource)
      subject_alternative_names.5: "six.example.com" => "six.example.com"
      subject_alternative_names.6: "three.example.com" => "seven.example.com" (forces new resource)
      subject_alternative_names.7: "eight.example.com" => "eight.example.com"
      subject_alternative_names.8: "four.example.com" => "nine.example.com" (forces new resource)
      validation_emails.#:         "0" => <computed>
      validation_method:           "DNS" => "DNS"

The domain_validation_options appear to come back in a random order each time:

$ terraform refresh

aws_acm_certificate.main: Refreshing state... (ID: arn:aws:acm:ap-southeast-2:xxxxxxxxxxxxx...e/bb1b08f5-5abe-48a3-9479-4b7c23e6464e)

Outputs:

domain_validation_options = [
    {
        domain_name = four.example.com,
        resource_record_name = _6fc87df20d798c2330866e8e4e6a2abe.four.example.com.,
        resource_record_type = CNAME,
        resource_record_value = _5117e7221b4e3be0f089f19fc2b80e92.xxxxxxxx.acm-validations.aws.
    },
    {
        domain_name = one.example.com,
        resource_record_name = _23da223716d9e50d20216ab5e1402512.one.example.com.,
        resource_record_type = CNAME,
        resource_record_value = _614bc43713333339cdb429184b55fdb7.xxxxxxxx.acm-validations.aws.
    },
    {
        domain_name = six.example.com,
        resource_record_name = _0e4cf2b93667f979f63b22ce9021b8ab.six.example.com.,
        resource_record_type = CNAME,
        resource_record_value = _934e8faf2368c3b6ea042d5c143c7594.xxxxxxxx.acm-validations.aws.
    },
    {
        domain_name = three.example.com,
        resource_record_name = _2e7945ed996c75e8ef734df732a80528.three.example.com.,
        resource_record_type = CNAME,
        resource_record_value = _00b32a7cc13f40d59ee96b85bc57d5c5.xxxxxxxx.acm-validations.aws.
    },
    {
        domain_name = eight.example.com,
        resource_record_name = _8a675b2ea5f2339e8f7acf281c06a5fe.eight.example.com.,
        resource_record_type = CNAME,
        resource_record_value = _c3cad235d292a1b6ee6e4c91398a7881.xxxxxxxx.acm-validations.aws.
    },
    {
        domain_name = seven.example.com,
        resource_record_name = _b396e6867067ac23789c5a3b65215035.seven.example.com.,
        resource_record_type = CNAME,
        resource_record_value = _c5faed2e8c55f794a00090356d37e307.xxxxxxxx.acm-validations.aws.
    },
    {
        domain_name = two.example.com,
        resource_record_name = _4e8c7cf4d0490efdc1ab31e04591b7f4.two.example.com.,
        resource_record_type = CNAME,
        resource_record_value = _b6145ef70687d93ffdf53666aa303c6f.xxxxxxxx.acm-validations.aws.
    },
    {
        domain_name = five.example.com,
        resource_record_name = _be7d2d75a8694d7647f2f741e0e232c4.five.example.com.,
        resource_record_type = CNAME,
        resource_record_value = _a8a0e9d5062c56ff1a8e72795edce8cf.xxxxxxxx.acm-validations.aws.
    },
    {
        domain_name = example.com,
        resource_record_name = _a1cc787c0f947dd4cd843e9f55547513.example.com.,
        resource_record_type = CNAME,
        resource_record_value = _bc7930c6cc7fefddf297a10a8447e537.acm-validations.aws.
    },
    {
        domain_name = nine.example.com,
        resource_record_name = _a2f03d4faba00b7e3a472adc39918941.nine.example.com.,
        resource_record_type = CNAME,
        resource_record_value = _453f55ee2c7489dd8664f00f40cba240.xxxxxxxx.acm-validations.aws.
    }
]

$ terraform refresh

aws_acm_certificate.main: Refreshing state... (ID: arn:aws:acm:ap-southeast-2:xxxxxxxxxxxxx...e/bb1b08f5-5abe-48a3-9479-4b7c23e6464e)

Outputs:

domain_validation_options = [
    {
        domain_name = example.com,
        resource_record_name = _a1cc787c0f947dd4cd843e9f55547513.example.com.,
        resource_record_type = CNAME,
        resource_record_value = _bc7930c6cc7fefddf297a10a8447e537.acm-validations.aws.
    },
    {
        domain_name = six.example.com,
        resource_record_name = _0e4cf2b93667f979f63b22ce9021b8ab.six.example.com.,
        resource_record_type = CNAME,
        resource_record_value = _934e8faf2368c3b6ea042d5c143c7594.xxxxxxxx.acm-validations.aws.
    },
    {
        domain_name = one.example.com,
        resource_record_name = _23da223716d9e50d20216ab5e1402512.one.example.com.,
        resource_record_type = CNAME,
        resource_record_value = _614bc43713333339cdb429184b55fdb7.xxxxxxxx.acm-validations.aws.
    },
    {
        domain_name = five.example.com,
        resource_record_name = _be7d2d75a8694d7647f2f741e0e232c4.five.example.com.,
        resource_record_type = CNAME,
        resource_record_value = _a8a0e9d5062c56ff1a8e72795edce8cf.xxxxxxxx.acm-validations.aws.
    },
    {
        domain_name = four.example.com,
        resource_record_name = _6fc87df20d798c2330866e8e4e6a2abe.four.example.com.,
        resource_record_type = CNAME,
        resource_record_value = _5117e7221b4e3be0f089f19fc2b80e92.xxxxxxxx.acm-validations.aws.
    },
    {
        domain_name = nine.example.com,
        resource_record_name = _a2f03d4faba00b7e3a472adc39918941.nine.example.com.,
        resource_record_type = CNAME,
        resource_record_value = _453f55ee2c7489dd8664f00f40cba240.xxxxxxxx.acm-validations.aws.
    },
    {
        domain_name = two.example.com,
        resource_record_name = _4e8c7cf4d0490efdc1ab31e04591b7f4.two.example.com.,
        resource_record_type = CNAME,
        resource_record_value = _b6145ef70687d93ffdf53666aa303c6f.xxxxxxxx.acm-validations.aws.
    },
    {
        domain_name = eight.example.com,
        resource_record_name = _8a675b2ea5f2339e8f7acf281c06a5fe.eight.example.com.,
        resource_record_type = CNAME,
        resource_record_value = _c3cad235d292a1b6ee6e4c91398a7881.xxxxxxxx.acm-validations.aws.
    },
    {
        domain_name = three.example.com,
        resource_record_name = _2e7945ed996c75e8ef734df732a80528.three.example.com.,
        resource_record_type = CNAME,
        resource_record_value = _00b32a7cc13f40d59ee96b85bc57d5c5.xxxxxxxx.acm-validations.aws.
    },
    {
        domain_name = seven.example.com,
        resource_record_name = _b396e6867067ac23789c5a3b65215035.seven.example.com.,
        resource_record_type = CNAME,
        resource_record_value = _c5faed2e8c55f794a00090356d37e307.xxxxxxxx.acm-validations.aws.
    }
]

Steps to Reproduce

  1. Use the code supplied above (PLEASE NOTE: you may need to change example.com to a domain that you own/control)
  2. terraform apply and enter yes when prompted
  3. terraform apply again to note the different order for the subject_alternative_names
  4. terraform refresh a couple of times to see the different orders for the domain_validation_options

Important Factoids

The diff on the subject_alternative_names is easy to workaround - simply use:

lifecycle {
  ignore_changes = ["subject_alternative_names"]
}

They can't ever change out-of-band anyway, so there's no need to monitor this field for changes.

However, the issue with the domain_validation_options is a little harder to work around. I'm using it as input to multiple aws_route53_record resources, and when the order changes, I'm getting perpetual diffs as Terraform is wanting to replace each of the records with the new order.

Of note - this didn't used to happen. I haven't run this particular workflow for ~6 months so it's possible something has changed in this provider in the meantime (there are a few potentially related entries in the changelog here and here and maybe also here), but I've also only just started seeing these diffs in the last week so I'm wondering if it's possible something has changed in the relevant AWS API.

References

Might be related to another SAN issue I just lodged: #8530

@tdmalone tdmalone changed the title aws_acm_certificate domain_validation_options get returned in a different order each time aws_acm_certificate subject_alternative_names & domain_validation_options get returned in a different order each time May 6, 2019
@rifelpet
Contributor

rifelpet commented May 6, 2019

We've been running plans & applies regularly in a state containing many aws_acm_certificates and aws_route53_records for their validation records. It appears the ordering started varying recently, I assume it's related to an AWS API change.

I think one potential solution would be to have the provider sort the records internally prior to storing them in state. This could result in many aws_route53_record recreations for anyone using this workflow, however it would only be a one-time issue after upgrading the aws provider.

I have yet to test it, but I would assume using Terraform's sort() on aws_acm_certificate.foo.domain_validation_options when iterating over aws_route53_records would achieve something similar.

@tdmalone
Contributor Author

tdmalone commented May 6, 2019

I thought about sort() too, but domain_validation_options is a list of maps rather than strings, so that’s not gonna work (could probably do some fancy surgery on it by turning it into strings, but that’s gonna be super messy!)

@jonseymour

I agree that Terraform AWS provider should be sorting the AWS record by record_name prior to any kind of comparison.

FWIW, I did try the terraform sort() approach as a workaround and it worked for me because I only had one SAN and was prepared to enumerate the SANs in a local variable.

Here is a summary of what I did:

provider "null" {
}

locals {
	unsorted = [
		"${aws_acm_certificate.backoffice.domain_validation_options.0.resource_record_name}!0",
		"${aws_acm_certificate.backoffice.domain_validation_options.1.resource_record_name}!1"
	]
	sorted = "${sort(local.unsorted)}"
	index = [
		"${element(split("!", local.sorted[0]),1)}",
		"${element(split("!", local.sorted[1]),1)}"
	]
}

# for visibility

output "index" {
	value = "${local.index}"
}

output "unsorted" {
	value = "${local.unsorted}"
}

output "sorted" {
	value = "${local.sorted}"
}

resource "null_resource" "locals" {
	triggers = {
		index = "${local.index}"
		unsorted = "${local.unsorted}"
		sorted = "${local.sorted}"
	}
}
...

# the aws_route53_record

resource "aws_route53_record" "backoffice" {
  count   = "${length(local.index)}"
  name    = "${lookup(aws_acm_certificate.backoffice.domain_validation_options[local.index[count.index]], "resource_record_name")}"
  type    = "${lookup(aws_acm_certificate.backoffice.domain_validation_options[local.index[count.index]], "resource_record_type")}"
  zone_id = "${var.zone_id}"
  records = [
  	"${lookup(aws_acm_certificate.backoffice.domain_validation_options[local.index[count.index]], "resource_record_value")}"
  ]
  ttl     = 60
}

@rifelpet
Contributor

rifelpet commented May 13, 2019

Here's an easy way to confirm this change in behavior, run this on a cert with multiple SANs:

(for i in {0..10}; do aws acm describe-certificate --certificate-arn $CERTIFICATE_ARN --query "Certificate.DomainValidationOptions[*].DomainName" --output text; done ) | sort | uniq -c

   7 domain1.com	domain2.com
   4 domain2.com	domain1.com

@eriksw

eriksw commented May 13, 2019

Is there any workaround for this? I'm wary of allowing validation records to be created/destroyed because I have critical (ALB) resources that transitively depend on them via an aws_acm_certificate_validation.

@tdmalone
Contributor Author

@eriksw There’s no harm in momentarily destroying the validation records per se; the only thing it will likely do is prevent renewal of the certificate when it is close to expiry - so obviously you don’t want to remove the records forever, but removing/replacing them in a plan/apply is not going to affect anything.

@axw-pivorra

axw-pivorra commented May 14, 2019

Hi,
We had the same issue on us-east-1 (not in us-east-2), corrected by the following implementation.

I tested the bypass proposed by jonseymour.
Validated on terraform version 0.11.10 and 0.11.13 for AWS region us-east-1 and us-east-2
Provider AWS version is 2.10.0

Important: on a new terraform project, count() can't be used in aws_route53_record.cert_validation_record
I put a local variable named 'entries_count' (no way to solve this)

locals {
  entries_number = 5 // IMPORTANT => count() in aws_route53_record.cert_validation_record can't be computed by terraform
  unsorted = [
    "${aws_acm_certificate.frontend_cert.domain_validation_options.0.resource_record_name}!0",
    "${aws_acm_certificate.frontend_cert.domain_validation_options.1.resource_record_name}!1",
    "${aws_acm_certificate.frontend_cert.domain_validation_options.2.resource_record_name}!2",
    "${aws_acm_certificate.frontend_cert.domain_validation_options.3.resource_record_name}!3",
    "${aws_acm_certificate.frontend_cert.domain_validation_options.4.resource_record_name}!4"
  ]
  sorted = "${sort(local.unsorted)}"
  index = [
    "${element(split("!", local.sorted[0]),1)}",
    "${element(split("!", local.sorted[1]),1)}",
    "${element(split("!", local.sorted[2]),1)}",
    "${element(split("!", local.sorted[3]),1)}",
    "${element(split("!", local.sorted[4]),1)}",
  ]
}

resource "aws_acm_certificate" "frontend_cert" {
  domain_name = "${var.mydomain}"
  subject_alternative_names = [
    "alt-name-1.${var.mydomain}",
    "alt-name-2.${var.mydomain}",
    "alt-name-3.${var.mydomain}",
    "alt-name-4.${var.mydomain}"
  ]
  validation_method = "DNS"
  lifecycle {
    create_before_destroy = true
    # DO NOT REMOVE THIS DUE TO BUG DETECTED ON AWS CERT ALTERNATIVE ORDERING
    ignore_changes = ["subject_alternative_names"]
  }
}

resource "aws_route53_record" "cert_validation_record" {
  count = "${(local.entries_number)}"
  name = "${lookup(aws_acm_certificate.frontend_cert.domain_validation_options[local.index[count.index]], "resource_record_name")}"
  type = "${lookup(aws_acm_certificate.frontend_cert.domain_validation_options[local.index[count.index]], "resource_record_type")}"
  zone_id = "${aws_route53_zone.public_zone.id}"
  records = [
    "${lookup(aws_acm_certificate.frontend_cert.domain_validation_options[local.index[count.index]], "resource_record_value")}"
  ]
  ttl = 60
}

resource "aws_acm_certificate_validation" "cert" {
  certificate_arn = "${aws_acm_certificate.frontend_cert.arn}"

  validation_record_fqdns = [
    "${aws_route53_record.cert_validation_record.*.fqdn}"
  ]
}

@angeloskaltsikis
Contributor

We faced the same problem in us-east-1 & eu-west-1 while in us-west-1 we do not face such an issue.

@willejs
Contributor

willejs commented May 15, 2019

This is less than ideal...

@nickdgriffin

Has anyone raised this to AWS/asked on the forum?

Also having this generate a lot of noise in TF runs, and whilst it might not do any harm it does make it challenging to convince people to review changes when there are some that need to be overlooked like this.

@mlafeldt

Has anyone raised this to AWS/asked on the forum?

We just opened a support case after running into this issue in eu-central-1 today. They have reached out to their internal service team for investigation.

@nickdgriffin

@mlafeldt Cool, thanks for the info - would you be able to share their response please?

@mlafeldt

@mlafeldt Cool, thanks for the info - would you be able to share their response please?

Of course.

@nickdgriffin

@mlafeldt Great, thanks!

@rifelpet
Contributor

rifelpet commented May 16, 2019

I received this response:

My name is **** from AWS Premium Support and I will be assisting you with your case as it pertains to inconsistent result when querying the aws api.

Thank you for providing such a great level of detail it really does assist in being able to test and reproduce the issue.

I was able to run a similar test on my environments and noticed similar patterns of variance, in my case there were three names and the variance was correspondingly more random.

The reasons for seeing this is because the aws api uses asynchronous processing and multiple threads can be handled simultaneously, because of this the order of the responses is not guaranteed; any consistency is incidental rather than intentional.

I see this on a regular basis when we use our tooling on the back end. We always get the same set of results but the order varies.

The best publicly available documentation I could find for this that explains the concept is:

https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/basics-async.html

The aws cli itself is an implementation of the sdk.

I can understand that this is something that might be causing an issue now, but as a general guide going forward I would recommend that you can and should expect variance in the order of results as there is no guarantee.

I trust this information will assist you. If however you need any further information or guidance please do not hesitate to reach out to us.

It sounds like the terraform provider will need to be able to handle inconsistent ordering.

@aserrallerios

We got this error recently, but we're using Terraform templates to add (or rename) alternative names (the alternative names is an input variable of type array), so the workaround

ignore_changes = ["subject_alternative_names"]

is not really useful for us :(

@nywilken nywilken added the service/acm Issues and PRs that pertain to the acm service. label May 21, 2019
@Frogvall

Frogvall commented May 21, 2019

I just want to add that I don't believe that sorting the returned list is a good enough solution. It will only work if all SANs use the same hosted zone.

We have this scenario:
Cert with SANs.
List of Hosted Zones.

Let's say we have the following SANS:

  • example.hosted.zone.one
  • example.hosted.zone.two

We import the hosted zones and create our certs like this:

variable "uri_prefix" {
  default = "example"
}

variable "domains" {
  type = "list"
  default = ["hosted.zone.one","hosted.zone.two"]
}

data "aws_route53_zone" "example" {
  count = "${length(var.domains)}"
  name = "${var.domains[count.index]}"
}

resource "aws_acm_certificate" "example" {
  domain_name       = "${var.uri_prefix}.${var.domains[0]}"
  subject_alternative_names = "${formatlist("${var.uri_prefix}.%s", slice(var.domains,1,length(var.domains)))}"
  validation_method = "DNS"
}

resource "aws_route53_record" "example" {
  count   = "${length(var.domains)}"
  name    = "${lookup(aws_acm_certificate.example.domain_validation_options[count.index], "resource_record_name")}"
  type    = "${lookup(aws_acm_certificate.example.domain_validation_options[count.index], "resource_record_type")}"
  zone_id = "${element(data.aws_route53_zone.example.*.id, count.index)}"
  records = ["${lookup(aws_acm_certificate.example.domain_validation_options[count.index], "resource_record_value")}"]
  ttl     = 300
}

What will happen (current state):

If we are lucky and we get stuff in the right order the cert validated with the following route53 records:

  • _7c0eff29a73892d0e65a23bc2b14f137.example.hosted.zone.one
  • _4317e3f335540dce25b5580c159b55da.example.hosted.zone.two

If we are unlucky and get them in the wrong order, they will be assigned to the wrong hosted zone, resulting in this:

  • _4317e3f335540dce25b5580c159b55da.example.hosted.zone.two.hosted.zone.one
  • _7c0eff29a73892d0e65a23bc2b14f137.example.hosted.zone.one.hosted.zone.two

AWS (or Terraform) seems to assume we missed adding the domain name for our selected zone and helpfully add it for us.

Adding sort to the same scenario would guarantee the following:

  • _4317e3f335540dce25b5580c159b55da.example.hosted.zone.two.hosted.zone.one
  • _7c0eff29a73892d0e65a23bc2b14f137.example.hosted.zone.one.hosted.zone.two

If we are lucky, of course, the random id will coalign with the order of our domains.

With the current state, we can at least rerun terraform apply until it gets right (which is cumbersome and stupid, but still possible). If the sort solution is added, you can rerun for infinity without it ever getting right. The risk of getting stuff wrong increases with every additional SAN you add to the above description.
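
The pairing problem described in the comment above, as an added example that is not part of the original thread or the provider's code: it replays every order the API could return and compares pairing by list index, pairing after sorting by record name, and pairing keyed on `domain_name`. The two record names are the ones quoted in the comment; the function names and the longest-suffix zone lookup are assumptions made for this illustration.

```python
from itertools import permutations

# Hosted zones in the order of var.domains from the comment above.
ZONES = ["hosted.zone.one", "hosted.zone.two"]

# Validation options using the record names quoted in the comment
# (trailing dot added, as in the outputs at the top of the issue).
OPTIONS = [
    {"domain_name": "example.hosted.zone.one",
     "resource_record_name": "_7c0eff29a73892d0e65a23bc2b14f137.example.hosted.zone.one.",
     "resource_record_type": "CNAME"},
    {"domain_name": "example.hosted.zone.two",
     "resource_record_name": "_4317e3f335540dce25b5580c159b55da.example.hosted.zone.two.",
     "resource_record_type": "CNAME"},
]


def zone_for(domain, zones):
    """Return the longest zone that is a suffix of domain on a label boundary."""
    matches = [z for z in zones if domain == z or domain.endswith("." + z)]
    if not matches:
        raise LookupError(f"no hosted zone covers {domain}")
    return max(matches, key=len)


def pair_by_index(options, zones):
    """count.index style: the n-th option goes into the n-th zone."""
    return {i: (zones[i], o["resource_record_name"]) for i, o in enumerate(options)}


def pair_by_sorted_name(options, zones):
    """Sort by record name first, then pair by index (the proposed sort fix)."""
    ordered = sorted(options, key=lambda o: o["resource_record_name"])
    return pair_by_index(ordered, zones)


def pair_by_domain(options, zones):
    """Key each record on its domain_name and look the zone up from that name."""
    return {o["domain_name"]: (zone_for(o["domain_name"], zones),
                               o["resource_record_name"])
            for o in options}


def in_right_zone(plan):
    """True when every record name actually lives under the zone it was paired with."""
    return all(name.rstrip(".").endswith("." + zone) for zone, name in plan.values())


def evaluate(strategy, options=OPTIONS, zones=ZONES):
    """Apply a strategy to every possible response order and summarise the plans."""
    plans = [strategy(list(order), zones) for order in permutations(options)]
    distinct = {tuple(sorted(plan.items())) for plan in plans}
    return {
        "orderings": len(plans),
        "distinct_plans": len(distinct),          # more than 1 means perpetual diffs
        "correct": sum(in_right_zone(p) for p in plans),
    }


if __name__ == "__main__":
    for strategy in (pair_by_index, pair_by_sorted_name, pair_by_domain):
        print(f"{strategy.__name__:22} {evaluate(strategy)}")
```

Index pairing produces a different plan per response order and is right only some of the time; sorting makes the plan stable but, for these record names, stable in the wrong zones; keying on `domain_name` is stable and correct for every order.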

@tbondarchuk

I guess if aws_acm_certificate.example.domain_validation_options would be returned not as list of maps but rather as a nested map with domain_name and SANs as top level keys, that would be easier to handle. Not sure how much work it would take to implement on provider level though, or if it's even doable.

Here is my current workaround:

resource "aws_acm_certificate" "this" {
  validation_method = "DNS"
  domain_name       = "${local.dns_record}"

  subject_alternative_names = [
    "${local.dns_record_https}",
  ]

  lifecycle {
    ignore_changes = ["subject_alternative_names"]
  }
}

locals {
  dns_record       = "test.example.com"
  dns_record_https = "https.${local.dns_record}"

  validations = {
    "${replace(aws_acm_certificate.this.domain_validation_options.0.resource_record_name, "/(_[[:alnum:]]*\\.|\\.$)/", "")}" = {
      "name"  = "${aws_acm_certificate.this.domain_validation_options.0.resource_record_name}"
      "type"  = "${aws_acm_certificate.this.domain_validation_options.0.resource_record_type}"
      "value" = "${aws_acm_certificate.this.domain_validation_options.0.resource_record_value}"
    }

    "${replace(aws_acm_certificate.this.domain_validation_options.1.resource_record_name, "/(_[[:alnum:]]*\\.|\\.$)/", "")}" = {
      "name"  = "${aws_acm_certificate.this.domain_validation_options.1.resource_record_name}"
      "type"  = "${aws_acm_certificate.this.domain_validation_options.1.resource_record_type}"
      "value" = "${aws_acm_certificate.this.domain_validation_options.1.resource_record_value}"
    }
  }
}

resource "aws_route53_record" "this-validation" {
  zone_id = "${local.route_53_zone_id}"
  name    = "${lookup(local.validations[local.dns_record], "name")}"
  type    = "${lookup(local.validations[local.dns_record], "type")}"
  ttl     = "300"
  records = ["${lookup(local.validations[local.dns_record], "value")}"]
}

resource "aws_route53_record" "this-validation-https" {
  zone_id = "${local.route_53_zone_id}"
  name    = "${lookup(local.validations[local.dns_record_https], "name")}"
  type    = "${lookup(local.validations[local.dns_record_https], "type")}"
  ttl     = "300"
  records = ["${lookup(local.validations[local.dns_record_https], "value")}"]
}

resource "aws_acm_certificate_validation" "this-validation" {
  certificate_arn = "${aws_acm_certificate.this.arn}"

  validation_record_fqdns = [
    "${aws_route53_record.this-validation.fqdn}",
    "${aws_route53_record.this-validation-https.fqdn}",
  ]
}

@tdmalone
Contributor Author

tdmalone commented May 21, 2019

AWS (or Terraform) seems to assume we missed adding the domain name for our selected zone and helpfully add it for us.

@Frogvall This is partially due to the way DNS works. If you include a . at the end of your domain name, it'll be treated as 'the end' of the record (though it's not actually going to help in this case anyway).

What you could do, though, is look up the aws_route53_zone data source with the domains you get back in the domain_validation_options (rather than the local.domains that you initially used). That way, you'll be looking up the right zone, and the record will be applied to the right zone.

You'll still have the ordering issue wanting to replace the records at each apply, but at least it'll work.

@Frogvall

@tdmalone I don't know how I missed that dns validation options also comes with a domain field.
Anyway, it would mean I have to import the routes twice, as we use the original ones in other places, but that would be fine. Still need to do the sorting stuff though. Or just accept them being recreated about every second time.

@jharley

jharley commented May 8, 2020

@breathingdust is it not possible to do the quick patch proposed by @stack72 on an issue that's been open for a year for a fairly critical resource in the provider, and THEN refactor the implementation?

Certs bound to listeners can't be deleted, and targeted applies aren't possible with Terraform Cloud or Enterprise.. so I have to take an outage when this happens, and I assume others do as well

@breathingdust
Member

Hi all! 👋

Just wanted to update that we have completed the research phase for the redesign and begun the implementation work.

This research is covered here: #13053.

We appreciate your patience, and hope to have a resolution for this and the other ACM issues soon.

@rafaelsales

rafaelsales commented Jun 4, 2020

I'm sharing my full solution using Terraform 0.11.x and AWS 1.x based on @jonseymour

The two things that are different in my solution:

  • I use a map (<resource_record_name> = <index>) instead of a list of strings (<resource_record_name>!<index>)
  • It supports domains in different zones

locals {
  certificate_domains = [
    "*.${local.foo_domain_name}",
    "*.admin.${local.foo_domain_name}",
    "*.${local.bar_domain_name}"
  ]
  certificate_domain_zones = {
    "${local.certificate_domains[0]}" = "${data.aws_route53_zone.foo.id}"
    "${local.certificate_domains[1]}" = "${data.aws_route53_zone.foo.id}"
    "${local.certificate_domains[2]}" = "${data.aws_route53_zone.bar.id}"
  }
}

resource "aws_acm_certificate" "company" {
  domain_name = "${local.certificate_domains[0]}"
  subject_alternative_names = ["${slice(local.certificate_domains, 1, length(local.certificate_domain_zones))}"]
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

locals {
  # NOTE: Improve on Terraform 0.12
  # Unfortunately there's no way to iterate over domain_validation_options in Terraform 0.11 and AWS 1.x and so we need to
  # create a list from it manually from each element index
  # Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/10997
  unsorted_validation_domains_with_indices = {
    "${aws_acm_certificate.company.domain_validation_options.0.resource_record_name}" = 0
    "${aws_acm_certificate.company.domain_validation_options.1.resource_record_name}" = 1
    "${aws_acm_certificate.company.domain_validation_options.2.resource_record_name}" = 2
  }
  sorted_validation_domains = "${sort(keys(local.unsorted_validation_domains_with_indices))}"
  validation_domain_indices = [
    "${local.unsorted_validation_domains_with_indices[local.sorted_validation_domains[0]]}",
    "${local.unsorted_validation_domains_with_indices[local.sorted_validation_domains[1]]}",
    "${local.unsorted_validation_domains_with_indices[local.sorted_validation_domains[2]]}",
  ]
}

resource "aws_route53_record" "certificate_validation" {
  count = "${length(local.certificate_domains)}"
  name = "${lookup(aws_acm_certificate.company.domain_validation_options[local.validation_domain_indices[count.index]], "resource_record_name")}"
  type = "${lookup(aws_acm_certificate.company.domain_validation_options[local.validation_domain_indices[count.index]], "resource_record_type")}"
  records = ["${lookup(aws_acm_certificate.company.domain_validation_options[local.validation_domain_indices[count.index]], "resource_record_value")}"]
  zone_id = "${local.certificate_domain_zones[lookup(aws_acm_certificate.company.domain_validation_options[local.validation_domain_indices[count.index]], "domain_name")]}"
  ttl = 60
}

resource "aws_acm_certificate_validation" "company" {
  certificate_arn = "${aws_acm_certificate.company.arn}"
  validation_record_fqdns = ["${aws_route53_record.certificate_validation.*.fqdn}"]
}

@mbaitelman

I only have 2 SANs but they seem to be coming back in alphabetical order each time.
I added sort() so it's alphabetical into the resource to match the expected result.
I did have to run apply once to have state updated with the sorted values.

@tmccombs
Contributor

but they seem to be coming back in alphabetical order each time.

that was not my experience. For me the ordering wasn't even consistent across multiple calls.

@tmccombs
Contributor

tmccombs commented Jul 8, 2020

but they seem to be coming back in alphabetical order each time.

Yes I just tested again, and can confirm that not only are they not in alphabetical order, but the order is not consistent across multiple runs.

@mbaitelman
Copy link

We only have 2 SANs ( most certs are one name and we create one for each use) so it was coming back in the same order each time.
When running the plan as part of a larger group they don't keep the order.
I stand corrected.

bflad added a commit that referenced this issue Jul 16, 2020
…peSet and calculate elements during plan

Reference: #8531
Reference: #10098
Reference: #10404
Reference: #13053

Output from acceptance testing:

```
--- PASS: TestAccAWSAcmCertificate_imported_IpAddress (11.48s)
--- PASS: TestAccAWSAcmCertificate_rootAndWildcardSan (15.53s)
--- PASS: TestAccAWSAcmCertificate_root_TrailingPeriod (15.53s)
--- PASS: TestAccAWSAcmCertificate_root (15.62s)
--- PASS: TestAccAWSAcmCertificate_emailValidation (15.91s)
--- PASS: TestAccAWSAcmCertificate_san_TrailingPeriod (16.38s)
--- PASS: TestAccAWSAcmCertificate_wildcardAndRootSan (16.43s)
--- PASS: TestAccAWSAcmCertificate_san_single (16.51s)
--- PASS: TestAccAWSAcmCertificate_dnsValidation (16.85s)
--- PASS: TestAccAWSAcmCertificate_disableCTLogging (17.06s)
--- PASS: TestAccAWSAcmCertificate_wildcard (18.71s)
--- PASS: TestAccAWSAcmCertificate_san_multiple (19.49s)
--- PASS: TestAccAWSAcmCertificate_privateCert (20.85s)
--- PASS: TestAccAWSAcmCertificate_imported_DomainName (26.86s)
--- PASS: TestAccAWSAcmCertificate_tags (42.99s)

--- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsEmail (11.56s)
--- PASS: TestAccAWSAcmCertificateValidation_timeout (19.20s)
--- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdns (107.31s)
--- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsSan (110.62s)
--- PASS: TestAccAWSAcmCertificateValidation_basic (143.58s)
--- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsWildcardAndRoot (153.05s)
--- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsRoot (212.21s)
--- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsRootAndWildcard (212.95s)
--- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsWildcard (247.43s)
```

Please note that this was also tested manually with a few iterations of this configuration:

```hcl
terraform {
    required_providers {
        aws = "2.70.0"
    }
    required_version = "0.12.28"
}

provider "aws" {
  region = "us-east-2"
}

variable "public_root_domain" {
  description = "Publicly accessible domain for ACM testing"
  type        = string
}

data "aws_route53_zone" "public_root_domain" {
  name = var.public_root_domain
}

resource "aws_acm_certificate" "new" {
  domain_name               = "new.${var.public_root_domain}"
  subject_alternative_names = [
    "new1.${var.public_root_domain}",
    "new2.${var.public_root_domain}",
    "new3.${var.public_root_domain}",
  ]
  validation_method         = "DNS"
}

resource "aws_route53_record" "new" {
  for_each = {
    for dvo in aws_acm_certificate.new.domain_validation_options: dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = data.aws_route53_zone.public_root_domain.zone_id
}

resource "aws_acm_certificate_validation" "new" {
  certificate_arn         = aws_acm_certificate.new.arn
  validation_record_fqdns = [for record in aws_route53_record.new: record.fqdn]
}

resource "aws_acm_certificate" "wildcard" {
  domain_name               = var.public_root_domain
  subject_alternative_names = ["*.${var.public_root_domain}"]
  validation_method         = "DNS"
}

resource "aws_route53_record" "wildcard" {
  for_each = {
    for dvo in aws_acm_certificate.wildcard.domain_validation_options: dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = data.aws_route53_zone.public_root_domain.zone_id
}

resource "aws_acm_certificate_validation" "wildcard" {
  certificate_arn         = aws_acm_certificate.wildcard.arn
  validation_record_fqdns = [for record in aws_route53_record.wildcard: record.fqdn]
}
```
@bflad bflad added this to the v3.0.0 milestone Jul 16, 2020
@bflad bflad self-assigned this Jul 16, 2020
bflad added a commit that referenced this issue Jul 24, 2020
…peSet and calculate elements during plan (#14199)

* resource/aws_acm_certificate: Convert domain_validation_options to TypeSet and calculate elements during plan

Reference: #8531
Reference: #10098
Reference: #10404
Reference: #13053

* docs/service/acm: Fix terrafmt reports

Previously:

```
website/docs/r/acm_certificate.html.markdown:83
website/docs/r/acm_certificate_validation.html.markdown:25
website/docs/r/acm_certificate_validation.html.markdown:67
```
@bflad
Contributor

bflad commented Jul 24, 2020

Hi folks 👋 Thank you for your patience and understanding on this matter. As part of #13053 and the extensive feedback provided in this issue (thank you again!), it was determined that a few changes were in order with the aws_acm_certificate resource, which will likely have implications on your existing configurations:

  • Changing subject_alternative_names from an ordered list of strings to an unordered set of strings
  • Changing domain_validation_options from an ordered list of objects to an unordered set of objects
  • Pre-calculating the keys for those domain_validation_options during Terraform's plan phase, so they can be used in downstream count or (preferably) for_each resource handling

We certainly do not take breaking configuration changes lightly, so we wanted to be sure that if anything was going to cause any sort of effort to change your configurations, that those changes would be worth the effort. We think we hit a good balance here and hope that you find the updated handling to be much more pleasant and work as expected.

Given the above, most environments will now be able to do the following directly:

resource "aws_route53_zone" "example_com" {
  name = "example.com"
}

resource "aws_acm_certificate" "example_com" {
  domain_name               = "example.${aws_route53_zone.example_com.name}"
  subject_alternative_names = [
    "example1.${aws_route53_zone.example_com.name}",
    "example2.${aws_route53_zone.example_com.name}",
    "example3.${aws_route53_zone.example_com.name}",
  ]
  validation_method         = "DNS"
}

resource "aws_route53_record" "example_validation" {
  for_each = {
    for dvo in aws_acm_certificate.example_com.domain_validation_options: dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }
  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = aws_route53_zone.example_com.zone_id
}

resource "aws_acm_certificate_validation" "example_com" {
  certificate_arn         = aws_acm_certificate.example_com.arn
  validation_record_fqdns = [for record in aws_route53_record.example_validation: record.fqdn]
}

These changes will land as part of the Terraform AWS Provider version 3.0.0, next week. I have copied information that will be present in the Version 3 Upgrade Guide below for these changes, that will be fully updated when the release occurs.

If you find unexpected behavior after upgrading to version 3.0.0 when it's released, please create a new GitHub issue following the bug template and we will take a fresh look given the new resource handling. Cheers.


subject_alternative_names Changed from List to Set

Previously the subject_alternative_names argument was stored in the Terraform state as an ordered list while the API returned information in an unordered manner. The attribute is now configured as a set instead of a list. Certain Terraform configuration language features distinguish between these two attribute types such as not being able to index a set (e.g. aws_acm_certificate.example.subject_alternative_names[0] is no longer a valid reference). Depending on the implementation details of a particular configuration using subject_alternative_names as a reference, possible solutions include changing references to using for/for_each or using the tolist() function as a temporary workaround to keep the previous behavior until an appropriate configuration (properly using the unordered set) can be determined. Usage questions can be submitted to the community forums.


domain_validation_options Changed from List to Set

Previously, the domain_validation_options attribute was a list type and completely unknown until after an initial terraform apply. This generally required complicated configuration workarounds to properly create DNS validation records since referencing this attribute directly could produce errors similar to the below:

Error: Invalid for_each argument
  on main.tf line 16, in resource "aws_route53_record" "existing":
  16:   for_each = aws_acm_certificate.existing.domain_validation_options
The "for_each" value depends on resource attributes that cannot be determined
until apply, so Terraform cannot predict how many instances will be created.
To work around this, use the -target argument to first apply only the
resources that the for_each depends on.

The domain_validation_options attribute is now a set type and the resource will attempt to populate the information necessary during the planning phase to handle the above situation in most environments without workarounds. This change also prevents Terraform from showing unexpected differences if the API returns the results in varying order.

Configuration references to this attribute will likely require updates since sets cannot be indexed (e.g. domain_validation_options[0] or the older domain_validation_options.0. syntax will return errors). If the domain_validation_options list previously contained only a single element like the two examples just shown, it may be possible to wrap these references using the tolist() function (e.g. tolist(aws_acm_certificate.example.domain_validation_options)[0]) as a quick configuration update, however given the complexity and workarounds required with the previous domain_validation_options attribute implementation, different environments will require different configuration updates and migration steps. Below is a more advanced example. Further questions on potential update steps can be submitted to the community forums.

For example, given this previous configuration using a count based resource approach that may have been used in certain environments:

data "aws_route53_zone" "public_root_domain" {
  name = var.public_root_domain
}
resource "aws_acm_certificate" "existing" {
  domain_name               = "existing.${var.public_root_domain}"
  subject_alternative_names = [
    "existing1.${var.public_root_domain}",
    "existing2.${var.public_root_domain}",
    "existing3.${var.public_root_domain}",
  ]
  validation_method         = "DNS"
}
resource "aws_route53_record" "existing" {
  count = length(aws_acm_certificate.existing.subject_alternative_names) + 1
  allow_overwrite = true
  name            = aws_acm_certificate.existing.domain_validation_options[count.index].resource_record_name
  records         = [aws_acm_certificate.existing.domain_validation_options[count.index].resource_record_value]
  ttl             = 60
  type            = aws_acm_certificate.existing.domain_validation_options[count.index].resource_record_type
  zone_id         = data.aws_route53_zone.public_root_domain.zone_id
}
resource "aws_acm_certificate_validation" "existing" {
  certificate_arn         = aws_acm_certificate.existing.arn
  validation_record_fqdns = aws_route53_record.existing[*].fqdn
}

It will receive errors like the below after upgrading:

Error: Invalid index
  on main.tf line 14, in resource "aws_route53_record" "existing":
  14:   name    = aws_acm_certificate.existing.domain_validation_options[count.index].resource_record_name
    |----------------
    | aws_acm_certificate.existing.domain_validation_options is set of object with 4 elements
    | count.index is 1
This value does not have any indices.

Since the domain_validation_options attribute changed from a list to a set and sets cannot be indexed in Terraform, the recommendation is to update the configuration to use the more stable resource for_each support instead of count. Note the slight change in the validation_record_fqdns syntax as well.

resource "aws_route53_record" "existing" {
  for_each = {
    for dvo in aws_acm_certificate.existing.domain_validation_options: dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }
  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = data.aws_route53_zone.public_root_domain.zone_id
}
resource "aws_acm_certificate_validation" "existing" {
  certificate_arn         = aws_acm_certificate.existing.arn
  validation_record_fqdns = [for record in aws_route53_record.existing: record.fqdn]
}

After the configuration has been updated, a plan should no longer error and may look like the following:

------------------------------------------------------------------------
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
  - destroy
-/+ destroy and then create replacement
Terraform will perform the following actions:
  # aws_acm_certificate_validation.existing must be replaced
-/+ resource "aws_acm_certificate_validation" "existing" {
        certificate_arn         = "arn:aws:acm:us-east-2:123456789012:certificate/ccbc58e8-061d-4443-9035-d3af0512e863"
      ~ id                      = "2020-07-16 00:01:19 +0000 UTC" -> (known after apply)
      ~ validation_record_fqdns = [
          - "_40b71647a8d88eb82d53fe988e8a3cc1.existing2.example.com",
          - "_812ddf11b781af1eec1643ec58f102d2.existing.example.com",
          - "_8dc56b6e35f699b8754afcdd79e9748d.existing3.example.com",
          - "_d7112da809a40e848207c04399babcec.existing1.example.com",
        ] -> (known after apply) # forces replacement
    }
  # aws_route53_record.existing will be destroyed
  - resource "aws_route53_record" "existing" {
      - fqdn    = "_812ddf11b781af1eec1643ec58f102d2.existing.example.com" -> null
      - id      = "Z123456789012__812ddf11b781af1eec1643ec58f102d2.existing.example.com._CNAME" -> null
      - name    = "_812ddf11b781af1eec1643ec58f102d2.existing.example.com" -> null
      - records = [
          - "_bdeba72164eec216c55a32374bcceafd.jfrzftwwjs.acm-validations.aws.",
        ] -> null
      - ttl     = 60 -> null
      - type    = "CNAME" -> null
      - zone_id = "Z123456789012" -> null
    }
  # aws_route53_record.existing[1] will be destroyed
  - resource "aws_route53_record" "existing" {
      - fqdn    = "_40b71647a8d88eb82d53fe988e8a3cc1.existing2.example.com" -> null
      - id      = "Z123456789012__40b71647a8d88eb82d53fe988e8a3cc1.existing2.example.com._CNAME" -> null
      - name    = "_40b71647a8d88eb82d53fe988e8a3cc1.existing2.example.com" -> null
      - records = [
          - "_638532db1fa6a1b71aaf063c8ea29d52.jfrzftwwjs.acm-validations.aws.",
        ] -> null
      - ttl     = 60 -> null
      - type    = "CNAME" -> null
      - zone_id = "Z123456789012" -> null
    }
  # aws_route53_record.existing[2] will be destroyed
  - resource "aws_route53_record" "existing" {
      - fqdn    = "_d7112da809a40e848207c04399babcec.existing1.example.com" -> null
      - id      = "Z123456789012__d7112da809a40e848207c04399babcec.existing1.example.com._CNAME" -> null
      - name    = "_d7112da809a40e848207c04399babcec.existing1.example.com" -> null
      - records = [
          - "_6e1da5574ab46a6c782ed73438274181.jfrzftwwjs.acm-validations.aws.",
        ] -> null
      - ttl     = 60 -> null
      - type    = "CNAME" -> null
      - zone_id = "Z123456789012" -> null
    }
  # aws_route53_record.existing[3] will be destroyed
  - resource "aws_route53_record" "existing" {
      - fqdn    = "_8dc56b6e35f699b8754afcdd79e9748d.existing3.example.com" -> null
      - id      = "Z123456789012__8dc56b6e35f699b8754afcdd79e9748d.existing3.example.com._CNAME" -> null
      - name    = "_8dc56b6e35f699b8754afcdd79e9748d.existing3.example.com" -> null
      - records = [
          - "_a419f8410d2e0720528a96c3506f3841.jfrzftwwjs.acm-validations.aws.",
        ] -> null
      - ttl     = 60 -> null
      - type    = "CNAME" -> null
      - zone_id = "Z123456789012" -> null
    }
  # aws_route53_record.existing["existing.example.com"] will be created
  + resource "aws_route53_record" "existing" {
      + allow_overwrite = true
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = "_812ddf11b781af1eec1643ec58f102d2.existing.example.com"
      + records         = [
          + "_bdeba72164eec216c55a32374bcceafd.jfrzftwwjs.acm-validations.aws.",
        ]
      + ttl             = 60
      + type            = "CNAME"
      + zone_id         = "Z123456789012"
    }
  # aws_route53_record.existing["existing1.example.com"] will be created
  + resource "aws_route53_record" "existing" {
      + allow_overwrite = true
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = "_d7112da809a40e848207c04399babcec.existing1.example.com"
      + records         = [
          + "_6e1da5574ab46a6c782ed73438274181.jfrzftwwjs.acm-validations.aws.",
        ]
      + ttl             = 60
      + type            = "CNAME"
      + zone_id         = "Z123456789012"
    }
  # aws_route53_record.existing["existing2.example.com"] will be created
  + resource "aws_route53_record" "existing" {
      + allow_overwrite = true
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = "_40b71647a8d88eb82d53fe988e8a3cc1.existing2.example.com"
      + records         = [
          + "_638532db1fa6a1b71aaf063c8ea29d52.jfrzftwwjs.acm-validations.aws.",
        ]
      + ttl             = 60
      + type            = "CNAME"
      + zone_id         = "Z123456789012"
    }
  # aws_route53_record.existing["existing3.example.com"] will be created
  + resource "aws_route53_record" "existing" {
      + allow_overwrite = true
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = "_8dc56b6e35f699b8754afcdd79e9748d.existing3.example.com"
      + records         = [
          + "_a419f8410d2e0720528a96c3506f3841.jfrzftwwjs.acm-validations.aws.",
        ]
      + ttl             = 60
      + type            = "CNAME"
      + zone_id         = "Z123456789012"
    }
Plan: 5 to add, 0 to change, 5 to destroy.

Due to the type of configuration change, Terraform does not know that the previous aws_route53_record resources (indexed by number in the existing state) and the new resources (indexed by domain names in the updated configuration) are equivalent. Typically in this situation, the terraform state mv command can be used to reduce the plan to show no changes. This is done by associating the count index (e.g. [1]) with the equivalent domain name index (e.g. ["existing2.example.com"]), making one of the four commands to fix the above example: terraform state mv 'aws_route53_record.existing[1]' 'aws_route53_record.existing["existing2.example.com"]'. It is recommended to use this terraform state mv update process where possible to reduce chances of unexpected behaviors or changes in an environment.

If using terraform state mv to reduce the plan to show no changes, no additional steps are required.

In larger or more complex environments though, this process can be tedious to match the old resource address to the new resource address and run all the necessary terraform state mv commands. Instead, since the aws_route53_record resource implements the allow_overwrite = true argument, it is possible to just remove the old aws_route53_record resources from the Terraform state using the terraform state rm command. In this case, Terraform will leave the existing records in Route 53 and plan to just overwrite the existing validation records with the same exact (previous) values.

-> This guide is showing the simpler terraform state rm option below as a potential shortcut in this specific situation, however in most other cases terraform state mv is required to change from count based resources to for_each based resources and properly match the existing Terraform state to the updated Terraform configuration.

$ terraform state rm aws_route53_record.existing
Removed aws_route53_record.existing[0]
Removed aws_route53_record.existing[1]
Removed aws_route53_record.existing[2]
Removed aws_route53_record.existing[3]
Successfully removed 4 resource instance(s).

Now the Terraform plan will show only the additions of new Route 53 records (which are exactly the same as before the upgrade) and the proposed recreation of the aws_acm_certificate_validation resource. The aws_acm_certificate_validation resource recreation will have no effect as the certificate is already validated and issued.

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
-/+ destroy and then create replacement
Terraform will perform the following actions:
  # aws_acm_certificate_validation.existing must be replaced
-/+ resource "aws_acm_certificate_validation" "existing" {
        certificate_arn         = "arn:aws:acm:us-east-2:123456789012:certificate/ccbc58e8-061d-4443-9035-d3af0512e863"
      ~ id                      = "2020-07-16 00:01:19 +0000 UTC" -> (known after apply)
      ~ validation_record_fqdns = [
          - "_40b71647a8d88eb82d53fe988e8a3cc1.existing2.example.com",
          - "_812ddf11b781af1eec1643ec58f102d2.existing.example.com",
          - "_8dc56b6e35f699b8754afcdd79e9748d.existing3.example.com",
          - "_d7112da809a40e848207c04399babcec.existing1.example.com",
        ] -> (known after apply) # forces replacement
    }
  # aws_route53_record.existing["existing.example.com"] will be created
  + resource "aws_route53_record" "existing" {
      + allow_overwrite = true
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = "_812ddf11b781af1eec1643ec58f102d2.existing.example.com"
      + records         = [
          + "_bdeba72164eec216c55a32374bcceafd.jfrzftwwjs.acm-validations.aws.",
        ]
      + ttl             = 60
      + type            = "CNAME"
      + zone_id         = "Z123456789012"
    }
  # aws_route53_record.existing["existing1.example.com"] will be created
  + resource "aws_route53_record" "existing" {
      + allow_overwrite = true
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = "_d7112da809a40e848207c04399babcec.existing1.example.com"
      + records         = [
          + "_6e1da5574ab46a6c782ed73438274181.jfrzftwwjs.acm-validations.aws.",
        ]
      + ttl             = 60
      + type            = "CNAME"
      + zone_id         = "Z123456789012"
    }
  # aws_route53_record.existing["existing2.example.com"] will be created
  + resource "aws_route53_record" "existing" {
      + allow_overwrite = true
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = "_40b71647a8d88eb82d53fe988e8a3cc1.existing2.example.com"
      + records         = [
          + "_638532db1fa6a1b71aaf063c8ea29d52.jfrzftwwjs.acm-validations.aws.",
        ]
      + ttl             = 60
      + type            = "CNAME"
      + zone_id         = "Z123456789012"
    }
  # aws_route53_record.existing["existing3.example.com"] will be created
  + resource "aws_route53_record" "existing" {
      + allow_overwrite = true
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = "_8dc56b6e35f699b8754afcdd79e9748d.existing3.example.com"
      + records         = [
          + "_a419f8410d2e0720528a96c3506f3841.jfrzftwwjs.acm-validations.aws.",
        ]
      + ttl             = 60
      + type            = "CNAME"
      + zone_id         = "Z123456789012"
    }
Plan: 5 to add, 0 to change, 1 to destroy.

Once applied, no differences should be shown and no additional steps should be necessary.
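
The index-to-domain matching that the upgrade notes above describe for terraform state mv can be scripted by pairing each old record with the validation option that has the same record name. This is an added example, not part of the original comment or the provider's documentation; the function name and input shapes are assumptions, and the sample values are copied from the plan output above.

```python
import shlex

# Old count-indexed records (index -> record name), copied from the plan output above.
OLD_RECORDS = {
    0: "_812ddf11b781af1eec1643ec58f102d2.existing.example.com",
    1: "_40b71647a8d88eb82d53fe988e8a3cc1.existing2.example.com",
    2: "_d7112da809a40e848207c04399babcec.existing1.example.com",
    3: "_8dc56b6e35f699b8754afcdd79e9748d.existing3.example.com",
}

# domain_validation_options of the same certificate, also taken from the plan output.
VALIDATION_OPTIONS = [
    {"domain_name": "existing.example.com",
     "resource_record_name": "_812ddf11b781af1eec1643ec58f102d2.existing.example.com"},
    {"domain_name": "existing1.example.com",
     "resource_record_name": "_d7112da809a40e848207c04399babcec.existing1.example.com"},
    {"domain_name": "existing2.example.com",
     "resource_record_name": "_40b71647a8d88eb82d53fe988e8a3cc1.existing2.example.com"},
    {"domain_name": "existing3.example.com",
     "resource_record_name": "_8dc56b6e35f699b8754afcdd79e9748d.existing3.example.com"},
]


def _norm(name):
    """Compare DNS names case-insensitively and without a trailing root dot."""
    return name.rstrip(".").lower()


def state_mv_commands(resource_addr, old_records, validation_options):
    """Pair count-indexed records with for_each keys by validation record name.

    Returns (commands, unmatched_old, new_only):
      commands      - one `terraform state mv` line per matched record
      unmatched_old - old indices with no matching validation option; these are
                      reported rather than guessed at
      new_only      - domain names with no old record (Terraform will create them)
    """
    # Record name -> domains validated by it. A root domain and its wildcard can
    # share one validation record, so a name may map to several domains.
    by_record = {}
    for dvo in validation_options:
        key = _norm(dvo["resource_record_name"])
        by_record.setdefault(key, []).append(dvo["domain_name"])
    for domains in by_record.values():
        domains.sort()

    commands, unmatched_old = [], []
    for index in sorted(old_records):
        candidates = by_record.get(_norm(old_records[index]), [])
        if not candidates:
            unmatched_old.append(index)
            continue
        # Records sharing a name are identical, so any pairing among them is fine.
        domain = candidates.pop(0)
        src = f"{resource_addr}[{index}]"
        dst = f'{resource_addr}["{domain}"]'
        # shlex.quote single-quotes both addresses so the shell leaves [ ] " * alone.
        commands.append(f"terraform state mv {shlex.quote(src)} {shlex.quote(dst)}")

    new_only = sorted(d for domains in by_record.values() for d in domains)
    return commands, unmatched_old, new_only


if __name__ == "__main__":
    cmds, unmatched, new_only = state_mv_commands(
        "aws_route53_record.existing", OLD_RECORDS, VALIDATION_OPTIONS
    )
    print("\n".join(cmds))
    if unmatched or new_only:
        print("review manually:", unmatched, new_only)
```

Review the printed commands before running them, and confirm afterwards that terraform plan shows no changes to the aws_route53_record resources.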

anGie44 pushed a commit that referenced this issue Jul 27, 2020
author Brian Flad <bflad417@gmail.com> 1594769808 -0400
committer Angie Pinilla <angelinepinilla@gmail.com> 1595878294 -0400

parent b69af0579e0415631faa9b77559a55a5f6e7c208
author Brian Flad <bflad417@gmail.com> 1594769808 -0400
committer Angie Pinilla <angelinepinilla@gmail.com> 1595878093 -0400

tests/provider: Update testacc target to error when provided example test pattern (#14091)

* tests/provider: Update testacc target to error when provided example test pattern

Reference: https://github.com/terraform-providers/terraform-provider-aws/blob/master/.github/PULL_REQUEST_TEMPLATE.md

The pull request template suggests an example of how to run acceptance testing, but uses a placeholder example since it's not feasible to reliably determine this automatically via git, etc. Also given that we have begun adding many more Go packages beyond just the top level provider one, the output can look potentially valid when it really is not meaningful:

```console
$ $ make testacc TESTARGS='-run=TestAccXXX'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./... -v -count 1 -parallel 20 -run=TestAccXXX -timeout 120m
?   	github.com/terraform-providers/terraform-provider-aws	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	2.594s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws/internal/flatmap	0.409s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws/internal/keyvaluetags	0.792s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws/internal/naming	1.619s [no tests to run]
?   	github.com/terraform-providers/terraform-provider-aws/aws/internal/service/apigatewayv2/waiter	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws/internal/service/batch/equivalency	0.373s [no tests to run]
?   	github.com/terraform-providers/terraform-provider-aws/aws/internal/service/ec2/waiter	[no test files]
?   	github.com/terraform-providers/terraform-provider-aws/aws/internal/service/ecs/waiter	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws/internal/service/eks/token	0.343s [no tests to run]
?   	github.com/terraform-providers/terraform-provider-aws/aws/internal/service/guardduty/waiter	[no test files]
?   	github.com/terraform-providers/terraform-provider-aws/aws/internal/service/iam/waiter	[no test files]
?   	github.com/terraform-providers/terraform-provider-aws/aws/internal/service/kinesisanalytics/waiter	[no test files]
?   	github.com/terraform-providers/terraform-provider-aws/aws/internal/service/kms/waiter	[no test files]
?   	github.com/terraform-providers/terraform-provider-aws/aws/internal/service/neptune/waiter	[no test files]
?   	github.com/terraform-providers/terraform-provider-aws/aws/internal/service/rds/waiter	[no test files]
?   	github.com/terraform-providers/terraform-provider-aws/aws/internal/service/secretsmanager/waiter	[no test files]
?   	github.com/terraform-providers/terraform-provider-aws/aws/internal/service/servicediscovery/waiter	[no test files]
?   	github.com/terraform-providers/terraform-provider-aws/aws/internal/service/sfn/waiter	[no test files]
?   	github.com/terraform-providers/terraform-provider-aws/aws/internal/service/workspaces/waiter	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws/internal/tfawsresource	1.022s [no tests to run]
?   	github.com/terraform-providers/terraform-provider-aws/awsproviderlint	[no test files]
?   	github.com/terraform-providers/terraform-provider-aws/awsproviderlint/helper/awsprovidertype/keyvaluetags	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/awsproviderlint/passes	2.115s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/awsproviderlint/passes/AWSAT001	2.212s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/awsproviderlint/passes/AWSAT002	0.326s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/awsproviderlint/passes/AWSR001	0.412s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/awsproviderlint/passes/AWSR002	2.086s [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/awsproviderlint/passes/fmtsprintfcallexpr	0.248s [no tests to run]
```

This now focuses the acceptance testing on the top level package to remove the extraneous package output and returns an error when attempting to use the example verbatim:

```console
$ make testacc TESTARGS='-run=TestAccXXX'
==> Checking that code complies with gofmt requirements...

Error: Skipping example acceptance testing pattern. Update TESTARGS to match the test naming in the relevant *_test.go file.

For example if updating aws/resource_aws_acm_certificate.go, use the test names in aws/resource_aws_acm_certificate_test.go starting with TestAcc and up to the underscore:
make testacc TESTARGS='-run=TestAccAWSAcmCertificate_'

See the contributing guide for more information: https://github.com/terraform-providers/terraform-provider-aws/blob/master/docs/contributing/running-and-writing-acceptance-tests.md
make: *** [testacc] Error 1

$ make testacc TESTARGS='-run=TestAccAWSAvailabilityZones_'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSAvailabilityZones_ -timeout 120m
=== RUN   TestAccAWSAvailabilityZones_basic
...
```

* docs/provider: Remove TEST=./aws usage in running acceptance testing section

resource/aws_s3_bucket: Convert region to read-only attribute (#14127)

Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/592
Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/1656

Output from acceptance testing (NOTE: CUR data source and resource need to be tested in standalone account due to Organization permissions and appear to be failing due to new validation in the API that's not handled in the resource yet):

```
--- PASS: TestAccAWSS3Bucket_acceleration (65.86s)
--- PASS: TestAccAWSS3Bucket_AclToGrant (67.94s)
--- PASS: TestAccAWSS3Bucket_basic (37.25s)
--- PASS: TestAccAWSS3Bucket_Bucket_EmptyString (35.95s)
--- PASS: TestAccAWSS3Bucket_Cors_Delete (31.78s)
--- PASS: TestAccAWSS3Bucket_Cors_EmptyOrigin (37.29s)
--- PASS: TestAccAWSS3Bucket_Cors_Update (65.22s)
--- PASS: TestAccAWSS3Bucket_disableDefaultEncryption_whenDefaultEncryptionIsEnabled (62.31s)
--- PASS: TestAccAWSS3Bucket_enableDefaultEncryption_whenAES256IsUsed (37.28s)
--- PASS: TestAccAWSS3Bucket_enableDefaultEncryption_whenTypical (43.14s)
--- PASS: TestAccAWSS3Bucket_forceDestroy (31.61s)
--- PASS: TestAccAWSS3Bucket_forceDestroyWithEmptyPrefixes (31.54s)
--- PASS: TestAccAWSS3Bucket_forceDestroyWithObjectLockEnabled (37.95s)
--- PASS: TestAccAWSS3Bucket_generatedName (35.53s)
--- PASS: TestAccAWSS3Bucket_GrantToAcl (57.50s)
--- PASS: TestAccAWSS3Bucket_LifecycleBasic (86.93s)
--- PASS: TestAccAWSS3Bucket_LifecycleExpireMarkerOnly (62.03s)
--- PASS: TestAccAWSS3Bucket_LifecycleRule_Expiration_EmptyConfigurationBlock (31.01s)
--- PASS: TestAccAWSS3Bucket_Logging (55.35s)
--- PASS: TestAccAWSS3Bucket_namePrefix (35.81s)
--- PASS: TestAccAWSS3Bucket_objectLock (60.93s)
--- PASS: TestAccAWSS3Bucket_Policy (88.67s)
--- PASS: TestAccAWSS3Bucket_Replication (147.39s)
--- PASS: TestAccAWSS3Bucket_ReplicationConfiguration_Rule_Destination_AccessControlTranslation (86.62s)
--- PASS: TestAccAWSS3Bucket_ReplicationConfiguration_Rule_Destination_AddAccessControlTranslation (84.62s)
--- PASS: TestAccAWSS3Bucket_ReplicationExpectVersioningValidationError (28.14s)
--- PASS: TestAccAWSS3Bucket_ReplicationSchemaV2 (152.22s)
--- PASS: TestAccAWSS3Bucket_ReplicationWithoutPrefix (52.74s)
--- PASS: TestAccAWSS3Bucket_ReplicationWithoutStorageClass (51.40s)
--- PASS: TestAccAWSS3Bucket_RequestPayer (63.26s)
--- PASS: TestAccAWSS3Bucket_shouldFailNotFound (15.41s)
--- PASS: TestAccAWSS3Bucket_tagsWithNoSystemTags (118.49s)
--- PASS: TestAccAWSS3Bucket_tagsWithSystemTags (163.94s)
--- PASS: TestAccAWSS3Bucket_UpdateAcl (58.70s)
--- PASS: TestAccAWSS3Bucket_UpdateGrant (91.75s)
--- PASS: TestAccAWSS3Bucket_Versioning (90.14s)
--- PASS: TestAccAWSS3Bucket_Website_Simple (89.22s)
--- PASS: TestAccAWSS3Bucket_WebsiteRedirect (86.48s)
--- PASS: TestAccAWSS3Bucket_WebsiteRoutingRules (63.97s)

--- PASS: TestAccAWSSsmResourceDataSync_basic (15.77s)
--- PASS: TestAccAWSSsmResourceDataSync_update (28.49s)

    TestAccAwsCurReportDefinition_basic: testing.go:684: Step 0 error: errors during apply:

        Error: Error creating AWS Cost And Usage Report Definition: ValidationException: Failed to verify customer bucket permission. accountId= --OMITTED--, bucket name: tf-test-bucket-3532084976228094739, bucket region: us-east-1

    TestAccDataSourceAwsCurReportDefinition_basic: testing.go:684: Step 0 error: errors during apply:

        Error: Error creating AWS Cost And Usage Report Definition: ValidationException: Failed to verify customer bucket permission. accountId= --OMITTED--, bucket name: tf-test-bucket-9147728765044904331, bucket region: us-east-1
```

Update CHANGELOG for #14127

Corrects name of Workspaces Workspace sweeper

let subject_alternative_names be a set

re-add computed: true to subject_alternative_names attribute

resource/aws_acm_certificate: Finalize subject_alternative_names change from TypeList to TypeSet

Reference: https://github.com/terraform-providers/terraform-provider-aws/pull/11300

Output from acceptance testing:

```
--- PASS: TestAccAWSAcmCertificate_imported_IpAddress (11.98s)
--- PASS: TestAccAWSAcmCertificate_wildcard (14.66s)
--- PASS: TestAccAWSAcmCertificate_emailValidation (14.79s)
--- PASS: TestAccAWSAcmCertificate_root (15.12s)
--- PASS: TestAccAWSAcmCertificate_disableCTLogging (15.15s)
--- PASS: TestAccAWSAcmCertificate_san_TrailingPeriod (15.80s)
--- PASS: TestAccAWSAcmCertificate_wildcardAndRootSan (16.01s)
--- PASS: TestAccAWSAcmCertificate_root_TrailingPeriod (16.44s)
--- PASS: TestAccAWSAcmCertificate_rootAndWildcardSan (18.30s)
--- PASS: TestAccAWSAcmCertificate_san_single (18.38s)
--- PASS: TestAccAWSAcmCertificate_dnsValidation (18.62s)
--- PASS: TestAccAWSAcmCertificate_san_multiple (19.06s)
--- PASS: TestAccAWSAcmCertificate_privateCert (22.34s)
--- PASS: TestAccAWSAcmCertificate_imported_DomainName (26.46s)
--- PASS: TestAccAWSAcmCertificate_tags (37.20s)
```

Remove hardcoded AMI IDs from launch_config data source

Removing import of aws_security_group_rule for rules associated with aws_security_group implicitly during its import. Acceptance tests updated to account for removed rules in import state check.

rebased and addressed review feedback

Update CHANGELOG for #12616

update documentation attributes

add missing validation value for comparison_operator argument

delete_on_termination on ENI has to be optional

like the EBS delete_on_termination this can be optional and cannot
be treated like a real bool but has to be treated as a string which
can be empty or a bool representation

testing all possible inputs

now testing as well `delete_on_termination = ""` and
`delete_on_termination = null` which both should not set the value to
anything.

adding upgrade instructions

version 3 upgrade details

Update CHANGELOG for #8612

add private_ips field

change private_ips to secondary_private_ips and enable update

update to using expandstringset method

Update CHANGELOG for #14079

Removed hardcoded AMI IDs from AutoscalingAttachment

docs/resource/aws_codebuild_webhook: Add COMMIT_MESSAGE to acceptable codebuild filter types (#14207)

Co-authored-by: mikiya771 <norep>

Fixes aws_lambda_alias import to set function_name attribute correctly instead of function's ARN

resource/aws_lambda_alias: Finalize resource import adjustments

Reference: https://github.com/terraform-providers/terraform-provider-aws/pull/12876

Output from acceptance testing:

```
--- PASS: TestAccAWSLambdaAlias_FunctionName_Name (35.53s)
--- PASS: TestAccAWSLambdaAlias_basic (53.18s)
--- PASS: TestAccAWSLambdaAlias_nameupdate (62.70s)
--- PASS: TestAccAWSLambdaAlias_routingconfig (63.82s)
```

Update CHANGELOG for #12876

remove trailing period from domainname/name attributes

update to using TrimSuffix strings method

isolate changes to only route53_zone

return error for singular data source

Error when data.aws_ecr_repository cannot find repository

Fixes https://github.com/terraform-providers/terraform-provider-aws/issues/10071.

adjust error messaging

return error for singular data source

add angie and dirk

consolidate maintainer lists

Ignore hardcoded AMI because not actually used

Add underscore to acceptance test names, minor naming convention fixes

provider: Remove unnecessary fmt.Sprint()/fmt.Sprintf() (#14242)

Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/14239

Update Terraform github to v2.9.2 (#14021)

* Update Terraform github to v2.9.2

* infrastructure/repository: Use organization argument instead of owner in github provider configuration

Appears that the provider reverted the deprecation of the `organization` argument and inclusion of the new `owner` argument in 2.9.x, delaying until 3.0.0.

Previously:

```
Error: Unsupported argument

  on main.tf line 14, in provider "github":
  14:   owner = "terraform-providers"

An argument named "owner" is not expected here.
```

Co-authored-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: Brian Flad <bflad417@gmail.com>

add-q3-roadmap-draft

add old roadmap section

fix milestone link

remove currently in progress in case it causes confusion

r/aws_apigatewayv2_integration: suppress diff for passthrough_behavior

Update CHANGELOG for #13062

Update ROADMAP.md to fix formatting omissions

docs/provider: Setup and document release/* branch convention, link 2.x and earlier changelog entries (#14177)

* docs/provider: Setup and document release/* branch convention, link 2.x and earlier changelog entries

Reference: https://github.com/terraform-providers/terraform-provider-aws/tree/release/2.x

* tests/provider: Ensure release/* branches are run on push via GitHub Actions

docs/provider: Document max_retries default (#14256)

adjust error formatting and handling

tests/resource/aws_s3_bucket: Add S3 Same-Region Replication acceptance test (#10170)

Output from acceptance testing in AWS Commercial:

```
--- PASS: TestAccAWSS3Bucket_SameRegionReplicationSchemaV2 (52.57s)
```

Output from acceptance testing in AWS GovCloud (US):

```
--- PASS: TestAccAWSS3Bucket_SameRegionReplicationSchemaV2 (56.62s)
```

tests/resource/aws_rds_cluster: Remove aws_s3_bucket region argument from TestAccAWSRDSCluster_s3Restore (#14272)

Reference: https://github.com/terraform-providers/terraform-provider-aws/pull/14127

Missed during test configuration cleanup after the referenced argument removal. Fixes the initial configuration issue, but does not fix the (still) broken test which is presumably something to do with the backup file or engine version.

Previously:

```
--- FAIL: TestAccAWSRDSCluster_s3Restore (0.99s)
testing.go:684: Step 0 error: config is invalid: "region": this field cannot be set
```

Output from acceptance testing:

```
=== CONT  TestAccAWSRDSCluster_s3Restore
    TestAccAWSRDSCluster_s3Restore: testing.go:684: Step 0 error: errors during apply:

        Error: Error waiting for RDS Cluster state to be "available": unexpected state 'migration-failed', wanted target 'available'. last error: %!s(<nil>)
```

refactor resource import

set virtual attributes in import func

Update CHANGELOG for #10520 and #10521

update default value for min_capacity in scaling_configuration block of rds_cluster

Update CHANGELOG for #14268

keep throttling disabled by default in api gateway method settings resource

update import ID pattern

Update CHANGELOG for #14266

add plan time validation to `self_managed_active_directory.dns_ips`

add support for multi az deployment

add deployment type to test

add computed flag to deployment_type

add docs

fix docs

remove computed

fix multi az test

disappears

fix lint issue

add support for `SINGLE_AZ_2` type

Update website/docs/r/fsx_windows_file_system.html.markdown

Co-authored-by: Simon Davis <simon@breathingdust.com>

Update website/docs/r/fsx_windows_file_system.html.markdown

Co-authored-by: Simon Davis <simon@breathingdust.com>

Update website/docs/r/fsx_windows_file_system.html.markdown

Co-authored-by: Simon Davis <simon@breathingdust.com>

Update CHANGELOG.md for #12676

Fix schema set errors (#14167)

* Fix schema set errors

* Fix wrong attribute

* Fix type

* Flatten ssm parameters

* resource/elasticsearch_domain: update method to set advanced_security_options  (#14198)

* set advanced security options only if enabled

* refactor and set values depending on enabled field

Co-authored-by: angie pinilla <angelinepinilla@gmail.com>

tests/provider: Enable AWSAT004 check for CI (#14216)

Reference: https://github.com/terraform-providers/terraform-provider-aws/pull/14097

resource/aws_launch_configuration: Remove DescribeLaunchConfigurations retries on all errors (#14260)

Reference: https://github.com/hashicorp/terraform/issues/302
Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13409

Does not seem to be occurring anymore, but could require additional load to manifest. Can re-add explicit retries as necessary.

Output from acceptance testing:

```
--- PASS: TestAccAWSLaunchConfiguration_withSpotPrice (11.31s)
--- PASS: TestAccAWSLaunchConfiguration_ebs_noDevice (13.17s)
--- PASS: TestAccAWSLaunchConfiguration_withBlockDevices (13.44s)
--- PASS: TestAccAWSLaunchConfiguration_withInstanceStoreAMI (13.67s)
--- PASS: TestAccAWSLaunchConfiguration_withEncryption (14.02s)
--- PASS: TestAccAWSLaunchConfiguration_basic (22.34s)
--- PASS: TestAccAWSLaunchConfiguration_withIAMProfile (24.19s)
--- PASS: TestAccAWSLaunchConfiguration_encryptedRootBlockDevice (25.59s)
--- PASS: TestAccAWSLaunchConfiguration_userData (28.60s)
--- PASS: TestAccAWSLaunchConfiguration_RootBlockDevice_VolumeSize (28.91s)
--- PASS: TestAccAWSLaunchConfiguration_updateEbsBlockDevices (30.96s)
--- PASS: TestAccAWSLaunchConfiguration_withVpcClassicLink (32.72s)
--- PASS: TestAccAWSLaunchConfiguration_RootBlockDevice_AmiDisappears (353.93s)
```

resource/aws_spot_fleet_request: Only retry RequestSpotFleet on IAM eventual consistency errors, use standard 2 minute timeout (#14265)

Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/7740
Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13409

Output from acceptance testing:

```
--- PASS: TestAccAWSSpotFleetRequest_associatePublicIpAddress (251.97s)
--- PASS: TestAccAWSSpotFleetRequest_basic (314.23s)
--- PASS: TestAccAWSSpotFleetRequest_changePriceForcesNewRequest (612.33s)
--- PASS: TestAccAWSSpotFleetRequest_disappears (261.47s)
--- PASS: TestAccAWSSpotFleetRequest_diversifiedAllocation (403.92s)
--- PASS: TestAccAWSSpotFleetRequest_fleetType (316.94s)
--- PASS: TestAccAWSSpotFleetRequest_iamInstanceProfileArn (251.69s)
--- PASS: TestAccAWSSpotFleetRequest_instanceInterruptionBehavior (253.29s)
--- PASS: TestAccAWSSpotFleetRequest_LaunchSpecification_EbsBlockDevice_KmsKeyId (112.90s)
--- PASS: TestAccAWSSpotFleetRequest_LaunchSpecification_RootBlockDevice_KmsKeyId (142.33s)
--- PASS: TestAccAWSSpotFleetRequest_launchSpecToLaunchTemplate (467.97s)
--- PASS: TestAccAWSSpotFleetRequest_launchTemplate (253.11s)
--- PASS: TestAccAWSSpotFleetRequest_launchTemplate_multiple (254.84s)
--- PASS: TestAccAWSSpotFleetRequest_launchTemplateToLaunchSpec (468.45s)
--- PASS: TestAccAWSSpotFleetRequest_launchTemplateWithOverrides (253.43s)
--- PASS: TestAccAWSSpotFleetRequest_lowestPriceAzInGivenList (274.51s)
--- PASS: TestAccAWSSpotFleetRequest_lowestPriceAzOrSubnetInRegion (314.01s)
--- PASS: TestAccAWSSpotFleetRequest_lowestPriceSubnetInGivenList (276.90s)
--- PASS: TestAccAWSSpotFleetRequest_multipleInstancePools (486.46s)
--- PASS: TestAccAWSSpotFleetRequest_multipleInstanceTypesInSameAz (406.36s)
--- PASS: TestAccAWSSpotFleetRequest_multipleInstanceTypesInSameSubnet (231.26s)
--- PASS: TestAccAWSSpotFleetRequest_overriddingSpotPrice (295.29s)
--- PASS: TestAccAWSSpotFleetRequest_placementTenancyAndGroup (57.48s)
--- PASS: TestAccAWSSpotFleetRequest_tags (342.55s)
--- PASS: TestAccAWSSpotFleetRequest_updateExcessCapacityTerminationPolicy (597.13s)
--- PASS: TestAccAWSSpotFleetRequest_updateTargetCapacity (753.34s)
--- PASS: TestAccAWSSpotFleetRequest_withEBSDisk (255.16s)
--- PASS: TestAccAWSSpotFleetRequest_WithELBs (277.96s)
--- PASS: TestAccAWSSpotFleetRequest_withoutSpotPrice (232.56s)
--- PASS: TestAccAWSSpotFleetRequest_withTags (282.39s)
--- PASS: TestAccAWSSpotFleetRequest_WithTargetGroups (427.61s)
--- PASS: TestAccAWSSpotFleetRequest_withWeightedCapacity (335.33s)
```

Update CHANGELOG for #14265

resource/aws_codepipeline: Only retry CreatePipeline errors for IAM eventual consistency (#14264)

Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13409

Output from acceptance testing:

```
--- PASS: TestAccAWSCodePipeline_emptyStageArtifacts (33.11s)
--- PASS: TestAccAWSCodePipeline_WithNamespace (35.13s)
--- PASS: TestAccAWSCodePipeline_multiregion_basic (36.83s)
--- PASS: TestAccAWSCodePipeline_deployWithServiceRole (42.85s)
--- PASS: TestAccAWSCodePipeline_basic (57.83s)
--- PASS: TestAccAWSCodePipeline_multiregion_Update (61.32s)
--- PASS: TestAccAWSCodePipeline_tags (76.28s)
--- PASS: TestAccAWSCodePipeline_multiregion_ConvertSingleRegion (79.20s)
```

Update CHANGELOG for #14264

resource/aws_ssm_activation: Only retry CreateActivation on IAM eventual consistency error, allow retries for standard 2 minutes (#14263)

Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13409

API does not seem to validate IAM Role permissions on creation.

Output from acceptance testing:

```
--- PASS: TestAccAWSSSMActivation_expirationDate (19.17s)
--- PASS: TestAccAWSSSMActivation_disappears (25.22s)
--- PASS: TestAccAWSSSMActivation_basic (27.39s)
--- PASS: TestAccAWSSSMActivation_update (37.23s)
```

Update CHANGELOG for #14263

resource/aws_network_acl_rule: Immediately return DescribeNetworkAcls errors on creation (#14261)

Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13409

Output from acceptance testing:

```
--- PASS: TestAccAWSNetworkAclRule_allProtocol (44.33s)
--- PASS: TestAccAWSNetworkAclRule_basic (32.50s)
--- PASS: TestAccAWSNetworkAclRule_disappears (32.83s)
--- PASS: TestAccAWSNetworkAclRule_disappears_NetworkAcl (27.16s)
--- PASS: TestAccAWSNetworkAclRule_ingressEgressSameNumberDisappears (30.24s)
--- PASS: TestAccAWSNetworkAclRule_ipv6 (29.23s)
--- PASS: TestAccAWSNetworkAclRule_ipv6ICMP (28.65s)
--- PASS: TestAccAWSNetworkAclRule_ipv6VpcAssignGeneratedIpv6CidrBlockUpdate (47.71s)
--- PASS: TestAccAWSNetworkAclRule_missingParam (15.14s)
--- PASS: TestAccAWSNetworkAclRule_tcpProtocol (40.32s)
```

Update CHANGELOG for #14261

Add function to check TypeSet pairs

Add unit tests for TestCheckTypeSetElemAttrPair

tests/resource/aws_rds_cluster: Fix TestAccAWSRDSCluster_EngineVersion (#14286)

isolate changes to only route53_record resource

update additional domain name example in upgrade guide

Co-authored-by: Brian Flad <bflad417@gmail.com>

update with CR comments

isolate changes to only resolver rule

isolate changes to only acm_certificate

isolate changes to only ses_domain_identity

re-add trailing period acctest

merge with parent branch and update statefuncs to use global method

update statefuncs to use global method and update tests w/trailing period domains

r/aws_apigatewayv2_stage: Make deployment_id a computed attribute.

Update CHANGELOG.md for #13644

bump to go v1.14.5

r/aws_apigatewayv2_integration: Add 'request_parameters' attribute.

Update CHANGELOG.md for #14080

r/aws_apigatewayv2_route: Update route key.

Update CHANGELOG.md for #13833

Revert "Remove 'tls_config' attribute. It doesn't seem to do anything right now."

This reverts commit ffbce32f931a9b33adc8407a267ba176c510bd44.

r/aws_apigatewayv2_integration: Test HTTP API VPC Link integration.

r/aws_apigatewayv2_integration: Additional import test step in 'TestAccAWSAPIGatewayV2Integration_VpcLinkHttp'.

Update CHANGELOG.md

Update CHANGELOG.md for #13013

Update CHANGELOG.md

add atleastoneof property to filter attributes

Update CHANGELOG for #14230

Remove hardcoded AMI and AZ

Improve static check for hardcoded partition in ARN

resource/aws_lambda_function: Increase IAM retry timeout for create to 2 minutes (#14291)

References:
* https://github.com/terraform-providers/terraform-provider-aws/issues/14285

Increased the retry timeout for eventual consistency IAM errors during a
lambda function create from 1 minute to 2 minutes.

Output from acceptance testing:

```
make testacc TEST=./aws TESTARGS='-run=TestAccAWSLambdaFunction_'
...
--- PASS: TestAccAWSLambdaFunction_basic (28.86s)
--- PASS: TestAccAWSLambdaFunction_runtimeValidation_java8 (34.46s)
--- PASS: TestAccAWSLambdaFunction_DeadLetterConfigUpdated (160.32s)
--- PASS: TestAccAWSLambdaFunction_VpcConfig_ProperIamDependencies (208.54s)
--- PASS: TestAccAWSLambdaFunction_VPC_withInvocation (567.54s)
--- PASS: TestAccAWSLambdaFunction_VPCRemoval (596.13s)
--- PASS: TestAccAWSLambdaFunction_LayersUpdate (49.02s)
--- PASS: TestAccAWSLambdaFunction_VPC (362.84s)
--- PASS: TestAccAWSLambdaFunction_VPCUpdate (797.25s)
--- PASS: TestAccAWSLambdaFunction_nilDeadLetterConfig (120.01s)
--- PASS: TestAccAWSLambdaFunction_DeadLetterConfig (51.30s)
--- PASS: TestAccAWSLambdaFunction_envVariables (153.15s)
--- PASS: TestAccAWSLambdaFunction_versioned (39.16s)
--- PASS: TestAccAWSLambdaFunction_versionedUpdate (61.80s)
--- PASS: TestAccAWSLambdaFunction_runtimeValidation_python37 (31.16s)
--- PASS: TestAccAWSLambdaFunction_encryptedEnvVariables (51.77s)
--- PASS: TestAccAWSLambdaFunction_runtimeValidation_dotnetcore31 (36.20s)
--- PASS: TestAccAWSLambdaFunction_runtimeValidation_ruby27 (40.86s)
--- PASS: TestAccAWSLambdaFunction_Layers (38.54s)
--- PASS: TestAccAWSLambdaFunction_tracingConfig (51.87s)
--- PASS: TestAccAWSLambdaFunction_KmsKeyArn_NoEnvironmentVariables (36.57s)
--- PASS: TestAccAWSLambdaFunction_concurrencyCycle (54.03s)
--- PASS: TestAccAWSLambdaFunction_runtimeValidation_ruby25 (36.53s)
--- PASS: TestAccAWSLambdaFunction_expectFilenameAndS3Attributes (13.34s)
--- PASS: TestAccAWSLambdaFunction_runtimeValidation_python38 (28.27s)
--- PASS: TestAccAWSLambdaFunction_tags (51.19s)
--- PASS: TestAccAWSLambdaFunction_runtimeValidation_java11 (36.59s)
--- PASS: TestAccAWSLambdaFunction_updateRuntime (51.42s)
--- PASS: TestAccAWSLambdaFunction_s3Update_unversioned (43.77s)
--- PASS: TestAccAWSLambdaFunction_localUpdate (39.80s)
--- PASS: TestAccAWSLambdaFunction_s3Update_basic (44.15s)
--- PASS: TestAccAWSLambdaFunction_localUpdate_nameOnly (40.02s)
--- PASS: TestAccAWSLambdaFunction_runtimeValidation_python36 (32.09s)
--- PASS: TestAccAWSLambdaFunction_FileSystemConfig (721.87s)
--- PASS: TestAccAWSLambdaFunction_s3 (31.68s)
--- PASS: TestAccAWSLambdaFunction_runtimeValidation_provided (36.48s)
--- PASS: TestAccAWSLambdaFunction_runtimeValidation_python27 (33.63s)
--- PASS: TestAccAWSLambdaFunction_runtimeValidation_NodeJs10x (38.17s)
--- PASS: TestAccAWSLambdaFunction_runtimeValidation_noRuntime (0.91s)
--- PASS: TestAccAWSLambdaFunction_concurrency (46.63s)
--- PASS: TestAccAWSLambdaFunction_EmptyVpcConfig (38.38s)
--- PASS: TestAccAWSLambdaFunction_disappears (36.13s)
--- PASS: TestAccAWSLambdaFunction_runtimeValidation_NodeJs12x (38.47s)
```

Update CHANGELOG for #14291

error when iops provided for unsupported type

improve upgrade docs for iops

Update CHANGELOG for #14310

Update CHANGELOG with Go versioning

Remove hardcoded AMIs and AZs

Remove hardcoded AMIs and AZs

Removed hardcoded AMIs and AZs

Remove hardcoded AMI and AZ

Remove hardcoded AMI

r/aws_apigatewayv2_stage: 'data_trace_enabled' and 'logging_level' are only valid for WebSocket APIs.

r/aws_apigatewayv2_stage: No need for diff-suppression for new resources.

r/aws_apigatewayv2_stage: Additional route_settings and default_route_settings test cases.

r/aws_apigatewayv2_stage: Add computed 'api_protocol_type' attribute.

r/aws_apigatewayv2_stage: Pass API protocol type to 'flattenApiGatewayV2RouteSettings'.

Revert "r/aws_apigatewayv2_stage: Pass API protocol type to 'flattenApiGatewayV2RouteSettings'."

This reverts commit 9337272b7842879cdbae5be19ec076bea314b20c.

Revert "r/aws_apigatewayv2_stage: Add computed 'api_protocol_type' attribute."

This reverts commit a7eb7cf9976ecabb04696dbe2f39805cc0ec1401.

Fix mess from rebase.

r/aws_apigatewayv2_stage: Change 'route_setting.logging_level' to computed to address different defaults for WebSocket vs. HTTP.

Update CHANGELOG.md for #13809

resource/aws_acm_certificate: Convert domain_validation_options to TypeSet and calculate elements during plan (#14199)

* resource/aws_acm_certificate: Convert domain_validation_options to TypeSet and calculate elements during plan

Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/8531
Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/10098
Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/10404
Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13053

Output from acceptance testing:

```
--- PASS: TestAccAWSAcmCertificate_imported_IpAddress (11.48s)
--- PASS: TestAccAWSAcmCertificate_rootAndWildcardSan (15.53s)
--- PASS: TestAccAWSAcmCertificate_root_TrailingPeriod (15.53s)
--- PASS: TestAccAWSAcmCertificate_root (15.62s)
--- PASS: TestAccAWSAcmCertificate_emailValidation (15.91s)
--- PASS: TestAccAWSAcmCertificate_san_TrailingPeriod (16.38s)
--- PASS: TestAccAWSAcmCertificate_wildcardAndRootSan (16.43s)
--- PASS: TestAccAWSAcmCertificate_san_single (16.51s)
--- PASS: TestAccAWSAcmCertificate_dnsValidation (16.85s)
--- PASS: TestAccAWSAcmCertificate_disableCTLogging (17.06s)
--- PASS: TestAccAWSAcmCertificate_wildcard (18.71s)
--- PASS: TestAccAWSAcmCertificate_san_multiple (19.49s)
--- PASS: TestAccAWSAcmCertificate_privateCert (20.85s)
--- PASS: TestAccAWSAcmCertificate_imported_DomainName (26.86s)
--- PASS: TestAccAWSAcmCertificate_tags (42.99s)

--- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsEmail (11.56s)
--- PASS: TestAccAWSAcmCertificateValidation_timeout (19.20s)
--- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdns (107.31s)
--- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsSan (110.62s)
--- PASS: TestAccAWSAcmCertificateValidation_basic (143.58s)
--- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsWildcardAndRoot (153.05s)
--- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsRoot (212.21s)
--- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsRootAndWildcard (212.95s)
--- PASS: TestAccAWSAcmCertificateValidation_validationRecordFqdnsWildcard (247.43s)
```

Please note that this was also tested manually with a few iterations of this configuration:

```hcl
terraform {
    required_providers {
        aws = "2.70.0"
    }
    required_version = "0.12.28"
}

provider "aws" {
  region = "us-east-2"
}

variable "public_root_domain" {
  description = "Publicly accessible domain for ACM testing"
  type        = string
}

data "aws_route53_zone" "public_root_domain" {
  name = var.public_root_domain
}

resource "aws_acm_certificate" "new" {
  domain_name               = "new.${var.public_root_domain}"
  subject_alternative_names = [
    "new1.${var.public_root_domain}",
    "new2.${var.public_root_domain}",
    "new3.${var.public_root_domain}",
  ]
  validation_method         = "DNS"
}

resource "aws_route53_record" "new" {
  for_each = {
    for dvo in aws_acm_certificate.new.domain_validation_options: dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = data.aws_route53_zone.public_root_domain.zone_id
}

resource "aws_acm_certificate_validation" "new" {
  certificate_arn         = aws_acm_certificate.new.arn
  validation_record_fqdns = [for record in aws_route53_record.new: record.fqdn]
}

resource "aws_acm_certificate" "wildcard" {
  domain_name               = var.public_root_domain
  subject_alternative_names = ["*.${var.public_root_domain}"]
  validation_method         = "DNS"
}

resource "aws_route53_record" "wildcard" {
  for_each = {
    for dvo in aws_acm_certificate.wildcard.domain_validation_options: dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = data.aws_route53_zone.public_root_domain.zone_id
}

resource "aws_acm_certificate_validation" "wildcard" {
  certificate_arn         = aws_acm_certificate.wildcard.arn
  validation_record_fqdns = [for record in aws_route53_record.wildcard: record.fqdn]
}
```

* docs/service/acm: Fix terrafmt reports

Previously:

```
website/docs/r/acm_certificate.html.markdown:83
website/docs/r/acm_certificate_validation.html.markdown:25
website/docs/r/acm_certificate_validation.html.markdown:67
```

Update CHANGELOG for #14199

Implement Disappears test for API Gateway resources (#13243)

* add disappears test case for APIGW API Key

* add disappears test case for APIGW Authorizer

* add disappears test case for APIGW Base Path

* add disappears test case for APIGW Client Cert

* add disappears test case for APIGW Deployment

* add disappears test case for APIGW Doc Part

* add disappears test case for APIGW Doc Ver

* add disappears test case for APIGW Domain Name

* add disappears test case for APIGW Gateway Response

* add disappears test case for APIGW Integration Response

* add disappears test case for APIGW Integration

* add disappears test case for APIGW Method

* add disappears test case for APIGW Method Response

* add disappears test case for APIGW Method Settings

* add disappears test case for APIGW Model

* add disappears test case for APIGW Request Validator

* add disappears test case for APIGW Resource

* add disappears test case for APIGW Rest API

* add disappears test case for APIGW Stage

* add disappears test case for APIGW Usage Plan Key

* add disappears test case for APIGW Usage Plan

* add disappears test case for APIGW VPC Link

* fix

* fix lint

docs/resource/aws_codebuild_project: Add SECRETS_MANAGER to the CodeBuild environment_variable type (#14200)

Updates alexa example

Updates api-gateway-websocket-chat-app example

Updates asg example

Updates cloudhsm example

Updates cloudwatch-events kinesis and sns examples

Updates cognito-user-pool example

Updates count example

Updates dx-gateway-cross-account-vgw-association example

Updates ecs-alb example

Updates eip example

Updates eks-getting-started example

Updates elasticsearch-domain example

Updates elb example

Updates lambda example

Updates lambda-file-system example

Updates networking example

Updates rds example

Updates s3-api-gateway-integration example

Updates s3-cross-account-access

Updates sagemaker example

Updates transit-gateway-cross-account-peering-attachment example

Updates transit-gateway-cross-account-vpc-attachment example

Updates two-tier example

Updates workspaces example

Updates example action workflow to validate only with Terraform 0.12. Adds error for testing

Restore `terraform validate` output

Only check for warnings if there are no errors

Fixes bash conditional

Wraps jq result in quotes to force it into a string to avoid "unary operator expected" error

Tightens warning check

Updates warning equality

Simplify warning check since it will exit on syntax errors

Resetting warning test to debug it

Add back terraform validate -json

Adds back jq

Echoes warning count

Step-by-step

Baby steps

One step back

Again

Try anything

Drops checks for warnings

Removes error added for testing

Got it!

resource/aws_ssm_maintenance_window_task: Remove deprecated logging_info and task_parameters configuration blocks (#14311)

Reference: https://github.com/terraform-providers/terraform-provider-aws/pull/7823
Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13398

Output from acceptance testing:

```
--- PASS: TestAccAWSSSMMaintenanceWindowTask_emptyNotificationConfig (13.56s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_TaskInvocationStepFunctionParameters (14.66s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_updateForcesNewResource (22.46s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_basic (22.75s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_TaskInvocationLambdaParameters (36.30s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_TaskInvocationAutomationParameters (36.56s)
--- PASS: TestAccAWSSSMMaintenanceWindowTask_TaskInvocationRunCommandParameters (39.53s)
```

Update CHANGELOG for #14311

resource/aws_lb_listener_rule: Remove deprecated condition configuration block field and values arguments (#14309)

Reference: https://github.com/terraform-providers/terraform-provider-aws/pull/8268
Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13398

Already documented in the version 3 upgrade guide.

Output from acceptance testing:

```
--- PASS: TestAccAWSLBListenerRule_Action_Order (242.39s)
--- PASS: TestAccAWSLBListenerRule_Action_Order_Recreates (172.01s)
--- PASS: TestAccAWSLBListenerRule_BackwardsCompatibility (192.52s)
--- PASS: TestAccAWSLBListenerRule_basic (205.77s)
--- PASS: TestAccAWSLBListenerRule_changeListenerRuleArnForcesNew (234.49s)
--- PASS: TestAccAWSLBListenerRule_cognito (190.75s)
--- PASS: TestAccAWSLBListenerRule_conditionAttributesCount (10.86s)
--- PASS: TestAccAWSLBListenerRule_conditionHostHeader (227.40s)
--- PASS: TestAccAWSLBListenerRule_conditionHttpHeader (194.36s)
--- PASS: TestAccAWSLBListenerRule_conditionHttpHeader_invalid (1.43s)
--- PASS: TestAccAWSLBListenerRule_conditionHttpRequestMethod (195.55s)
--- PASS: TestAccAWSLBListenerRule_conditionMultiple (269.78s)
--- PASS: TestAccAWSLBListenerRule_conditionPathPattern (199.17s)
--- PASS: TestAccAWSLBListenerRule_conditionQueryString (195.57s)
--- PASS: TestAccAWSLBListenerRule_conditionSourceIp (186.73s)
--- PASS: TestAccAWSLBListenerRule_conditionUpdateMixed (274.24s)
--- PASS: TestAccAWSLBListenerRule_conditionUpdateMultiple (267.11s)
--- PASS: TestAccAWSLBListenerRule_fixedResponse (213.36s)
--- PASS: TestAccAWSLBListenerRule_forwardWeighted (213.62s)
--- PASS: TestAccAWSLBListenerRule_oidc (206.04s)
--- PASS: TestAccAWSLBListenerRule_priority (377.75s)
--- PASS: TestAccAWSLBListenerRule_redirect (248.43s)
--- PASS: TestAccAWSLBListenerRule_updateFixedResponse (189.01s)
--- PASS: TestAccAWSLBListenerRule_updateRulePriority (206.44s)
```

Update CHANGELOG for #14309

resource/aws_cognito_user_pool: Remove deprecated admin_create_user_config.unused_account_validity_days argument (#14294)

Reference: https://github.com/terraform-providers/terraform-provider-aws/pull/10890
Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13398

Output from acceptance testing:

```
--- PASS: TestAccAWSCognitoUserPool_basic (16.93s)
--- PASS: TestAccAWSCognitoUserPool_MfaConfiguration_SmsConfiguration (47.75s)
--- PASS: TestAccAWSCognitoUserPool_MfaConfiguration_SmsConfigurationAndSoftwareTokenMfaConfiguration (50.45s)
--- PASS: TestAccAWSCognitoUserPool_MfaConfiguration_SmsConfigurationToSoftwareTokenMfaConfiguration (46.37s)
--- PASS: TestAccAWSCognitoUserPool_MfaConfiguration_SoftwareTokenMfaConfiguration (41.83s)
--- PASS: TestAccAWSCognitoUserPool_MfaConfiguration_SoftwareTokenMfaConfigurationToSmsConfiguration (35.22s)
--- PASS: TestAccAWSCognitoUserPool_SmsAuthenticationMessage (36.72s)
--- PASS: TestAccAWSCognitoUserPool_SmsConfiguration (45.69s)
--- PASS: TestAccAWSCognitoUserPool_SmsConfiguration_ExternalId (43.87s)
--- PASS: TestAccAWSCognitoUserPool_SmsConfiguration_SnsCallerArn (41.27s)
--- PASS: TestAccAWSCognitoUserPool_SmsVerificationMessage (21.39s)
--- PASS: TestAccAWSCognitoUserPool_update (38.77s)
--- PASS: TestAccAWSCognitoUserPool_withAdminCreateUserConfiguration (26.14s)
--- PASS: TestAccAWSCognitoUserPool_withAdminCreateUserConfigurationAndPasswordPolicy (13.70s)
--- PASS: TestAccAWSCognitoUserPool_withAdvancedSecurityMode (32.33s)
--- PASS: TestAccAWSCognitoUserPool_withAliasAttributes (23.59s)
--- PASS: TestAccAWSCognitoUserPool_withDeviceConfiguration (21.89s)
--- PASS: TestAccAWSCognitoUserPool_withEmailVerificationMessage (21.15s)
--- PASS: TestAccAWSCognitoUserPool_withLambdaConfig (46.71s)
--- PASS: TestAccAWSCognitoUserPool_withPasswordPolicy (36.75s)
--- PASS: TestAccAWSCognitoUserPool_withSchemaAttributes (22.83s)
--- PASS: TestAccAWSCognitoUserPool_withTags (33.77s)
--- PASS: TestAccAWSCognitoUserPool_withUsernameConfiguration (28.12s)
--- PASS: TestAccAWSCognitoUserPool_withVerificationMessageTemplate (21.48s)
```

Update CHANGELOG for #14294

tests/provider: Ensure awsproviderlint source is dependency and lint checked (#14131)

* tests/provider: Ensure awsproviderlint source is dependency and lint checked

Reference: https://github.com/terraform-providers/terraform-provider-aws/pull/14129

* provider: Add awsproviderlint to make fmt target

provider: Initial snapshot build workflow (#14140)

Using GitHub Actions artifacts, sets up daily snapshot builds of master and allows other snapshot builds.

resource/aws_iam_access_key: Remove deprecated ses_smtp_password attribute (#14299)

Reference: https://github.com/terraform-providers/terraform-provider-aws/pull/11144
Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13398

Output from acceptance testing:

```
--- PASS: TestAccAWSAccessKey_basic (5.87s)
--- PASS: TestAccAWSAccessKey_encrypted (5.97s)
--- PASS: TestAccAWSAccessKey_inactive (9.72s)
```

Update CHANGELOG for #14299

provider: Remove deprecated kinesis_analytics and r53 custom endpoint arguments (#14238)

Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13398

Output from acceptance testing:

```
--- PASS: TestAccAWSProvider_Region_AwsCommercial (3.64s)
--- PASS: TestAccAWSProvider_Region_AwsChina (3.64s)
--- PASS: TestAccAWSProvider_Region_AwsGovCloudUs (3.65s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_Multiple (4.00s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_None (4.00s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_Multiple (4.01s)
--- PASS: TestAccAWSProvider_IgnoreTags_Keys_One (4.01s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_None (4.01s)
--- PASS: TestAccAWSProvider_IgnoreTags_KeyPrefixes_One (4.02s)
--- PASS: TestAccAWSProvider_IgnoreTags_EmptyConfigurationBlock (4.01s)
--- PASS: TestAccAWSProvider_Endpoints (4.08s)
--- PASS: TestAccAWSProvider_AssumeRole_Empty (7.80s)
```

Update CHANGELOG for #14238

resource/aws_glue_job: Remove deprecated allocated_capacity argument (#14296)

Reference: https://github.com/terraform-providers/terraform-provider-aws/pull/7340
Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13398

Output from acceptance testing:

```
--- PASS: TestAccAWSGlueJob_basic (14.45s)
--- PASS: TestAccAWSGlueJob_Description (21.70s)
--- PASS: TestAccAWSGlueJob_GlueVersion (21.74s)
--- PASS: TestAccAWSGlueJob_MaxRetries (21.92s)
--- PASS: TestAccAWSGlueJob_Command (21.95s)
--- PASS: TestAccAWSGlueJob_DefaultArguments (22.08s)
--- PASS: TestAccAWSGlueJob_NotificationProperty (22.10s)
--- PASS: TestAccAWSGlueJob_Timeout (22.13s)
--- PASS: TestAccAWSGlueJob_ExecutionProperty (22.43s)
--- PASS: TestAccAWSGlueJob_MaxCapacity (22.43s)
--- PASS: TestAccAWSGlueJob_SecurityConfiguration (22.48s)
--- PASS: TestAccAWSGlueJob_WorkerType (29.22s)
--- PASS: TestAccAWSGlueJob_Tags (29.29s)
--- PASS: TestAccAWSGlueJob_PythonShell (30.12s)
```

Update CHANGELOG for #14296

resource/aws_iam_instance_profile: Remove deprecated roles argument (#14303)

Reference: https://github.com/hashicorp/terraform/pull/13130
Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13398

Output from acceptance testing:

```
--- PASS: TestAccAWSIAMInstanceProfile_withoutRole (6.44s)
--- PASS: TestAccAWSIAMInstanceProfile_basic (6.92s)
--- PASS: TestAccAWSIAMInstanceProfile_namePrefix (6.94s)

--- PASS: TestAccAWSAutoScalingGroup_LaunchTemplate_IAMInstanceProfile (53.25s)

--- PASS: TestAccAWSAppautoScalingTarget_emrCluster (790.81s)

--- PASS: TestAccAWSBeanstalkEnv_tier (518.46s)

--- PASS: TestAccAWSIAMRole_testNameChange (12.80s)

--- PASS: TestAccAWSInstance_instanceProfileChange (204.32s)
--- PASS: TestAccAWSInstance_withIamInstanceProfile (115.26s)

--- PASS: TestAccAWSLaunchConfiguration_withIAMProfile (21.61s)
```

Update CHANGELOG for #14303

Remove hardcoded AMIs and AZs

resource/aws_sns_topic_subscription: Use paginated ListSubscriptionsByTopic and return immediately on errors (#14262)

* tests/resource/aws_sns_topic_subscription: Fix recurring and unrelated test configuration error

Previously:

```
--- FAIL: TestAccAWSSNSTopicSubscription_autoConfirmingSecuredEndpoint (63.28s)
testing.go:684: Step 0 error: After applying this step, the plan was not empty:
DIFF:
UPDATE: aws_api_gateway_authorizer.test
...
authorizer_result_ttl_in_seconds: "300" => "0"
```

Output from acceptance testing:

```
--- PASS: TestAccAWSSNSTopicSubscription_autoConfirmingSecuredEndpoint (91.18s)
```

* resource/aws_sns_topic_subscription: Use paginated ListSubscriptionsByTopic and return immediately on errors

Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13409

Output from acceptance testing:

```
--- PASS: TestAccAWSSNSTopicSubscription_basic (13.47s)
--- PASS: TestAccAWSSNSTopicSubscription_rawMessageDelivery (27.13s)
--- PASS: TestAccAWSSNSTopicSubscription_filterPolicy (28.12s)
--- PASS: TestAccAWSSNSTopicSubscription_deliveryPolicy (28.38s)
--- PASS: TestAccAWSSNSTopicSubscription_autoConfirmingEndpoint (48.31s)
--- PASS: TestAccAWSSNSTopicSubscription_autoConfirmingSecuredEndpoint (91.18s)
```

Update CHANGELOG for #14262

service/directconnect: vpn_gateway_id Argument Removals and Increase aws_dx_gateway_association Default Timeouts (#14144)

* resource/aws_dx_gateway_association: Increase default create/update/delete timeouts to 30 minutes

Previously, we were seeing consistent failures across many of the acceptance tests:

```
    TestAccAwsDxGatewayAssociation_allowedPrefixesVpnGatewaySingleAccount: testing.go:684: Step 1 error: errors during apply:

        Error: error waiting for Direct Connect gateway association (ga-a59d30b3-e6de-435e-bb17-cd7ed23f400evgw-06bccd6488d2b8d87) to become available: timeout while waiting for state to become 'associated' (last state: 'updating', timeout: 10m0s)

    TestAccAwsDxGatewayAssociation_allowedPrefixesVpnGatewayCrossAccount: testing.go:684: Step 1 error: errors during apply:

        Error: error waiting for Direct Connect gateway association (ga-a8b1b976-c0a1-4b64-8560-9d9cc45d11a3vgw-0a2e52679acf9c250) to become available: timeout while waiting for state to become 'associated' (last state: 'updating', timeout: 10m0s)

--- FAIL: TestAccAwsDxGatewayAssociation_basicTransitGatewaySingleAccount (989.81s)
testing.go:684: Step 0 error: errors during apply:
Error: error waiting for Direct Connect gateway association (ga-48d0e3d3-e131-443d-9693-e64eff519baatgw-0a2a0ea77f65ed202) to become available: timeout while waiting for state to become 'associated' (last state: 'associating', timeout: 15m0s)

--- FAIL: TestAccAwsDxGatewayAssociation_basicTransitGatewayCrossAccount (991.80s)
testing.go:684: Step 0 error: errors during apply:
Error: error waiting for Direct Connect gateway association (ga-9f9c1ed2-97b6-41c5-8018-0724f6162b59tgw-06f7ce56df96282d7) to become available: timeout while waiting for state to become 'associated' (last state: 'associating', timeout: 15m0s)

--- FAIL: TestAccAwsDxGatewayAssociation_basicVpnGatewaySingleAccount (1816.92s)
testing.go:684: Step 0 error: errors during apply:
Error: error waiting for Direct Connect gateway association (ga-76c9d0f4-b0aa-4b1b-96d9-10ce8c3ca025vgw-0c47a2c63baf7d4d8) to become available: timeout while waiting for state to become 'associated' (last state: 'associating', timeout: 15m0s)

testing.go:745: Error destroying resource! WARNING: Dangling resources
may exist. The full state and error is shown below.
Error: errors during apply: error waiting for Direct Connect gateway association (ga-76c9d0f4-b0aa-4b1b-96d9-10ce8c3ca025vgw-0c47a2c63baf7d4d8) to be deleted: timeout while waiting for state to become 'disassociated, deleted' (last state: 'disassociating', timeout: 15m0s)

--- FAIL: TestAccAwsDxGatewayAssociation_allowedPrefixesVpnGatewaySingleAccount (1816.89s)
testing.go:684: Step 0 error: errors during apply:
Error: error waiting for Direct Connect gateway association (ga-12a5c1e8-322e-4bc1-8a5a-f4b778a00db3vgw-09c811d121256131b) to become available: timeout while waiting for state to become 'associated' (last state: 'associating', timeout: 15m0s)

testing.go:745: Error destroying resource! WARNING: Dangling resources
may exist. The full state and error is shown below.
Error: errors during apply: error waiting for Direct Connect gateway association (ga-12a5c1e8-322e-4bc1-8a5a-f4b778a00db3vgw-09c811d121256131b) to be deleted: timeout while waiting for state to become 'disassociated, deleted' (last state: 'disassociating', timeout: 15m0s)

--- FAIL: TestAccAwsDxGatewayAssociation_allowedPrefixesVpnGatewayCrossAccount (1819.25s)
testing.go:684: Step 0 error: errors during apply:
Error: error waiting for Direct Connect gateway association (ga-ccf678f2-5d51-441e-86c5-308c731f26abvgw-063e75f539bc3719c) to become available: timeout while waiting for state to become 'associated' (last state: 'associating', timeout: 15m0s)

testing.go:745: Error destroying resource! WARNING: Dangling resources
may exist. The full state and error is shown below.
Error: errors during apply: error waiting for Direct Connect gateway association (ga-ccf678f2-5d51-441e-86c5-308c731f26abvgw-063e75f539bc3719c) to be deleted: timeout while waiting for state to become 'disassociated, deleted' (last state: 'disassociating', timeout: 15m0s)

--- FAIL: TestAccAwsDxGatewayAssociation_multiVpnGatewaysSingleAccount (2487.01s)
testing.go:684: Step 0 error: errors during apply:
Error: error waiting for Direct Connect gateway association (ga-5d93ccd0-8344-4ee6-95f8-58af27e01301vgw-054e2b0e7ecf45c8d) to become available: timeout while waiting for state to become 'associated' (last state: 'associating', timeout: 15m0s)

Error: error waiting for Direct Connect gateway association (ga-5d93ccd0-8344-4ee6-95f8-58af27e01301vgw-057b39dbec7338ec1) to become available: timeout while waiting for state to become 'associated' (last state: 'associating', timeout: 15m0s)

testing.go:745: Error destroying resource! WARNING: Dangling resources
may exist. The full state and error is shown below.
Error: errors during apply: error waiting for Direct Connect gateway association (ga-5d93ccd0-8344-4ee6-95f8-58af27e01301vgw-057b39dbec7338ec1) to be deleted: timeout while waiting for state to become 'disassociated, deleted' (last state: 'disassociating', timeout: 15m0s)

--- FAIL: TestAccAwsDxGatewayAssociation_basicVpnGatewayCrossAccount (2529.42s)
testing.go:684: Step 0 error: errors during apply:
Error: error waiting for Direct Connect gateway association (ga-ad8143a9-657e-4ed2-9ebb-a78dd2bee2c1vgw-0d552249edec48941) to become available: timeout while waiting for state to become 'associated' (last state: 'associating', timeout: 15m0s)

testing.go:745: Error destroying resource! WARNING: Dangling resources
may exist. The full state and error is shown below.
Error: errors during apply: Error waiting for VPN Gateway "vgw-0d552249edec48941" to detach from VPC "vpc-0cbba5ddf6a4ec7ba": timeout while waiting for state to become 'detached' (last state: 'detaching', timeout: 15m0s)

--- FAIL: TestAccAwsDxGatewayAssociation_deprecatedSingleAccount (2551.41s)
testing.go:684: Step 0 error: errors during apply:
Error: error waiting for Direct Connect gateway association (ga-c1c37095-ab8d-4dcd-9f97-b369face1ad4vgw-0576f5ab3096ace51) to become available: timeout while waiting for state to become 'associated' (last state: 'associating', timeout: 15m0s)
```

* service/directconnect: Remove vpn_gateway_id arguments

Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13398

Changes:

```
* resource/aws_dx_gateway_association: Remove `vpn_gateway_id` argument
* resource/aws_dx_gateway_association_proposal: Remove `vpn_gateway_id` argument
```

Output from acceptance testing:

```
--- PASS: TestAccAwsDxGatewayAssociation_basicTransitGatewaySingleAccount (2063.56s)
--- PASS: TestAccAwsDxGatewayAssociation_basicTransitGatewayCrossAccount (2556.75s)
--- PASS: TestAccAwsDxGatewayAssociation_multiVpnGatewaysSingleAccount (2668.06s)
--- PASS: TestAccAwsDxGatewayAssociation_basicVpnGatewaySingleAccount (2674.09s)
--- PASS: TestAccAwsDxGatewayAssociation_basicVpnGatewayCrossAccount (2677.20s)
--- PASS: TestAccAwsDxGatewayAssociation_allowedPrefixesVpnGatewaySingleAccount (3612.36s)
--- PASS: TestAccAwsDxGatewayAssociation_allowedPrefixesVpnGatewayCrossAccount (3856.32s)

--- PASS: TestAccAwsDxGatewayAssociationProposal_basicVpnGateway (88.64s)
--- PASS: TestAccAwsDxGatewayAssociationProposal_disappears (96.50s)
--- PASS: TestAccAwsDxGatewayAssociationProposal_AllowedPrefixes (121.18s)
--- PASS: TestAccAwsDxGatewayAssociationProposal_basicTransitGateway (182.42s)
```

* tests/resource/aws_dx_gateway_association: Ensure v0 state upgrade is still covered by acceptance testing

Output from acceptance testing:

```
--- PASS: TestAccAwsDxGatewayAssociation_V0StateUpgrade (2605.48s)
```

Update CHANGELOG for #14144

docs/resource/aws_security_group: Update `cidr_blocks` value to list (#14329)

add support for zero ttl

add validation for `authorizer_uri`, `authorizer_credentials`
changes for %w
remove deprecated func

use set len func

revert validation for `authorizer_uri`

refactor tests

refactor tests

Update CHANGELOG for #12643

resource/aws_appautoscaling_target: Remove DeregisterScalableTarget retries on all errors and add disappears test (#14259)

Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13409
Reference: https://github.com/terraform-providers/terraform-provider-aws/issues/13826

Output from acceptance testing:

```
--- PASS: TestAccAWSAppautoScalingTarget_multipleTargets (20.68s)
--- PASS: TestAccAWSAppautoScalingTarget_optionalRoleArn (25.17s)
--- PASS: TestAccAWSAppautoScalingTarget_basic (43.13s)
--- PASS: TestAccAWSAppautoScalingTarget_spotFleetRequest (57.42s)
--- PASS: TestAccAWSAppautoScalingTarget_disappears (71.79s)
--- PASS: TestAccAWSAppautoScalingTarget_emrCluster (840.33s)

--- PASS: TestAccAWSAppautoScalingPolicy_multiplePoliciesSameName (24.97s)
--- PASS: TestAccAWSAppautoScalingPolicy_dynamodb_table (26.58s)
--- PASS: TestAccAWSAppautoScalingPolicy_multiplePoliciesSameResource (28.13s)
--- PASS: TestAccAWSAppautoScalingPolicy_dynamodb_index (37.07s)
--- PASS: TestAccAWSAppautoScalingPolicy_spotFleetRequest (71.64s)
--- PASS: TestAccAWSAppautoScalingPolicy_disappears (75.45s)
--- PASS: TestAccAWSAppautoScalingPolicy_basic (77.30s)
--- PASS: TestAccAWSAppautoScalingPolicy_scaleOutAndIn (79.17s)
--- PASS: TestAccAWSAppautoScalingPolicy_ResourceId_ForceNew (83.72s)
```

Update CHANGELOG for #14259

update statefuncs to use global method

update statefuncs to use global method

Update provider's S3 bucket lookup to use GetBucketRegion utility (#14221)

* Update provider's S3 bucket lookup to use GetBucketRegion utility

Replaces the usage of S3's GetBucketLocation with the aws-sdk-go's
GetBucketRegion utility. This utility can discover the bucket's region
without authentication, and can be configured to be compatible with
FIPS endpoints.

Fixes https://github.com/terraform-providers/terraform-provider-aws/issues/14217
Related to https://github.com/aws/aws-sdk-go/issues/3115

* Add AWS SDK for Go s3manager dependency

Adds a dependency on the AWS SDK for Go's `s3manager` and `s3iface`
packages. These packages make the s3manager package's GetBucketRegion
utility available for discovering an S3 bucket's location.

These packages are used by PR #14221.

Update CHANGELOG for #14221 and other minor formatting fixes

refactor trimTrailingPeriod method
@ghost

ghost commented Jul 31, 2020

This has been released in version 3.0.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Aug 23, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Aug 23, 2020