Terraform ACM Certificate State Change After Provider Update

Introduction
Step-by-Step Guide
Code Example
Additional Notes
Summary
Conclusion
References

Introduction

When working with AWS ACM certificates in Terraform, you might encounter situations where the certificate state remains in "pending validation." This can happen if DNS propagation delays cause Terraform to attempt validation before DNS records update globally, if there are incorrect DNS configurations such as missing or inaccurate CNAME records, or if Terraform provider updates introduce changes in certificate state handling. Other potential causes include issues with count and multiple certificates, data source dependencies that aren't configured to handle potential certificate unavailability, incorrect execution order or state sharing in multi-stage Terraform setups, and problems with remote state accessibility or backend configuration.

Step-by-Step Guide

When working with AWS ACM certificates in Terraform, you might encounter situations where the certificate state remains in "pending validation." This can happen if:

DNS propagation delays: After updating the Name Servers for your domain, it takes time for the changes to propagate. Terraform might attempt validation before the DNS records are updated globally.
```
resource "aws_acm_certificate" "example" {
  domain_name = "example.com"
  validation_method = "DNS"
}
```
Incorrect DNS configuration: Double-check that you've created the correct CNAME records in your DNS provider's settings as instructed by AWS.
Terraform provider updates: Sometimes, updates to the AWS provider might introduce changes in how certificate states are handled. Ensure you're using a compatible provider version.
```
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0" 
    }
  }
}
```
Count and multiple certificates: If you're using count to create multiple certificates, ensure the logic for generating certificate names and domains is correct.
```
resource "aws_acm_certificate" "example" {
  count = length(var.domains)
  domain_name = var.domains[count.index]
}
```
Data source dependencies: If you're using data sources that depend on the certificate, ensure they're configured to handle cases where the certificate might not be immediately available.
```
data "aws_acm_certificate" "example" {
  domain = aws_acm_certificate.example.domain_name
}
```
Multiple Terraform stages: If you're using multiple Terraform stages (e.g., separate stages for creating certificates and resources that depend on them), ensure the stages are executed in the correct order and that state is shared between them.

Remote state: If you're using remote state, ensure the state file is accessible and that the correct backend configuration is used.

terraform {
  backend "s3" {
    bucket = "my-terraform-state-bucket"
    key    = "path/to/my/state.tfstate"
    region = "us-west-2"
  }
}

If you're still facing issues, review the Terraform logs for detailed error messages and consider using tools like terraform plan and terraform apply with the -target option to debug specific resources.

Code Example

This Terraform code defines infrastructure for provisioning and using AWS ACM certificates. It sets up an AWS provider, configures optional remote state, and declares a variable for domain names. The code creates ACM certificates for each domain, fetches certificate details using a data source, and demonstrates using the certificate ARN in an example load balancer listener resource.

# main.tf

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0" # Ensure a compatible version
    }
  }
}

# Configure remote state (optional)
terraform {
  backend "s3" {
    bucket = "your-terraform-state-bucket"
    key    = "path/to/your/state.tfstate"
    region = "your-aws-region"
  }
}

# Define variables for domain names
variable "domains" {
  type = list(string)
  default = ["example.com", "www.example.com"]
}

# Create ACM certificates
resource "aws_acm_certificate" "example" {
  count         = length(var.domains)
  domain_name   = var.domains[count.index]
  validation_method = "DNS"
}

# Define a data source to fetch the certificate details
data "aws_acm_certificate" "example" {
  domain = aws_acm_certificate.example[0].domain_name # Assuming you need the first certificate

  # Handle cases where the certificate might not be immediately available
  depends_on = [aws_acm_certificate.example]
}

# Example resource that depends on the certificate
resource "aws_lb_listener" "example" {
  # ... other configurations ...

  certificate_arn = data.aws_acm_certificate.example.arn
}

Explanation:

Provider Version: The code specifies a compatible AWS provider version (~> 4.0).
Remote State: It includes an optional terraform block for configuring remote state using S3.
Variables: It defines a domains variable to store a list of domain names.
Certificate Creation: The aws_acm_certificate resource creates certificates for each domain in the domains variable using the count meta-argument.
Data Source: The data "aws_acm_certificate" fetches the details of the first certificate created. The depends_on meta-argument ensures that the data source is queried only after the certificate is created.
Dependent Resource: An example aws_lb_listener resource demonstrates how to use the certificate ARN obtained from the data source.

Troubleshooting Tips:

DNS Propagation: Allow sufficient time for DNS changes to propagate after updating your domain's name servers.
DNS Configuration: Double-check the CNAME records created in your DNS provider's settings.
Terraform Logs: Review the Terraform logs (terraform apply -target=aws_acm_certificate.example) for detailed error messages.
State File: If using remote state, ensure the state file is accessible and the backend configuration is correct.

This comprehensive example addresses the common causes of "pending validation" states and provides guidance on troubleshooting and best practices. Remember to replace the example values with your specific configurations.

Additional Notes

Certificate Transparency Logging: By default, AWS ACM certificates are enrolled in Certificate Transparency logs. This might add some time to the validation process.
Wildcard Certificates: When requesting a wildcard certificate (e.g., *.example.com), ensure you understand the DNS validation requirements for wildcard domains.
Rate Limits: AWS has rate limits for ACM certificate requests. If you're creating a large number of certificates, you might encounter throttling. Consider using the AWS SDK or API to check the status of certificate requests and implement retry logic in your Terraform code.
Alternative Validation Methods: Besides DNS validation, AWS ACM also supports email validation. This can be useful if you don't have direct control over DNS settings.
Manual Validation: In some cases, you might need to manually validate a certificate through the AWS console. This is typically required for specific domain extensions or unusual DNS setups.
Certificate Renewal: ACM certificates are automatically renewed by default. However, it's essential to ensure that your DNS records remain valid to avoid renewal failures.
Import Existing Certificates: You can import existing ACM certificates into Terraform using the aws_acm_certificate data source and the import command.
Testing and Debugging: Use terraform plan to preview changes before applying them. The -target option can be helpful for debugging specific resources. Additionally, enable verbose logging for more detailed output.
Security Best Practices: Store sensitive information, such as private keys, securely using tools like AWS Secrets Manager or HashiCorp Vault. Avoid hardcoding credentials in your Terraform code.

By understanding these nuances and following best practices, you can effectively manage AWS ACM certificates with Terraform and ensure a smooth and secure deployment process.

Summary

Issue	Description	Solution
DNS Propagation Delays	DNS changes take time to propagate globally. Terraform might attempt validation before records update.	Wait for propagation or use a tool to check DNS records.
Incorrect DNS Configuration	CNAME records are not correctly configured in your DNS provider.	Double-check CNAME records against AWS instructions.
Terraform Provider Updates	Provider updates can change how certificate states are handled.	Use a compatible provider version (e.g., `hashicorp/aws ~> 3.0`).
Count and Multiple Certificates	Logic for generating certificate names and domains using `count` is incorrect.	Verify the logic within the `count` block.
Data Source Dependencies	Data sources depending on the certificate are not configured to handle potential unavailability.	Ensure data sources can handle cases where the certificate is not immediately available.
Multiple Terraform Stages	Stages are not executed in the correct order, or state is not shared properly.	Define stage dependencies and ensure state is shared between them.
Remote State	State file is inaccessible, or the backend configuration is incorrect.	Verify state file accessibility and correct backend configuration.

General Troubleshooting Tips:

Review Terraform logs for detailed error messages.
Use terraform plan and terraform apply with the -target option to debug specific resources.

Conclusion

To wrap up, managing AWS ACM certificates with Terraform requires careful attention to potential pitfalls like DNS propagation delays, configuration errors, and Terraform state management. By understanding these common issues and implementing the provided code examples and troubleshooting tips, you can streamline your certificate provisioning process and ensure a secure and robust infrastructure. Remember to double-check your configurations, leverage Terraform's debugging capabilities, and stay updated on AWS and Terraform best practices for optimal results.

References

Multiple Plan+Apply stages - Terraform - HashiCorp Discuss | I’m trying to provision my environment using terraform, it creates everything from scratch, so in case of disaster I can simply run terraform apply and create all AWS and K8s resources I need. Unfortunately, I keep hitting same wall. Some resources need to be created before others, furthermore some resources need to be created before planning changes in other resources. Terraform’s PLAN everything > APPLY everything model, does not work very well for me. What seems to be missing (or I don’t kno...
AWS ACM certificate state is pending validation and not changing to ... | Jun 29, 2021 ... ... update the Name Servers in my domain, what I did was the opposite. ... state output possibly due to a provider update- am I doing this wrong?
cloudflare_record used with aws_acm_certificate always thinks it ... | Terraform Version 0.11.10 Affected Resource(s) Please list the resources as a list, for example: cloudflare_record aws_acm_certificate Terraform Configuration Files variable "domain" {} variable "a...
terraform - Why isn't my AWS ACM certificate validating? - Stack ... | Jul 8, 2020 ... ... Terraform, which I ... aws_acm_certificate seems to have changed its state output possibly due to a provider update- am I doing this wrong?
Data sources should allow empty results without failing · Issue ... | This is an enhancement request. Data sources should allow empty results without failing the plan or apply. This would allow for fallback or fallthrough scenarios that are needed in certain situatio...
Importing and exporting from multiple workspaces/modules : r ... | Posted by u/NiPinga - 2 votes and 3 comments
count is not working on certificate with multiple names · Issue ... | Community Note Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request Please do not leave "+1" or "me too" comments, th...
SweetOps #terraform for June, 2021 | Jun 1, 2021 ... ... the remote-state call. The reasons aren't always ... It seems we could be doing this with the terraform_remote_state provider, but we would ...
The evaluating of data source working with count is wrong (probably ... | Terraform Version 0.11.10 (but I guess the bug may have been across multiple previous versions) Description of the issue The code I am going to show you is a demo code, not a real code used in prac...