aws_acm_certificate does not work with 4096-bit RSA keys

[Clete2]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.11
+ provider.archive v1.1.0
+ provider.aws v1.58.0

Affected Resource(s)

• aws_acm_certificate (resource & data)

Terraform Configuration Files

resource "aws_acm_certificate" "domain-resource" {
  private_key       = "${file("${path.module}/tls/example.com.private.key")}"
  certificate_body  = "${file("${path.module}/tls/example.com.cer")}"
}

data "aws_acm_certificate" "domain-data" {
  domain   = "example.com"
  statuses = ["ISSUED"]
}

Expected Behavior

A 4096-bit key should be able to be both created and read by Terraform.

Actual Behavior

A 4096-bit key can be created but not read. Terraform fails with an error stating that the specified key cannot be found.

Steps to Reproduce

1. openssl req -nodes -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 - Generate new private key and certificate
2. Add to ACM either through terraform or the console -- it doesn't matter.
3. Try to read the ACM certificate using the data_aws_acm_certificate

Description

4096-bit keys are supported by AWS ACM, but by default the list certificate APIs do not return 4096-bit keys.

Here's an example:

# aws acm list-certificates
{
    "CertificateSummaryList": []
}

# aws acm list-certificates --includes=keyTypes=RSA_4096
{
    "CertificateSummaryList": [
        {
            "CertificateArn": "arn:aws:acm:us-east-1:<SNIP>:certificate/<SNIP>",
            "DomainName": "example.com"
        }
    ]
}

In the API, we should specify that we want to see 4096-bit keys as well as other types of keys.

[Clete2]

@nywilken Do you need any additional information? I'm not familiar enough with Go to submit a fix myself.

[bflad]

Support for a new key_types argument in the aws_acm_certificate data source has been merged and will release with version 2.17.0 of the Terraform AWS Provider shortly. Thanks to @pselle for the implementation and discussion!

For example, to search for RSA 4096 bit certificates:

data "aws_acm_certificate" "example" {
  domain    = "example.com"
  key_types = ["RSA_4096"]
}

We preferred to add the new argument over always searching all key types (going against the default ACM API) as the expanded criteria could represent a breaking change for environments where multiple key types exist for the same domain already. Enjoy!

[bflad]

This has been released in version 2.17.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!