This pull request is similar to, and was based on, hashicorp#8708. However, it resolves a few issues I discovered with that patch.
The certificate creation process is clearly asynchronous, and, given that the provider is attempting to read properties of an asynchronously created object, it must poll, retrying, until all critical information is available. hashicorp#8530, however, expects that this object creation succeeds BEFORE validation is complete, so we cannot wait until the certificate status is succeeded, OR wait until the domain validation is complete; however, terraform requires the state to be intact before returning successfully from creation (as I understand it), and about the only way to assure the object is created successfully is to retry, which is what this resource does.
My updates:
- I added a retry in case the subject alternate names were empty.
- I wait to Set the subject alternate names until after we've received all of the domain validation options (if any), so as to prevent side-effects from retrying.
- Like hashicorp#8708, this patch sorts the SANs and DVOs according to the order in the original request / terraform state file, so that the order is predictable.
This should address issue: hashicorp#8531.
If this patch is applied, users will be required to either recreate their certificates, OR manually edit the terraform state files to ensure that the order in the state file reflects the order in their terraform code.
I found three places that must be edited:
- Reorder domain_validation_options
```
"domain_validation_options.0.resource_record_name": "domain.com",
"domain_validation_options.0.resource_record_type": "CNAME",
"domain_validation_options.0.resource_record_value": "...",
```
Replace ".N." in the name with the zero-based index of each domain_validation_options.
- Reorder subject_alternative_names
```
"subject_alternative_names.0": "*.domain.com"
```
Replace ".N" in the name with the zero-based index of each subject_alternative_name.
- Reorder aws_route53_record validation resources:
```
"aws_route53_record.validation.1": {
```
Replace ".N" with the zero-based index of each route 53 record's domain.
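To do the state edit described above without mistyping indexes, here is an added Python helper (not part of this pull request or the provider) that renumbers the flattened `subject_alternative_names.N` and `domain_validation_options.N.*` keys of an `aws_acm_certificate` resource's attribute map to match the configuration. It assumes DVOs are ordered primary domain first, then SANs in config order, and the sample attribute map is constructed; the same `reindex` function can renumber the `aws_route53_record.validation.N` resource keys given an identity function for each record.

```python
import re

# Constructed sample of the flattened attribute map Terraform stores for an
# aws_acm_certificate resource (real state also carries resource_record_type
# and resource_record_value per option; they are renumbered the same way).
SAMPLE_ATTRIBUTES = {
    "domain_name": "domain.com",
    "subject_alternative_names.#": "2",
    "subject_alternative_names.0": "www.domain.com",
    "subject_alternative_names.1": "*.domain.com",
    "domain_validation_options.#": "3",
    "domain_validation_options.0.domain_name": "www.domain.com",
    "domain_validation_options.0.resource_record_name": "_a.www.domain.com.",
    "domain_validation_options.1.domain_name": "domain.com",
    "domain_validation_options.1.resource_record_name": "_b.domain.com.",
    "domain_validation_options.2.domain_name": "*.domain.com",
    "domain_validation_options.2.resource_record_name": "_c.domain.com.",
}


def reindex(attrs, prefix, desired, ident):
    """Return a copy of attrs in which the '<prefix>.N[...]' keys are renumbered
    so element order matches `desired`; ident(attrs, n) names element n."""
    pat = re.compile(r"^%s\.(\d+)(\..+)?$" % re.escape(prefix))
    current = {}  # identity -> index currently used in the state file
    for key in attrs:
        m = pat.match(key)
        if m:
            n = int(m.group(1))
            current.setdefault(ident(attrs, n), n)
    if sorted(current) != sorted(desired):
        raise ValueError("state has %r, config has %r" % (sorted(current), sorted(desired)))
    remap = {current[value]: new for new, value in enumerate(desired)}
    out = {}
    for key, val in attrs.items():
        m = pat.match(key)
        if m:  # the '.#' count key does not match and is copied unchanged
            key = "%s.%d%s" % (prefix, remap[int(m.group(1))], m.group(2) or "")
        out[key] = val
    return out


def reorder_certificate(attrs, domain_name, sans):
    """Reorder SANs to the config order and DVOs to primary domain then SANs
    (assumed here to be the request order this patch sorts by)."""
    attrs = reindex(attrs, "subject_alternative_names", sans,
                    lambda a, n: a["subject_alternative_names.%d" % n])
    return reindex(attrs, "domain_validation_options", [domain_name] + sans,
                   lambda a, n: a["domain_validation_options.%d.domain_name" % n])
```

Run it on the `attributes` map of the certificate resource pulled out of the state file, then write the result back; a mismatch between state and config raises instead of silently renumbering.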
Kevin Burge
Nice, Inc. (https://nice.com)