Sort ACM cert subject alternative names and domain validation option #10791

Closed

Commits on Nov 8, 2019

  1. Sort ACM cert subject alternative names and domain validation option

    This pull request is similar to, and was based on, hashicorp#8708. However, it resolves a few issues I discovered with that patch.
    
    The certificate creation process is clearly asynchronous, and, given
    that the provider is attempting to read properties of an
    asynchronously created object, it must poll, retrying, until all
    critical information is available. hashicorp#8530, however, expects that this
    object creation succeeds BEFORE validation is complete, so, we cannot
    wait until the certificate is status succeeded, OR, wait until the
    domain validation is complete; however, terraform requires the state
    to be intact before returning successfully from creation (as I
    understand it), and about the only way to assure the object is created successfully is to retry, which is what this resource does.
    
    My updates:
    
    - I added a retry in case the subject alternate names were empty.
    
    - I wait to Set the subject alternate names until after we've received
    all of the domain validation options (if any), so as to prevent
    side-effects from retrying.
    
    - Like hashicorp#8708, this patch sorts the SANs and DVOs according to the
    order in the original request / terraform state file, so that the
    order is predictable.
    
    This should address issue: hashicorp#8531.
    
    If this patch is applied, users will be required to either recreate
    their certificates, OR, manually edit the terraform state files to
    ensure that the order in the state file reflects the order in their
    terraform code.
    
    I found three places that must be edited:
    
    - Reorder domain_validation_options
    
    '''
    "domain_validation_options.0.resource_record_name": "domain.com",
    "domain_validation_options.0.resource_record_type": "CNAME",
    "domain_validation_options.0.resource_record_value": "...",
    '''
    
    Replace ".N." in the name with the zero-based index of each domain_validation_options.
    
    - Reorder subject_alternative_names
    
    '''
    "subject_alternative_names.0": "*.domain.com"
    '''
    
    Replace ".N" in the name with the zero-based index of each subject_alternative_name.
    
    - Reorder aws_route53_record validation resources:
    
    '''
    "aws_route53_record.validation.1": {
    '''
    
    Replace ".N" with the zero-based index of each route 53 record's domain.
    
    Kevin Burge
    Nice, Inc. (https://nice.com)
    Kevin Burge committed Nov 8, 2019
    dbdcc98
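
An added example (not code from this pull request or from the provider) of the behaviour the commit message describes: hold off on setting anything until every requested name has a complete validation option, then return the SANs and DVOs in the order of the original request. It assumes DNS validation; the `DVO` type, `ErrNotReady` and `OrderLikeRequest` are hypothetical names, and the sample data is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// DVO is a simplified stand-in for one domain validation option (hypothetical type).
type DVO struct{ Domain, RecordName, RecordType, RecordValue string }

// ErrNotReady signals that the caller should poll the certificate again.
var ErrNotReady = errors.New("certificate details incomplete, retry")

// OrderLikeRequest reorders what the API returned to match the requested order:
// primary domain first, then the SANs as written in the configuration.
// Nothing is returned until every requested name has a complete DVO, so a
// retry never leaves half-populated state behind.
func OrderLikeRequest(primary string, wantSANs, gotSANs []string, gotDVOs []DVO) ([]string, []DVO, error) {
	key := func(s string) string { return strings.ToLower(strings.TrimSuffix(s, ".")) }
	present := make(map[string]bool, len(gotSANs))
	for _, s := range gotSANs {
		present[key(s)] = true
	}
	byDomain := make(map[string]DVO, len(gotDVOs))
	for _, d := range gotDVOs {
		byDomain[key(d.Domain)] = d
	}
	sans := make([]string, 0, len(wantSANs))
	dvos := make([]DVO, 0, len(wantSANs)+1)
	for i, name := range append([]string{primary}, wantSANs...) {
		d, ok := byDomain[key(name)]
		if !present[key(name)] || !ok || d.RecordName == "" {
			return nil, nil, fmt.Errorf("%q: %w", name, ErrNotReady)
		}
		if i > 0 { // the primary domain is not listed among the SANs in state
			sans = append(sans, name)
		}
		dvos = append(dvos, d)
	}
	return sans, dvos, nil
}

func main() {
	// Constructed sample: the API answers in a different order than requested.
	got := []DVO{{"*.example.com", "_b.example.com.", "CNAME", "v2"}, {"example.com", "_a.example.com.", "CNAME", "v1"}}
	sans, dvos, err := OrderLikeRequest("example.com", []string{"*.example.com"}, []string{"*.example.com", "example.com"}, got)
	fmt.Println(sans, dvos[0].Domain, err)
}
```

A caller would treat `ErrNotReady` as retryable inside its polling loop and write state only from a successful return.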