terraform,

Terraform aws_acm_certificate resource forces constant replacement

May 04, 2022 · 1 min read · Post a comment
Terraform aws_acm_certificate resource forces constant replacement

Take a look at the following Terraform code block:

resource "aws_acm_certificate" "devcoops" {
  domain_name               = "devcoops.com"
  subject_alternative_names = ["devcoops.com", "www.devcoops.com"]
  validation_method         = "DNS"

  tags = {
    Environment = "prod"
  }

  lifecycle {
    create_before_destroy = true
  }
}

So, you might be thinking what’s wrong with it? Obviously, at first sight it seems fine, but if you run terraform plan / apply, you will get prompted every single time for a resource recreation. For instance:

   ~ subject_alternative_names = [ # forces replacement
       + "devcoops.com",
         "www.devcoops.com",
     ]

And there are two ways to handle it.

Prerequisites

  • Terraform

Solution(s)

Solution no. 1

Never add the domain_name value as part of the subject_alternative_names list.

resource "aws_acm_certificate" "devcoops" {
  domain_name               = "devcoops.com"
  subject_alternative_names = ["www.devcoops.com"]
  ...

Solution no. 2

Since subject_alternative_names is an optional argument, either remove it or leave it empty.

resource "aws_acm_certificate" "devcoops" {
  domain_name               = "devcoops.com"
  subject_alternative_names = []
  ...

Conclusion

As always, if you can think of any alternative solution, feel free to write a comment below. On a side note, follow our official channel on Telegram.