Can not create aws_api_gateway_domain_name on the first run #10447
Comments
Hi @speller 👋 Thanks for reporting this and sorry for the hassle.
The explicit The documentation lives in this codebase at |
@bflad Thank you for your answer. My concern is about why TF is waiting for the validation resource to be created and fails even after it is created? Can it be fixed? The error message is incorrect by the way. It states about invalid certificate ARN, but actually it is about some issues with validation.
I've added a note in the documentation #10466 for this issue.
When you give Terraform a configuration to apply, it generates a directed acyclic graph (DAG) that determines if operations have dependencies or can otherwise be done in parallel. By default, Terraform performs operations (that do not have dependencies on each other) with a concurrency of 10. You can see this graph if you run When a particular node in the graph has an error, nodes that are dependent on that node are not executed. If there are other nodes in the graph that are not dependent on that node, they are allowed to continue applying since (theoretically) they should not be affected by the failure. Configuring Terraform with implicit or explicit dependencies is one way to ensure expected behavior when applying a configuration, should there be any failures. Since the original configuration does not have an implicit or explicit dependency between
The error message:
Is generated from the AWS API and just passed through by Terraform. For improvements to this error messaging, you would need to contact AWS. Of note though, ACM changes can sometimes display eventual consistency issues with other AWS services during certificate creation/deletion, so the API Gateway service may not be able to see the new ACM certificate immediately after it's created. In certain resources where setting up the correct dependencies can still display eventual consistency issues like these (notorious when working with IAM and S3 for example), we do introduce retry logic for a few minutes (up to 5 minutes) on specific error messaging to help operators. In this case though, ACM certificate validation can be manual or take upwards of 45 minutes. Most likely, we would not want to introduce retries that long into the
Much appreciated. 😄
This has been released in version 2.37.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
Unable to create an aws_api_gateway_domain_name on the first run (when no infra were previously created). On re-run the resource is created successfully. The behavior is constant and always reproduces.
Community Note
Terraform Version
Terraform v0.12.6
Affected Resource(s)
aws_api_gateway_domain_name
Terraform Configuration Files
Prerequisites:
Debug Output
https://gist.github.com/speller/23fbc81c1c8c53cef8ce5cf63db86221
Regular output:
Expected Behavior
The aws_api_gateway_domain_name resource is created without issues.
Actual Behavior
The exception is thrown and the script fails.
Steps to Reproduce
terraform apply
References
Workaround
Add depends_on = [aws_acm_certificate_validation.cert-validation] to the aws_api_gateway_domain_name definition. Or change cert arn property to this: regional_certificate_arn = aws_acm_certificate_validation.cert-validation.certificate_arn. Explicit dependency on the aws_acm_certificate_validation resource is required. This should be fixed or mentioned in docs. Without this workaround, TF fails despite it's actually waiting until the aws_acm_certificate_validation is created.
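The workaround described in this issue, written out as a complete configuration for Terraform 0.12 and the 2.x AWS provider. This is an added example, not the reporter's configuration: the variables, the hosted zone, and every resource name except cert-validation are assumptions.

```hcl
variable "api_domain" { type = string } # assumed input, e.g. api.example.com
variable "zone_id" { type = string }    # assumed Route 53 hosted zone ID

resource "aws_acm_certificate" "cert" {
  domain_name       = var.api_domain
  validation_method = "DNS"
}

# DNS record that proves control of the domain to ACM.
# 2.x provider syntax: domain_validation_options is a list.
resource "aws_route53_record" "cert-validation-record" {
  zone_id = var.zone_id
  name    = aws_acm_certificate.cert.domain_validation_options[0].resource_record_name
  type    = aws_acm_certificate.cert.domain_validation_options[0].resource_record_type
  records = [aws_acm_certificate.cert.domain_validation_options[0].resource_record_value]
  ttl     = 60
}

# Finishes only once ACM reports the certificate as issued.
resource "aws_acm_certificate_validation" "cert-validation" {
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = [aws_route53_record.cert-validation-record.fqdn]
}

resource "aws_api_gateway_domain_name" "api" {
  domain_name = var.api_domain

  # Form that fails on a first apply: it references only the certificate,
  # so the graph has no edge to cert-validation and the domain name can be
  # created while the certificate is still pending validation.
  # regional_certificate_arn = aws_acm_certificate.cert.arn

  # Reading the ARN through the validation resource adds an implicit
  # dependency, so this resource waits for validation to finish.
  regional_certificate_arn = aws_acm_certificate_validation.cert-validation.certificate_arn

  # Alternative from the issue: keep aws_acm_certificate.cert.arn above and add
  # depends_on = [aws_acm_certificate_validation.cert-validation]

  endpoint_configuration {
    types = ["REGIONAL"]
  }
}
```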