
aws_api_gateway_domain_name changing imported cert to ACM AWS Managed recreating resource instead of modify #12366

Open
ivanzolotuhin opened this issue Mar 12, 2020 · 1 comment
Labels
service/apigateway Issues and PRs that pertain to the apigateway service. waiting-response Maintainers are waiting on response from community or contributor.

ivanzolotuhin commented Mar 12, 2020

I am trying to replace an imported cert, which will expire soon, with an AWS Managed one on an
aws_api_gateway_domain_name Edge cert.

Terraform v0.12.23

  • provider.aws v2.41.0
  • Downloading plugin for provider "aws" (hashicorp/aws) 2.52.0...

replacing

resource "aws_api_gateway_domain_name" "lambda_custom_domain" {
  domain_name             = "${var.aws_api_lambdas["friendly_domain_prefix"]}.domain.com"
  certificate_name        = "domain-custom-lambda-domain-cert"
  certificate_body        = "${file("../../../certificates/wildcard.domain.com.crt")}"
  certificate_private_key = "${file("../../../certificates/wildcard.domain.com.key")}"
  certificate_chain       = "${file("../../../certificates/wildcard.domain.com.crt.nginx.chain.pem")}"
}

to

resource "aws_api_gateway_domain_name" "lambda_custom_domain" {
  domain_name             = "${var.aws_api_lambdas["friendly_domain_prefix"]}.domain.com"
  certificate_arn         = var.global["cert_arn_us"]
}

Expected behaviour: tf just modifies the resource, only removing the old cert and using the Edge us-east-1 ACM cert.
What actually happens: it tries to recreate the resource and recreate all dependent resources, which is a disaster.

Workaround steps:

  1. Manually replace the cert for the API Gateway domain name (choose the ACM Edge cert in the AWS console), then "rollback cert" in the AWS console, which for whatever reason is needed to apply it.
  2. Run terraform refresh to refresh the state. At this point the new certificate_arn is the right one, but the plan command still offers to recreate the resource, because it wants to remove the old certificate, which is no longer attached to the resource.
  3. After the refresh: manually change the .tfstate file by removing all old-certificate-related fields from the JSON: certificate_body, certificate_chain, certificate_name, certificate_private_key.
  4. Apply/plan terraform: no changes required! Which is expected after all the manual manipulations.
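The state edit in step 3 of the workaround above, written out as an added example that is not part of the issue or of the provider's code. It assumes a state-format-version-4 `terraform.tfstate` (the layout Terraform 0.12 writes); the sample state, the placeholder ARN and the PEM bodies embedded in it are constructed for the example. The script copies the state, removes the four imported-certificate attributes from every managed `aws_api_gateway_domain_name` instance, refuses to touch an instance that has no `certificate_arn` (that would leave the domain with no certificate in state at all), and bumps the `serial`, which Terraform expects to be higher than the serial it last wrote whenever state is edited by hand. Because `certificate_private_key` is stored in plain text in state, this edit also removes the old private key from the state file, so the original file should be kept somewhere access-controlled rather than left lying around.

```python
import copy
import json
import sys

# Attribute names from step 3 of the issue: the imported-certificate fields that
# remain in state after `terraform refresh` and make `plan` want to recreate.
IMPORTED_CERT_FIELDS = (
    "certificate_body",
    "certificate_chain",
    "certificate_name",
    "certificate_private_key",
)

# Constructed sample state (not taken from the issue): a minimal state-format-v4
# document with one aws_api_gateway_domain_name resource whose instance still
# carries the imported-cert attributes. ARN and PEM contents are placeholders.
SAMPLE_STATE = {
    "version": 4,
    "terraform_version": "0.12.23",
    "serial": 7,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "outputs": {},
    "resources": [
        {
            "mode": "managed",
            "type": "aws_api_gateway_domain_name",
            "name": "lambda_custom_domain",
            "provider": "provider.aws",
            "instances": [
                {
                    "schema_version": 0,
                    "attributes": {
                        "domain_name": "api.example.com",
                        "certificate_arn": "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER",
                        "certificate_name": "domain-custom-lambda-domain-cert",
                        "certificate_body": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
                        "certificate_chain": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
                        "certificate_private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
                    },
                }
            ],
        }
    ],
}


def strip_imported_cert_fields(state, resource_type="aws_api_gateway_domain_name"):
    """Return (new_state, removed_count) with the imported-cert attributes
    dropped from every managed instance of resource_type.

    The input dict is left unmodified. The serial is incremented by one when
    anything was removed; a pass over an already-clean state changes nothing.
    """
    new_state = copy.deepcopy(state)
    removed = 0
    for resource in new_state.get("resources", []):
        if resource.get("mode") != "managed" or resource.get("type") != resource_type:
            continue
        for instance in resource.get("instances", []):
            attrs = instance.get("attributes", {})
            has_old_fields = any(attrs.get(f) for f in IMPORTED_CERT_FIELDS)
            if has_old_fields and not attrs.get("certificate_arn"):
                # Refuse rather than leave the domain with no certificate in state.
                raise ValueError(
                    f"{resource_type}.{resource.get('name')} has no certificate_arn; "
                    "refusing to strip its only certificate"
                )
            for field in IMPORTED_CERT_FIELDS:
                if field in attrs:
                    del attrs[field]
                    removed += 1
    if removed:
        new_state["serial"] = int(new_state.get("serial", 0)) + 1
    return new_state, removed


def rewrite_state_file(src_path, dst_path):
    """Read src_path, strip the fields, write the result to dst_path (never in
    place, so the original stays available for comparison). Returns the count."""
    with open(src_path, encoding="utf-8") as fh:
        state = json.load(fh)
    new_state, removed = strip_imported_cert_fields(state)
    with open(dst_path, "w", encoding="utf-8") as fh:
        json.dump(new_state, fh, indent=2)
        fh.write("\n")
    return removed


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(f"removed {rewrite_state_file(sys.argv[1], sys.argv[2])} attribute(s)")
    else:
        cleaned, count = strip_imported_cert_fields(SAMPLE_STATE)
        print(json.dumps(cleaned, indent=2))
        print(f"removed {count} attribute(s)")
```

Usage: `python strip_cert_fields.py terraform.tfstate terraform.cleaned.tfstate`, then compare the two files, replace the state (for remote backends via `terraform state push`), and run `terraform plan` to confirm it reports no changes. Run with no arguments to see the transformation applied to the constructed sample.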
@ghost ghost added the service/apigateway Issues and PRs that pertain to the apigateway service. label Mar 12, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Mar 12, 2020
@justinretzolk
Member

Hey @ivanzolotuhin 👋 Thank you for taking the time to file this. I suspect with the amount of time that's passed, you're no longer experiencing this, but I'd like to follow up just to be sure. On a quick look, it looks like certificate_body, certificate_private_key, and certificate_chain are all marked as ForceNew: true, which would at least explain why Terraform was attempting to recreate the resource.

@justinretzolk justinretzolk added waiting-response Maintainers are waiting on response from community or contributor. and removed needs-triage Waiting for first response or review from a maintainer. labels Oct 22, 2021