
Route53 validation records creation fails #7918

Closed
ToROxI opened this issue Mar 13, 2019 · 10 comments
Assignees
Labels
question A question about existing functionality; most questions are re-routed to discuss.hashicorp.com. service/acm Issues and PRs that pertain to the acm service. service/route53 Issues and PRs that pertain to the route53 service.

Comments

@ToROxI

ToROxI commented Mar 13, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.11

  • provider.aws v2.1.0

Affected Resource(s)

aws_acm_certificate
aws_route53_record

Terraform Configuration Files

resource "aws_acm_certificate" "example_wildcard" {
  domain_name               = "example.com"
  subject_alternative_names = ["*.example.com"]

  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }

  tags = "${var.tags}"
}

resource "aws_route53_record" "example_wildcard_validation_0" {
  name    = "${aws_acm_certificate.example_wildcard.domain_validation_options.0.resource_record_name}"
  type    = "${aws_acm_certificate.example_wildcard.domain_validation_options.0.resource_record_type}"
  zone_id = "${aws_route53_zone.example.id}"
  records = ["${aws_acm_certificate.example_wildcard.domain_validation_options.0.resource_record_value}"]
  ttl     = 60
}

resource "aws_route53_record" "example_wildcard_validation_1" {
  name    = "${aws_acm_certificate.example_wildcard.domain_validation_options.1.resource_record_name}"
  type    = "${aws_acm_certificate.example_wildcard.domain_validation_options.1.resource_record_type}"
  zone_id = "${aws_route53_zone.example.id}"
  records = ["${aws_acm_certificate.example_wildcard.domain_validation_options.1.resource_record_value}"]
  ttl     = 60
}

Expected Behavior

I tried to create an aws_acm_certificate for "example.com" domain name with "subject_alternative_names" set to "*.example.com". This produces two domain_validation_options with the same CNAME. It should either produce a single domain_validation_option or recognise at validation stage that the two are identical.

Actual Behavior

Error: Error applying plan:

1 error(s) occurred:

* aws_route53_record.example_wildcard_validation_1: 1 error(s) occurred:

* aws_route53_record.example_wildcard_validation_1: [ERR]: Error building changeset: InvalidChangeBatch: [Tried to create resource record set [name='_6fcf8470af9790c423164357049b8dba.example.com.', type='CNAME'] but it already exists]
	status code: 400, request id: d374a768-44ce-11e9-a407-07f68f36e577

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

Steps to Reproduce

  1. terraform apply

Important Factoids

None

References

  • #0000
@ToROxI ToROxI changed the title aws_acm_certificate: certificate for domain 'example.com' with subject_alternative_names = '*.example.com' can not be created Route53 validation records creation fails Mar 13, 2019
@ayashjorden

In my use case, I have an infra module that creates an ACM cert for *.my.domain.com.
This module gets called twice (my platform is deployed in two regions), so I have two certs configured the same, one for each region.

While the call for one region succeeds, the call for the 2nd region fails with the same error as the OP.

My aws provider version is 2.0.0

Details:

  • infra-us-east-1
    |- aws_acm_certificate: my.domain.com, SAN=*.my.domain.com - this one gets created and validated
  • infra-us-west-2
    |- aws_acm_certificate: my.domain.com, SAN=*.my.domain.com - this one gets created but fails because the R53 record already exists.

I've confirmed that with aws provider version 1.60.0 the issue doesn't happen.
With aws provider version 2.3.0 the issue is still happening.

@ayashjorden

Reading this suggests that the new versions of this provider are working as designed/expected.

This breaks the functionality of validating ACM certs using DNS validation, as AWS generates the validation record data (name and value) based on the requested domain (and SANs) and the account info.
Region and other information about the certificate do not go into the calculation.

czimergebot pushed a commit to chanzuckerberg/cztack that referenced this issue May 28, 2019
[fix] ACM certificate route53 validation overwrite

### Summary
The new tf provider refuses to overwrite existing route53 records breaking previous functionality. This is a problem for acm since we need the same record for each region. Therefore, we allow route53 records to be overwritten by default.

### Test Plan
unittests

### References
hashicorp/terraform-provider-aws#7918
@texascloud

texascloud commented Jun 20, 2019

Is the only option to provide the allow_overwrite = true field to the aws_route53_record resource? I'm using latest version 2.15.0 and am hitting this issue as well.

allow_overwrite option didn't work for me anyways

@aeschright aeschright added needs-triage Waiting for first response or review from a maintainer. service/acm Issues and PRs that pertain to the acm service. service/route53 Issues and PRs that pertain to the route53 service. labels Jun 20, 2019
@aeschright aeschright self-assigned this Jun 21, 2019
@aeschright aeschright added question A question about existing functionality; most questions are re-routed to discuss.hashicorp.com. and removed needs-triage Waiting for first response or review from a maintainer. labels Jun 25, 2019
@christianbradley

This bug is preventing me from deploying applications that utilize Certificate Manager DNS validation. I'm having the same issue as @CamelCaseNotation mentions above - allow_overwrite = true has no effect.

@tracypholmes
Contributor

Thank you for using Terraform and for opening up this question @ToROxI. Issues on GitHub are intended to be related to bugs or feature requests with the provider codebase. Please use https://discuss.hashicorp.com/c/terraform-providers for community discussions, and questions around Terraform.

It looks as though @ayashjorden has provided an answer and reference to this question.

If you believe this issue was miscategorized as a question or closed in error, please create a new issue using one of the following provided templates: bug report or feature request. Please make sure to provide us with the appropriate information so we can best determine how to assist with the given issue.

@mkamrani

> Is the only option to provide the allow_overwrite = true field to the aws_route53_record resource? I'm using latest version 2.15.0 and am hitting this issue as well.
>
> allow_overwrite option didn't work for me anyways

It worked for me

arkadijs added a commit to agilestacks/components that referenced this issue Aug 22, 2019
aws_route53_record.main: [ERR]: Error building changeset: InvalidChangeBatch: [Tried to create resource record set [name='_61d8ab692c2cada15a5dc3064b50fa55.apps.cyan.devpreview.agilestacks.io.', type='CNAME'] but it already exists]
hashicorp/terraform-provider-aws#7918
@Dmitry1987

oh well, allow_overwrite didn't work for me either... any ideas how to make it not fail on an existing record?

  # module.xxxxxxxx-xxxx.aws_route53_record.cert_validation[0] will be created
  + resource "aws_route53_record" "cert_validation" {
      + allow_overwrite = (known after apply)
      + fqdn            = (known after apply)
      + id              = (known after apply)
      + name            = "xxxxxxxx.xx-xxxxxx.com"
      + records         = [
          + "xxxxxxxxxxx.olprtlswtu.acm-validations.aws.",
        ]
      + ttl             = 60
      + type            = "CNAME"
      + zone_id         = "xxxxxxxxx"
    }
Error: [ERR]: Error building changeset: InvalidChangeBatch: [Tried to create resource record set [name='xxxxxxxxx.xxx-xxxxx.com.', type='CNAME'] but it already exists]
	status code: 400, request id: xxxxxx-4530-430f-920c-xxxxxxx

  on xxxxx/aws/acm/acm.tf line 25, in resource "aws_route53_record" "cert_validation":
  25: resource "aws_route53_record" "cert_validation" {

@Dmitry1987

by the way, I am using terraform 0.12.9
and all default settings for the provider, so I guess it pulls the latest AWS provider, and the fix with the overwrite flag definitely does not work.

I have the flag hardcoded to true:

# Terraform 0.12 syntax: first-class expressions, no "${...}" wrappers needed.
resource "aws_route53_record" "cert_validation" {
  # One validation record per requested domain name.
  count = length(var.domain_names)

  # Each domain_validation_options entry is a map with the CNAME name/type/value.
  name    = lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "resource_record_name")
  type    = lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "resource_record_type")
  zone_id = data.aws_route53_zone.selected.id
  records = [lookup(aws_acm_certificate.cert.domain_validation_options[count.index], "resource_record_value")]
  ttl     = 60

  # Hardcoded so the provider should UPSERT instead of CREATE.
  allow_overwrite = true
}

and it still fails with the error above. Maybe there is a way to add some conditional block to avoid TF attempting the operation if the record already exists? I am thinking of a way to disable that block on subsequent runs....
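The two situations in this thread have one root cause: ACM derives the validation CNAME from the domain name and the account only, so example.com and *.example.com share a CNAME, and the same certificate requested in two regions shares it as well; Route53 rejects a second CREATE for that name with InvalidChangeBatch. The configuration below is an added example, not code from the issue or from the provider project. It assumes Terraform 0.12.6 or later (resource for_each) and AWS provider 3.0 or later, where domain_validation_options is a set whose domain_name keys are known at plan time; the hosted zone resource name aws_route53_zone.example is taken from the original report.

```hcl
# Added example, not code from the issue or the provider project.
# Assumes Terraform >= 0.12.6 and AWS provider >= 3.0 (domain_validation_options
# is a set and domain_name is known at plan time, so it can key for_each).

resource "aws_acm_certificate" "example_wildcard" {
  domain_name               = "example.com"
  subject_alternative_names = ["*.example.com"]
  validation_method         = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# One record per domain_validation_options entry, keyed by domain name so the
# for_each keys are known before the certificate exists. For example.com and
# *.example.com ACM returns two entries with the same CNAME name and value, so
# the second record repeats the first. allow_overwrite = true makes the provider
# send an UPSERT change instead of CREATE, which is the action that the
# "already exists" InvalidChangeBatch error rejects. The same setting lets a
# second region's copy of this certificate reuse the CNAME that another region's
# configuration created.
resource "aws_route53_record" "example_wildcard_validation" {
  for_each = {
    for dvo in aws_acm_certificate.example_wildcard.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }

  zone_id         = aws_route53_zone.example.zone_id
  name            = each.value.name
  type            = each.value.type
  records         = [each.value.record]
  ttl             = 60
  allow_overwrite = true
}

# Waits until ACM has observed the CNAMEs and issued the certificate, so that
# anything referencing the ARN (listeners, CloudFront) only sees an issued cert.
resource "aws_acm_certificate_validation" "example_wildcard" {
  certificate_arn         = aws_acm_certificate.example_wildcard.arn
  validation_record_fqdns = [for r in aws_route53_record.example_wildcard_validation : r.fqdn]
}
```

Two things to keep in mind when the CNAME is shared across regions: every configuration that manages the record will also delete it on destroy, and ACM needs that CNAME to remain in place to renew the certificate automatically, so tearing down one region's stack can silently break renewal for the other. Managing the validation records in one place and having the other regions create only the certificate and the validation resource avoids that coupling.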

@Dmitry1987

oh and the * provider.aws: version = "~> 2.30" and it is the latest. But yeah, this discussion belongs here: https://github.com/terraform-providers/terraform-provider-aws/issues
just that this page is at the top of Google for the issue search keyword ....

so,
Anyone who has this issue please go here: https://github.com/terraform-providers/terraform-provider-aws

@ghost

ghost commented Nov 1, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Nov 1, 2019