Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws: aws_api_gateway_domain_name cannot update the certificate #8789

Closed
keymon opened this issue Sep 12, 2016 · 2 comments · Fixed by #10588
Closed

aws: aws_api_gateway_domain_name cannot update the certificate #8789

keymon opened this issue Sep 12, 2016 · 2 comments · Fixed by #10588
Labels
bug provider/aws

Comments

@keymon
Copy link
Contributor

keymon commented Sep 12, 2016

Terraform Version

$ terraform -v
Terraform v0.7.3

Affected Resource(s)

aws with aws_api_gateway_domain_name

Terraform Configuration Files

resource "aws_api_gateway_domain_name" "hsts" {
  domain_name = "${var.root_apps_domain}"

  certificate_name = "apps"
  certificate_body = "${var.apps_domain_crt}"
  certificate_chain = "${var.apps_domain_intermediate_crt}"
  certificate_private_key = "${var.apps_domain_key}"
}

Expected Behavior

When you change the content of the certificate, it should change the certificate upstream.

Actual Behavior

It does not work, and it fails with this error:

1 error(s) occurred:

* aws_api_gateway_domain_name.hsts: BadRequestException: Invalid patch path  '/certificate_body' specified for op 'replace'. Must be one of: [/certificateName]
    status code: 400, request id: e5a98f19-78e4-11e6-bd58-bdfb359ea935

Steps to Reproduce

Create a API Gateway domain name with one certficate. Try to rerun that with a different certificate.

Important Factoids

The implementation is wrong. Actually there is not a programmatic way of rotating the certs of a API gateway domain name as it is mention in the documentation:

The following steps describe how to upload and renew an expiring certificate for a custom domain name using the API Gateway console. You cannot rotate custom domain name certificates programmatically.

Proposed implementation

Given you cannot rotate the certificate with API calls, I do not really know what should be the actual behaviour.

I suggest that we add an option of force_update: true, so that it will delete and create the resource to change the certificate if it is set to true, or fail with an error reporting that it must be changed manually otherwise.

References

#3675
@Ninir Ninir mentioned this issue Nov 16, 2016
Merged
@Ninir Ninir mentioned this issue Dec 7, 2016
Merged
@kwellman kwellman mentioned this issue Jan 16, 2017
Closed
@himanso
Copy link

himanso commented Jul 26, 2017

Hi,
In which version of terraform is it fixed? I am unable to update the certificates I am getting this error:-

BadRequestException: Invalid patch path '/certificate_body' specified for op 'replace'. Must be one of: [/certificateName, /certificateArn]

@ghost
Copy link

ghost commented Apr 8, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@hashicorp hashicorp locked and limited conversation to collaborators Apr 8, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug provider/aws
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

provider/aws: Forces the API GW domain name certificates to recreate the resource Ninir/terraform
3 participants
@stack72 @keymon @himanso