Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

awscc_iot_domain_configuration awscc_iot_ca_certificate resource parameters cannot be updated #2109

Open
josegalarceh opened this issue Nov 21, 2024 · 2 comments
Open

awscc_iot_domain_configuration awscc_iot_ca_certificate resource parameters cannot be updated #2109

josegalarceh opened this issue Nov 21, 2024 · 2 comments
Assignees
@quixoticmonk
Labels
bug needs-triage

Comments

@josegalarceh
Copy link

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
  • The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Terraform CLI and Terraform AWS Cloud Control Provider Version

Terraform CLI and Terraform AWS Cloud Control Provider Version

Terraform Core Version

Terraform v1.5.7 on darwin_arm64

AWSCC Provider Version

~> 1.5

Affected Resource(s)

  • awscc_iot_domain_configuration
  • awscc_iot_ca_certificate

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

provider.tf:

terraform {
  required_version = ">= 0.14"
  required_providers {
    awscc = {
      source  = "hashicorp/awscc"
      version = "~> 1.5"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variables.tf:

locals {
  base_tags = merge(
    {
      ## Map of default tags to be included in all the created resources.
      tag_key_2 = "tag_value_2"
      tag_key_3 = "tag_value_3"

    },
    var.additional_tags
  )
}

variable "additional_tags" {
  type        = map(string)
  description = <<EOF
    **OPTIONAL**
    Additional tags that need to be added to all taggable resources. This will be applied to all resources.
  EOF
  default     = {}
}

variable "custom_domain_cert_body" {
  description = "PEM body of the Publicly signed certificate."
  type        = string
  default     = "private certificate content"
}

variable "custom_domain_cert_chain" {
  description = "Intermidiate certificate."
  type        = string
  default     = "private certificate content"
}

variable "custom_domain_cert_key" {
  description = "RSA key of the certificate."
  type        = string
  default     = "private certificate content"
}

variable "custom_domain_hostname" {
  description = "URL of the IoT Custom Domain to be created"
  type        = string
  default     = "iot.dev.company.com"
}

variable "custom_domain_tls_version" {
  default     = "IoTSecurityPolicy_TLS12_1_0_2015_01"
  type        = string
  description = "TLS setting for the IoT Custom domain endpoint. Options can be: IoTSecurityPolicy_TLS12_1_0_2015_01 , IoTSecurityPolicy_TLS13_1_2_2022_10 "
}


data "awscc_acmpca_certificate_authority_activation" "iot_pca" {
  id = var.iot_pca_arns
}

variable "iot_pca_arns" {
  type        = string
  description = <<EOF
  IoT private CA certificates to provision device certificate
  EOF
  default = {
    "us-east-1" = "arn:aws:acm-pca:us-east-1:xxxxxxxxxx:certificate-authority/aaaaaaa-eeeee-bbb-ffffffffffff",
  }
}

main.tf:

# Custom Domain configuration
resource "aws_acm_certificate" "cert" {
  certificate_body  = base64decode(var.custom_domain_cert_body)
  private_key       = base64decode(var.custom_domain_cert_key)
  certificate_chain = base64decode(var.custom_domain_cert_chain)
  tags = merge(
    local.base_tags, {
      Name = "iot-custom-domain-cert"
    }
  )
}

resource "awscc_iot_domain_configuration" "custom_domain" {
  domain_configuration_name   = var.custom_domain_hostname
  domain_name                 = var.custom_domain_hostname
  domain_configuration_status = "ENABLED"
  server_certificate_arns     = [aws_acm_certificate.cert.arn]
  service_type                = "DATA"
  tls_config = {
    security_policy = var.custom_domain_tls_version
  }
  /*
  Note: The awscc provider resource's does not support tags containing characters other than
  "_", ".", "/", "=", "+", and "-".
  This restriction is documented here:
  https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/iot_ca_certificate#nested-schema-for-tags
 */
  tags = [
    for k, v in merge(
      local.base_tags,
      {
        tag_key_1 = var.custom_domain_hostname,
        tag_key_2 = "tag_value_2"
      }
    ) : {
      key   = k
      value = v
    }
  ]
}

## CA registration on IoT
resource "awscc_iot_ca_certificate" "register_iot_ca_cert" {
  ca_certificate_pem       = split("\n-----BEGIN CERTIFICATE", data.awscc_acmpca_certificate_authority_activation.iot_pca.complete_certificate_chain)[0]
  certificate_mode         = "SNI_ONLY"
  status                   = "ACTIVE"
  auto_registration_status = "ENABLE"
  /*
  Note: The awscc provider resource's does not support tags containing  characters other than
  "_", ".", "/", "=", "+", and "-".
  This restriction is documented here:
  https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/iot_ca_certificate#nested-schema-for-tags
 */
  tags = [
    for k, v in merge(
      local.base_tags,
      {
        tag_key_1 = "iot-pca",
        tag_key_2 = "tag_value_2"
      }
    ) : {
      key   = k
      value = v
    }
  ]
}

Debug Output

(https://gist.github.com/josegalarceh/70dd17c11015e463a783a8262721447e)

Panic Output

no

Expected Behavior

Having first deployed these 2 resources in the accounts, awscc_iot_domain_configuration and awscc_iot_ca_certificate, and then I want to update the tag values associated with them, the resources should update only those values, as do most of the other terraform resources.

Actual Behavior

An error appears saying that they cannot be updated. After a troubleshooting, what should be done is to do a taint of these resources, so that they are first deleted and recreated with the new tag values.

Steps to Reproduce

  1. Deploy resources, terraform apply
  2. Edit the tag values in the terraform files
  3. Try to deploy these changes again, terraform apply

Important Factoids

Nothing special, these resources are general resources for the account, one that controls the custom domain and another that registers the certified domain in IoT. Nothing particular that has to do with this problem

References

  • #0000
@wvxi
Copy link

wvxi commented Nov 25, 2024

We will be very attentive to this issue!

@quixoticmonk
Copy link
Collaborator

Thank you for opening the issue @josegalarceh . Are you able to provide the patch document you see in the logs when this is run ?

 NotUpdatableException: Invalid patch update: createOnlyProperties
│ [/properties/ServerCertificateArns] cannot be updated

@quixoticmonk quixoticmonk self-assigned this Dec 11, 2024
@ejnarvala ejnarvala mentioned this issue Dec 18, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@quixoticmonk quixoticmonk

Labels
bug needs-triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@josegalarceh @quixoticmonk @wvxi