[Bug]: aws_acm_certificate does not immediately error when subject_alternative_names is above account quota #40974

Open
@teddylear

Description

Terraform Core Version

1.4.2

AWS Provider Version

5.77.0

Affected Resource(s)

  • aws_acm_certificate with subject_alternative_names is above account quota

Expected Behavior

Terraform apply with a plan that has this will crash on first response back from AWS when receiving LimitExceedException.

Actual Behavior

Terraform gets stuck on apply on cert creation waiting a long time by default (waited 20+ minutes on 2 applies before cancelling) with no indication of error about subject alternative domain names being too long.

Relevant Error/Panic Output Snippet

Terraform Configuration Files

resource "aws_acm_certificate" "cert" {
  domain_name       = "example.com"
  validation_method = "DNS"

  subject_alternative_names = [
    "example1.com",
    "example2.com",
    "example3.com",
    "example4.com",
    "example5.com",
    "example6.com",
    "example7.com",
    "example8.com",
    "example9.com",
    "example10.com",
    "example11.com",
  ]

  lifecycle {
    create_before_destroy = true
  }
}

Steps to Reproduce

Init, plan, apply the above and see it stuck on creation of the certificate and not immediately erroring back from calls to create the certificate that by default this is above quota (if your account quota is at 10 by default, else put 1 above your AWS account's quota).

Debug Output

No response

Panic Output

No response

Important Factoids

Important factoid from the AWS CLI request-certificate documentation:

"Additional FQDNs to be included in the Subject Alternative Name extension of the ACM certificate. For example, add the name www.example.net to a certificate for which the DomainName field is www.example.com if users can reach your site by using either name. The maximum number of domain names that you can add to an ACM certificate is 100. However, the initial quota is 10 domain names. If you need more than 10 names, you must request a quota increase. "

Meaning that the provider can't and shouldn't do this check as it is a dynamic value and instead should check if this LimitExceedException error is received back.

References

No response

Would you like to implement a fix?

Yes
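The fail-fast behaviour the report asks for, sketched as an added example that is not code from the provider or from the issue author: a wait loop that keeps retrying transient errors but returns at once on a quota error. `apiError`, `waitFor`, `requestCert` and the stubbed quota check are hypothetical names, and the error code is spelled as in the issue text.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// apiError is a constructed stand-in for an SDK error that carries a code.
type apiError struct{ Code, Msg string }

func (e *apiError) Error() string { return e.Code + ": " + e.Msg }

// terminalCodes: errors a retry cannot fix (spelling as in the issue; assumption).
var terminalCodes = map[string]bool{"LimitExceedException": true}

// waitFor polls call until it succeeds, returns a terminal error, or the
// timeout elapses. It returns the number of attempts made.
func waitFor(call func() error, timeout, interval time.Duration) (int, error) {
	deadline := time.Now().Add(timeout)
	for attempts := 1; ; attempts++ {
		err := call()
		if err == nil {
			return attempts, nil
		}
		var ae *apiError
		if errors.As(err, &ae) && terminalCodes[ae.Code] {
			return attempts, fmt.Errorf("not retrying: %w", err)
		}
		if time.Now().Add(interval).After(deadline) {
			return attempts, fmt.Errorf("timed out after %d attempts: %w", attempts, err)
		}
		time.Sleep(interval)
	}
}

// requestCert is a hypothetical stub: it rejects requests above the quota.
func requestCert(names, quota int) func() error {
	return func() error {
		if names > quota {
			return &apiError{"LimitExceedException", "too many domain names"}
		}
		return nil
	}
}

func main() {
	// Constructed input: 11 names against the initial quota of 10.
	n, err := waitFor(requestCert(11, 10), 2*time.Second, 100*time.Millisecond)
	fmt.Println(n, err)
}
```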

Metadata

Labels

  • bug: Addresses a defect in current functionality.
  • service/acm: Issues and PRs that pertain to the acm service.