
ACM Module ImportCertificate Error with AWS Provider v6.0.0 #157

@todd-dsm

Description

It appears terraform-aws-modules/acm module incorrectly calls the AWS ImportCertificate API instead of RequestCertificate when using AWS Provider v6.0.0, resulting in validation errors for DNS-validated certificates.

  • ✋ I have searched the open/closed issues and my issue is not listed.
  • I've re-init'd a few times

Versions

% terraform version 
Terraform v1.11.4
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v6.0.0
+ provider registry.terraform.io/hashicorp/helm v3.0.2
+ provider registry.terraform.io/hashicorp/kubernetes v2.37.1
+ provider registry.terraform.io/hashicorp/null v3.2.4
+ provider registry.terraform.io/hashicorp/random v3.7.2
+ provider registry.terraform.io/hashicorp/tls v4.1.0

AWS Provider Version: 6.0.0
ACM Module Version: ~> 6.0.0 

Reproduction Code [Required]

# Environment-Specific Base Certificate
module "acm_environment" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> 6.0.0"

  domain_name = "${var.env_build}.${var.dns_zone}"
  zone_id     = data.aws_route53_zone.selected.zone_id

  subject_alternative_names = [
    "api.${var.env_build}.${var.dns_zone}",
    "app.${var.env_build}.${var.dns_zone}",
  ]

  wait_for_validation = true
  validation_method   = "DNS"

  tags = merge(var.tags, {
    Name        = "${var.project}-${var.env_build}-cert"
    Module      = "security"
    Type        = "acm-certificate"
    Environment = var.env_build
  })
}

# Route53 Zone Data Source for DNS validation
data "aws_route53_zone" "selected" {
  name         = "${var.dns_zone}."
  private_zone = var.zone_private
}

# Find a certificate issued by (not imported into) ACM
data "aws_acm_certificate" "amazon_issued" {
  domain      = var.dns_zone
  types       = ["AMAZON_ISSUED"]
  most_recent = true
}

Steps to reproduce the behavior:

  1. tf init, plan, apply
  2. the first time it worked; wait for about 30 minutes
  3. run another plan/apply; it now fails with this message:
│ Error: importing ACM Certificate: operation error ACM: ImportCertificate, https response error StatusCode: 400, RequestID: 4d2dbe9c-251c-483b-be9d-8acda5c0154b, api error ValidationException: 2 validation errors detected: Value at 'privateKey' failed to satisfy constraint: Member must have length greater than or equal to 1; Value at 'certificate' failed to satisfy constraint: Member must have length greater than or equal to 1
│ 
│   with module.eks.module.acm_environment.aws_acm_certificate.this[0],
│   on .terraform/modules/eks.acm_environment/main.tf line 19, in resource "aws_acm_certificate" "this":
│   19: resource "aws_acm_certificate" "this" {

Then it wouldn't work any longer; truly confusing.

Expected behavior

I'm not an expert but if it works at all, I would expect it to keep working forever.

This is all being done in a private lab. I can retest if needed.
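The error above is the ACM ImportCertificate API rejecting a request whose `certificate` and `privateKey` fields are present but zero-length, even though the resource was written as a DNS-validated request. A plan-time check for that shape, before anything is sent to AWS, is a useful way to pin down which resource is affected and to confirm whether an upgrade fixes it. The script below is an added example written for this report, not code from the terraform-aws-modules/acm module or the AWS provider. It assumes the JSON layout produced by `terraform show -json <planfile>` (`planned_values.root_module` with nested `resources` and `child_modules`) and the `aws_acm_certificate` attribute names `domain_name`, `validation_method`, `certificate_body`, `private_key` and `certificate_chain`; the embedded plan is a constructed sample, not captured from the lab in the report.

```python
"""Flag aws_acm_certificate resources whose planned values carry empty-string
certificate_body / private_key alongside a request-style domain_name, i.e. the
attribute shape that ends up as an ImportCertificate call with empty PEM fields.

Usage (assumed workflow):
    terraform plan -out=tfplan
    terraform show -json tfplan > plan.json
    python acm_plan_check.py plan.json
"""
import json
import sys
from typing import Iterator

# Attribute names assumed from the aws_acm_certificate resource schema.
IMPORT_ATTRS = ("certificate_body", "private_key", "certificate_chain")
REQUEST_ATTRS = ("domain_name", "validation_method")


def iter_resources(module: dict) -> Iterator[dict]:
    """Depth-first walk over a planned_values module tree, yielding each resource."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def classify_acm_certificate(values: dict) -> str:
    """Classify which ACM API path an aws_acm_certificate attribute set implies.

    'request'  -> domain_name set, import attributes absent or null (RequestCertificate)
    'import'   -> certificate_body / private_key carry actual PEM material
    'conflict' -> domain_name set AND import attributes present but empty strings,
                  the shape behind the ValidationException quoted in the report
    'unknown'  -> none of the above (e.g. values not yet known at plan time)
    """
    has_request = any(values.get(k) for k in REQUEST_ATTRS)
    present = {k: values[k] for k in IMPORT_ATTRS if values.get(k) is not None}
    if any(v != "" for v in present.values()):
        return "import"
    if present and has_request:
        return "conflict"
    return "request" if has_request else "unknown"


def find_suspect_certificates(plan_json: str) -> list:
    """Return [{address, empty}] for every planned aws_acm_certificate in 'conflict'."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != "aws_acm_certificate":
            continue
        values = res.get("values", {})
        if classify_acm_certificate(values) == "conflict":
            findings.append({
                "address": res["address"],
                "empty": sorted(k for k in IMPORT_ATTRS if values.get(k) == ""),
            })
    return findings


# Constructed sample plan: one healthy DNS-validated request at the module.eks
# level and one resource nested like the report's address with empty PEM fields.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {"child_modules": [{
        "address": "module.eks",
        "resources": [{
            "address": "module.eks.aws_acm_certificate.healthy",
            "type": "aws_acm_certificate", "name": "healthy",
            "values": {"domain_name": "lab.example", "validation_method": "DNS",
                       "certificate_body": None, "private_key": None,
                       "certificate_chain": None},
        }],
        "child_modules": [{
            "address": "module.eks.module.acm_environment",
            "resources": [{
                "address": "module.eks.module.acm_environment.aws_acm_certificate.this[0]",
                "type": "aws_acm_certificate", "name": "this", "index": 0,
                "values": {"domain_name": "dev.lab.example", "validation_method": "DNS",
                           "certificate_body": "", "private_key": "",
                           "certificate_chain": None},
            }],
        }],
    }]}},
})


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    for finding in find_suspect_certificates(source):
        print(f"{finding['address']}: empty import attributes {finding['empty']}")
```

Because Terraform omits values that are not known until apply, an empty `findings` list only says the plan is clean for known values; a resource whose `certificate_body` shows up as unknown should be inspected by hand. Comparing the output of this check across provider versions is a quick way to tell whether the empty-string fields originate in the plan or only at apply time.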
