Don't store apigateway domain name private key in state file #10043

Closed
michalc opened this issue Nov 11, 2016 · 3 comments


michalc commented Nov 11, 2016

Terraform Version

Terraform v0.7.9

Affected Resource(s)

  • aws_api_gateway_domain_name

Terraform Configuration Files

resource "aws_api_gateway_domain_name" "my_domain" {
  domain_name = "mydomain.co"

  certificate_name = "mydomain.co"
  certificate_body = "${file("${path.root}/certificates/mydomain.co/body.crt")}"
  certificate_chain = "${file("${path.root}/certificates/mydomain.co/chain.crt")}"
  certificate_private_key = "${file("${path.root}/certificates/mydomain.co/private.key")}"
}

Expected Behavior

The domain name should be created, but the private key should not be stored in the state file

Actual Behavior

The domain name is created, but the private key is stored in the state file

Steps to Reproduce

  1. terraform apply

Important Factoids

You can't get the private key from the AWS API, and you can't change it once it's set either. If you do try to change it in terraform, and then run terraform apply, you get

BadRequestException: Invalid patch path  '/certificate_private_key' specified for op 'replace'. Must be one of: [/certificateName]

or if changing the certificate

BadRequestException: Invalid patch path  '/certificate_body' specified for op 'replace'. Must be one of: [/certificateName]

which is to be expected if trying to update them, since they can't be updated via the API. However, since it can't be updated, it seems needless to store it in the state file, as nothing can come of it. At most, I imagine maybe storing a hash of the key/certificates, with some mechanism of telling the user that they need to do something outside of terraform?
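An added example, not part of the issue or of Terraform's code: a state-file audit that flags any resource attribute holding a PEM private key and reports only a SHA-256 fingerprint of it, in the spirit of the hash idea above. The two JSON layouts it walks are assumptions about the state format, the function names are hypothetical, and the sample state is constructed.

```python
import hashlib
import json
import re

# Header of any PEM private key block (RSA, EC, PKCS#8, encrypted PKCS#8).
PEM_KEY = re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")

# Constructed sample state; the key body is a placeholder, not real key material.
SAMPLE_STATE = json.dumps({"version": 3, "modules": [{"path": ["root"], "resources": {
    "aws_api_gateway_domain_name.my_domain": {
        "type": "aws_api_gateway_domain_name",
        "primary": {"id": "mydomain.co", "attributes": {
            "domain_name": "mydomain.co",
            "certificate_name": "mydomain.co",
            "certificate_private_key":
                "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n",
        }},
    }}}]})


def attribute_sets(state):
    """Yield (resource address, attributes) for both assumed state layouts."""
    # Assumed older layout: modules[].resources{address: {primary: {attributes}}}
    for module in state.get("modules", []):
        for address, res in module.get("resources", {}).items():
            yield address, res.get("primary", {}).get("attributes") or {}
    # Assumed newer layout: resources[].instances[].attributes
    for res in state.get("resources", []):
        address = "{}.{}".format(res.get("type"), res.get("name"))
        for inst in res.get("instances", []):
            yield address, inst.get("attributes") or {}


def find_private_keys(state_text):
    """Return sorted (address, attribute, sha256) for every stored PEM private key."""
    findings = []
    for address, attrs in attribute_sets(json.loads(state_text)):
        for name, value in attrs.items():
            if isinstance(value, str) and PEM_KEY.search(value):
                # Report a fingerprint only, so the audit output never repeats the key.
                digest = hashlib.sha256(value.encode()).hexdigest()
                findings.append((address, name, digest))
    return sorted(findings)


if __name__ == "__main__":
    for address, name, digest in find_private_keys(SAMPLE_STATE):
        print("{}: {} holds a private key (sha256 {})".format(address, name, digest))
```

A non-empty result means the state file, and every backend or backup that holds a copy of it, needs the same access controls as the key itself.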


henrytk commented Dec 1, 2016

Related to #9452

Contributor

Ninir commented Dec 11, 2016

Since #10588, there are no updates for the fields exposed in the description. We can still encode them but not sure it is a required step!

@michalc Do you think this can be closed?


ghost commented Apr 10, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 10, 2020