Import self-managed certificate to ACM then importing into Pulumi fails #4046

Closed
pierskarsenbarg opened this issue Jun 10, 2024 · 14 comments
Labels
kind/bug Some behavior is incorrect or out of spec needs-repro Needs repro steps before it can be triaged or fixed resolution/wont-fix This issue won't be fixed

Comments

@pierskarsenbarg
Member

pierskarsenbarg commented Jun 10, 2024

Describe what happened

When you import a certificate into ACM, the validationMethod is set to "NONE". When running pulumi import against this resource, you get the following warning message:

aws:acm/certificate:Certificate resource 'my-cert' has a problem: expected validation_method to be one of ["EMAIL" "DNS"], got NONE. Examine values at 'my-cert.validationMethod'.

You can still continue to import it, but if you run pulumi up afterwards it fails with an error carrying the same warning message as above.

And you can't change the validationMethod to anything because that triggers a replacement.

In our docs, we specify this alongside the validationMethod input:

Which method to use for validation. DNS or EMAIL are valid. This parameter must not be set for certificates that were imported into ACM and then into Pulumi.

Sample program

Create certificate and import into ACM

(requires openssl installed)

  1. Create private key: openssl genrsa -out private.key 2048
  2. Create certificate: openssl req -new -x509 -nodes -sha1 -days 365 -extensions v3_ca -key private.key -out certificate.crt and answer questions
  3. Import into ACM: aws acm import-certificate --certificate fileb://certificate.crt --private-key fileb://private.key --region {region}

Import into Pulumi

  1. Get ARN from AWS
  2. Run import: pulumi import aws:acm/certificate:Certificate my-cert arn:aws:acm:eu-west-1:123456789:certificate/{guid-from-arn}

Log output

Gist here: https://gist.github.com/pierskarsenbarg/c82c19d06e66120cab36d5d276c25566

Affected Resource(s)

No response

Output of pulumi about

CLI
Version      3.116.1
Go Version   go1.22.2
Go Compiler  gc

Plugins
KIND      NAME    VERSION
resource  aws     6.39.0
resource  awsx    2.11.0
resource  docker  4.5.4
resource  docker  3.6.1
language  nodejs  unknown

Host
OS       darwin
Version  14.5
Arch     arm64

This project is written in nodejs: executable='/Users/piers/.nvm/versions/node/v20.11.1/bin/node' version='v20.11.1'

Current Stack: pierskarsenbarg/ssl-acm-import/dev

TYPE                             URN
pulumi:pulumi:Stack              urn:pulumi:dev::ssl-acm-import::pulumi:pulumi:Stack::ssl-acm-import-dev
pulumi:providers:aws             urn:pulumi:dev::ssl-acm-import::pulumi:providers:aws::default_6_39_0
aws:acm/certificate:Certificate  urn:pulumi:dev::ssl-acm-import::aws:acm/certificate:Certificate::my-cert


Found no pending operations associated with dev

Backend
Name           pulumi.com
URL            https://app.pulumi.com/pierskarsenbarg
User           pierskarsenbarg
Organizations  pierskarsenbarg, karsenbarg, team-ce, gitlab-test-piers, demo
Token type     personal

Dependencies:
NAME            VERSION
@pulumi/awsx    2.11.0
@pulumi/pulumi  3.119.0
@types/node     18.19.34
typescript      5.4.5
@pulumi/aws     6.39.0

Additional context

Looks like it's been possible to import using the upstream provider for a while: hashicorp/terraform-provider-aws#31425

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@pierskarsenbarg pierskarsenbarg added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Jun 10, 2024
@pierskarsenbarg
Member Author

Interesting: When I run aws acm describe-certificate --certificate-arn {cert_arn} --region eu-west-1 I get the following in the response:

"DomainValidationOptions": [
    {
        "DomainName": "test.pierskarsenbarg.com"
    }
],

which was the domain I specified when creating the certificate.

@corymhall
Contributor

@pierskarsenbarg do you have an example app we can use to reproduce? When I try to reproduce this, I only get an error if I specify the validationMethod property as NONE. If I don't provide validationMethod at all I do not get an error. This matches the behavior from Terraform that is mentioned in the issue you linked.

@corymhall corymhall added needs-repro Needs repro steps before it can be triaged or fixed awaiting-feedback Blocked on input from the author and removed needs-triage Needs attention from the triage team labels Jun 10, 2024
@pierskarsenbarg
Member Author

I was importing into a program generated by pulumi new aws-typescript and making sure that the region in the stack config (so using the default provider) matched the region I'd imported the certificate to using the AWS cli command.

@pierskarsenbarg
Member Author

pierskarsenbarg commented Jun 10, 2024

Workarounds for the different ways of importing:

Importing using the CLI: pulumi import

(Information on using this method to import can be found here: https://www.pulumi.com/docs/cli/commands/pulumi_import/)

When you run pulumi import you'll get some code that looks something like this:

const my_cert = new aws.acm.Certificate("my-cert", {
  domainName: "test.pierskarsenbarg.com",
  keyAlgorithm: "RSA_2048",
  options: {
      certificateTransparencyLoggingPreference: "DISABLED",
  },
  subjectAlternativeNames: ["test.pierskarsenbarg.com"],
  validationMethod: "NONE",
}, {
  protect: true,
});

If you then remove the validationMethod: "NONE" line you can carry on. You don't need this input to be there in this scenario. Removing validationMethod: "NONE" when you've just done the import won't trigger a replace (although you do have protect: true to stop the replacement anyway).

Importing using the Resource Options

(Information on using this method can be found here: https://www.pulumi.com/docs/concepts/options/import/)

Assuming we have the same resource as above:

const my_cert = new aws.acm.Certificate("my-cert", {
  domainName: "test.pierskarsenbarg.com",
  keyAlgorithm: "RSA_2048",
  options: {
      certificateTransparencyLoggingPreference: "DISABLED",
  },
  subjectAlternativeNames: ["test.pierskarsenbarg.com"],
}, {
  import: "{ARN goes here}",
});
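The rule behind both workarounds above is "an imported certificate gets no validationMethod input at all". The following is an added example, not code from the issue or from the Pulumi or Terraform providers: it reads the JSON that `aws acm describe-certificate` prints, decides whether the resource may carry a validationMethod (only DNS or EMAIL, and only for an Amazon-issued certificate), flags an imported certificate that is close to expiry (ACM does not renew imported certificates, so a re-import is needed), and renders the resource in the resource-option import style shown above. PlanImport, RenderTypeScript and CertInputs are names chosen here; SampleImported and SampleIssued are constructed responses with a placeholder account and ARN, the ISO 8601 NotAfter format is an assumption about CLI output, and the 30-day threshold is arbitrary.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// describeOutput carries the fields of `aws acm describe-certificate` this check uses.
type describeOutput struct {
	Certificate struct {
		CertificateArn          string   `json:"CertificateArn"`
		DomainName              string   `json:"DomainName"`
		SubjectAlternativeNames []string `json:"SubjectAlternativeNames"`
		Type                    string   `json:"Type"`     // IMPORTED or AMAZON_ISSUED
		NotAfter                string   `json:"NotAfter"` // ISO 8601 as printed by the CLI (assumption)
		DomainValidationOptions []struct {
			DomainName       string `json:"DomainName"`
			ValidationMethod string `json:"ValidationMethod"` // absent for imported certificates, as seen above
		} `json:"DomainValidationOptions"`
	} `json:"Certificate"`
}

// CertInputs is what the Pulumi resource should carry. An empty ValidationMethod
// means "leave the input out", which is the workaround for imported certificates.
type CertInputs struct {
	Arn, DomainName, ValidationMethod string
	SubjectAlternativeNames, Warnings []string
}

// PlanImport derives the inputs for an aws.acm.Certificate being imported into
// Pulumi from the describe-certificate JSON: DNS/EMAIL only for Amazon-issued
// certificates, no validationMethod at all for imported ones.
func PlanImport(describeJSON []byte, now time.Time) (CertInputs, error) {
	var d describeOutput
	if err := json.Unmarshal(describeJSON, &d); err != nil {
		return CertInputs{}, fmt.Errorf("describe-certificate output: %w", err)
	}
	c := d.Certificate
	in := CertInputs{Arn: c.CertificateArn, DomainName: c.DomainName, SubjectAlternativeNames: c.SubjectAlternativeNames}
	switch c.Type {
	case "IMPORTED":
		// No validationMethod: setting it (even to NONE) fails validation and changing it
		// later forces a replacement. ACM does not renew imported certificates, so warn
		// when expiry is inside 30 days (threshold chosen here).
		if exp, err := time.Parse(time.RFC3339, c.NotAfter); err == nil && exp.Sub(now) < 30*24*time.Hour {
			in.Warnings = append(in.Warnings, "expires "+exp.UTC().Format("2006-01-02")+": re-import a renewed certificate before then")
		}
	case "AMAZON_ISSUED":
		if len(c.DomainValidationOptions) == 0 {
			return CertInputs{}, fmt.Errorf("%s: no DomainValidationOptions", c.CertificateArn)
		}
		vm := c.DomainValidationOptions[0].ValidationMethod
		if vm != "DNS" && vm != "EMAIL" {
			return CertInputs{}, fmt.Errorf("%s: validationMethod must be DNS or EMAIL, got %q", c.CertificateArn, vm)
		}
		in.ValidationMethod = vm
	default:
		return CertInputs{}, fmt.Errorf("%s: unhandled certificate type %q", c.CertificateArn, c.Type)
	}
	return in, nil
}

// RenderTypeScript emits the resource in the resource-option import style above:
// the ARN goes in the import option and validationMethod only appears when set.
func RenderTypeScript(varName, resName string, in CertInputs) string {
	quoted := make([]string, len(in.SubjectAlternativeNames))
	for i, s := range in.SubjectAlternativeNames {
		quoted[i] = fmt.Sprintf("%q", s)
	}
	var b strings.Builder
	fmt.Fprintf(&b, "const %s = new aws.acm.Certificate(%q, {\n", varName, resName)
	fmt.Fprintf(&b, "  domainName: %q,\n", in.DomainName)
	fmt.Fprintf(&b, "  subjectAlternativeNames: [%s],\n", strings.Join(quoted, ", "))
	if in.ValidationMethod != "" {
		fmt.Fprintf(&b, "  validationMethod: %q,\n", in.ValidationMethod)
	}
	fmt.Fprintf(&b, "}, {\n  import: %q,\n  protect: true,\n});\n", in.Arn)
	return b.String()
}

// Constructed describe-certificate responses (placeholder account and ARNs), not real output.
const SampleImported = `{"Certificate": {"CertificateArn": "arn:aws:acm:eu-west-1:123456789012:certificate/11111111-2222-3333-4444-555555555555",
 "DomainName": "test.example.com", "SubjectAlternativeNames": ["test.example.com"], "Type": "IMPORTED",
 "NotAfter": "2025-06-10T09:00:00+00:00", "DomainValidationOptions": [{"DomainName": "test.example.com"}]}}`

const SampleIssued = `{"Certificate": {"CertificateArn": "arn:aws:acm:eu-west-1:123456789012:certificate/66666666-7777-8888-9999-000000000000",
 "DomainName": "www.example.com", "SubjectAlternativeNames": ["www.example.com"], "Type": "AMAZON_ISSUED",
 "NotAfter": "2026-01-01T00:00:00+00:00", "DomainValidationOptions": [{"DomainName": "www.example.com", "ValidationMethod": "DNS"}]}}`

func main() {
	in, err := PlanImport([]byte(SampleImported), time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Print(RenderTypeScript("myCert", "my-cert", in))
}
```

Feed it the real `aws acm describe-certificate --certificate-arn ... --output json` output instead of the sample; the rendered snippet for an imported certificate has no validationMethod line, which is exactly the edit the workaround asks you to make by hand.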

@pierskarsenbarg
Member Author

pierskarsenbarg commented Jun 10, 2024

Workarounds above, but when using the CLI command to import resources it would be nice to output code that works straight away so people don't have to search for this issue.

We also specify in the docs that changing the validationMethod input (which presumably includes removing it) would trigger a replacement.

It would also be nice to remove the warning from the CLI output as well.

@blaargh

blaargh commented Jun 11, 2024

In my case, the code wasn't generated by the import, I added it myself. The validationMethod is not set and I run into the problem of this issue, using the Go SDK:

_, err = acm.NewCertificate(ctx, "cert", &acm.CertificateArgs{
	PrivateKey:       pulumi.String(key),
	CertificateBody:  pulumi.String(cert),
	CertificateChain: pulumi.String(chain),
}, pulumi.Provider(provider))
if err != nil {
	return err
}

@pulumi-bot pulumi-bot added needs-triage Needs attention from the triage team and removed awaiting-feedback Blocked on input from the author labels Jun 11, 2024
@pierskarsenbarg
Member Author

@blaargh what version of the AWS provider are you using?

Using the same self-signed private key and cert files that I generated using the openssl command and the following code I was able to import it into ACM:

package main

import (
	"fmt"
	"os"

	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/acm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Read the key and certificate produced by the openssl steps above.
		privateKeyData, err := os.ReadFile("/path/to/private.key")
		if err != nil {
			return fmt.Errorf("couldn't read private key: %w", err)
		}
		privateKeyString := string(privateKeyData)

		certData, err := os.ReadFile("/path/to/certificate.crt")
		if err != nil {
			return fmt.Errorf("couldn't read cert body: %w", err)
		}
		certString := string(certData)

		// No ValidationMethod: that input must not be set for a certificate imported into ACM.
		cert, err := acm.NewCertificate(ctx, "gocert", &acm.CertificateArgs{
			CertificateBody: pulumi.String(certString),
			PrivateKey:      pulumi.String(privateKeyString),
		})
		if err != nil {
			return fmt.Errorf("couldn't import certificate into ACM: %w", err)
		}

		ctx.Export("arn", cert.Arn)

		return nil
	})
}

The only difference being that mine is self-signed and you've got a certificate chain.
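Both the openssl repro steps in the issue body and the Go program above hand a key and certificate to ACM without looking at them first. The following is an added example, not code from the issue or from the Pulumi provider, using only the Go standard library: it parses the PEM pair, checks that the private key actually belongs to the certificate, checks that the certificate is inside its validity window (ACM will not import an expired certificate), and warns about two things a practitioner wants to know before importing: a weak signature digest such as the `-sha1` used in the repro, and a certificate that expires soon, since ACM does not renew imported certificates. parseKey, CheckImportPEM and SelfSignedPair are names chosen here; SelfSignedPair is constructed test input that stands in for the openssl commands so everything runs offline, and the 30-day threshold is arbitrary.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// parseKey accepts the PEM forms openssl writes: PKCS#1 "RSA PRIVATE KEY" and
// PKCS#8 "PRIVATE KEY" (the openssl 3 genrsa default). ACM takes an unencrypted key.
func parseKey(keyPEM []byte) (crypto.Signer, error) {
	b, _ := pem.Decode(keyPEM)
	if b == nil {
		return nil, errors.New("private key: no PEM block found")
	}
	switch b.Type {
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(b.Bytes)
	case "PRIVATE KEY":
		k, err := x509.ParsePKCS8PrivateKey(b.Bytes)
		if err != nil {
			return nil, err
		}
		if s, ok := k.(crypto.Signer); ok {
			return s, nil
		}
		return nil, errors.New("private key: unsupported PKCS#8 key type")
	}
	return nil, fmt.Errorf("private key: unexpected PEM type %q (encrypted keys must be decrypted first)", b.Type)
}

// CheckImportPEM runs the checks worth doing before `aws acm import-certificate` or
// acm.NewCertificate: the certificate parses, the private key matches its public key,
// and it is inside its validity window at now. Non-fatal findings come back as warnings.
func CheckImportPEM(keyPEM, certPEM []byte, now time.Time) (*x509.Certificate, []string, error) {
	cb, _ := pem.Decode(certPEM)
	if cb == nil || cb.Type != "CERTIFICATE" {
		return nil, nil, errors.New("certificate: no PEM CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return nil, nil, fmt.Errorf("certificate: %w", err)
	}
	key, err := parseKey(keyPEM)
	if err != nil {
		return nil, nil, err
	}
	pub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(key.Public()) {
		return nil, nil, errors.New("private key does not match the certificate's public key")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, nil, fmt.Errorf("certificate not valid at %s (valid %s to %s)", now.UTC(), cert.NotBefore.UTC(), cert.NotAfter.UTC())
	}
	var warnings []string
	switch cert.SignatureAlgorithm { // the repro's `openssl req -sha1` lands here
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		warnings = append(warnings, "weak signature digest: "+cert.SignatureAlgorithm.String())
	}
	if cert.NotAfter.Sub(now) < 30*24*time.Hour { // 30-day threshold chosen here
		warnings = append(warnings, "expires within 30 days and ACM will not renew an imported certificate")
	}
	return cert, warnings, nil
}

// SelfSignedPair is constructed test input: a throwaway pair like the openssl steps produce,
// generated in-process and SHA-256 signed (Go's default for an RSA key) so this runs offline.
func SelfSignedPair(cn string, days int) (keyPEM, certPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{cn}, // SAN, as subjectAlternativeNames in the generated code
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Duration(days) * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return keyPEM, certPEM, nil
}

func main() {
	keyPEM, certPEM, err := SelfSignedPair("test.example.com", 365)
	if err != nil {
		panic(err)
	}
	_, warnings, err := CheckImportPEM(keyPEM, certPEM, time.Now())
	fmt.Println("import check: err =", err, "warnings =", warnings)
}
```

To use it on real files, replace SelfSignedPair with os.ReadFile of private.key and certificate.crt and run CheckImportPEM before the `aws acm import-certificate` call or the acm.NewCertificate above; a certificate chain is not validated here and would need a separate x509 Verify against the intermediate.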

@blaargh

blaargh commented Jun 11, 2024

I just updated to 6.39.0 (latest version). I get the same error, this is the diff output:

Diagnostics:
  aws:acm:Certificate (*.domain.io-vendor):
    warning: One or more imported inputs failed to validate. This is almost certainly a bug in the `aws` provider. The import will still proceed, but you will need to edit the generated code after copying it into your program.
    warning: aws:acm/certificate:Certificate resource '*.domain.io-vendor' has a problem: expected validation_method to be one of ["EMAIL" "DNS"], got NONE. Examine values at '*.domain.io-vendor.validationMethod'.

Do you want to perform this import? details
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:nonprod::network::pulumi:pulumi:Stack::network-nonprod]

    = aws:acm/certificate:Certificate: (import) 🔒
        [id=arn:aws:acm:us-east-1:<redacted>:certificate/<redacted>]
        [urn=urn:pulumi:nonprod::network::aws:acm/certificate:Certificate::*.domain.io-vendor]
        [provider=urn:pulumi:nonprod::network::pulumi:providers:aws::us-east-1::<redacted>]
        domainName             : "*.domain.io"
        keyAlgorithm           : "RSA_2048"
        options                : {
            certificateTransparencyLoggingPreference: "DISABLED"
        }
        subjectAlternativeNames: [
            [0]: "domain.io"
            [1]: "*.domain.io"
        ]
        tags                   : {
            Name      : "<vendor>"
        }
        tagsAll                : {
            Name      : "<vendor>"
        }
        validationMethod       : "NONE"

The code I pasted before is the exact one I use, where I don't set the validationMethod at all.

@pierskarsenbarg
Member Author

Are you using the import command? So pulumi import aws:acm/certificate:Certificate my-cert arn:aws:acm:eu-west-1:123456789:certificate/{guid-from-arn} ?

If you are, you don't need any code in there to start with as the CLI generates the code for you to copy and paste in. If you are just seeing the warning and the code appear in the CLI output, then the certificate has been imported. You can then copy and paste the code (without the validationMethod input) and you should be good to update it going forward.

@blaargh

blaargh commented Jun 11, 2024

Damn, okay this is my bad. I never executed the import (by choosing 'yes') because I didn't want to risk anything when the warnings are present. Just executing the command works without any issues... I am importing everything based on the code I already have

@pierskarsenbarg
Member Author

That's ok, that's why I wanted this issue left open so we can do something to remove the warning

@pierskarsenbarg
Member Author

@corymhall given our conversation yesterday, and that this works with the workaround of "removing the validationMethod from the generated code" is it worth me closing this issue and creating another to focus on removing the validationMethod input from the generated code and also hiding the warning?

@flostadler flostadler removed the needs-triage Needs attention from the triage team label Jun 11, 2024
@corymhall
Contributor

@pierskarsenbarg yes I think creating a new ticket makes sense.

@pierskarsenbarg
Member Author

Created #4054 as the fix issue.

Closing this one in the meantime as the workaround is documented above.
