aws_acm_certificate_validation on certificate that is in ValidationStatus=SUCCESS and Status=ISSUED should always succeed

### Community Note

* Please vote on this issue by adding a 👍 [reaction](https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the community and maintainers prioritize this request
* Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
* If you are interested in working on this issue or have submitted a pull request, please leave a comment

### Terraform Version

```
Terraform v0.11.13
+ provider.aws v2.10.0
```

### Affected Resource(s)

* aws_acm_certificate_validation


### Terraform Configuration Files

```hcl
resource "aws_acm_certificate" "secure_newdream_net" {
  domain_name = "secure.newdream.net"
  subject_alternative_names = []
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_acm_certificate_validation" "secure_newdream_net" {
  certificate_arn = "${aws_acm_certificate.secure_newdream_net.arn}"
  validation_record_fqdns = ["${aws_acm_certificate.secure_newdream_net.domain_name}"]

  timeouts {
    create = "5m"
  }
}
```

Certificate is already in AWS - it was created earlier and then imported to Terraform.

![image](https://user-images.githubusercontent.com/611746/57500996-56a2e180-72ab-11e9-90c4-053ab7fd6a06.png)

### Debug Output

```
% TF_LOG=debug terraform apply
...
  + aws_acm_certificate_validation.secure_newdream_net
      id:                                 <computed>
      certificate_arn:                    "arn:aws:acm:us-east-1:272624908555:certificate/5b9f10f1-59e2-4d16-a477-c6f4e10200fa"
      validation_record_fqdns.#:          "1"
      validation_record_fqdns.1167109527: "secure.newdream.net"
...
aws_acm_certificate_validation.secure_newdream_net: Creating...
  certificate_arn:                    "" => "arn:aws:acm:us-east-1:272624908555:certificate/5b9f10f1-59e2-4d16-a477-c6f4e10200fa"
  validation_record_fqdns.#:          "" => "1"
  validation_record_fqdns.1167109527: "" => "secure.newdream.net"
2019-05-09T22:30:06.160-0500 [DEBUG] plugin.terraform-provider-aws_v2.10.0_x4: 2019/05/09 22:30:06 [DEBUG] [aws-sdk-go] DEBUG: Request acm/DescribeCertificate Details:
...
2019-05-09T22:30:06.843-0500 [DEBUG] plugin.terraform-provider-aws_v2.10.0_x4: 2019/05/09 22:30:06 [DEBUG] [aws-sdk-go] {"Certificate":{"CertificateArn":"arn:aws:acm:us-east-1:272624908555:certificate/5b9f10f1-59e2-4d16-a477-c6f4e10200fa","CreatedAt":1.545151664E9,"DomainName":"secure.newdream.net","DomainValidationOptions":[{"DomainName":"secure.newdream.net","ResourceRecord":{"Name":"_1ce25b9917074ea63c6d293b9013b5c5.secure.newdream.net.","Type":"CNAME","Value":"_5c08a0d9d8a0c0fe289a91fec8bbbe98.hkvuiqjoua.acm-validations.aws."},"ValidationMethod":"DNS","ValidationStatus":"SUCCESS"}],"ExtendedKeyUsages":[{"Name":"TLS_WEB_SERVER_AUTHENTICATION","OID":"1.3.6.1.5.5.7.3.1"},{"Name":"TLS_WEB_CLIENT_AUTHENTICATION","OID":"1.3.6.1.5.5.7.3.2"}],"InUseBy":["arn:aws:cloudfront::272624908555:distribution/E33SJU5H6240E7"],"IssuedAt":1.545151949E9,"Issuer":"Amazon","KeyAlgorithm":"RSA-2048","KeyUsages":[{"Name":"DIGITAL_SIGNATURE"},{"Name":"KEY_ENCIPHERMENT"}],"NotAfter":1.5793488E9,"NotBefore":1.5450912E9,"Options":{"CertificateTransparencyLoggingPreference":"ENABLED"},"RenewalEligibility":"ELIGIBLE","Serial":"0c:af:a0:4f:09:67:46:b1:15:d6:b9:bd:d2:ba:cb:23","SignatureAlgorithm":"SHA256WITHRSA","Status":"ISSUED","Subject":"CN=secure.newdream.net","SubjectAlternativeNames":["secure.newdream.net"],"Type":"AMAZON_ISSUED"}}
2019/05/09 22:30:06 [ERROR] root: eval: *terraform.EvalApplyPost, err: 1 error(s) occurred:

* aws_acm_certificate_validation.secure_newdream_net: 1 error occurred:
        * missing secure.newdream.net DNS validation record: _1ce25b9917074ea63c6d293b9013b5c5.secure.newdream.net
...
```

### Expected Behavior

Just work. Since Amazon considers the certificate issued and DNS validated, it should be a no-op for Terraform. Just create this virtual entity in the state and move on with life.

### Actual Behavior

```
Error: Error applying plan:

1 error(s) occurred:

* aws_acm_certificate_validation.secure_newdream_net: 1 error(s) occurred:

* aws_acm_certificate_validation.secure_newdream_net: 1 error occurred:
        * missing secure.newdream.net DNS validation record: (SNIPPED).secure.newdream.net
```

### Steps to Reproduce

1. Create an ACM certificate manually using DNS validation in AWS.
2. `terraform import` the ACM certificate.
3. Create `aws_acm_certificate_validation` that references the certificate.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

aws_acm_certificate_validation on certificate that is in ValidationStatus=SUCCESS and Status=ISSUED should always succeed #8597

Community Note

Terraform Version

Affected Resource(s)

Terraform Configuration Files

Debug Output

Expected Behavior

Actual Behavior

Steps to Reproduce

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

aws_acm_certificate_validation on certificate that is in ValidationStatus=SUCCESS and Status=ISSUED should always succeed #8597

Description

Community Note

Terraform Version

Affected Resource(s)

Terraform Configuration Files

Debug Output

Expected Behavior

Actual Behavior

Steps to Reproduce

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions