
Jan 21, 2025 - 16:07
How to Troubleshoot a Failed Re-creation of Google Cloud Certificate Manager Resources with Terraform

This note describes how to address an error that occurred when trying to recreate a certificate in Google Cloud’s Certificate Manager, which is managed via Terraform.

Note

This operation was performed in a development environment, so downtime during the troubleshooting process was not considered.

Versions

  • Terraform: 1.9.8
  • hashicorp/google: 6.16.0

Goal

We wanted to change the domain in the certificate from before.com to after.com, as shown below:

locals {
-  domain_name = "before.com"
+  domain_name = "after.com"
}

resource "google_certificate_manager_dns_authorization" "example" {
  name   = "example-dns-authorization"
  domain = local.domain_name
}

resource "google_certificate_manager_certificate_map" "example" {
  name = "example-certificate-map"
}

resource "google_certificate_manager_certificate" "example" {
  name = var.prefix
  managed {
    domains = [
      local.domain_name,
      "*.${local.domain_name}"
    ]
    dns_authorizations = [google_certificate_manager_dns_authorization.example.id]
  }
}

resource "google_certificate_manager_certificate_map_entry" "example" {
  name         = "example-certificate-map-entry"
  map          = google_certificate_manager_certificate_map.example.name
  matcher      = "PRIMARY"
  certificates = [google_certificate_manager_certificate.example.id]
}

Error Details

We encountered the following error:

Error: Error when reading or editing Certificate: googleapi: Error 400: can't delete certificate that is referenced by a CertificateMapEntry or other resources

Because the domain name change requires deleting and recreating the certificate, and the certificate is referenced by the certificate map entry, it cannot be deleted as is.
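The reference conflict described above can be spotted before `terraform apply` by inspecting the plan in its JSON form (`terraform plan -out=tfplan` followed by `terraform show -json tfplan`). The following Python check is an added example, not part of the original note and not Terraform's or Google's own tooling: it lists every resource the plan will delete and recreate while another resource in the configuration still references it. The embedded plan fragment is constructed to mirror the resources on this page and assumes the `resource_changes[].change.actions` and `configuration.root_module.resources[].expressions...references` fields of Terraform's plan JSON format.

```python
import json
from typing import Iterator

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields this check reads. It mirrors the page's resources after the domain
# change: the certificate (and the DNS authorization) are planned for
# delete + create, while the map entry still references the certificate.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "google_certificate_manager_dns_authorization.example",
         "change": {"actions": ["delete", "create"]}},
        {"address": "google_certificate_manager_certificate_map.example",
         "change": {"actions": ["no-op"]}},
        {"address": "google_certificate_manager_certificate.example",
         "change": {"actions": ["delete", "create"]}},
        {"address": "google_certificate_manager_certificate_map_entry.example",
         "change": {"actions": ["update"]}},
    ],
    "configuration": {"root_module": {"resources": [
        {"address": "google_certificate_manager_dns_authorization.example",
         "expressions": {"domain": {"references": ["local.domain_name"]}}},
        {"address": "google_certificate_manager_certificate_map.example",
         "expressions": {"name": {"constant_value": "example-certificate-map"}}},
        {"address": "google_certificate_manager_certificate.example",
         # nested blocks such as `managed { ... }` appear as lists of objects
         "expressions": {"managed": [{"dns_authorizations": {"references": [
             "google_certificate_manager_dns_authorization.example.id",
             "google_certificate_manager_dns_authorization.example"]}}]}},
        {"address": "google_certificate_manager_certificate_map_entry.example",
         "expressions": {
             "map": {"references": [
                 "google_certificate_manager_certificate_map.example.name",
                 "google_certificate_manager_certificate_map.example"]},
             "certificates": {"references": [
                 "google_certificate_manager_certificate.example.id",
                 "google_certificate_manager_certificate.example"]}}},
    ]}},
})


def _collect_references(expr) -> Iterator[str]:
    """Walk an `expressions` tree and yield every reference string it contains."""
    if isinstance(expr, dict):
        for key, value in expr.items():
            if key == "references" and isinstance(value, list):
                yield from value
            else:
                yield from _collect_references(value)
    elif isinstance(expr, list):
        for item in expr:
            yield from _collect_references(item)


def _referenced_addresses(resource_cfg: dict) -> set:
    """Resource addresses (type.name, or data.type.name) a resource's config refers to.
    Locals, variables, module outputs and meta-arguments are not resources and are skipped."""
    addrs = set()
    for ref in _collect_references(resource_cfg.get("expressions", {})):
        parts = ref.split(".")
        if parts[0] == "data" and len(parts) >= 3:
            addrs.add(".".join(parts[:3]))
        elif len(parts) >= 2 and parts[0] not in ("local", "var", "module", "each", "count", "self"):
            addrs.add(".".join(parts[:2]))
    return addrs


def find_blocked_replacements(plan_json: str) -> list:
    """Return (replaced_resource, referencing_resource) pairs for every resource the
    plan will destroy and recreate (actions == ["delete", "create"]) that another
    resource in the root module still references. For a Certificate Manager
    certificate referenced by a map entry this is the case the API rejects with
    '400: can't delete certificate that is referenced by a CertificateMapEntry'.
    Create-before-destroy replacements (["create", "delete"]) are ordered differently
    and are deliberately out of scope for this check."""
    plan = json.loads(plan_json)
    changes = plan.get("resource_changes", [])
    replaced = {rc["address"] for rc in changes
                if rc["change"]["actions"] == ["delete", "create"]}
    configs = plan.get("configuration", {}).get("root_module", {}).get("resources", [])
    findings = []
    for rc in changes:  # keep the plan's own ordering in the report
        if rc["address"] not in replaced:
            continue
        for cfg in configs:
            if cfg["address"] != rc["address"] and rc["address"] in _referenced_addresses(cfg):
                findings.append((rc["address"], cfg["address"]))
    return findings


if __name__ == "__main__":
    for replaced_addr, referrer in find_blocked_replacements(SAMPLE_PLAN_JSON):
        print(f"WARNING: {replaced_addr} is planned for delete+create "
              f"but is still referenced by {referrer}")
```

Feed the contents of a real `terraform show -json tfplan` file to `find_blocked_replacements`; any hit whose referencing resource is a `google_certificate_manager_certificate_map_entry` is exactly the situation the two-stage apply below works around, and it is cheaper to learn that from the plan than from a failed apply.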

Solution

Below is the procedure used to resolve this issue.

  1. Comment out the google_certificate_manager_certificate and google_certificate_manager_certificate_map_entry resources while changing the domain:
locals {
-  domain_name = "before.com"
+  domain_name = "after.com"
}

resource "google_certificate_manager_dns_authorization" "example" {
  name   = "example-dns-authorization"
  domain = local.domain_name
}

resource "google_certificate_manager_certificate_map" "example" {
  name = "example-certificate-map"
}

- resource "google_certificate_manager_certificate" "example" {
-   name = var.prefix
-   managed {
-     domains = [
-       local.domain_name,
-       "*.${local.domain_name}"
-     ]
-     dns_authorizations = [google_certificate_manager_dns_authorization.example.id]
-   }
- }

- resource "google_certificate_manager_certificate_map_entry" "example" {
-   name         = "example-certificate-map-entry"
-   map          = google_certificate_manager_certificate_map.example.name
-   matcher      = "PRIMARY"
-   certificates = [google_certificate_manager_certificate.example.id]
- }
+ # resource "google_certificate_manager_certificate" "example" {
+ #   name = var.prefix
+ #   managed {
+ #     domains = [
+ #       local.domain_name,
+ #       "*.${local.domain_name}"
+ #     ]
+ #     dns_authorizations = [google_certificate_manager_dns_authorization.example.id]
+ #   }
+ # }
+
+ # resource "google_certificate_manager_certificate_map_entry" "example" {
+ #   name         = "example-certificate-map-entry"
+ #   map          = google_certificate_manager_certificate_map.example.name
+ #   matcher      = "PRIMARY"
+ #   certificates = [google_certificate_manager_certificate.example.id]
+ # }

After making these changes, run:

terraform apply
  2. Uncomment the two resources:
locals {
  domain_name = "after.com"
}

resource "google_certificate_manager_dns_authorization" "example" {
  name   = "example-dns-authorization"
  domain = local.domain_name
}

resource "google_certificate_manager_certificate_map" "example" {
  name = "example-certificate-map"
}

- # resource "google_certificate_manager_certificate" "example" {
- #   name = var.prefix
- #   managed {
- #     domains = [
- #       local.domain_name,
- #       "*.${local.domain_name}"
- #     ]
- #     dns_authorizations = [google_certificate_manager_dns_authorization.example.id]
- #   }
- # }
-
- # resource "google_certificate_manager_certificate_map_entry" "example" {
- #   name         = "example-certificate-map-entry"
- #   map          = google_certificate_manager_certificate_map.example.name
- #   matcher      = "PRIMARY"
- #   certificates = [google_certificate_manager_certificate.example.id]
- # }
+ resource "google_certificate_manager_certificate" "example" {
+   name = var.prefix
+   managed {
+     domains = [
+       local.domain_name,
+       "*.${local.domain_name}"
+     ]
+     dns_authorizations = [google_certificate_manager_dns_authorization.example.id]
+   }
+ }

+ resource "google_certificate_manager_certificate_map_entry" "example" {
+   name         = "example-certificate-map-entry"
+   map          = google_certificate_manager_certificate_map.example.name
+   matcher      = "PRIMARY"
+   certificates = [google_certificate_manager_certificate.example.id]
+ }

Finally, run:

terraform apply

This procedure updates the certificate domain successfully.
