Default certificate_transparency_logging_preference to true? #52

Closed
rahulk94 opened this issue Jun 11, 2020 · 3 comments
@rahulk94

Hi there,

Previously (v2.5 and earlier) this module would create ACM certs which had the certificate_transparency_logging_preference set to enabled. This made sense as the best practice recommendation from the AWS documentation says you should keep this on otherwise Chrome (as of 2018+) will not trust your certificate (see here). While that documentation just talks about Chrome, I expect other browsers will likely have followed suit since then.

My team runs Terraform in an automated environment so we picked up the recent v2.7 changes in our latest initialize and plan operations and noticed this has now been set to disabled by default. This forces a recreation of the ACM resources. This is because the newly added certificate_transparency_logging_preference input variable defaults to false.

```
  # module.load_balancer.module.acm_lb.aws_acm_certificate.this[0] must be replaced
+/- resource "aws_acm_certificate" "this" {
      ...
      ~ options {
          ~ certificate_transparency_logging_preference = "DISABLED" -> "ENABLED" # forces replacement
        }

# other validation resources will be recreated too
```

We've now manually added the variable and set it to true in our deployment project to get no changes to our deployed infrastructure.

Changing the default value of certificate_transparency_logging_preference to true has some benefits:

  1. certs do not need to be recreated for people who were using this module pre v2.5
  2. the module follows cert best practice by default

Would we be able to get this done?
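
A CI guard for the situation described in the issue above, as an added example that is not part of the original post or the module's code: it reads the JSON form of a plan (`terraform show -json`) and reports ACM certificates that would be replaced because the CT logging preference changed, or that would end up with it `DISABLED`. The sample plan is constructed, and the two `aws_acm_certificate.*` addresses in it are hypothetical.

```python
import json

CT_KEY = "certificate_transparency_logging_preference"

# Constructed sample shaped like `terraform show -json <planfile>` output,
# trimmed to the fields read below. Only the first address comes from the issue.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "module.load_balancer.module.acm_lb.aws_acm_certificate.this[0]",
     "type": "aws_acm_certificate",
     "change": {"actions": ["delete", "create"],
                "before": {"options": [{CT_KEY: "DISABLED"}]},
                "after": {"options": [{CT_KEY: "ENABLED"}]}}},
    {"address": "aws_acm_certificate.new_cert",  # hypothetical resource
     "type": "aws_acm_certificate",
     "change": {"actions": ["create"], "before": None,
                "after": {"options": [{CT_KEY: "DISABLED"}]}}},
    {"address": "aws_acm_certificate.steady",  # hypothetical resource
     "type": "aws_acm_certificate",
     "change": {"actions": ["no-op"],
                "before": {"options": [{CT_KEY: "ENABLED"}]},
                "after": {"options": [{CT_KEY: "ENABLED"}]}}},
]})


def ct_pref(state):
    """CT logging preference recorded in a before/after state, or None."""
    options = (state or {}).get("options") or []
    return options[0].get(CT_KEY) if options else None


def check_plan(plan_json):
    """Return (address, finding, detail) tuples for ACM certificates in a plan."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "aws_acm_certificate":
            continue
        change = rc.get("change", {})
        actions = set(change.get("actions", []))
        before, after = ct_pref(change.get("before")), ct_pref(change.get("after"))
        # A replacement shows up as delete + create, in either order.
        if {"delete", "create"} <= actions and before != after:
            findings.append((rc["address"], "replaced", f"{before} -> {after}"))
        if after == "DISABLED":
            findings.append((rc["address"], "ct_disabled", after))
    return findings


if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN):
        print(*finding)
```

Failing the pipeline when `check_plan` returns anything lets an automated run stop before a module upgrade silently recreates certificates.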

@rahulk94
Author

I see #51 has been raised already... My bad. Issue should be resolved by that PR.

@antonbabenko
Member

Please use v2.8.0 which has been just released.

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 15, 2022