Fix testAccAwsAppmeshVirtualNode_tls acceptance test.

aws/resource_aws_acm_certificate_test.go

@@ -2,15 +2,15 @@ package aws
 
 import (
 	"fmt"
+	"os"
+	"regexp"
 	"strconv"
 	"strings"
 	"testing"
 
-	"os"
-	"regexp"
-
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/acm"
+	"github.com/aws/aws-sdk-go/service/acmpca"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/terraform"
@@ -151,7 +151,7 @@ func TestAccAWSAcmCertificate_root(t *testing.T) {
 
 func TestAccAWSAcmCertificate_privateCert(t *testing.T) {
 	certificateAuthorityResourceName := "aws_acmpca_certificate_authority.test"
-	resourceName := "aws_acm_certificate.cert"
+	resourceName := "aws_acm_certificate.test"
 	rName := acctest.RandomWithPrefix("tf-acc-test")
 
 	resource.ParallelTest(t, resource.TestCase{
@@ -162,8 +162,9 @@ func TestAccAWSAcmCertificate_privateCert(t *testing.T) {
 			{
 				Config: testAccAcmCertificateConfig_privateCert(rName),
 				Check: resource.ComposeTestCheckFunc(
+					testAccMatchResourceAttrRegionalARN(resourceName, "arn", "acm", regexp.MustCompile(`certificate/.+`)),
 					resource.TestMatchResourceAttr(resourceName, "arn", certificateArnRegex),
-					resource.TestCheckResourceAttr(resourceName, "domain_name", fmt.Sprintf("%s.terraformtesting.com", rName)),
+					resource.TestCheckResourceAttr(resourceName, "domain_name", fmt.Sprintf("test.%s.com", rName)),
 					resource.TestCheckResourceAttr(resourceName, "domain_validation_options.#", "0"),
 					resource.TestCheckResourceAttr(resourceName, "subject_alternative_names.#", "0"),
 					resource.TestCheckResourceAttr(resourceName, "validation_emails.#", "0"),
@@ -607,23 +608,9 @@ resource "aws_acm_certificate" "cert" {
 }
 
 func testAccAcmCertificateConfig_privateCert(rName string) string {
-	return fmt.Sprintf(`
-resource "aws_acmpca_certificate_authority" "test" {
-  permanent_deletion_time_in_days = 7
-  type                            = "ROOT"
-
-  certificate_authority_configuration {
-    key_algorithm     = "RSA_4096"
-    signing_algorithm = "SHA512WITHRSA"
-
-    subject {
-      common_name = "terraformtesting.com"
-    }
-  }
-}
-
-resource "aws_acm_certificate" "cert" {
-  domain_name               = "%s.terraformtesting.com"
+	return testAccAwsAcmpcaCertificateAuthorityConfigType(rName, acmpca.CertificateAuthorityTypeRoot) + fmt.Sprintf(`
+resource "aws_acm_certificate" "test" {
+  domain_name               = "test.%[1]s.com"
   certificate_authority_arn = "${aws_acmpca_certificate_authority.test.arn}"
 }
 `, rName)

aws/resource_aws_acmpca_certificate_authority_test.go

@@ -541,7 +541,7 @@ func testAccCheckAwsAcmpcaCertificateAuthorityActivateCA(certificateAuthority *a
 			TemplateArn:             aws.String("arn:aws:acm-pca:::template/RootCACertificate/V1"),
 			Validity: &acmpca.Validity{
 				Type:  aws.String(acmpca.ValidityPeriodTypeYears),
-				Value: aws.Int64(1),
+				Value: aws.Int64(10),
 			},
 		})
 		if err != nil {

aws/resource_aws_appmesh_virtual_node_test.go

@@ -362,8 +362,10 @@ func testAccAwsAppmeshVirtualNode_tags(t *testing.T) {
 
 func testAccAwsAppmeshVirtualNode_tls(t *testing.T) {
 	var vn appmesh.VirtualNodeData
+	var ca acmpca.CertificateAuthority
 	resourceName := "aws_appmesh_virtual_node.test"
-	acmCertificateResourceName := "aws_acm_certificate.cert"
+	acmCAResourceName := "aws_acmpca_certificate_authority.test"
+	acmCertificateResourceName := "aws_acm_certificate.test"
 	meshName := acctest.RandomWithPrefix("tf-acc-test")
 	vnName := acctest.RandomWithPrefix("tf-acc-test")
 
@@ -372,8 +374,16 @@ func testAccAwsAppmeshVirtualNode_tls(t *testing.T) {
 		Providers:    testAccProviders,
 		CheckDestroy: testAccCheckAppmeshVirtualNodeDestroy,
 		Steps: []resource.TestStep{
+			// We need to create and active the CA before issuing a certificate.
 			{
-				Config: testAccAppmeshVirtualNodeConfig_tlsFile(meshName, vnName),
+				Config: testAccAwsAcmpcaCertificateAuthorityConfigType(meshName, acmpca.CertificateAuthorityTypeRoot),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAwsAcmpcaCertificateAuthorityExists(acmCAResourceName, &ca),
+					testAccCheckAwsAcmpcaCertificateAuthorityActivateCA(&ca),
+				),
+			},
+			{
+				Config: testAccAppmeshVirtualNodeConfig_tlsAcm(meshName, vnName),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAppmeshVirtualNodeExists(resourceName, &vn),
 					resource.TestCheckResourceAttr(resourceName, "name", vnName),
@@ -385,17 +395,7 @@ func testAccAwsAppmeshVirtualNode_tls(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "spec.0.backend.2622272660.virtual_service.0.virtual_service_name", "servicea.simpleapp.local"),
 					resource.TestCheckResourceAttr(resourceName, "spec.0.backend_defaults.#", "0"),
 					resource.TestCheckResourceAttr(resourceName, "spec.0.listener.#", "1"),
-					resource.TestCheckResourceAttr(resourceName, "spec.0.listener.180467016.health_check.#", "0"),
-					resource.TestCheckResourceAttr(resourceName, "spec.0.listener.180467016.port_mapping.#", "1"),
-					resource.TestCheckResourceAttr(resourceName, "spec.0.listener.180467016.port_mapping.0.port", "8080"),
-					resource.TestCheckResourceAttr(resourceName, "spec.0.listener.180467016.port_mapping.0.protocol", "http"),
-					resource.TestCheckResourceAttr(resourceName, "spec.0.listener.180467016.tls.#", "1"),
-					resource.TestCheckResourceAttr(resourceName, "spec.0.listener.180467016.tls.0.certificate.#", "1"),
-					resource.TestCheckResourceAttr(resourceName, "spec.0.listener.180467016.tls.0.certificate.0.acm.#", "0"),
-					resource.TestCheckResourceAttr(resourceName, "spec.0.listener.180467016.tls.0.certificate.0.file.#", "1"),
-					resource.TestCheckResourceAttr(resourceName, "spec.0.listener.180467016.tls.0.certificate.0.file.0.certificate_chain", "/cert_chain.pem"),
-					resource.TestCheckResourceAttr(resourceName, "spec.0.listener.180467016.tls.0.certificate.0.file.0.private_key", "/key.pem"),
-					resource.TestCheckResourceAttr(resourceName, "spec.0.listener.180467016.tls.0.mode", "PERMISSIVE"),
+					testAccCheckAppmeshVirtualNodeTlsAcmCertificateArn(acmCertificateResourceName, "arn", &vn),
 					resource.TestCheckResourceAttr(resourceName, "spec.0.logging.#", "0"),
 					resource.TestCheckResourceAttr(resourceName, "spec.0.service_discovery.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "spec.0.service_discovery.0.dns.#", "1"),
@@ -407,6 +407,14 @@ func testAccAwsAppmeshVirtualNode_tls(t *testing.T) {
 			},
 			{
 				Config: testAccAppmeshVirtualNodeConfig_tlsAcm(meshName, vnName),
+				Check: resource.ComposeTestCheckFunc(
+					// CA must be DISABLED for deletion.
+					testAccCheckAwsAcmpcaCertificateAuthorityDisableCA(&ca),
+				),
+				ExpectNonEmptyPlan: true,
+			},
+			{
+				Config: testAccAppmeshVirtualNodeConfig_tlsFile(meshName, vnName),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAppmeshVirtualNodeExists(resourceName, &vn),
 					resource.TestCheckResourceAttr(resourceName, "name", vnName),
@@ -418,14 +426,23 @@ func testAccAwsAppmeshVirtualNode_tls(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "spec.0.backend.2622272660.virtual_service.0.virtual_service_name", "servicea.simpleapp.local"),
 					resource.TestCheckResourceAttr(resourceName, "spec.0.backend_defaults.#", "0"),
 					resource.TestCheckResourceAttr(resourceName, "spec.0.listener.#", "1"),
-					testAccCheckAppmeshVirtualNodeTlsAcmCertificateArn(acmCertificateResourceName, "arn", &vn),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.listener.180467016.health_check.#", "0"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.listener.180467016.port_mapping.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.listener.180467016.port_mapping.0.port", "8080"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.listener.180467016.port_mapping.0.protocol", "http"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.listener.180467016.tls.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.listener.180467016.tls.0.certificate.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.listener.180467016.tls.0.certificate.0.acm.#", "0"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.listener.180467016.tls.0.certificate.0.file.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.listener.180467016.tls.0.certificate.0.file.0.certificate_chain", "/cert_chain.pem"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.listener.180467016.tls.0.certificate.0.file.0.private_key", "/key.pem"),
+					resource.TestCheckResourceAttr(resourceName, "spec.0.listener.180467016.tls.0.mode", "PERMISSIVE"),
 					resource.TestCheckResourceAttr(resourceName, "spec.0.logging.#", "0"),
 					resource.TestCheckResourceAttr(resourceName, "spec.0.service_discovery.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "spec.0.service_discovery.0.dns.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "spec.0.service_discovery.0.dns.0.hostname", "serviceb.simpleapp.local"),
 					resource.TestCheckResourceAttrSet(resourceName, "created_date"),
 					resource.TestCheckResourceAttrSet(resourceName, "last_updated_date"),
-
 					testAccCheckResourceAttrRegionalARN(resourceName, "arn", "appmesh", fmt.Sprintf("mesh/%s/virtualNode/%s", meshName, vnName)),
 				),
 			},
@@ -1030,7 +1047,7 @@ resource "aws_appmesh_virtual_node" "test" {
       tls {
         certificate {
           acm {
-            certificate_arn = "${aws_acm_certificate.cert.arn}"
+            certificate_arn = "${aws_acm_certificate.test.arn}"
           }
         }