Add tags as search criteria for aws_acm_certificate data source

[sheldonkwok]

We are currently attempting to add more domains to our certificate and need to rotate it out across our ALBs. However, the aws_acm_certificate data source functionally only accepts the domain for discovery. Discovery with tags allows matching on similar domain certificates through a method that is commonly accepted with other data sources.

There is another issue that is similar to this: #546
However, tagged resources are immune to users creating new certificates and could allow for more than two ACM resources with the same name at once.

[petewilcock]

Bump and +1 to this. The current data source isn't usable as we also have certificates with the same domain name, and so this single filter isn't sufficient.

[bflad]

I know its not exactly what you're looking for, but we did just recently merge in most_recent filtering for the aws_acm_certificate data source. You'll also be happy to know that I am just about to click the merge button on a aws_acm_certificate resource that should support importing. Both will be available in v1.9.0 of the AWS provider. 😀

I do think filtering via tags is a valid request though, even if the above items mitigate its need partially!

[petewilcock]

Thanks @bflad - the resource news is very good! Look forward to using it :)

[pocheptsov]

It's quite useful to match ACM by tags whenever domain name will be optional, cause it can be not the same in different contexts. Thx

[dgoradia]

Is this still going to be implemented? We also have multiple domain certs and need to be able to filter via tags.

[lee5i3]

Same here, would be nice to match the ACM by what tag I want rather than the specific domain name.. I've been tagging my certs with application and environment, would rather keep passing that to get the cert rather than also requiring the domain name

[gwkunze]

As the message above states, I implemented the basic functionality for this in #8352. But my familiarity with how the testing of the provider works is not enough to finish it. It is unclear to me how to properly implement the tests as I don't know where the resources the data source has to retrieve are created and what they look like.

[hc-danieltiziani]

Do we have any hopes of filtering the datasource for the certificates via tag?
I have a requirement that I can have multiple certificates for the same domain (transitioning from infrastructures), and I cannot rely on most_recent filter alone, so I'd like to be able to filter by specific tags.

Is there any workaround to achieve this using terraform aws provider?

[blevine]

Any status on this. It seems like all data sources for resources that accept tags should support search by tags.

[gibsonje]

Unable to use this data source without tag filtering.

[abualy]

filtering based only on domain_name can cause very big issues when you have certs with same domain name but different subject_alternative_names
this enhancement is a must have in this data source :/

[treksler]

to summarize this issue then

abandoned PR
looks good to me, but have not tested
#8352

another abandoned PR to do the filtering
looks ok as well, even has some tests, but is also abandoned
#6387

PR to add tag attribute, NOT filter by tag
looks like this was merged, BUT it does NOT have the filtering functionality, it only add the tags attribute
#11659

as a workaround, i am looking at using https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source

[jastsai]

+1

[TheWallOfDucks]

+1

[rromic]

+1

[rromic]

Hey guys,
I have created this #31453 to add support to filter by tags.
Every suggestion or possible improvements are welcome.

Please add reactions to the PR so it can be reviewed faster :)

Thanks!

[vishwa-trulioo]

Hello, we are also running into issues because of this. When is this going to be released? Thanks

[maharjanSaroj]

Hello, we are also running into issues because of this. When is this going to be released? Thanks

[murataksoy83]

Hi all,

I was stuck with the same issue and figured out the following workaround.
You can use the 'aws_resourcegroupstaggingapi_resources' data resource to fetch the certificate by the tag filter:

data "aws_resourcegroupstaggingapi_resources" "acm_by_tags" {
  resource_type_filters = ["acm:certificate"]

  tag_filters {
    key    = "key"
    values = ["value"]  
  }
}

You can then reference to the ARN of the certificate as follows:

data.aws_resourcegroupstaggingapi_resources.acm_by_tags.resource_tag_mapping_list[0].resource_arn

Hope this helps!

Regards,
Murat

[github-actions]

Warning

This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

[github-actions]

This functionality has been released in v5.67.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.