Empty ssl_support_method when using cloudfront default certificate (#46)

cippaciong · aknysh · aknysh · commit e132823467b4 · 2020-01-15T08:25:29.000-05:00
The current implementation always uses "sni-only" as `ssl_support_method` in `viewer_certificate` configuration. According to Terraform documentation [0] this option is required only when using `acm_certificate_arn` or `iam_certificate_id`. In our experience this leads to a situation where Terraform tries to set `ssl_support_method` to "sni-only" at each run spending several time trying to do it (~10 minutes) without effectively setting anything (it doesn't fail though). With this commit we check the value of `acm_certificate_arn` and set the proper `ssl_support_method` only if such value is defined. [0] https://www.terraform.io/docs/providers/aws/r/cloudfront_distribution.html#ssl_support_method Co-authored-by: Andriy Knysh <aknysh@users.noreply.github.com>
diff --git a/main.tf b/main.tf
@@ -189,7 +189,7 @@ resource "aws_cloudfront_distribution" "default" {
 
   viewer_certificate {
     acm_certificate_arn            = var.acm_certificate_arn
-    ssl_support_method             = "sni-only"
+    ssl_support_method             = var.acm_certificate_arn == "" ? "" : "sni-only"
     minimum_protocol_version       = var.minimum_protocol_version
     cloudfront_default_certificate = var.acm_certificate_arn == "" ? true : false
   }

Original file line number	Diff line number	Diff line change
`@@ -189,7 +189,7 @@ resource "aws_cloudfront_distribution" "default" {`
`189`	`189`
`190`	`190`	`viewer_certificate {`
`191`	`191`	`acm_certificate_arn = var.acm_certificate_arn`
`192`		`- ssl_support_method = "sni-only"`
	`192`	`+ ssl_support_method = var.acm_certificate_arn == "" ? "" : "sni-only"`
`193`	`193`	`minimum_protocol_version = var.minimum_protocol_version`
`194`	`194`	`cloudfront_default_certificate = var.acm_certificate_arn == "" ? true : false`
`195`	`195`	`}`