
Terraform forces replacement of 'aws_acm_certificate' with multiple 'subject_alternative_names'

I'm trying to create an aws_acm_certificate with multiple subject_alternative_names:

resource "aws_acm_certificate" "cert" {
  provider          = aws.acm
  domain_name       = local.domain_name
  validation_method = "DNS"
  subject_alternative_names = [local.domain_name, "www.${local.domain_name}"]
}

Running apply for the first time works as advertised. However, when I re-run apply with exactly the same vars, Terraform wants to re-create the cert with the following reason:

   ~ subject_alternative_names = [ # forces replacement
       + "xyz.com",
         "www.xyz.com",
     ]

It appears that [local.domain_name, "www.${local.domain_name}"] when compared with its current state comes up as different.

Any ideas on what's going on here?

asked Dec 29 '25 04:12

max.ott


1 Answer

Looks like subject_alternative_names shouldn't include the cert's own domain name.

If I change subject_alternative_names to ["www.${local.domain_name}"], it seems to do the right thing. Not sure if this is a bug or enforcement of the proper way of using subject_alternative_names, as I have seen many certs which include their own domain name in the subject_alternative_names.

If anybody has a better analysis I would love to hear it.

answered Dec 31 '25 00:12

max.ott
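
An added example, not part of the original answer or of Terraform's own tooling: a CI guard that reads the JSON form of a plan (`terraform show -json`) and reports every `aws_acm_certificate` that would be destroyed and re-created, flagging the case from the question where the entire SAN difference is the certificate's own `domain_name`. The sample plan is constructed to mirror the question, and the function name `acm_replacements` is an assumption.

```python
import json
import sys

# Constructed sample in the shape of `terraform show -json plan.out`, mirroring
# the question: state holds only the www name, config also lists the primary name.
SAMPLE_PLAN = {
    "resource_changes": [
        {
            "address": "aws_acm_certificate.cert",
            "type": "aws_acm_certificate",
            "change": {
                "actions": ["delete", "create"],
                "before": {"domain_name": "xyz.com",
                           "subject_alternative_names": ["www.xyz.com"]},
                "after": {"domain_name": "xyz.com",
                          "subject_alternative_names": ["xyz.com", "www.xyz.com"]},
            },
        },
    ]
}


def acm_replacements(plan):
    """List every aws_acm_certificate the plan would destroy and re-create."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        if rc.get("type") != "aws_acm_certificate":
            continue
        if not {"create", "delete"} <= set(change.get("actions") or []):
            continue  # in-place update or no-op, not a replacement
        before, after = change.get("before") or {}, change.get("after") or {}
        old = set(before.get("subject_alternative_names") or [])
        new = set(after.get("subject_alternative_names") or [])
        findings.append({
            "address": rc.get("address"),
            "added": sorted(new - old),
            "removed": sorted(old - new),
            # True when the whole SAN diff is the certificate's own domain_name
            "primary_name_only": (old ^ new) == {after.get("domain_name")},
        })
    return findings


if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    found = acm_replacements(plan)
    print(json.dumps(found, indent=2))
    sys.exit(1 if found else 0)
```

Pass the path of a plan JSON file as the first argument; without one the script runs on the constructed sample. It exits non-zero whenever a certificate replacement is planned, so a pipeline can stop before apply.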


