How to Troubleshoot a Failed Re-creation of Google Cloud Certificate Manager Resources with Terraform

#webdev #googlecloud #terraform #programming

This note describes how to address an error that occurred when trying to recreate a certificate in Google Cloud’s Certificate Manager, which is managed via Terraform.

Note

This operation was performed in a development environment, so downtime during the troubleshooting process was not considered.

Versions

Terraform: 1.9.8
hashicorp/google: 6.16.0

Goal

We wanted to change the domain in the certificate from before.com to after.com, as shown below:

locals {
-  domain_name = "before.com"
+  domain_name = "after.com"
}

resource "google_certificate_manager_dns_authorization" "example" {
  name   = "example-dns-authorization"
  domain = local.domain_name
}

resource "google_certificate_manager_certificate_map" "example" {
  name = "example-certificate-map"
}

resource "google_certificate_manager_certificate" "example" {
  name = var.prefix
  managed {
    domains = [
      local.domain_name,
      "*.${local.domain_name}"
    ]
    dns_authorizations = [google_certificate_manager_dns_authorization.example.id]
  }
}

resource "google_certificate_manager_certificate_map_entry" "example" {
  name         = "example-certificate-map-entry"
  map          = google_certificate_manager_certificate_map.example.name
  matcher      = "PRIMARY"
  certificates = [google_certificate_manager_certificate.example.id]
}

Error Details

We encountered the following error:

Error: Error when reading or editing Certificate: googleapi: Error 400: can't delete certificate that is referenced by a CertificateMapEntry or other resources

Because the domain name change requires deleting and recreating the certificate, and the certificate is referenced by the certificate map entry, it cannot be deleted as is.

Solution

Below is the procedure used to resolve this issue.

Comment out the google_certificate_manager_certificate and google_certificate_manager_certificate_map_entry resources while changing the domain:

locals {
-  domain_name = "before.com"
+  domain_name = "after.com"
}

resource "google_certificate_manager_dns_authorization" "example" {
  name   = "example-dns-authorization"
  domain = local.domain_name
}

resource "google_certificate_manager_certificate_map" "example" {
  name = "example-certificate-map"
}

-　resource "google_certificate_manager_certificate" "example" {
-   name = var.prefix
-   managed {
-     domains = [
-       local.domain_name,
-       "*.${local.domain_name}"
-     ]
-     dns_authorizations = [google_certificate_manager_dns_authorization.example.id]
-   }
- }

- resource "google_certificate_manager_certificate_map_entry" "example" {
-   name         = "example-certificate-map-entry"
-   map          = google_certificate_manager_certificate_map.example.name
-   matcher      = "PRIMARY"
-   certificates = [google_certificate_manager_certificate.example.id]
- }
+ # resource "google_certificate_manager_certificate" "example" {
+ #   name = var.prefix
+ #   managed {
+ #     domains = [
+ #       local.domain_name,
+ #       "*.${local.domain_name}"
+ #     ]
+ #     dns_authorizations = [google_certificate_manager_dns_authorization.example.id]
+ #   }
+ # }
+
+ # resource "google_certificate_manager_certificate_map_entry" "example" {
+ #   name         = "example-certificate-map-entry"
+ #   map          = google_certificate_manager_certificate_map.example.name
+ #   matcher      = "PRIMARY"
+ #   certificates = [google_certificate_manager_certificate.example.id]
+ # }

After making these changes, run:

terraform apply

Uncomment the two resources:

locals {
  domain_name = "after.com"
}

resource "google_certificate_manager_dns_authorization" "example" {
  name   = "example-dns-authorization"
  domain = local.domain_name
}

resource "google_certificate_manager_certificate_map" "example" {
  name = "example-certificate-map"
}

- # resource "google_certificate_manager_certificate" "example" {
- #   name = var.prefix
- #   managed {
- #     domains = [
- #       local.domain_name,
- #       "*.${local.domain_name}"
- #     ]
- #     dns_authorizations = [google_certificate_manager_dns_authorization.example.id]
- #   }
- # }
-
- # resource "google_certificate_manager_certificate_map_entry" "example" {
- #   name         = "example-certificate-map-entry"
- #   map          = google_certificate_manager_certificate_map.example.name
- #   matcher      = "PRIMARY"
- #   certificates = [google_certificate_manager_certificate.example.id]
- # }
+ resource "google_certificate_manager_certificate" "example" {
+   name = var.prefix
+   managed {
+     domains = [
+       local.domain_name,
+       "*.${local.domain_name}"
+     ]
+     dns_authorizations = [google_certificate_manager_dns_authorization.example.id]
+   }
+ }

+ resource "google_certificate_manager_certificate_map_entry" "example" {
+   name         = "example-certificate-map-entry"
+   map          = google_certificate_manager_certificate_map.example.name
+   matcher      = "PRIMARY"
+   certificates = [google_certificate_manager_certificate.example.id]
+ }

Finally, run:

terraform apply

This procedure updates the certificate domain successfully.

How I fixed 20 seconds of lag for every user in just 20 minutes.

Our AI agent was running 10-20 seconds slower than it should, impacting both our own developers and our early adopters. See how I used Sentry Profiling to fix it in record time.

DEV Community