This note describes how to address an error that occurred when trying to recreate a certificate in Google Cloud’s Certificate Manager, which is managed via Terraform.
Note
This operation was performed in a development environment, so downtime during the troubleshooting process was not considered.
Versions
- Terraform: 1.9.8
- hashicorp/google: 6.16.0
Goal
We wanted to change the domain in the certificate from before.com to after.com, as shown below:
```diff
 locals {
-  domain_name = "before.com"
+  domain_name = "after.com"
 }

 resource "google_certificate_manager_dns_authorization" "example" {
   name   = "example-dns-authorization"
   domain = local.domain_name
 }

 resource "google_certificate_manager_certificate_map" "example" {
   name = "example-certificate-map"
 }

 resource "google_certificate_manager_certificate" "example" {
   name = var.prefix
   managed {
     domains = [
       local.domain_name,
       "*.${local.domain_name}"
     ]
     dns_authorizations = [google_certificate_manager_dns_authorization.example.id]
   }
 }

 resource "google_certificate_manager_certificate_map_entry" "example" {
   name         = "example-certificate-map-entry"
   map          = google_certificate_manager_certificate_map.example.name
   matcher      = "PRIMARY"
   certificates = [google_certificate_manager_certificate.example.id]
 }
```
Error Details
We encountered the following error:
```text
Error: Error when reading or editing Certificate: googleapi: Error 400: can't delete certificate that is referenced by a CertificateMapEntry or other resources
```
Changing the domain name forces Terraform to delete and recreate the certificate. Because the certificate map entry still references the old certificate at the moment Terraform tries to destroy it, Certificate Manager refuses the deletion, so the certificate cannot be replaced as is.
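A cheap way to catch this before `terraform apply` fails is to inspect the plan. The script below is an added example, not code from the original post: it reads the JSON produced by `terraform show -json tfplan` and flags any `google_certificate_manager_certificate` scheduled for delete or replace while a `google_certificate_manager_certificate_map_entry` that is not itself being deleted still lists the certificate's current id in its `certificates` attribute. The embedded plan is a constructed sample (project id `my-project` and certificate name `example` are placeholders) that mirrors the domain change described above.

```python
"""Pre-apply guard for Certificate Manager: flag certificates that Terraform
plans to destroy or replace while a certificate map entry still references
them. Input is the JSON form of a plan (`terraform show -json tfplan`).
Added example; SAMPLE_PLAN below is constructed, not taken from a real project.
"""
import json
import sys

CERT_TYPE = "google_certificate_manager_certificate"
ENTRY_TYPE = "google_certificate_manager_certificate_map_entry"


def find_blocked_certificate_deletions(plan: dict) -> list[dict]:
    """Return one record per certificate whose planned delete/replace would hit
    "can't delete certificate that is referenced by a CertificateMapEntry",
    together with the map entries that still reference it."""
    changes = plan.get("resource_changes", [])

    # Map entries that will still exist when the certificate is destroyed.
    # A replace is ["delete", "create"]: Terraform destroys the old certificate
    # before the entry is updated to the new id, so any entry that is merely
    # updated (or untouched) keeps pointing at the old certificate.
    surviving_entries = [
        rc for rc in changes
        if rc.get("type") == ENTRY_TYPE and "delete" not in rc["change"]["actions"]
    ]

    blocked = []
    for rc in changes:
        if rc.get("type") != CERT_TYPE:
            continue
        actions = rc["change"]["actions"]
        if "delete" not in actions:
            continue
        before = rc["change"].get("before") or {}
        cert_id = before.get("id")
        if not cert_id:
            continue  # nothing to reference yet (pure create)
        referrers = [
            e["address"] for e in surviving_entries
            if cert_id in ((e["change"].get("before") or {}).get("certificates") or [])
        ]
        if referrers:
            blocked.append(
                {"certificate": rc["address"], "actions": actions, "referenced_by": referrers}
            )
    return blocked


# Constructed sample plan: the certificate is replaced because its domains
# change from before.com to after.com, while the map entry is only updated.
CERT_ID = "projects/my-project/locations/global/certificates/example"
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "google_certificate_manager_certificate.example",
            "type": CERT_TYPE,
            "change": {
                "actions": ["delete", "create"],
                "before": {"id": CERT_ID, "managed": [{"domains": ["before.com", "*.before.com"]}]},
                "after": {"managed": [{"domains": ["after.com", "*.after.com"]}]},
            },
        },
        {
            "address": "google_certificate_manager_certificate_map_entry.example",
            "type": ENTRY_TYPE,
            "change": {
                "actions": ["update"],
                "before": {"certificates": [CERT_ID], "matcher": "PRIMARY"},
                "after": {"certificates": None, "matcher": "PRIMARY"},  # known after apply
            },
        },
    ],
}


if __name__ == "__main__":
    # Usage: terraform show -json tfplan | python check_cert_plan.py
    plan = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PLAN
    problems = find_blocked_certificate_deletions(plan)
    for p in problems:
        print(f"{p['certificate']} ({'/'.join(p['actions'])}) is still referenced by: "
              + ", ".join(p["referenced_by"]))
    sys.exit(1 if problems else 0)
```

Run with no stdin to see the constructed sample flagged; in CI, pipe the real plan JSON in and fail the job on a non-zero exit so the two-step comment-out/uncomment procedure is done deliberately rather than discovered mid-apply.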
Solution
Below is the procedure used to resolve this issue.
- Comment out the google_certificate_manager_certificate and google_certificate_manager_certificate_map_entry resources while changing the domain:
```diff
 locals {
-  domain_name = "before.com"
+  domain_name = "after.com"
 }

 resource "google_certificate_manager_dns_authorization" "example" {
   name   = "example-dns-authorization"
   domain = local.domain_name
 }

 resource "google_certificate_manager_certificate_map" "example" {
   name = "example-certificate-map"
 }

-resource "google_certificate_manager_certificate" "example" {
-  name = var.prefix
-  managed {
-    domains = [
-      local.domain_name,
-      "*.${local.domain_name}"
-    ]
-    dns_authorizations = [google_certificate_manager_dns_authorization.example.id]
-  }
-}
-
-resource "google_certificate_manager_certificate_map_entry" "example" {
-  name         = "example-certificate-map-entry"
-  map          = google_certificate_manager_certificate_map.example.name
-  matcher      = "PRIMARY"
-  certificates = [google_certificate_manager_certificate.example.id]
-}
+# resource "google_certificate_manager_certificate" "example" {
+#   name = var.prefix
+#   managed {
+#     domains = [
+#       local.domain_name,
+#       "*.${local.domain_name}"
+#     ]
+#     dns_authorizations = [google_certificate_manager_dns_authorization.example.id]
+#   }
+# }
+
+# resource "google_certificate_manager_certificate_map_entry" "example" {
+#   name         = "example-certificate-map-entry"
+#   map          = google_certificate_manager_certificate_map.example.name
+#   matcher      = "PRIMARY"
+#   certificates = [google_certificate_manager_certificate.example.id]
+# }
```
After making these changes, run the following. This apply destroys the old certificate and map entry and recreates the DNS authorization for the new domain:
```shell
terraform apply
```
- Uncomment the two resources:
```diff
 locals {
   domain_name = "after.com"
 }

 resource "google_certificate_manager_dns_authorization" "example" {
   name   = "example-dns-authorization"
   domain = local.domain_name
 }

 resource "google_certificate_manager_certificate_map" "example" {
   name = "example-certificate-map"
 }

-# resource "google_certificate_manager_certificate" "example" {
-#   name = var.prefix
-#   managed {
-#     domains = [
-#       local.domain_name,
-#       "*.${local.domain_name}"
-#     ]
-#     dns_authorizations = [google_certificate_manager_dns_authorization.example.id]
-#   }
-# }
-
-# resource "google_certificate_manager_certificate_map_entry" "example" {
-#   name         = "example-certificate-map-entry"
-#   map          = google_certificate_manager_certificate_map.example.name
-#   matcher      = "PRIMARY"
-#   certificates = [google_certificate_manager_certificate.example.id]
-# }
+resource "google_certificate_manager_certificate" "example" {
+  name = var.prefix
+  managed {
+    domains = [
+      local.domain_name,
+      "*.${local.domain_name}"
+    ]
+    dns_authorizations = [google_certificate_manager_dns_authorization.example.id]
+  }
+}
+
+resource "google_certificate_manager_certificate_map_entry" "example" {
+  name         = "example-certificate-map-entry"
+  map          = google_certificate_manager_certificate_map.example.name
+  matcher      = "PRIMARY"
+  certificates = [google_certificate_manager_certificate.example.id]
+}
```
Finally, run:
```shell
terraform apply
```
This second apply creates the certificate for the new domain and the map entry that references it, completing the domain change.