
fix: acm certificate export defaults to ENABLED when options block is omitted #47414

Open
kantajpn wants to merge 1 commit into hashicorp:main from
kantajpn:fix/acm-certificate-export-default

Conversation

@kantajpn

Rollback Plan

If a change needs to be reverted, we will publish an updated version of the library.

Changes to Security Controls

This fix changes the default value of export in options from ENABLED to DISABLED, which reduces the attack surface by preventing unintended certificate exports. No other security controls are affected.

Description

When the options block is omitted from aws_acm_certificate, the export attribute incorrectly defaults to ENABLED instead of DISABLED.

The root cause is that certificate_transparency_logging_preference has Default: ENABLED, which causes the options object to always be sent to the AWS API even when the block is omitted. When AWS receives an Options object without an explicit Export value, it sets Export to ENABLED. In contrast, when no Options object is sent at all (e.g., via AWS CLI), AWS defaults to DISABLED.

This fix explicitly sets Export: DISABLED in expandCertificateOptions when no value is provided, matching the behavior of the AWS CLI and Console.

Relations

Closes #46498

References

Output from Acceptance Testing

I was unable to run acceptance tests due to the cost of AWS Private CA. The existing TestAccACMCertificate_emailValidation test covers this fix by verifying that options.0.export defaults to DISABLED when the options block is omitted.

% make testacc TESTS=TestAccACMCertificate_emailValidation PKG=acm

...
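The root-cause mechanism laid out in the description, as an added example that is not the provider's or the author's code: the struct, the server-side defaulting in applyAPIDefaults and the two expand variants are a local model (assumptions) of the behaviour the PR describes, not the AWS SDK or AWS itself, and expandCertificateOptionsOld/Fixed stand in for the provider's expandCertificateOptions before and after the fix.

```go
package main

import "fmt"

// CertificateOptions is a local stand-in for the ACM CertificateOptions API
// shape (assumption: modeled, not the AWS SDK type).
type CertificateOptions struct {
	CertificateTransparencyLoggingPreference string // "ENABLED" or "DISABLED"
	Export                                   string // "ENABLED", "DISABLED", or "" (field omitted)
}

// expandCertificateOptionsOld mirrors the pre-fix behaviour described in the PR:
// the CT logging preference has a schema default of ENABLED, so an options
// object is always produced, and Export is only set when the user provided it.
func expandCertificateOptionsOld(tf map[string]string) *CertificateOptions {
	opts := &CertificateOptions{
		CertificateTransparencyLoggingPreference: valueOr(tf, "certificate_transparency_logging_preference", "ENABLED"),
	}
	if v, ok := tf["export"]; ok && v != "" {
		opts.Export = v
	}
	return opts
}

// expandCertificateOptionsFixed applies the PR's fix: Export is always sent
// explicitly, defaulting to DISABLED when the practitioner did not set it.
func expandCertificateOptionsFixed(tf map[string]string) *CertificateOptions {
	opts := expandCertificateOptionsOld(tf)
	if opts.Export == "" {
		opts.Export = "DISABLED"
	}
	return opts
}

// applyAPIDefaults simulates the server-side defaulting the PR describes
// (assumption: a model of that behaviour, not AWS code): an Options object
// without an Export value gets ENABLED; no Options object at all gets DISABLED.
func applyAPIDefaults(opts *CertificateOptions) CertificateOptions {
	if opts == nil {
		return CertificateOptions{CertificateTransparencyLoggingPreference: "ENABLED", Export: "DISABLED"}
	}
	out := *opts
	if out.Export == "" {
		out.Export = "ENABLED"
	}
	return out
}

// EffectiveExport returns the export setting the certificate would end up with
// for the given Terraform attributes, using the old or the fixed expand function.
func EffectiveExport(tf map[string]string, fixed bool) string {
	var opts *CertificateOptions
	if fixed {
		opts = expandCertificateOptionsFixed(tf)
	} else {
		opts = expandCertificateOptionsOld(tf)
	}
	return applyAPIDefaults(opts).Export
}

// valueOr returns m[key] when set and non-empty, otherwise def.
func valueOr(m map[string]string, key, def string) string {
	if v, ok := m[key]; ok && v != "" {
		return v
	}
	return def
}

func main() {
	omitted := map[string]string{} // constructed input: options block omitted in HCL
	fmt.Println("options omitted, old expand:  ", EffectiveExport(omitted, false)) // ENABLED (the bug)
	fmt.Println("options omitted, fixed expand:", EffectiveExport(omitted, true))  // DISABLED
	fmt.Println("no options object (CLI path): ", applyAPIDefaults(nil).Export)    // DISABLED
	explicit := map[string]string{"export": "ENABLED"} // constructed: user opted in
	fmt.Println("export = ENABLED explicit:    ", EffectiveExport(explicit, true)) // ENABLED
}
```

The point the model makes visible is that the defect is not in the export attribute itself but in the unconditional presence of the options object: a sibling attribute's schema default forces the object to be sent, and an object-with-missing-field gets a different server-side default than no object at all. Sending the field explicitly removes the dependence on that server-side rule.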

@kantajpn kantajpn requested a review from a team as a code owner April 12, 2026 13:31
@github-actions
Contributor

Community Guidelines

This comment is added to every new Pull Request to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

  • Please vote on this Pull Request by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
  • Please see our prioritization guide for additional information on how the maintainers handle prioritization.
  • Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Pull Request and do not help prioritize the request.

Pull Request Authors

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@dosubot dosubot bot added the bug Addresses a defect in current functionality. label Apr 12, 2026
@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/acm Issues and PRs that pertain to the acm service. size/XS Managed by automation to categorize the size of a PR. labels Apr 12, 2026
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Apr 13, 2026


Development

Successfully merging this pull request may close these issues.

acm_certificate - default value for options.export

2 participants