
AWS ACM certificate does not enable Create before Destroy

Description

It is recommended to enable the create_before_destroy argument inside the resource's lifecycle configuration block, so that Terraform creates the replacement certificate before destroying the old one and avoids a possible outage when the certificate has to be recreated during an update.

Code Example

```hcl
resource "aws_acm_certificate" "example" {
  domain_name       = "example.com"
  validation_method = "DNS"

  # Added lifecycle block: provision the replacement certificate
  # before the current one is destroyed
  lifecycle {
    create_before_destroy = true
  }
}
```
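Checkov's CKV_AWS_233 flags certificates that lack this lifecycle setting. The scanner below is an added example, not Checkov's code and not part of this page: it is a small self-contained Python stand-in that walks a Terraform file, finds every aws_acm_certificate resource and reports whether a nested lifecycle block sets create_before_destroy = true. The SAMPLE_TF configuration is constructed for the example; the parser handles brace matching and double-quoted strings but, as an assumption to keep it short, ignores HCL comments and heredocs.

```python
import re

# Constructed sample Terraform configuration (not from the page):
# one non-compliant certificate, one compliant, one with the setting
# explicitly disabled, and an unrelated resource that must be ignored.
SAMPLE_TF = '''
resource "aws_acm_certificate" "bad" {
  domain_name       = "example.com"
  validation_method = "DNS"
}

resource "aws_acm_certificate" "good" {
  domain_name       = "example.com"
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_acm_certificate" "explicit_false" {
  domain_name       = "example.com"
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = false
  }
}

resource "aws_lb_listener" "https" {
  certificate_arn = aws_acm_certificate.good.arn
  lifecycle {
    create_before_destroy = true
  }
}
'''

RESOURCE_HEADER = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
LIFECYCLE_HEADER = re.compile(r'\blifecycle\s*\{')
CBD_TRUE = re.compile(r'\bcreate_before_destroy\s*=\s*true\b')


def _block_body(text, open_idx):
    """Return the text between the brace at open_idx and its matching close.

    Braces inside double-quoted strings are skipped; comments and heredocs
    are not handled (simplification for this example).
    """
    depth = 0
    in_string = False
    i = open_idx
    while i < len(text):
        ch = text[i]
        if in_string:
            if ch == "\\":          # skip the escaped character
                i += 2
                continue
            if ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
        i += 1
    raise ValueError("unbalanced braces in Terraform source")


def iter_resources(text):
    """Yield (type, name, body) for every top-level resource block."""
    for m in RESOURCE_HEADER.finditer(text):
        yield m.group(1), m.group(2), _block_body(text, m.end() - 1)


def has_create_before_destroy(body):
    """True if a nested lifecycle block sets create_before_destroy = true.

    Only lifecycle blocks are inspected, so the attribute appearing anywhere
    else in the resource body does not count.
    """
    for lm in LIFECYCLE_HEADER.finditer(body):
        if CBD_TRUE.search(_block_body(body, lm.end() - 1)):
            return True
    return False


def scan(text, resource_type="aws_acm_certificate"):
    """Return {resource address: "PASSED" | "FAILED"} for the given type."""
    results = {}
    for rtype, name, body in iter_resources(text):
        if rtype != resource_type:
            continue
        verdict = "PASSED" if has_create_before_destroy(body) else "FAILED"
        results[f"{rtype}.{name}"] = verdict
    return results


if __name__ == "__main__":
    for address, verdict in scan(SAMPLE_TF).items():
        print(f"{verdict:6} {address}")
```

Running the block prints FAILED for aws_acm_certificate.bad and aws_acm_certificate.explicit_false and PASSED for aws_acm_certificate.good; the aws_lb_listener resource is skipped because only the certificate type is being checked. Checking the setting inside the lifecycle block rather than anywhere in the resource matters: create_before_destroy is only meaningful as a lifecycle meta-argument, and a check that matched the bare string would accept a commented-out or misplaced line.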

Remediation

CloudFormation

CloudFormation creates the new certificate first and then deletes the old one automatically.

Terraform

Rule Details

Field        Value
ID           IAC-0281
Severity     LOW
IaC Type     Terraform
Frameworks   Terraform
Checkov ID   CKV_AWS_233

References