How to handle expiration of aws_acm_certificate resources?

Any thoughts on how people using this resource plan to handle expiration? Thinking we might need to drop the TF resource, and write some code to manage the ACM certificates, so we get new ones before they expire.

Our problem is we can’t do the ACM + ELB configuration in a single apply,

Does the ARN change when the certificate is renewed?

I don’t think so, that would break things even if deployed manually in the console. But I don’t know, I’ve not actually had an ACM cert deployed long enough to see the renewal process take place.

No idea, the cert I have is non-renewable though, so it wouldn’t be replaced automatically anyways

Okay, then I suggest that you create a new resource for the new certificate and get it validated.
The new certificate will have its own ARN, and you can then use that ARN in your LB.

And finally remove the old, expired certificate.

I think this will be the less risky approach.
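The following is an added example, not code from the thread: a Python check that sorts certificates by days left and decides whether each one is left to managed renewal, needs the replace-and-repoint procedure described above, or can simply be removed. It runs over constructed records shaped like the `Certificate` object returned by ACM's DescribeCertificate API; the ARNs, dates, action labels and the 30-day window are assumptions.

```python
from datetime import datetime, timezone

UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)  # fixed clock so the constructed sample is reproducible
ACM = "arn:aws:acm:us-east-1:111111111111:certificate/"          # constructed account/region
ELB = "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/example/abc"

# Constructed records; field names follow DescribeCertificate's "Certificate" object.
SAMPLE_CERTS = [
    {"CertificateArn": ACM + "example-imported", "RenewalEligibility": "INELIGIBLE",
     "NotAfter": datetime(2024, 6, 15, tzinfo=UTC), "InUseBy": [ELB]},
    {"CertificateArn": ACM + "example-issued", "RenewalEligibility": "ELIGIBLE",
     "NotAfter": datetime(2024, 6, 20, tzinfo=UTC), "InUseBy": [ELB]},
    {"CertificateArn": ACM + "example-fresh", "RenewalEligibility": "INELIGIBLE",
     "NotAfter": datetime(2025, 3, 1, tzinfo=UTC), "InUseBy": []},
    {"CertificateArn": ACM + "example-unused", "RenewalEligibility": "INELIGIBLE",
     "NotAfter": datetime(2024, 5, 20, tzinfo=UTC), "InUseBy": []},
]


def triage(certs, now, warn_days=30):
    """Return (arn, action, days_left) for every cert expiring within warn_days."""
    findings = []
    for cert in certs:
        days_left = (cert["NotAfter"] - now).days  # negative once expired
        if days_left > warn_days:
            continue
        if cert.get("RenewalEligibility") == "ELIGIBLE":
            # ACM can renew this one itself; confirm the renewal is progressing.
            action = "verify-managed-renewal"
        elif cert.get("InUseBy"):
            # Non-renewable and still attached: issue a new certificate,
            # point the load balancer at the new ARN, then remove this one.
            action = "replace-and-repoint"
        else:
            # Non-renewable and attached to nothing: safe to clean up.
            action = "remove-unused"
        findings.append((cert["CertificateArn"], action, days_left))
    return sorted(findings, key=lambda f: f[2])  # most urgent first


if __name__ == "__main__":
    for arn, action, days_left in triage(SAMPLE_CERTS, NOW):
        print(f"{days_left:>4}d  {action:<24} {arn}")
```

Against a live account, the same function can be fed the `Certificate` objects from boto3's `describe_certificate` calls.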