Ownership Verification Certificate in Terraform

I have a certificate which is signed by a third party (not AWS issued). I imported this certificate in ACM, and I am trying to set up API Gateway custom domain names that will use this certificate. Since they are not AWS issued I know that I have to select ‘Imported or private certificate’ in the Endpoint Configuration, and select Ownership Verification Certificate. It is very clear what I should do in the AWS console. However, the problem appears when I am trying to create the Custom Domain Name by Terraform. It looks like I cannot define ‘ownership_verification_certificate_arn’ in the aws_api_gateway_domain_name resource. This is what I have:

resource "aws_api_gateway_domain_name" "example" {
  # imported third-party certificate that terminates TLS for the custom domain
  regional_certificate_arn = var.example_resource_arn

  domain_name     = "example.com"
  security_policy = "TLS_1_2"

  endpoint_configuration {
    types = ["REGIONAL"]
  }

  # argument the provider rejects as "Unsupported argument"
  ownership_verification_certificate_arn = var.acm_public_certificate_arn

  mutual_tls_authentication {
    truststore_uri = "s3://${aws_s3_bucket.api_gw_truststore[0].bucket}/truststore.pem"
  }

  tags = var.tags
}

acm_public_certificate_arn is a certificate issued by ACM that can validate the domain name. However I got an error: “Error: Unsupported argument. An argument named "ownership_verification_certificate_arn" is not expected here.”

If I remove it I am getting: Error: Error creating API Gateway Domain Name: BadRequestException: Missing ownershipVerificationCertificate. To use an imported or private certificate for the domain name, ownershipVerificationCertificate is required.

FYI, I cannot have the certificate and the key pem files in the terraform code.

I cannot find any solutions or examples. Any help is highly appreciated.

Thanks, Anna

Can anyone help? I am hitting a wall. Thanks

I’m having exactly the same error, with exactly the same message. Is there any answer for it now?

Terraform    : v013.0.6
AWS Provider : v3.63.0


ownership_verification_certificate_arn is supported from AWS provider version 4.X. You have to update the AWS provider, but this brings a lot of changes, especially for s3 definitions.
Good luck :slight_smile:

That’s what I was afraid of!!
So, there is actually no way to make API Gateway custom_domain to work with an imported certificate, unless we updated to v4 of AWS provider?


@ana.bozevska - did you ever solve this issue?
I updated to provider v4.0.0 and things are okay up to this point. Now I’m getting:

BadRequestException: Invalid ownershipVerificationCertificate. OwnershipVerificationCertificate should be a public ACM certificate.

but my cert is neither public nor ACM-issued, like yours. What did you do to fix it?
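Added example (not from any poster in this thread) that ties together the two points raised above: the argument exists only in AWS provider 4.x, and the error "OwnershipVerificationCertificate should be a public ACM certificate" means the verification certificate cannot be the imported one. The AWS API documents ownership_verification_certificate_arn as a public certificate issued by ACM, required only when mutual TLS is configured together with an imported or private-CA certificate as regional_certificate_arn. So the imported third-party certificate keeps serving TLS to clients, and a separate DNS-validated certificate requested from ACM proves domain ownership. Resource names, the domain api.example.com and the variables hosted_zone_id, imported_certificate_arn and truststore_bucket are assumptions for illustration.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0" # ownership_verification_certificate_arn is not known to 3.x
    }
  }
}

variable "hosted_zone_id" {}           # assumed: Route 53 zone for the domain
variable "imported_certificate_arn" {} # assumed: ARN of the third-party cert imported into ACM
variable "truststore_bucket" {}        # assumed: bucket holding the client CA bundle for mTLS

# Public ACM certificate used ONLY to prove ownership of the domain (hypothetical name).
resource "aws_acm_certificate" "ownership" {
  domain_name       = "api.example.com"
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# DNS validation records so the public certificate is actually issued.
resource "aws_route53_record" "ownership_validation" {
  for_each = {
    for dvo in aws_acm_certificate.ownership.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  zone_id         = var.hosted_zone_id
  name            = each.value.name
  type            = each.value.type
  records         = [each.value.record]
  ttl             = 60
  allow_overwrite = true
}

# Waits for issuance; referencing this resource guarantees the domain name
# is created only after ACM has validated the certificate.
resource "aws_acm_certificate_validation" "ownership" {
  certificate_arn         = aws_acm_certificate.ownership.arn
  validation_record_fqdns = [for r in aws_route53_record.ownership_validation : r.fqdn]
}

resource "aws_api_gateway_domain_name" "example" {
  domain_name     = "api.example.com"
  security_policy = "TLS_1_2"

  # Imported third-party certificate: this is what clients see on the TLS handshake.
  regional_certificate_arn = var.imported_certificate_arn

  # Public ACM certificate: never served to clients, only checked by API Gateway.
  ownership_verification_certificate_arn = aws_acm_certificate_validation.ownership.certificate_arn

  endpoint_configuration {
    types = ["REGIONAL"]
  }

  # mTLS is what makes the ownership certificate mandatory for imported certs.
  mutual_tls_authentication {
    truststore_uri = "s3://${var.truststore_bucket}/truststore.pem"
  }
}
```

Pinning the provider to `>= 4.0` makes the plan fail early with a clear version error instead of the "Unsupported argument" message, and referencing the validation resource rather than the certificate resource avoids a BadRequestException from a certificate that is still in PENDING_VALIDATION.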