Editing an AWS ELB with certificate ARN applies successfully but the 443 listener entry in the ELB has been removed #3785

Closed
ghost opened this issue Mar 14, 2018 · 4 comments · Fixed by #4159
Labels
bug Addresses a defect in current functionality. service/elb Issues and PRs that pertain to the elb service.

ghost commented Mar 14, 2018

This issue was originally opened by @scraly as hashicorp/terraform#17580. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

Terraform v0.11.3

Terraform Configuration Files

resource "aws_elb" "elb_istio_ingress" {
    name                        = "a123456789b087811e889c20123456789"
    subnets                     = ["subnet-11234", "subnet-5678"]
    security_groups             = ["sg-1234"]
    instances                   = ["i-1234", "i-5678"]
    cross_zone_load_balancing   = false
    idle_timeout                = 60
    connection_draining         = false
    connection_draining_timeout = 300
    internal                    = false

    listener {
        instance_port      = 30803
        instance_protocol  = "tcp"
        lb_port            = 80
        lb_protocol        = "tcp"
        ssl_certificate_id = ""
    }

    listener {
        instance_port      = 31727
        instance_protocol  = "tcp"
        lb_port            = 443
        lb_protocol        = "tcp"
        ssl_certificate_id = "${module.toto.toto_cert_arn.arn}"
    }

    health_check {
        healthy_threshold   = 2
        unhealthy_threshold = 6
        interval            = 10
        target              = "TCP:30803"
        timeout             = 5
    }

    tags {
        "kubernetes.io/service-name" = "istio-system/istio-ingress"
        "KubernetesCluster" = "k8s-contihub.crf.cdsf.continental.cloud"
        "kubernetes.io/cluster/k8s-contihub.crf.cdsf.continental.cloud" = "owned"
    }
}

Debug Output

Crash Output

Expected Behavior

Don't say "apply complete" but display an error message telling that it's not possible to set a certificate ARN for an AWS classic load balancer but only for an AWS network load balancer.

Actual Behavior

...
Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_elb.elb_istio_ingress: Modifying... (ID: 123456789)
  listener.243243.instance_port:      "30803" => "30803"
  listener.243243.instance_protocol:  "tcp" => "tcp"
  listener.243243.lb_port:            "80" => "80"
  listener.243243.lb_protocol:        "tcp" => "tcp"
  listener.243243.ssl_certificate_id: "" => ""
  listener.10202.instance_port:      "31727" => "0"
  listener.10202.instance_protocol:  "tcp" => ""
  listener.10202.lb_port:            "443" => "0"
  listener.10202.lb_protocol:        "tcp" => ""
  listener.10202.ssl_certificate_id: "" => ""
  listener.10202.instance_port:      "" => "31727"
  listener.10202.instance_protocol:  "" => "tcp"
  listener.10202.lb_port:            "" => "443"
  listener.10202.lb_protocol:        "" => "tcp"
  listener.10202.ssl_certificate_id: "" => "arn:aws:acm:eu-central-1:123123123:certificate/f1232e45-67fa-8bf9-a123-4567e89aec01c"
aws_elb.elb_istio_ingress: Modifications complete after 8s (ID: 1324568743213545646)

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Apply complete, without error, good ... but when we check on AWS, Terraform has deleted the 443 listener on the ELB! (Instead of editing the 443 listener with an SSL certificate.)

If this feature is not possible for an AWS classic load balancer, but only for an AWS network load balancer, it would be good to add it to the Terraform documentation/website and not say "success" when we apply it :-).

If Terraform apply is successful, and we apply it in a CI/CD stack, we don't know that it's not really working.

Steps to Reproduce

Create a tf file with an aws_elb resource, then terraform init, plan & apply or just apply and say "yes" in order to really apply the AWS ELB modifications.

Thanks.

@bflad bflad added bug Addresses a defect in current functionality. service/elb Issues and PRs that pertain to the elb service. labels Mar 14, 2018
@bflad bflad added this to the v1.14.1 milestone Apr 10, 2018
Contributor

bflad commented Apr 10, 2018

Hi @scraly 👋 Hopefully you figured out what was wrong here despite Terraform being misleading! The updated listener was set to protocol tcp and using ssl_certificate_id, which is an invalid configuration. Using https or ssl protocol and ssl_certificate_id works. 👍

The aws_elb resource actually has apply-time validation for this condition baked into it, but errors were only being returned during resource creation, not during update.

I have submitted a bugfix PR for this: #4159
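
Added example, not part of the issue thread and not the provider's code: a CI-side check in Go that applies the rule from the comment above (`ssl_certificate_id` is only valid with an `https` or `ssl` `lb_protocol`) to plan JSON, so an invalid listener fails the pipeline before apply. It assumes plan JSON produced by `terraform show -json`, which is available in Terraform versions newer than the v0.11.3 in the report; `CheckPlan`, `samplePlan` and the placeholder ARN are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample in the shape of `terraform show -json` plan output.
const samplePlan = `{"resource_changes":[{"address":"aws_elb.elb_istio_ingress","type":"aws_elb",
 "change":{"after":{"listener":[
  {"lb_port":80,"lb_protocol":"tcp","ssl_certificate_id":""},
  {"lb_port":443,"lb_protocol":"tcp","ssl_certificate_id":"arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"}]}}}]}`

// Subset of the plan JSON this check reads (hypothetical type names).
type listener struct {
	LBPort  int    `json:"lb_port"`
	LBProto string `json:"lb_protocol"`
	SSLCert string `json:"ssl_certificate_id"`
}
type plan struct {
	ResourceChanges []struct {
		Address, Type string
		Change        struct{ After struct{ Listener []listener } }
	} `json:"resource_changes"`
}

// CheckPlan returns one finding per aws_elb listener that sets ssl_certificate_id
// with a non-https/ssl lb_protocol. Values unknown at plan time are not checked.
func CheckPlan(planJSON []byte) ([]string, error) {
	var p plan
	if err := json.Unmarshal(planJSON, &p); err != nil {
		return nil, fmt.Errorf("parse plan: %w", err)
	}
	var findings []string
	for _, rc := range p.ResourceChanges {
		for _, l := range rc.Change.After.Listener {
			proto := strings.ToLower(l.LBProto)
			if rc.Type != "aws_elb" || l.SSLCert == "" || proto == "https" || proto == "ssl" {
				continue
			}
			findings = append(findings, fmt.Sprintf(
				"%s: listener %d sets ssl_certificate_id with lb_protocol %q", rc.Address, l.LBPort, l.LBProto))
		}
	}
	return findings, nil
}

func main() { fmt.Println(CheckPlan([]byte(samplePlan))) }
```

A pipeline would fail the job when `CheckPlan` returns any finding; a certificate ARN that is only computed during apply does not appear in the plan's `after` values and is not covered by this check.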

Contributor

bflad commented Apr 11, 2018

The fix for this has been merged into master and will release with v1.14.1 of the AWS provider, likely later today.

Contributor

bflad commented Apr 11, 2018

This has been released in version 1.14.1 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

Author

ghost commented Apr 6, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 6, 2020