IAM ELB dependency on IAM certificate does not exist when modules are used #48

Closed
hashibot opened this issue Jun 13, 2017 · 6 comments
Labels
bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service. stale Old or inactive issues managed by automation, if no further action taken these will get closed.

Comments

@hashibot

This issue was originally opened by @stevendborrelli as hashicorp/terraform#3891. It was migrated here as part of the provider split. The original body of the issue is below.


When an ELB resource is using an IAM certificate created in another module, the dependency is not created. This means that terraform apply will often fail due to ordering issues.

Below is a picture of the graph:

[image: dependency graph, alt text "test"]

@hashibot hashibot added the bug Addresses a defect in current functionality. label Jun 13, 2017
@hashibot
Author

This comment was originally opened by @jen20 as hashicorp/terraform#3891 (comment). It was migrated here as part of the provider split. The original comment is below.


Hi @stevendborrelli! Can you post the relevant snippet of the configuration that generated this graph? If the certificate is referenced via a module variable the dependency should be generated correctly, and if not that's a bug.

@hashibot
Author

This comment was originally opened by @stevendborrelli as hashicorp/terraform#3891 (comment). It was migrated here as part of the provider split. The original comment is below.


Cert is created like this:

module "ssl-cert" {
  source = "./modules/iam_cert"
  cert_name = "test-cert"
  cert_body = "cert.txt"
  cert_chain = "chain.txt"
  cert_private_key = "private.txt"
  cert_iam_path = "test-cert/"   
}

It is referenced in the ecs task definition like:

module "web-ecs-app" {
  source = "./modules/ecs-app"
  ...
  container_port = 8080
  elb_internal = true
  lb_port = 443
  lb_protocol = "https"
  ssl_certificate_id = "${module.ssl-cert.arn}"

}

The elb resource is:

resource "aws_elb" "elb" {
  name = "${var.name}-${var.environment}-${var.appname}"
  internal = "${var.elb_internal}"
  subnets = [ "${split(",", var.subnets)}" ]
  cross_zone_load_balancing = true

  security_groups = [ "${split(",", var.security_groups)}" ]

  listener {
    instance_port = "${var.container_port}"
    instance_protocol = "${var.instance_protocol}"
    lb_port = "${var.lb_port}" 
    lb_protocol = "${var.lb_protocol}"
    ssl_certificate_id = "${var.ssl_certificate_id}"
  }

  tags {
    Name = "${var.name}-${var.environment}-${var.appname}"
  }
}
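
An added example, not part of the original thread or of Terraform itself: one way to check whether the ELB actually depends on the certificate is to parse the DOT text that `terraform graph` prints and test whether the certificate node is reachable from the ELB node. The sample graph is constructed, and the resource name inside the `iam_cert` module (`aws_iam_server_certificate.cert`) and the exact node labels are assumptions, since the thread does not show them.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `terraform graph` DOT output; the resource
# name inside the iam_cert module (aws_iam_server_certificate.cert) is assumed.
SAMPLE_DOT = '''
digraph {
  "[root] module.web-ecs-app.aws_elb.elb" -> "[root] module.web-ecs-app.var.ssl_certificate_id"
  "[root] module.web-ecs-app.var.ssl_certificate_id" -> "[root] module.ssl-cert.output.arn"
  "[root] module.ssl-cert.output.arn" -> "[root] module.ssl-cert.aws_iam_server_certificate.cert"
  "[root] module.ssl-cert.aws_iam_server_certificate.cert" -> "[root] provider.aws"
}
'''

EDGE = re.compile(r'"([^"]+)"\s*->\s*"([^"]+)"')

def parse_edges(dot):
    """Return {node: set of nodes it depends on}; an edge A -> B means A needs B."""
    deps = defaultdict(set)
    for src, dst in EDGE.findall(dot):
        deps[src].add(dst)
    return deps

def depends_on(deps, start, target):
    """True if `target` is reachable from `start`, i.e. it is created first."""
    stack, seen = [start], set()
    while stack:
        node = stack.pop()
        if node == target:
            return True
        if node in seen:
            continue
        seen.add(node)
        stack.extend(deps.get(node, ()))
    return False

def find_node(deps, suffix):
    """Locate the first node whose name ends with `suffix`, or None."""
    nodes = set(deps) | {d for ds in deps.values() for d in ds}
    return next((n for n in sorted(nodes) if n.endswith(suffix)), None)

def elb_waits_for_cert(dot, elb="aws_elb.elb", cert="aws_iam_server_certificate.cert"):
    """True only if both nodes exist and the ELB transitively depends on the cert."""
    deps = parse_edges(dot)
    e, c = find_node(deps, elb), find_node(deps, cert)
    return bool(e and c) and depends_on(deps, e, c)

if __name__ == "__main__":
    print("ELB depends on cert:", elb_waits_for_cert(SAMPLE_DOT))
```

A `False` result on a real graph would match the missing dependency reported here; a `True` result with `terraform apply` still failing would point away from graph ordering.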

@hashibot
Author

This comment was originally opened by @catsby as hashicorp/terraform#3891 (comment). It was migrated here as part of the provider split. The original comment is below.


hashicorp/terraform#3898 is a patch that will retry ELB creation if it fails due to an SSL Cert not being found. That may help here, though I don't know about the actual dependency and ordering with respect to the graph.

@hashibot
Author

This comment was originally opened by @catsby as hashicorp/terraform#3891 (comment). It was migrated here as part of the provider split. The original comment is below.


#3898 has been merged, but this may be a core thing. Re-labeling for @phinze or @jen20 to take a dive.

@github-actions

github-actions bot commented Apr 6, 2020

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Apr 6, 2020
@github-actions github-actions bot closed this as completed May 6, 2020
@ghost

ghost commented Jun 6, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Jun 6, 2020