aws_lb_listener_certificate not destroyed upon "force new resource"

[Frogvall]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

0.11.14

Affected Resource(s)

• aws_lb_listener_certificate

Terraform Configuration Files

resource "aws_acm_certificate" "example" {
  domain_name       = "${var.uri_prefix}.${var.domain}"
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_route53_record" "example_dns_validation" {
  name    = "${aws_acm_certificate.example.domain_validation_options.0.resource_record_name}"
  type    = "${aws_acm_certificate.example.domain_validation_options.0.resource_record_type}"
  zone_id = "${data.aws_route53_zone.example}"
  records = ["${aws_acm_certificate.example.domain_validation_options.0.resource_record_value}"]
  ttl     = 300
}

resource "aws_acm_certificate_validation" "example" {
  certificate_arn         = "${aws_acm_certificate.example.arn}"
  validation_record_fqdns = ["${aws_route53_record.example_dns_validation.fqdn}"]
}

resource "aws_lb_listener_certificate" "example" {
  listener_arn    = "${data.aws_lb_listener.example.arn}"
  certificate_arn = "${aws_acm_certificate.example.arn}"
  depends_on      = ["aws_acm_certificate_validation.example"]
}

Debug Output

Panic Output

Expected Behavior

aws_lb_listener_certificate should have been destroyed (i.e, the certificate should have been removed from the alb) before the actual certificate would be destroyed,

Actual Behavior

Terraform seems to have no concept of the aws_lb_listener_certificate "resource" and it doesn't even try to remove the certificate from the lb.

Looking through the state file, I can't even see that the aws_lb_listener_certificate resource is even saved.

Running terraform plan without making any changes lists the aws_lb_listener_certificate as a new resource every time (probably overwriting the cert in the lb with itself?).

  + aws_lb_listener_certificate.example
      id:                                  <computed>
      certificate_arn:                     "${aws_acm_certificate.example.arn}"
      listener_arn:                        "<arn>"

Documentation says "forces new resource" (https://www.terraform.io/docs/providers/aws/r/lb_listener_certificate.html#listener_arn), but since terraform don't know the old value, it just doesn't.

Steps to Reproduce

1. Set up the terraform script listed above together with an alb
2. Run terraform apply twice to see that the aws_lb_listener_certificate is created as a new resource every time.
3. Make changes to the aws_acm_certificate that forces a new resource.
4. Run terraform apply to see it fail on certificate deletion (and not even try to remove it from the alb)

Important Factoids

References

[Frogvall]

@bflad
No reaction at all on this. Did I miss something crucial for it to be considered?

[Frogvall]

This bug makes it impossible to use terraform 0.12.0, since it provokes the following error:

When applying changes to aws_lb_listener_certificate.example, provider "aws" produced an unexpected new value for was present, but now absent.

This is a bug in the provider, which should be reported in the provider's own
issue tracker.

[Frogvall]

Finally had time to look into this. Turns out, the error is not per se with persisting to state, but the read function deletes it from state if the profile running terraform doesn't have the elasticloadbalancing:DescribeListenerCertificates permission. There is no error message exept in debug mode, and it just silently removes the resource.

[github-actions]

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.