DeleteConflict on destroy when an aws_iam_server_certificate is associated with an aws_elb listener #3412

Closed
ryane opened this issue Oct 5, 2015 · 8 comments · Fixed by #3898

Comments

@ryane
Contributor

ryane commented Oct 5, 2015

Running terraform destroy on an environment with an aws_elb that has an aws_iam_server_certificate attached always fails with a DeleteConflict:

$ terraform destroy -force
aws_vpc.main: Refreshing state... (ID: pc-6409b821)

...

aws_vpc.main: Destroying...
aws_vpc.main: Destruction complete
Error applying plan:

1 error(s) occurred:

* aws_iam_server_certificate.elb_cert: [WARN] Error deleting server certificate: DeleteConflict: Certificate: ASCAI6AIR34JR35XQFY3O is currently in use by arn:aws:elasticloadbalancing:us-west-1:144107380008:loadbalancer/test-elb. Please remove it first before deleting it from IAM.

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

Subsequent terraform destroy commands are able to complete successfully:

$ terraform destroy -force
aws_iam_server_certificate.elb_cert: Refreshing state... (ID: ASCAI6AIR34JR35XQFY3O)
aws_iam_server_certificate.elb_cert: Destroying...
aws_iam_server_certificate.elb_cert: Destruction complete

Apply complete! Resources: 0 added, 0 changed, 1 destroyed.

Reproducible terraform template here: https://gist.github.com/ryane/cc4b400df6a269c1868e

@james-s-nduka

Facing the same issue. It only becomes a real pain when the implementation is part of a pipeline that fails every time on the first run.

@asafdav

asafdav commented Oct 15, 2015

+1

@lusis
Contributor

lusis commented Oct 22, 2015

Just ran into this last night. +1

@farridav

Having this issue too. It is also a problem on apply; I need to apply my plan twice, and destroy it twice, in order to get things working... It seems to be that the SSL cert read (immediately after the write) cannot get the ARN... Is there any way it can poll like it does with other resources?

If I've misunderstood something here please let me know... still learning :)
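
The polling asked about in the comment above, sketched as an added example: it is not part of the thread and not the change made in #3898. `apiError`, `retryOnDeleteConflict` and `fakeDelete` are hypothetical names, and the fake delete stands in for the IAM call so the block runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// apiError is a constructed stand-in for an AWS API error carrying an error code.
type apiError struct{ Code, Message string }

func (e *apiError) Error() string { return e.Code + ": " + e.Message }

// isDeleteConflict reports whether err is the IAM DeleteConflict seen in the issue.
func isDeleteConflict(err error) bool {
	var ae *apiError
	return errors.As(err, &ae) && ae.Code == "DeleteConflict"
}

// retryOnDeleteConflict retries del on DeleteConflict only; returns attempts and last error.
func retryOnDeleteConflict(del func() error, timeout, interval time.Duration) (int, error) {
	deadline := time.Now().Add(timeout)
	for attempts := 1; ; attempts++ {
		err := del()
		if err == nil || !isDeleteConflict(err) {
			return attempts, err // success, or an error that retrying will not fix
		}
		if time.Now().Add(interval).After(deadline) {
			return attempts, fmt.Errorf("gave up after %d attempts: %w", attempts, err)
		}
		time.Sleep(interval)
	}
}

// fakeDelete simulates a certificate that stays "in use" for the first n calls (constructed).
func fakeDelete(conflicts int) func() error {
	calls := 0
	return func() error {
		calls++
		if calls <= conflicts {
			return &apiError{Code: "DeleteConflict", Message: "certificate is currently in use"}
		}
		return nil
	}
}

func main() { fmt.Println(retryOnDeleteConflict(fakeDelete(2), time.Second, 10*time.Millisecond)) }
```

Errors other than `DeleteConflict` are returned on the first attempt, so a permissions or naming problem is not hidden behind the retry window.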

@catsby
Contributor

catsby commented Nov 12, 2015

This should be fixed in #3898

@farridav

Thanks @catsby! Once this fix is in I can remove my sleep 10 👍

@Kuberchaun

I'm still seeing some issues that look similar, on terraform 0.6.12.

On the first run everything gets created as it should. If I run terraform plan I get the output below. Nothing has changed in my tf file or in the AWS account, so nothing should be changed of course.
Note certificate_body: "WASX" => "NOWY" (forces new resource). I replaced the data with X and Y.

```
~ aws_elb.bob-dev-lb-tf
listener.952035762.instance_port: "8080" => "0"
listener.952035762.instance_protocol: "http" => ""
listener.952035762.lb_port: "443" => "0"
listener.952035762.lb_protocol: "https" => ""
listener.952035762.ssl_certificate_id: "arn:aws:iam::99999999:server-certificate/bob-dev-bob_bob_com-cert-tf" => ""
listener.~305396292.instance_port: "" => "8080"
listener.~305396292.instance_protocol: "" => "http"
listener.~305396292.lb_port: "" => "443"
listener.~305396292.lb_protocol: "" => "https"
listener.~305396292.ssl_certificate_id: "" => "${aws_iam_server_certificate.bob-dev-bob_bob_com-cert-tf.arn}"

-/+ aws_iam_server_certificate.bob-dev-bob_bob_com-cert-tf
arn: "arn:aws:iam::999999999:server-certificate/bob-dev-bob_bob_com-cert-tf" => ""
certificate_body: "WASX" => "NOWY" (forces new resource)
name: "bob-dev-bob_bob_com-cert-tf" => "bob-dev-bob_bob_com-cert-tf"
path: "/" => "/"
private_key: "bob-same" => "bob-same"
```

@ghost

ghost commented Apr 27, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 27, 2020