providers/aws: Document and validate ELB ssl_cert and protocol require

[catsby]

While not explicitly documented, the ssl_certificate_id attribute of an ELB Listener is only valid if the protocols are either SSL or HTTPS. If you include ssl_certificate_id in a listener of any other protocol, AWS will not return an error, however, follow up terraform plan will reveal that the Listener returned will have had it's ssl_certificate_id omitted.

For example:

resource "aws_elb" "ourapp" {
  name = "terraform-asg-deployment-example"
  availability_zones = ["us-west-2a"]
  cross_zone_load_balancing = true

  listener {
    instance_port = 443
    instance_protocol = "tcp"
    lb_port = 443
    lb_protocol = "tcp"
    ssl_certificate_id = "<some cert arn>" # assume valid cert
  }
}

This will succeed, however, the state file will have an empty ssl_certificate_id:

listener.# = 1
  listener.610193557.instance_port = 443
  listener.610193557.instance_protocol = tcp
  listener.610193557.lb_port = 443
  listener.610193557.lb_protocol = tcp
  listener.610193557.ssl_certificate_id =

which gives us a plan loop:

~ aws_elb.ourapp
    listener.610193557.instance_port:      "443" => "0"
    listener.610193557.instance_protocol:  "tcp" => ""
    listener.610193557.lb_port:            "443" => "0"
    listener.610193557.lb_protocol:        "tcp" => ""
    listener.610193557.ssl_certificate_id: "" => ""
    listener.613970091.instance_port:      "" => "443"
    listener.613970091.instance_protocol:  "" => "tcp"
    listener.613970091.lb_port:            "" => "443"
    listener.613970091.lb_protocol:        "" => "tcp"
    listener.613970091.ssl_certificate_id: "" => "<some cert arn>"

With this PR, we get a validation error in Terraform:

1 error(s) occurred:

* aws_elb.ourapp: [ERR] Invalid ssl_certificate_id / Protocol combination. Must be either HTTPS or SSL

This PR is built off of #3863

[jen20]

LGTM

[apparentlymart]

This message isn't the clearest, I think. There are two properties mentioned in the first part of the message, and then a statement in the second part about only one of them, but which one isn't mentioned. Also not sure why "protocol" got an uppercase P here.

Suggest instead: "ssl_certificate_id may be set only when protocol is 'https' or 'ssl'".

[catsby]

Good call, I updated the wording in 5cafe74 , thanks!

[mrwilby]

Is this check case-sensitive? My previously valid Terraform scripts fail to deploy after upgrading to 0.6.7 because I am using "HTTPS" rather than "https" in my listener block.

Does AWS really reject "HTTPS" (NB: Given this used to work, I suspect the answer is no).

Easy for me to fix this I guess, but I wonder if the code could be a bit more tolerant of what is effectively an enum with the 'wrong' capitalization.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.