AWS Provider aws_elb resource error #5000

Closed
noahjl opened this issue Feb 4, 2016 · 6 comments
Labels
bug provider/aws waiting-response An issue/pull request is waiting for a response from the community

noahjl commented Feb 4, 2016

Hey team,

I was upgrading from terraform 0.6.3 to current (0.6.11) today and discovered it doesn't like my ELB config.

Scenario:
Single Provider: AWS
Error:

aws_elb.elb: [ERR] ELB Listener: ssl_certificate_id may be set only when protocol is 'https' or 'ssl'

Workaround: Every version from 0.6.7 demonstrates this error, 0.6.6 does not. Occurs whether I use "HTTPS" or "SSL". I can launch a deployment with a problem version, once it fails I can then revert to version 0.6.6 and run a terraform plan, then apply and it'll be successful.

Resource Config:

resource "aws_elb" "elb" {
        name = "${var.environment}-${var.environment_name}-elb"
        subnets = ["${aws_subnet.netd.id}"]
        security_groups = ["${aws_security_group.sg-win.id}","${aws_security_group.sg-centos.id}"]
        instances = ["${split(",", var.centos_instances)}"]
        cross_zone_load_balancing = "true"
        idle_timeout = "60"
        connection_draining = "true"
        connection_draining_timeout = "300"
        tags = {
                Name = "${var.environment}-${var.environment_name}-elb"
                Env_Name = "${var.environment}-${var.environment_name}"
                Environment = "${var.environment}"
                Version = "${var.version}"
        }
        listener {
                instance_port = "80"
                instance_protocol = "HTTP"
                lb_port = "80"
                lb_protocol = "HTTP"
        }
        listener {
                instance_port = "443"
                instance_protocol = "SSL"
                lb_port = "443"
                lb_protocol = "SSL"
                ssl_certificate_id = "arn:aws:iam::ID:Cert"
        }
        health_check {
                healthy_threshold = "10"
                unhealthy_threshold = "2"
                interval = "5"
                target = "HTTP/health"
                timeout = "2"
        }
}

Please let me know if additional info would be helpful.

Contributor

catsby commented Mar 15, 2016

Hey @noahjl – you're hitting an issue that was fixed in #3887, released in v0.6.7:

The configuration you have above looks valid though, does that work post v0.6.7?

@catsby catsby added the waiting-response An issue/pull request is waiting for a response from the community label Mar 15, 2016
Author

noahjl commented Mar 15, 2016

Hey @catsby, no it does not. It's actually v0.6.7 when I start seeing the issue all the way through v0.6.11 (haven't tried 0.6.12). I did not try using lowercase 'https' though for the protocol.

Please let me know if anything else would be helpful.

Thank you

Contributor

catsby commented Mar 15, 2016

Ah, OK I think this is fixed with #5376 which will be released shortly. Sorry! It should be fixed on master, if you're able to build that, otherwise the next Terraform version should come out in the next few days.

I tried with this config and it applied fine (assuming you have keys locally for use):

provider "aws" {
  region = "us-west-2"
}

resource "aws_vpc" "foo" {
  cidr_block           = "10.1.0.0/16"
  enable_dns_hostnames = true

  tags {
    Name = "subnet-vpc"
  }
}

resource "aws_internet_gateway" "default" {
  vpc_id = "${aws_vpc.foo.id}"
}

resource "aws_subnet" "main" {
  vpc_id     = "${aws_vpc.foo.id}"
  cidr_block = "10.1.0.0/24"

  tags {
    Name = "subnet-count-test"
  }
}

resource "aws_iam_server_certificate" "test_cert" {
  name              = "some_other_7_test_cert_other"
  certificate_body  = "${file("key/self-ca-cert.pem")}"
  certificate_chain = "${file("key/self-ca-cert.pem")}"
  private_key       = "${file("key/test-key.pem")}"
  path              = "/cloudfront/"
}

resource "aws_elb" "ourapp" {
  name = "terraform-asg-deployment-example"

  #availability_zones = ["us-west-2a"]
  subnets                   = ["${aws_subnet.main.id}"]
  cross_zone_load_balancing = true

  listener {
    instance_port     = 389
    instance_protocol = "tcp"
    lb_port           = 389
    lb_protocol       = "tcp"
  }

  listener {
    instance_port      = "443"
    instance_protocol  = "SSL"
    lb_port            = "443"
    lb_protocol        = "SSL"
    ssl_certificate_id = "${aws_iam_server_certificate.test_cert.arn}"
  }
}

If I read that code change correctly, the configuration itself should be OK, it's Terraform that was incorrectly throwing that error.

Please let me know if you're still hitting this on master (if you can build that), otherwise it should be fixed in the next release.

Thanks! Sorry again 😄

@catsby catsby closed this as completed Mar 15, 2016
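
Added example, not part of the original thread and not Terraform's own code: a stand-alone Go check of the listener rule quoted in the error message, comparing protocol names case-insensitively so that "SSL" and "ssl" are treated alike. The `Listener` struct and function names are hypothetical, the sample listeners are constructed, and the thread does not state that case handling was the cause of this issue.

```go
package main

import (
	"fmt"
	"strings"
)

// Listener mirrors the listener block fields used in this thread
// (hypothetical struct for illustration, not Terraform's own type).
type Listener struct {
	LBPort           int
	LBProtocol       string
	InstanceProtocol string
	SSLCertificateID string
}

// isTLS reports whether a protocol name terminates TLS on the ELB.
// Comparison is case-insensitive, so "SSL" and "ssl" are equivalent.
func isTLS(proto string) bool {
	switch strings.ToLower(strings.TrimSpace(proto)) {
	case "https", "ssl":
		return true
	}
	return false
}

// ValidateListeners returns one error per listener that either carries a
// certificate on a non-TLS protocol or uses a TLS protocol without one.
func ValidateListeners(ls []Listener) []error {
	var errs []error
	for _, l := range ls {
		switch {
		case l.SSLCertificateID != "" && !isTLS(l.LBProtocol):
			errs = append(errs, fmt.Errorf("port %d: ssl_certificate_id may be set only when protocol is 'https' or 'ssl' (got %q)", l.LBPort, l.LBProtocol))
		case l.SSLCertificateID == "" && isTLS(l.LBProtocol):
			errs = append(errs, fmt.Errorf("port %d: protocol %q requires ssl_certificate_id", l.LBPort, l.LBProtocol))
		}
	}
	return errs
}

func main() {
	// Constructed sample mirroring the reporter's two listeners.
	ls := []Listener{
		{80, "HTTP", "HTTP", ""},
		{443, "SSL", "SSL", "arn:aws:iam::ID:Cert"},
	}
	fmt.Println(len(ValidateListeners(ls)), "errors")
}
```

The second case catches the opposite mistake, a TLS listener declared without a certificate, which the classic ELB API rejects at apply time.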
Author

noahjl commented Mar 15, 2016

Good to know!

Thanks @catsby !

Contributor

catsby commented Mar 16, 2016

For what it's worth, Terraform v0.6.13 was released this morning! Get yours here https://www.terraform.io/downloads.html


ghost commented Apr 27, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 27, 2020