hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Unable to change aws_lb_listener from HTTPS to HTTP #10961

Open jcarlson opened 4 years ago

jcarlson commented 4 years ago

Terraform Version

$ terraform -v
Terraform v0.12.12
+ provider.aws v2.38.0
+ provider.null v2.1.2
+ provider.random v2.2.1

Affected Resource(s)

Terraform Configuration Files

resource "aws_lb_listener" "listener" {
  certificate_arn   = var.acm_arn
  load_balancer_arn = var.load_balancer_arn
  port              = var.listener_port
  protocol          = var.listener_protocol

  default_action {
    target_group_arn = aws_lb_target_group.tg.arn
    type             = "forward"
  }
}

Debug Output

terraform plan:

  # aws_lb_listener.listener will be updated in-place
  ~ resource "aws_lb_listener" "listener" {
        arn               = "arn:aws:elasticloadbalancing:us-east-1:redacted"
      - certificate_arn   = "arn:aws:acm:us-east-1:redacted" -> null
        id                = "arn:aws:elasticloadbalancing:us-east-1:redacted"
        load_balancer_arn = "arn:aws:elasticloadbalancing:us-east-1:redacted"
      ~ port              = 443 -> 80
      ~ protocol          = "HTTPS" -> "HTTP"
        ssl_policy        = "ELBSecurityPolicy-2016-08"

        default_action {
            order            = 1
            target_group_arn = "arn:aws:elasticloadbalancing:us-east-1:redacted"
            type             = "forward"
        }
    }

Expected Behavior

When changing var.protocol from HTTPS to HTTP, the LB listener should be replaced, or ssl_policy should be removed.

Actual Behavior

LB Listener is updated in place, but fails because an ssl_policy cannot be applied to HTTP listeners. I have tried explicitly setting the ssl_policy attribute to null and "" but neither results in a change. I have to manually taint the resource and re-run apply.

Steps to Reproduce

Create a load balancer with an HTTPS:443 listener, then attempt to change the listener to HTTP:80.

  1. terraform apply

ewbankkit commented 4 years ago

Similar:

justinretzolk commented 2 years ago

Hey @jcarlson 👋 Thank you for taking the time to file this issue. Given that there have been a number of AWS provider releases since you initially filed it, can you confirm whether you're still experiencing this behavior?

waltzbucks commented 2 years ago

I have run into this same issue.

Terraform will perform the following actions:

  # module.ec2.aws_lb_listener.alb["80"] will be updated in-place
  ~ resource "aws_lb_listener" "alb" {
      - certificate_arn   = "arn:aws:acm:ap-northeast-2:redacted" -> null
        id                = "arn:aws:elasticloadbalancing:ap-northeast-2:redacted"
      ~ protocol          = "HTTPS" -> "HTTP"
        tags              = {}
        # (5 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

tophercullen commented 2 years ago

@justinretzolk I ran into a nearly identical issue with TCP listeners, and I'm using the latest AWS provider. See #7367, which was never fixed.

dthvt commented 2 years ago

This is still present in v3.75.1.

Terraform will perform the following actions:

  # module.xxxx.aws_lb_listener.alb will be updated in-place
  ~ resource "aws_lb_listener" "alb" {
      - certificate_arn   = "arn:aws:acm:us-east-1:xxxxx:certificate/f77973b0-e341-46cc-bc9f-89fa245ebf57" -> null
        id                = "arn:aws:elasticloadbalancing:us-east-1:xxxxx:listener/app/xxxxx/2d484302d6119bb8/a27d94db49e829f4"
      ~ protocol          = "HTTPS" -> "HTTP"
        tags              = {}
        # (5 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
╷
│ Warning: Resource targeting is in effect
│ 
│ You are creating a plan with the -target option, which means that the result of this plan may not represent all of the changes requested by the current configuration.
│ 
│ The -target option is not for routine use, and is provided only for exceptional situations such as recovering from errors or mistakes, or when Terraform specifically suggests to use it as part of an error message.
╵
╷
│ Warning: Provider aws is undefined
│ 
│   on ses_accounts.tf line 4, in module "ses_user_region_1":
│    4:     aws = aws.region_1
│ 
│ Module module.ses_user_region_1 does not declare a provider named aws.
│ If you wish to specify a provider configuration for the module, add an entry for aws in the required_providers block within the module.
│ 
│ (and 7 more similar warnings elsewhere)
╵

Do you want to perform these actions in workspace "xxxxx"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.xxxx.aws_lb_listener.alb: Modifying... [id=arn:aws:elasticloadbalancing:us-east-1:xxxx:listener/app/xxxxx/2d484302d6119bb8/a27d94db49e829f4]
╷
│ Warning: Applied changes may be incomplete
│ 
│ The plan was created with the -target option in effect, so some changes requested in the configuration may have been ignored and the output values may not be fully updated. Run the following command to verify that no other changes are pending:
│     terraform plan
│   
│ Note that the -target option is not suitable for routine use, and is provided only for exceptional situations such as recovering from errors or mistakes, or when Terraform specifically suggests to use it as part of an error message.
╵
╷
│ Error: error modifying ELBv2 Listener (arn:aws:elasticloadbalancing:us-east-1:xxxxx:listener/app/xxxxx/2d484302d6119bb8/a27d94db49e829f4): ValidationError: An SSL policy cannot be specifed for HTTP listeners
│   status code: 400, request id: 7ae16209-9f10-4948-ba4c-74b712b23deb
│ 
│   with module.xxxx.aws_lb_listener.alb,
│   on .terraform/modulesxxxx/elb.tf line 24, in resource "aws_lb_listener" "alb":
│   24: resource "aws_lb_listener" "alb" {
│ 
╵

Terraform is not clearing the ssl_policy of the listener even though it should. Code snippet below. You can see in the plan above it clears the certificate ARN, but not the SSL policy.

resource "aws_lb_listener" "alb" {
  load_balancer_arn = aws_lb.alb.id
  port              = var.service_port
  protocol          = var.service_protocol
  ssl_policy        = var.service_protocol == "HTTPS" ? var.tls_policy : null
  certificate_arn   = var.service_protocol == "HTTPS" ? aws_acm_certificate_validation.alb.certificate_arn : null
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.alb.id
  }
}
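
As an added example (not code from the issue reporters or from the provider), the configuration below combines the conditional `ssl_policy`/`certificate_arn` pattern from the snippet above with a `lifecycle` rule that forces the listener to be replaced whenever its protocol changes. That is the behaviour the original report expected, and it sidesteps the in-place ModifyListener call that fails on the stale SSL policy. It assumes Terraform 1.4 or later (for the `terraform_data` resource); the variable names and the `aws_lb_target_group.tg` resource are hypothetical, and the `ELBSecurityPolicy-2016-08` value is taken from the plan output earlier in this thread.

```hcl
# Added example, not from the issue or the provider. Assumes Terraform >= 1.4
# (terraform_data) and the hypothetical variables/resources declared here.

variable "load_balancer_arn" {
  type = string
}

variable "listener_protocol" {
  type    = string
  default = "HTTPS"

  validation {
    condition     = contains(["HTTP", "HTTPS"], var.listener_protocol)
    error_message = "listener_protocol must be HTTP or HTTPS."
  }
}

variable "listener_port" {
  type    = number
  default = 443
}

# ACM certificate ARN; only meaningful for HTTPS listeners.
variable "acm_arn" {
  type    = string
  default = null
}

# Policy name taken from the plan output in this thread.
variable "tls_policy" {
  type    = string
  default = "ELBSecurityPolicy-2016-08"
}

# Records the protocol in state. Any change to `input` updates this resource,
# which the lifecycle rule below uses as a replacement trigger.
resource "terraform_data" "listener_protocol" {
  input = var.listener_protocol
}

resource "aws_lb_listener" "listener" {
  load_balancer_arn = var.load_balancer_arn
  port              = var.listener_port
  protocol          = var.listener_protocol

  # The ELBv2 API rejects an SSL policy or certificate on an HTTP listener
  # (ValidationError), so both are null unless the listener is HTTPS.
  ssl_policy      = var.listener_protocol == "HTTPS" ? var.tls_policy : null
  certificate_arn = var.listener_protocol == "HTTPS" ? var.acm_arn : null

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.tg.arn
  }

  lifecycle {
    # Destroy and recreate the listener when the tracked protocol changes,
    # instead of attempting the in-place update that leaves ssl_policy set.
    replace_triggered_by = [terraform_data.listener_protocol]
  }
}
```

With this in place, changing `listener_protocol` from `HTTPS` to `HTTP` plans a destroy-and-create of the listener rather than an update. On Terraform versions that predate `terraform_data`, the one-off equivalent of the taint workaround mentioned in the report is `terraform apply -replace=aws_lb_listener.listener` (available since Terraform 0.15.2).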

scastria commented 1 year ago

This is still present in v4.67.0

anywhereiromy commented 1 month ago

Still an issue

amontalban commented 1 month ago

Just faced #7367