hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Cannot import alb listener: incorrectly claims invalid arn #11718

Open Ezward opened 4 years ago

Ezward commented 4 years ago

I'm trying to import an existing alb listener into my terraform state. I've successfully initialized the state. I can plan against this state and it looks correct. I need to import that alb listener because it already exists (my plan shows it being added, but that fails because it already exists). In the code below I've obfuscated my account id.

terraform import aws_alb_listener.server_80 "arn:aws:elasticloadbalancing:us-west-2:XXXXXXXXX:listener/app/june-ota-server-prod/200823d67612a997/43d40dbedf34579b"
aws_alb_listener.server_80: Importing from ID "arn:aws:elasticloadbalancing:us-west-2:XXXXXXXXX:listener/app/june-ota-server-prod/200823d67612a997/43d40dbedf34579b"...
aws_alb_listener.server_80: Import prepared!
  Prepared aws_alb_listener for import
aws_alb_listener.server_80: Refreshing state... [id=arn:aws:elasticloadbalancing:us-west-2:XXXXXXXXX:listener/app/june-ota-server-prod/200823d67612a997/43d40dbedf34579b]

Error: Error retrieving Listener: ValidationError: 'arn:aws:elasticloadbalancing:us-west-2:XXXXXXXXX:listener/app/june-ota-server-prod/200823d67612a997/43d40dbedf34579b' is not a valid listener ARN
    status code: 400, request id: 75e98b1e-c5b6-4846-b643-da664f01e284

I can describe the existing alb listener using the aws cli and that arn:

aws elbv2 describe-listeners --listener-arns arn:aws:elasticloadbalancing:us-west-2:XXXXXXXXX:listener/app/june-ota-server-prod/200823d67612a997/43d40dbedf34579b
{
    "Listeners": [
        {
            "ListenerArn": "arn:aws:elasticloadbalancing:us-west-2:XXXXXXXXX:listener/app/june-ota-server-prod/200823d67612a997/43d40dbedf34579b",
            "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-west-2:XXXXXXXXX:loadbalancer/app/june-ota-server-prod/200823d67612a997",
            "Port": 80,
            "Protocol": "HTTP",
            "DefaultActions": [
                {
                    "Type": "forward",
                    "TargetGroupArn": "arn:aws:elasticloadbalancing:us-west-2:XXXXXXXXX:targetgroup/june-ota-server-prod/dff38229c82b51ab",
                    "Order": 1,
                    "ForwardConfig": {
                        "TargetGroups": [
                            {
                                "TargetGroupArn": "arn:aws:elasticloadbalancing:us-west-2:XXXXXXXXX:targetgroup/june-ota-server-prod/dff38229c82b51ab",
                                "Weight": 1
                            }
                        ],
                        "TargetGroupStickinessConfig": {
                            "Enabled": false
                        }
                    }
                }
            ]
        }
    ]
}

I use a single provider. I use a single region. I use two aws accounts, but not in the same state. I know this state is clearly pointing to the correct backend based on the output of plan.

Community Note

Terraform Version

Terraform v0.12.18
+ provider.aws v2.45.0
+ provider.template v2.1.2

Affected Resource(s)

Terraform Configuration Files

I've tried with this:

resource "aws_alb_listener" "server_80" {
    load_balancer_arn = "${aws_alb.server.arn}"
    port = "80"
    protocol = "HTTP"

    default_action {
        type = "redirect"

        redirect {
            port = "443"
            protocol = "HTTPS"
            status_code = "HTTP_301"
        }
    }
}

and with this:

resource "aws_alb_listener" "server_80" {
}

Debug Output

terraform import aws_alb_listener.server_80 "arn:aws:elasticloadbalancing:us-west-2:XXXXXXXXX:listener/app/june-ota-server-prod/200823d67612a997/43d40dbedf34579b"
aws_alb_listener.server_80: Importing from ID "arn:aws:elasticloadbalancing:us-west-2:XXXXXXXXX:listener/app/june-ota-server-prod/200823d67612a997/43d40dbedf34579b"...
aws_alb_listener.server_80: Import prepared!
  Prepared aws_alb_listener for import
aws_alb_listener.server_80: Refreshing state... [id=arn:aws:elasticloadbalancing:us-west-2:XXXXXXXXX:listener/app/june-ota-server-prod/200823d67612a997/43d40dbedf34579b]

Error: Error retrieving Listener: ValidationError: 'arn:aws:elasticloadbalancing:us-west-2:XXXXXXXXX:listener/app/june-ota-server-prod/200823d67612a997/43d40dbedf34579b' is not a valid listener ARN
    status code: 400, request id: 75e98b1e-c5b6-4846-b643-da664f01e284

Expected Behavior

It should import the aws_alb_listener into the state.

Actual Behavior

It did not import the aws_alb_listener into the state, but rather said the arn was invalid (which it is not). See Debug Output section.

Steps to Reproduce

Here, substitute a valid alb arn.

  1. terraform import aws_alb_listener.server_80 "arn:aws:elasticloadbalancing:us-west-2:XXXXXXXXX:listener/app/june-ota-server-prod/200823d67612a997/43d40dbedf34579b"

fabiojvalente commented 4 years ago

Updating from 0.11 to 0.12.17 "solved" it for me

ketzacoatl commented 4 years ago

FWIW, I've seen this on v0.12.26 and 2.67 of the AWS provider. I've also seen this same type of error on both listeners as well as the aws_lb resource. Both had very valid ARNs and were tracked in another Terraform project without issue.

ketzacoatl commented 4 years ago

FWIW, I've seen this on v0.12.26 and 2.67 of the AWS provider. I've also seen this same type of error on both listeners as well as the aws_lb resource. Both had very valid ARNs and were tracked in another Terraform project without issue.

I was able to work around the block with tf import by using tf state mv -state-out to-move.json in one project and tf state pull > to-update.json, and then manually merging the resource in to-move.json with the state in to-update.json. Be sure to bump the serial int in to-update.json. Then overwrite the project state (where you want to import the listener) with tf state push to-update.json. Obviously, this is manual, error-prone, and could ruin your life, so YMMV.
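
The manual merge described in the comment above, as an added sketch that is not part of the thread or of Terraform itself: it refuses to merge when a resource address is already tracked and bumps `serial` as the comment advises. It assumes the version 4 state layout (top-level `serial` and `resources`); the two dictionaries are constructed stand-ins for `to-update.json` and `to-move.json`.

```python
import copy
import json

# Constructed stand-ins for the two files named in the comment above.
TO_UPDATE = {"version": 4, "terraform_version": "0.12.26", "serial": 7,
             "lineage": "constructed-lineage-a", "outputs": {}, "resources": []}
TO_MOVE = {"version": 4, "terraform_version": "0.12.26", "serial": 1,
           "lineage": "constructed-lineage-b", "outputs": {},
           "resources": [{"mode": "managed", "type": "aws_alb_listener",
                          "name": "server_80", "provider": "provider.aws",
                          "instances": [{"schema_version": 0,
                                         "attributes": {"port": 80}}]}]}


def address(res):
    """Resource address as Terraform prints it, e.g. aws_alb_listener.server_80."""
    parts = [res["module"]] if res.get("module") else []
    if res.get("mode") == "data":
        parts.append("data")
    return ".".join(parts + [res["type"], res["name"]])


def merge_state(target, source):
    """Copy of `target` with `source`'s resources appended and the serial bumped."""
    if target.get("version") != source.get("version"):
        raise ValueError("state format versions differ; refusing to merge")
    tracked = {address(r) for r in target.get("resources", [])}
    clash = sorted(address(r) for r in source.get("resources", [])
                   if address(r) in tracked)
    if clash:
        raise ValueError("already tracked in target: " + ", ".join(clash))
    merged = copy.deepcopy(target)  # keeps the target's lineage
    merged.setdefault("resources", []).extend(
        copy.deepcopy(source.get("resources", [])))
    merged["serial"] = target["serial"] + 1  # bump, as the comment advises
    return merged


if __name__ == "__main__":
    print(json.dumps(merge_state(TO_UPDATE, TO_MOVE), indent=2))
```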

justinretzolk commented 3 years ago

Hey y'all 👋 Thank you for taking the time to file this issue and for the continued discussion around it! Given that there's been a number of AWS provider releases since the last update, can anyone confirm whether you're still experiencing this behavior?

leeelcocks commented 2 years ago

Hi, I am getting this exact issue with provider version 3.68.0 and terraform v 1.0.10

nullbytesoftware commented 2 years ago

Having the same error in terraform v1.1.7 and aws provider v4.2.0

nullbytesoftware commented 2 years ago

I found the issue. After running apply with TF_LOG=DEBUG I noticed that I was getting a 403 response with the error

xxxxx is not authorized to perform: elasticloadbalancing:AddTags on resource

I removed tags = {Environment = "production"} from my aws_lb resource block and now it works.

The error was misleading.

Mark-Smithh commented 2 years ago

I agree with nullbytesoftware. The error is misleading. After running with TF_LOG=DEBUG I saw the message

HTTP/1.1 403 Forbidden ...
<Message>xxx is not authorized to perform: elasticloadbalancing:RemoveTags 

After manually removing the ALB tags and running apply it worked as expected.
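
A way to pull the IAM denials reported in the two comments above out of a `TF_LOG=DEBUG` capture, so the missing permission is visible even when the surfaced error is a ValidationError. This is an added example, not code from the thread or the provider. The log lines are constructed, the account ID and names are placeholders, and the `User:` prefix and `on resource: <arn>` tail are assumptions about the untruncated message.

```python
import re

# Denial text as quoted in the comments above; the optional resource tail
# is an assumption about the full, untruncated message.
DENIED = re.compile(
    r"(?P<who>[^\s<>]+) is not authorized to perform: "
    r"(?P<action>[\w-]+:[\w*]+)(?: on resource:? ?(?P<res>arn:[^\s<]+))?"
)

# Constructed sample of TF_LOG=DEBUG output (placeholders throughout).
SAMPLE_LOG = """\
2022/03/01 10:00:01 [DEBUG] HTTP/1.1 403 Forbidden
<Message>User: arn:aws:iam::123456789012:user/ci is not authorized to perform: elasticloadbalancing:AddTags on resource: arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/example/0123456789abcdef</Message>
2022/03/01 10:00:02 [DEBUG] HTTP/1.1 403 Forbidden
<Message>xxx is not authorized to perform: elasticloadbalancing:RemoveTags
Error: Error retrieving Listener: ValidationError: '<listener-arn>' is not a valid listener ARN
"""


def denied_actions(log_text):
    """Return {action: {"principals": set, "resources": set}} for each IAM denial."""
    out = {}
    for m in DENIED.finditer(log_text):
        entry = out.setdefault(m["action"], {"principals": set(), "resources": set()})
        entry["principals"].add(m["who"])
        if m["res"]:
            entry["resources"].add(m["res"])
    return out


def triage(log_text):
    """One line per denied action, plus a note when a ValidationError was surfaced."""
    denials = denied_actions(log_text)
    lines = []
    for action in sorted(denials):
        d = denials[action]
        scope = ", ".join(sorted(d["resources"])) or "resource not shown in log"
        who = ", ".join(sorted(d["principals"]))
        lines.append(f"{action} denied for {who} on {scope}")
    if denials and "ValidationError" in log_text:
        lines.append("ValidationError reported alongside IAM denials: check permissions first")
    return lines


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG)))
```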

github-actions[bot] commented 2 days ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!