hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Enhancement]: Elastic Beanstalk `SSLCertificateId` environment setting is not checked if appropriate for namespace #32406

Open ogoding opened 1 year ago

ogoding commented 1 year ago

Terraform Core Version

1.2.1

AWS Provider Version

4.67.0

Affected Resource(s)

aws_elastic_beanstalk_environment

Expected Behavior

Terraform would throw an error when SSLCertificateId is not specified while aws:elb:listener:443 settings are specified, as well as prevent SSLCertificateId from being specified for the aws:elb:listener namespace.

Actual Behavior

  1. The following HTTPS ELB listener setting specified in ElasticBeanstalk Environment:
  2. ElasticBeanstalk environment updated by running terraform apply
  3. Environment updated without error
  4. ElasticBeanstalk environment updated via AWS web console (e.g. min/max instance capacity)
  5. AWS web console displays error (see below) no matter the change and rejects change

Relevant Error/Panic Output Snippet

```text
# Elastic Beanstalk Terraform settings that cause the problem:
setting {
  namespace = "aws:elb:listener"
  name      = "ListenerProtocol"
  value     = "HTTPS"
}
setting {
  namespace = "aws:elb:listener"
  name      = "SSLCertificateId"
  value     = "<certificate_ARN>"
}
# AWS Web Console error no matter how the environment is updated:
"Invalid option value: 'aws:elb:listener:443' (Namespace: 'aws:elb:listener:443', OptionName: 'ListenerProtocol'): Secure Listeners need to specify a SSLCertificateId"
```

Terraform Configuration Files

```hcl
resource "aws_elastic_beanstalk_environment" "tfenvtest" {
  name = "tf-test-name"
  setting {
    namespace = "aws:elb:listener:443"
    name      = "InstanceProtocol"
    value     = "HTTP"
  }
  setting {
    namespace = "aws:elb:listener:443"
    name      = "InstancePort"
    value     = "8080"
  }
  setting {
    namespace = "aws:elb:listener:443"
    name      = "ListenerProtocol"
    value     = "HTTPS"
  }
  # Add the SSLCertificateId option as well when specifying the ListenerProtocol option name.
  setting {
    namespace = "aws:elb:listener:443"
    name      = "SSLCertificateId"
    value     = "<certificate_ARN>"
  }
}
```

Steps to Reproduce

  1. Create a test certificate (manually or via aws_acm_certificate)
  2. Use the above minimal aws_elastic_beanstalk_environment snippet to create a new beanstalk stack
  3. Once created modify any setting in the new environment via the AWS web console
  4. Verify whether configuration has changed

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

justinretzolk commented 1 year ago

Hey @ogoding 👋 Thank you for taking the time to raise this! I'm not certain that this is behavior that the provider can validate at runtime, but will leave this request open as an enhancement so that one of the maintainers may verify my thoughts.

ogoding commented 1 year ago

Hey @justinretzolk, so sorry for taking so long to respond. Thanks for taking the time to read it and update the issue to an Enhancement.

I'm not particularly familiar with golang or the codebase; however, I did find this line in environment.go that seems to do some sort of EB setting error checking. If I can help at all I'd be happy to, as it was a nasty gotcha to encounter, and hopefully preventing it will save others until Elastic Beanstalk starts rejecting the setting combination directly.
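The two checks the issue asks for, written as a stand-alone Go function as an added example (not code from the provider or from the issue author): it rejects SSLCertificateId in the port-less aws:elb:listener namespace and requires a non-empty SSLCertificateId wherever an aws:elb:listener:<port> namespace declares an HTTPS or SSL ListenerProtocol. The Setting type and the function name are hypothetical; the input in main is constructed to mirror the settings the issue reports.

```go
package main

import (
	"fmt"
	"strings"
)

// Setting mirrors one aws_elastic_beanstalk_environment "setting" block
// (hypothetical type for this example, not the provider's own).
type Setting struct{ Namespace, Name, Value string }

// ValidateELBListenerSettings applies the two checks requested in the issue:
// SSLCertificateId is rejected in the port-less aws:elb:listener namespace, and a
// secure listener (ListenerProtocol HTTPS or SSL under aws:elb:listener:<port>)
// must carry a non-empty SSLCertificateId in that same namespace.
// It returns one message per violation, in input order, or nil when all pass.
func ValidateELBListenerSettings(settings []Setting) []string {
	var errs, secureNS []string
	hasCert := map[string]bool{} // namespace -> non-empty SSLCertificateId seen
	for _, s := range settings {
		if s.Namespace == "aws:elb:listener" && s.Name == "SSLCertificateId" {
			errs = append(errs, "aws:elb:listener: SSLCertificateId belongs in aws:elb:listener:<port>")
			continue
		}
		if !strings.HasPrefix(s.Namespace, "aws:elb:listener:") {
			continue
		}
		switch s.Name {
		case "ListenerProtocol":
			if p := strings.ToUpper(s.Value); p == "HTTPS" || p == "SSL" {
				secureNS = append(secureNS, s.Namespace)
			}
		case "SSLCertificateId":
			hasCert[s.Namespace] = strings.TrimSpace(s.Value) != ""
		}
	}
	for _, ns := range secureNS {
		if !hasCert[ns] {
			errs = append(errs, ns+": secure listener requires SSLCertificateId in the same namespace")
		}
	}
	return errs
}

func main() {
	// Constructed input mirroring the issue: certificate in the wrong namespace.
	fmt.Println(ValidateELBListenerSettings([]Setting{
		{"aws:elb:listener", "SSLCertificateId", "<certificate_ARN>"},
		{"aws:elb:listener:443", "ListenerProtocol", "HTTPS"},
	}))
}
```

Run as a plan-time check, this catches the combination the console rejects before terraform apply reports success.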