pulumi / pulumi-aws

An Amazon Web Services (AWS) Pulumi resource package, providing multi-language access to AWS
Apache License 2.0

ListenerCertificate logical name change may not always re-attach to Listener #4468

Open smithrobs opened 2 months ago

smithrobs commented 2 months ago

Describe what happened

Customer reports possible variant of #1923 specific to ListenerCertificate.

Prerequisites:

Steps to reproduce:

  1. pulumi up the sample program. Note this may require multiple ups depending on whether the DNS CNAME for the certificate is already created and correct and how long the validation takes.
  2. Verify the Certificate is attached to the Listener under "Listener certificates for SNI".
  3. Change the logical name of the ListenerCertificate from
         var exampleListenerCertificate = new Aws.LB.ListenerCertificate("example", new()
     to
         var exampleListenerCertificate = new Aws.LB.ListenerCertificate("example-chg", new()
  4. Perform a pulumi up:

         Type                           Name                Status
         pulumi:pulumi:Stack            aws-cs-scratch-dev
     +   ├─ aws:lb:ListenerCertificate  example-chg         created (0.57s)
     -   └─ aws:lb:ListenerCertificate  example             deleted (0.22s)

     Resources:
         + 1 created
         - 1 deleted
         2 changes. 38 unchanged

     Duration: 8s

  5. Verify the Certificate is attached to the Listener under "Listener certificates for SNI".

Expected Behavior:

The ListenerCertificate is attached to the Listener.

Actual Behavior:

The pulumi up succeeds; however, the ListenerCertificate is not attached to the Listener. A pulumi refresh followed by a pulumi up is required for the Certificate to be reattached under "Listener certificates for SNI".

Sample program

using System.Collections.Generic;
using Pulumi;
using Aws = Pulumi.Aws;
using Awsx = Pulumi.Awsx;

return await Deployment.RunAsync(() =>
{
    // awsx VPC with public and private subnets; the DNS validation record and the
    // CertificateValidation resource are not shown here, which is why step 1 may
    // need more than one pulumi up
    var vpc = new Awsx.Ec2.Vpc("scratch-vpc");

    var primaryCert = new Aws.Acm.Certificate("example", new()
    {
        DomainName = "www.mycompany.com",
        ValidationMethod = "DNS",
        KeyAlgorithm = "RSA_2048",
        ValidationOptions = new[]
        {
            new Aws.Acm.Inputs.CertificateValidationOptionArgs
            {
                DomainName = "www.mycompany.com",
                ValidationDomain = "mycompany.com",
            },
        },
    });

    var frontEnd = new Aws.LB.LoadBalancer("front_end", new()
    {
        Name = "test-lb-tf",
        Internal = false,
        LoadBalancerType = "application",
        // an internet-facing ALB would normally use vpc.PublicSubnetIds; kept as
        // the reporter posted it, since the reproduction is about the listener
        // certificate rather than reachability of the load balancer
        Subnets = vpc.PrivateSubnetIds,
        EnableDeletionProtection = false,
    });

    var frontEndTargetGroup = new Aws.LB.TargetGroup("frontend-tg", new()
    {
        Name = "frontend-lb-tg",
        Port = 80,
        Protocol = "HTTP",
        VpcId = vpc.VpcId,
    });

    // HTTPS listener; primaryCert is its default certificate
    var frontEndListener = new Aws.LB.Listener("front_end", new()
    {
        LoadBalancerArn = frontEnd.Arn,
        Port = 443,
        Protocol = "HTTPS",
        SslPolicy = "ELBSecurityPolicy-2016-08",
        CertificateArn = primaryCert.Arn,
        DefaultActions = new[]
        {
            new Aws.LB.Inputs.ListenerDefaultActionArgs
            {
                Type = "forward",
                TargetGroupArn = frontEndTargetGroup.Arn,
            },
        },
    });

    // additional cert for SNI; renaming this logical name ("example" -> "example-chg")
    // is step 3 of the reproduction
    var exampleListenerCertificate = new Aws.LB.ListenerCertificate("example", new()
    {
        ListenerArn = frontEndListener.Arn,
        CertificateArn = primaryCert.Arn,
    });

    return new Dictionary<string, object?>
    {
        ["listenerArn"] = frontEndListener.Arn,
        ["certificateArn"] = primaryCert.Arn,
    };
});

Log output

No response

Affected Resource(s)

Aws.Acm.Certificate, Aws.LB.Listener, Aws.LB.ListenerCertificate

Output of pulumi about

CLI
Version      3.133.0
Go Version   go1.23.1
Go Compiler  gc

Plugins
KIND      NAME    VERSION
resource  aws     6.51.1
resource  awsx    2.14.0
resource  docker  4.5.5
language  dotnet  unknown
resource  random  4.16.4

Host
OS       darwin
Version  14.6.1
Arch     arm64

This project is written in dotnet: executable='/Users/rsmith/.dotnet/dotnet' version='8.0.302'

Current Stack: rsmith-pulumi-corp/aws-cs-scratch/dev

TYPE                                                 URN
pulumi:pulumi:Stack                                  urn:pulumi:dev::aws-cs-scratch::pulumi:pulumi:Stack::aws-cs-scratch-dev
pulumi:providers:awsx                                urn:pulumi:dev::aws-cs-scratch::pulumi:providers:awsx::default_2_14_0
awsx:ec2:Vpc                                         urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc::scratch-vpc
pulumi:providers:aws                                 urn:pulumi:dev::aws-cs-scratch::pulumi:providers:aws::default_6_51_1
aws:acm/certificate:Certificate                      urn:pulumi:dev::aws-cs-scratch::aws:acm/certificate:Certificate::example
pulumi:providers:aws                                 urn:pulumi:dev::aws-cs-scratch::pulumi:providers:aws::default_6_47_0
aws:acm/certificateValidation:CertificateValidation  urn:pulumi:dev::aws-cs-scratch::aws:acm/certificateValidation:CertificateValidation::example
aws:ec2/vpc:Vpc                                      urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc::scratch-vpc
aws:ec2/subnet:Subnet                                urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::scratch-vpc-private-1
aws:ec2/subnet:Subnet                                urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::scratch-vpc-private-3
aws:ec2/subnet:Subnet                                urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::scratch-vpc-private-2
aws:ec2/subnet:Subnet                                urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::scratch-vpc-public-3
aws:ec2/subnet:Subnet                                urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::scratch-vpc-public-2
aws:ec2/internetGateway:InternetGateway              urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/internetGateway:InternetGateway::scratch-vpc
aws:ec2/subnet:Subnet                                urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::scratch-vpc-public-1
aws:ec2/routeTable:RouteTable                        urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable::scratch-vpc-private-1
aws:ec2/routeTable:RouteTable                        urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable::scratch-vpc-private-3
aws:ec2/routeTable:RouteTable                        urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable::scratch-vpc-private-2
aws:ec2/routeTable:RouteTable                        urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable::scratch-vpc-public-3
aws:ec2/eip:Eip                                      urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/eip:Eip::scratch-vpc-3
aws:ec2/routeTable:RouteTable                        urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable::scratch-vpc-public-2
aws:ec2/eip:Eip                                      urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/eip:Eip::scratch-vpc-2
aws:ec2/eip:Eip                                      urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/eip:Eip::scratch-vpc-1
aws:ec2/routeTable:RouteTable                        urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable::scratch-vpc-public-1
aws:ec2/routeTableAssociation:RouteTableAssociation  urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/routeTableAssociation:RouteTableAssociation::scratch-vpc-private-3
aws:ec2/routeTableAssociation:RouteTableAssociation  urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/routeTableAssociation:RouteTableAssociation::scratch-vpc-private-1
aws:ec2/routeTableAssociation:RouteTableAssociation  urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/routeTableAssociation:RouteTableAssociation::scratch-vpc-public-3
aws:ec2/routeTableAssociation:RouteTableAssociation  urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/routeTableAssociation:RouteTableAssociation::scratch-vpc-private-2
aws:ec2/route:Route                                  urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/route:Route::scratch-vpc-public-3
aws:ec2/route:Route                                  urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/route:Route::scratch-vpc-public-2
aws:ec2/natGateway:NatGateway                        urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/natGateway:NatGateway::scratch-vpc-3
aws:ec2/natGateway:NatGateway                        urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/natGateway:NatGateway::scratch-vpc-2
aws:ec2/routeTableAssociation:RouteTableAssociation  urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/routeTableAssociation:RouteTableAssociation::scratch-vpc-public-2
aws:ec2/routeTableAssociation:RouteTableAssociation  urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/routeTableAssociation:RouteTableAssociation::scratch-vpc-public-1
aws:ec2/natGateway:NatGateway                        urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/natGateway:NatGateway::scratch-vpc-1
aws:ec2/route:Route                                  urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/route:Route::scratch-vpc-public-1
aws:ec2/route:Route                                  urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/route:Route::scratch-vpc-private-3
aws:ec2/route:Route                                  urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/route:Route::scratch-vpc-private-2
aws:ec2/route:Route                                  urn:pulumi:dev::aws-cs-scratch::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/route:Route::scratch-vpc-private-1
aws:lb/loadBalancer:LoadBalancer                     urn:pulumi:dev::aws-cs-scratch::aws:lb/loadBalancer:LoadBalancer::front_end
pulumi:providers:pulumi                              urn:pulumi:dev::aws-cs-scratch::pulumi:providers:pulumi::default
aws:lb/targetGroup:TargetGroup                       urn:pulumi:dev::aws-cs-scratch::aws:lb/targetGroup:TargetGroup::frontend-tg
aws:lb/listener:Listener                             urn:pulumi:dev::aws-cs-scratch::aws:lb/listener:Listener::front_end
aws:lb/listenerCertificate:ListenerCertificate       urn:pulumi:dev::aws-cs-scratch::aws:lb/listenerCertificate:ListenerCertificate::example

Found no pending operations associated with dev

Backend
Name           pulumi.com
URL            https://app.pulumi.com/rsmith-pulumi-corp
User           rsmith-pulumi-corp
Organizations  rsmith-pulumi-corp
Token type     personal

Dependencies:
NAME           VERSION
Pulumi         3.67.1
Pulumi.Aws     6.51.1
Pulumi.Awsx    2.14.0
Pulumi.Random  4.16.4

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
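Step 5 of the reproduction above is a manual check in the console. What follows is an added example, not code from the issue or from pulumi-aws: a small .NET console program that performs the same check through the ELBv2 DescribeListenerCertificates API, so it can run as a gate after pulumi up. It assumes the AWSSDK.ElasticLoadBalancingV2 package and credentials/region from the environment; the listener ARN, the expected default certificate ARN and the expected SNI certificate ARNs are placeholders passed on the command line.

```csharp
// Added example (not part of the issue or of pulumi-aws).
// dotnet add package AWSSDK.ElasticLoadBalancingV2
// usage: dotnet run -- <listener-arn> <default-cert-arn> <sni-cert-arn> [<sni-cert-arn> ...]
// All ARNs are supplied by the caller; nothing here is hard-coded to a real account.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Amazon.ElasticLoadBalancingV2;
using Amazon.ElasticLoadBalancingV2.Model;

public static class ListenerCertCheck
{
    // Every certificate attached to the listener (the default one plus the SNI list),
    // following the Marker/NextMarker pagination of DescribeListenerCertificates.
    public static async Task<List<Certificate>> ListAttachedAsync(
        IAmazonElasticLoadBalancingV2 elb, string listenerArn)
    {
        var attached = new List<Certificate>();
        string? marker = null;
        do
        {
            var resp = await elb.DescribeListenerCertificatesAsync(new DescribeListenerCertificatesRequest
            {
                ListenerArn = listenerArn,
                Marker = marker,
            });
            if (resp.Certificates != null)
                attached.AddRange(resp.Certificates);
            marker = resp.NextMarker;
        } while (!string.IsNullOrEmpty(marker));
        return attached;
    }

    // Pure comparison, kept separate from the API call so it can be tested without AWS:
    // which expected ARNs are absent, and whether the default certificate is the intended one.
    public static (List<string> Missing, bool DefaultOk) Compare(
        IEnumerable<Certificate> attached, IEnumerable<string> expectedSni, string expectedDefault)
    {
        var list = attached.ToList();
        var arns = list.Select(c => c.CertificateArn).ToHashSet(StringComparer.Ordinal);
        var missing = expectedSni.Where(a => !arns.Contains(a)).ToList();
        var defaultOk = list.Any(c => c.IsDefault == true && c.CertificateArn == expectedDefault);
        return (missing, defaultOk);
    }

    public static async Task<int> Main(string[] args)
    {
        if (args.Length < 3)
        {
            Console.Error.WriteLine("usage: <listener-arn> <default-cert-arn> <sni-cert-arn>...");
            return 2;
        }
        var listenerArn = args[0];
        var expectedDefault = args[1];
        var expectedSni = args.Skip(2).ToList();

        using var elb = new AmazonElasticLoadBalancingV2Client();
        var attached = await ListAttachedAsync(elb, listenerArn);
        var (missing, defaultOk) = Compare(attached, expectedSni, expectedDefault);

        foreach (var c in attached)
            Console.WriteLine($"{(c.IsDefault == true ? "default" : "sni    ")} {c.CertificateArn}");
        foreach (var m in missing)
            Console.Error.WriteLine($"MISSING: {m} is not attached to {listenerArn}");
        if (!defaultOk)
            Console.Error.WriteLine($"default certificate is not {expectedDefault}");

        // Non-zero exit so a pipeline fails instead of leaving a listener that answers
        // the SNI hostnames with the wrong certificate.
        return missing.Count == 0 && defaultOk ? 0 : 1;
    }
}
```

One caveat for the reporter's exact sample: there the SNI certificate is the same ACM certificate as the listener's default, and the default is always returned by DescribeListenerCertificates, so presence in the list alone cannot tell "attached for SNI" from "only the default". The check is informative when the SNI certificates differ from the default, which is the usual production layout. The refresh-then-up workaround in "Actual Behavior" implies that pulumi refresh already notices the lost attachment, so pulumi refresh --expect-no-changes is a complementary state-level gate.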

corymhall commented 2 months ago

I've been able to reproduce this as well and it does look to be the same issue as #1923. The only available workarounds are also the same as in that issue:
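A way to perform the rename from step 3 of the reproduction without the create/delete pair, as an added example (not code from pulumi-aws, and not the workaround list from #1923, which is not reproduced on this page): the Aliases resource option tells the engine that "example-chg" is the resource that was previously named "example". The listener and certificate ARNs are read from stack config here as an assumption so that the program stands alone; in the reporter's program they would be frontEndListener.Arn and primaryCert.Arn.

```csharp
// Added example (not part of the issue or of pulumi-aws).
// Assumes two stack config values: pulumi config set listenerArn ... / certificateArn ...
using System.Collections.Generic;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    var config = new Config();
    var listenerArn = config.Require("listenerArn");
    var certificateArn = config.Require("certificateArn");

    // New logical name, with an alias to the old one. The engine then treats this as the
    // same resource rather than as "+ created" for example-chg followed by "- deleted" for
    // example, so the attachment is never removed.
    var sniCert = new Aws.LB.ListenerCertificate("example-chg", new()
    {
        ListenerArn = listenerArn,
        CertificateArn = certificateArn,
    }, new CustomResourceOptions
    {
        Aliases = { new Alias { Name = "example" } },
    });

    return new Dictionary<string, object?>
    {
        ["listenerCertificateId"] = sniCert.Id,
    };
});
```

With the alias in place, pulumi preview should show no create or delete for the ListenerCertificate, and the alias can be dropped once the renamed resource has been deployed. DeleteBeforeReplace is not a substitute: a logical-name change is not a replacement of one URN but the deletion of one resource and the creation of another, and the output in the issue shows the create running first and the delete of the old resource last. Since both logical resources resolve to the same listener/certificate pair, that final delete is what removes the attachment the create had just made.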

mjeffryes commented 1 month ago

This is blocked until we figure a strategy to resolve https://github.com/pulumi/pulumi/issues/15982