Customer reports possible variant of #1923 specific to ListenerCertificate.
Prerequisites:
Ability to create DNS CNAME for certificate. This is outside the scope of this issue. The issue assumes the CNAME is already created and valid for the DomainName in question.
The DomainName will not change throughout this issue repro.
Steps to reproduce:
pulumi up the sample program. Note this may require multiple ups depending on whether the DNS CNAME for the certificate is already created and correct and how long the validation takes.
Verify the Certificate is attached to the Listener under "Listener certificates for SNI".
Change the logical name of the ListenerCertificate:
var exampleListenerCertificate = new Aws.LB.ListenerCertificate("example", new()
to
var exampleListenerCertificate = new Aws.LB.ListenerCertificate("example-chg", new()
Perform a pulumi up
     Type                            Name                Status
     pulumi:pulumi:Stack             aws-cs-scratch-dev
 +   ├─ aws:lb:ListenerCertificate   example-chg         created (0.57s)
 -   └─ aws:lb:ListenerCertificate   example             deleted (0.22s)

Resources:
    + 1 created
    - 1 deleted
    2 changes. 38 unchanged

Duration: 8s
Verify the Certificate is attached to the Listener under "Listener certificates for SNI".
Expected Behavior:
The ListenerCertificate is attached to the Listener.
Actual Behavior:
The pulumi up succeeds; however, the ListenerCertificate is not attached to the Listener. A pulumi refresh followed by a pulumi up is required for the Certificate to be reattached under "Listener certificates for SNI".
Sample program
using Pulumi.Aws.Acm;   // CertificateArgs
using Pulumi.Aws.LB;    // ListenerArgs
using Pulumi.Awsx.Ec2;  // Vpc
using Aws = Pulumi.Aws;

// The statements below belong inside the program's Pulumi entry point.
var vpc = new Vpc("scratch-vpc");

// DNS-validated ACM certificate; the validation CNAME is assumed to exist already.
var primaryCert = new Aws.Acm.Certificate("example", new CertificateArgs
{
    DomainName = "www.mycompany.com",
    ValidationMethod = "DNS",
    KeyAlgorithm = "RSA_2048",
    ValidationOptions = new[]
    {
        new Aws.Acm.Inputs.CertificateValidationOptionArgs
        {
            DomainName = "www.mycompany.com",
            ValidationDomain = "mycompany.com",
        },
    },
});

var frontEnd = new Aws.LB.LoadBalancer("front_end", new()
{
    Name = "test-lb-tf",
    Internal = false,
    LoadBalancerType = "application",
    Subnets = vpc.PrivateSubnetIds,
    EnableDeletionProtection = false
});

var frontEndTargetGroup = new Aws.LB.TargetGroup("frontend-tg", new()
{
    Name = "frontend-lb-tg",
    Port = 80,
    Protocol = "HTTP",
    VpcId = vpc.VpcId,
});

// HTTPS listener; primaryCert is its default certificate.
var frontEndListener = new Aws.LB.Listener("front_end",
    new ListenerArgs
    {
        LoadBalancerArn = frontEnd.Arn,
        Port = 443,
        Protocol = "HTTPS",
        SslPolicy = "ELBSecurityPolicy-2016-08",
        CertificateArn = primaryCert.Arn,
        DefaultActions = new[]
        {
            new Aws.LB.Inputs.ListenerDefaultActionArgs
            {
                Type = "forward",
                TargetGroupArn = frontEndTargetGroup.Arn,
            },
        },
    });

// additional cert for SNI
var exampleListenerCertificate = new Aws.LB.ListenerCertificate("example", new()
{
    ListenerArn = frontEndListener.Arn,
    CertificateArn = primaryCert.Arn,
});
Dependencies:
NAME VERSION
Pulumi 3.67.1
Pulumi.Aws 6.51.1
Pulumi.Awsx 2.14.0
Pulumi.Random 4.16.4
Additional context
No response
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
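The "verify the Certificate is attached" step from the repro above can be automated as a drift check. This is an added example, not code from the issue or from the Pulumi project: it compares the ListenerCertificate resources recorded in a `pulumi stack export` document with the output of `aws elbv2 describe-listener-certificates` for each listener. The function names, ARNs and sample documents are constructed for illustration.

```python
LC_TYPE = "aws:lb/listenerCertificate:ListenerCertificate"

def recorded_attachments(stack_export):
    """Yield (urn, listener_arn, cert_arn) for each ListenerCertificate in Pulumi state."""
    for res in stack_export["deployment"]["resources"]:
        if res.get("type") == LC_TYPE:
            out = res.get("outputs", {})
            yield res["urn"], out["listenerArn"], out["certificateArn"]

def sni_certs(describe_output):
    """Certificate ARNs in the listener's SNI list (entries with IsDefault false).

    A default certificate that is also in the SNI list is reported twice, once
    per IsDefault value, so the default entry alone does not count as attached.
    """
    return {c["CertificateArn"] for c in describe_output.get("Certificates", [])
            if not c.get("IsDefault", False)}

def detached(stack_export, live_by_listener):
    """URNs that state records as attached but the live listener does not carry."""
    missing = []
    for urn, listener_arn, cert_arn in recorded_attachments(stack_export):
        if cert_arn not in sni_certs(live_by_listener.get(listener_arn, {})):
            missing.append(urn)
    return missing

# Constructed sample data (placeholder account id and resource ids).
LISTENER = "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/test-lb-tf/EXAMPLE/EXAMPLE"
CERT = "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE"
STATE = {"version": 3, "deployment": {"resources": [
    {"urn": "urn:pulumi:dev::aws-cs-scratch::aws:lb/listener:Listener::front_end",
     "type": "aws:lb/listener:Listener", "outputs": {"arn": LISTENER}},
    {"urn": "urn:pulumi:dev::aws-cs-scratch::aws:lb/listenerCertificate:ListenerCertificate::example-chg",
     "type": LC_TYPE, "outputs": {"listenerArn": LISTENER, "certificateArn": CERT}},
]}}
# Live listener right after the rename: only the default entry is left.
AFTER_RENAME = {LISTENER: {"Certificates": [
    {"CertificateArn": CERT, "IsDefault": True}]}}
# Live listener after pulumi refresh followed by pulumi up: SNI entry is back.
AFTER_REFRESH_UP = {LISTENER: {"Certificates": [
    {"CertificateArn": CERT, "IsDefault": True},
    {"CertificateArn": CERT, "IsDefault": False}]}}

if __name__ == "__main__":
    print("after rename:    ", detached(STATE, AFTER_RENAME))
    print("after refresh+up:", detached(STATE, AFTER_REFRESH_UP))
```

Run as a post-deploy gate, a non-empty result means the stack reports success while the listener no longer serves the SNI certificate.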
I've been able to reproduce this as well and it does look to be the same issue as #1923. The only available workarounds are also the same as in that issue:
Log output
No response
Affected Resource(s)
Aws.Acm.Certificate
Aws.LB.Listener
Aws.LB.ListenerCertificate
Output of pulumi about
CLI
Version      3.133.0
Go Version   go1.23.1
Go Compiler  gc
Plugins
KIND      NAME    VERSION
resource  aws     6.51.1
resource  awsx    2.14.0
resource  docker  4.5.5
language  dotnet  unknown
resource  random  4.16.4
Host
OS       darwin
Version  14.6.1
Arch     arm64
This project is written in dotnet: executable='/Users/rsmith/.dotnet/dotnet' version='8.0.302'
Current Stack: rsmith-pulumi-corp/aws-cs-scratch/dev
Found no pending operations associated with dev
Backend
Name           pulumi.com
URL            https://app.pulumi.com/rsmith-pulumi-corp
User           rsmith-pulumi-corp
Organizations  rsmith-pulumi-corp
Token type     personal