Replaced cert on LB listener still keeps previous cert association on LB

[nitrocode]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

⨠ terraform -chdir=components/terraform/acm version
Terraform v1.2.3
on linux_amd64
+ provider registry.terraform.io/cloudposse/utils v0.17.26
+ provider registry.terraform.io/hashicorp/aws v4.21.0
+ provider registry.terraform.io/hashicorp/external v2.2.2
+ provider registry.terraform.io/hashicorp/local v2.2.3

Affected Resource(s)

• aws_lb_listener
• aws_lb

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_lb_listener" "https" {
  certificate_arn = "arn:aws:acm:us-east-1:<redacted>:certificate/<redacted>"
}

Debug Output

N/A

Panic Output

N/A

Expected Behavior

The cert should be replaced on the listener and the old referenced SNI should be removed so the old cert can be removed.

Actual Behavior

The cert was replaced on the listener and the old referenced SNI remained. This then required me to clickops delete the SNI from each load balancer in order to get the old cert to be unassociated so the old cert could be removed.

Steps to Reproduce

1. terraform apply

Important Factoids

I'm unsure if the API supports this.

From the aws elbv2 modify-listener documentation, it looks like the --certificates can be used to replace all of the SNI certs and set one as the default. I'd prefer if we could keep the --certificates as a single cert. I suppose this would point to the aws_lb resource.

References

• Similar to https://github.com/hashicorp/terraform-provider-aws/issues/8620

[pmozdzynskiwh]

same issue noticed during the certificate replacement. ( new ARN )

[VuxLuan]

I have the same issue, is there any way to fix it?

[pmozdzynskiwh]

@VuxLuan - basically the default ( main ) certificate that was previously there was moved from default to be a listener certificate. You can delete this old certificate.

the "describe-listeners" API call only shows the DEFAULT NLB certificate in use by the listeners. That API call does Not show the additional "Listener certificates for SNI" in use by the Listener. To get a list of all the certificates being used, use the API call "describe-listener-certificates" instead. In order to remove the non-default certificates on the Listeners, use the command "remove-listener-certificates". It takes in the Listener ARN & the certificate ARN as the inputs.

Alternatively, you can also remove the non-default certificates on the console by following the procedure below: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/listener-update-certificates.html#remove-certificates

[htgold]

@pmozdzynskiwh - Sure, doing this manually after running "terraform apply" is one way to do it, but I think we're all looking for a way to have terraform do it for us. I work in a system that requires separation of duties, so being able to script the deployment manager's operations is preferred.

[mobious999]

I just ran into this issue as well. Is there any progress on this?

[jakauppila]

We're running into this issue as well as we're migrating from ACM-imported certificates to Public ACM-issued certificates.

Would love to have a solution for it.