[Bug]: fails on reading ELB Listener Certificate of removed Listener during terraform plan #30489

Closed
a0s opened this issue Apr 5, 2023 · 7 comments · Fixed by #32412
Labels
bug Addresses a defect in current functionality. service/elbv2 Issues and PRs that pertain to the elbv2 service.

a0s commented Apr 5, 2023

Terraform Core Version

v1.4.2

AWS Provider Version

4.61.0

Affected Resource(s)

  • aws_lb_listener
  • aws_lb_listener_certificate

Expected Behavior

Should build terraform plan

Actual Behavior

reading ELB (Elastic Load Balancing) Listener Certificate (arn:aws:elasticloadbalancing:eu-west-1:XXXXXXXXX:listener/app/lb/7ce605a7417ed2ee/8f83743fb1281e26_arn:aws:acm:eu-west-1:XXXXXXXXX:certificate/a9e4d456-2e98-4c6f-a6d6-f3fd67564609): ListenerNotFound: One or more listeners not found

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

I am using cdktf with TypeScript; it's hard to write a simpler version of this code.
I am creating LbListenerCertificate, LbTargetGroup, LbListenerRule inside a big loop for every sub-domain in a list. Multiple LbListenerCertificate resources are linked to the same LbListener.
I am creating common LbListeners for ports 80 and 443 outside the loop. The 443 listener is linked to the ACM certificate of the sub-zone.

Steps to Reproduce

Create Listener with linked Certificate
Manually remove all listeners and target groups from LB
Run terraform plan

Debug Output

No response

Panic Output

No response

Important Factoids

How to override:

  • download terraform state
  • remove aws_lb_listener and aws_lb_listener_certificate that were already removed from aws
  • increase serial number
  • push terraform state back

References

https://www.reddit.com/r/Terraform/comments/125tsmb/error_when_applying_terraform_configuration_for

Would you like to implement a fix?

None

@a0s a0s added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Apr 5, 2023
@github-actions github-actions bot added the service/elbv2 Issues and PRs that pertain to the elbv2 service. label Apr 5, 2023
justinretzolk (Member) commented

Hey @a0s 👋 Thank you for taking the time to raise this! Am I understanding correctly that the issue here arises when you've deleted resources from the AWS console that are then left in the Terraform state? Rather than downloading the state, editing it, and pushing it back to your state storage, you should be able to use terraform state rm to remove those resources from the state.

@justinretzolk justinretzolk added waiting-response Maintainers are waiting on response from community or contributor. and removed bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Apr 27, 2023

a0s commented Apr 27, 2023

@justinretzolk

> Am I understanding correctly that the issue here arises when you've deleted resources from the AWS console that are then left in the Terraform state?

Correct. I suspect that terraform is not properly handling a 404 or similar response from the AWS API (for a nested resource) during the plan stage.

> Rather than downloading the state, editing it, and pushing it back to your state storage, you should be able to use terraform state rm to remove those resources from the state.

I keep forgetting this feature exists. Besides, if the terraform plan crashes, I won't know the id of the object I need, and in any case, I'll have to download the tf state. I also trust my hands more :)

@github-actions github-actions bot removed the waiting-response Maintainers are waiting on response from community or contributor. label Apr 27, 2023

dommcd commented Apr 28, 2023

Hey, I would like to add to this since I've run into this issue recently. I ran into the same issue with running a plan after manually deleting the listener.
My workaround was to only delete the aws_lb_listener_certificate from terraform state using terraform state rm <aws_lb_listener_certificate resource name>, and then terraform is able to successfully detect both the listener and the aws_lb_listener_certificate to be re-created.

@justinretzolk justinretzolk added the bug Addresses a defect in current functionality. label May 17, 2023
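
An added example, not code from any participant in this thread or from the provider: one way to find the state addresses to pass to terraform state rm when plan fails before printing them, working from `terraform state pull` output and the ID in the error message. The sample state, the names `https`, `sub` and `module.edge`, and the placeholder ARNs are constructed; splitting the ID at `_arn:` is an assumption based on the error text quoted in this issue.

```python
import json
import shlex

# Constructed placeholders; real values come from your own error message and state.
LISTENER = "arn:aws:elasticloadbalancing:eu-west-1:XXXXXXXXX:listener/app/lb/EXAMPLE/EXAMPLE"
CERT = "arn:aws:acm:eu-west-1:XXXXXXXXX:certificate/EXAMPLE"
# Constructed sample shaped like `terraform state pull` output (state format v4).
SAMPLE_STATE = {"version": 4, "serial": 12, "resources": [
    {"mode": "managed", "type": "aws_lb_listener", "name": "https",
     "instances": [{"attributes": {"arn": LISTENER}}]},
    {"module": "module.edge", "mode": "managed",
     "type": "aws_lb_listener_certificate", "name": "sub", "instances": [
        {"index_key": "a.example.com",
         "attributes": {"listener_arn": LISTENER, "certificate_arn": CERT}},
        {"index_key": "b.example.com",
         "attributes": {"listener_arn": "arn:other", "certificate_arn": CERT}}]},
]}

def split_error_id(resource_id):
    """Split '<listener ARN>_<certificate ARN>', the ID format in the error text."""
    listener_arn, sep, rest = resource_id.partition("_arn:")
    if not sep:
        raise ValueError("not a listener certificate ID: %r" % resource_id)
    return listener_arn, "arn:" + rest

def address(resource, instance):
    """Resource address for `terraform state rm`, with module path and index."""
    addr = ".".join(filter(None, [resource.get("module"), resource["type"], resource["name"]]))
    key = instance.get("index_key")
    return addr if key is None else addr + "[%s]" % json.dumps(key)

def stale_certificate_addresses(state, listener_arn):
    """aws_lb_listener_certificate instances still attached to listener_arn in state."""
    return [address(r, i)
            for r in state.get("resources", [])
            if r.get("mode") == "managed" and r.get("type") == "aws_lb_listener_certificate"
            for i in r.get("instances", [])
            if i.get("attributes", {}).get("listener_arn") == listener_arn]

def state_rm_commands(state, error_id):
    """Shell-quoted commands for review; this function executes nothing."""
    listener_arn, _cert_arn = split_error_id(error_id)
    return ["terraform state rm " + shlex.quote(a)
            for a in stale_certificate_addresses(state, listener_arn)]

if __name__ == "__main__":
    print("\n".join(state_rm_commands(SAMPLE_STATE, LISTENER + "_" + CERT)))
```

Against a real workspace, load the JSON from `terraform state pull` in place of `SAMPLE_STATE` and review the printed commands before running them.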

rk7373 commented Jun 20, 2023

Also getting this issue.

Was on aws provider 4.36.0 and when an alb is deleted via console, doing a terraform apply recreated the alb. After updating to 4.64.0, get the same behaviour exhibited above. Attempted to update to provider 5.4.0 and get the same issue.

Able to update to provider 4.50.0 with no issues. The issue started in aws provider 4.51.0

github-actions bot commented

This functionality has been released in v5.13.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 18, 2023