r/aws_lb_listener: Updating protocol from TLS to TCP leads to "ValidationError: An SSL policy cannot be specifed for TCP listeners" #7367

Closed
ewbankkit opened this issue Jan 28, 2019 · 10 comments
Labels
bug Addresses a defect in current functionality. service/elbv2 Issues and PRs that pertain to the elbv2 service.

@ewbankkit
Contributor

ewbankkit commented Jan 28, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

```hcl
resource "aws_lb_listener" "foo" {
  ...
  protocol          = "TLS"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"
  ...
}
```

```console
$ terraform apply
```

Change to:

```hcl
resource "aws_lb_listener" "foo" {
  ...
  protocol          = "TCP"
  ssl_policy        = "" # Or removed completely
  ...
}
```

```console
$ terraform plan
...
protocol:        "TLS" => "TCP"
...
$ terraform apply
...
Error modifying LB Listener: ValidationError: An SSL policy cannot be specifed for TCP listeners
...
```

NLB support for TLS added via #7338.

@nywilken nywilken added the service/elbv2 Issues and PRs that pertain to the elbv2 service. label Jan 29, 2019
@bflad bflad added the bug Addresses a defect in current functionality. label Jan 29, 2019
@ewbankkit
Contributor Author

The problem is that https://github.com/terraform-providers/terraform-provider-aws/blob/f1c24b3125d85bffc33394e7e931f9557881cefd/aws/resource_aws_lb_listener.go#L344-L346 returns `ok` as `true` with `sslPolicy` equal to `ELBSecurityPolicy-TLS-1-2-Ext-2018-06`, the value set during resource creation.

@ewbankkit
Contributor Author

See this comment.

@Rohithzr

@ewbankkit I viewed the comment you linked but I did not understand the solution to the issue. Where do I set `enable_dns_hostnames = false/true`?

@ewbankkit
Contributor Author

@Rohithzr Unfortunately there currently is no solution 😞 due to the way that Terraform handles Optional + Computed attributes (which the `ssl_policy` attribute is).
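
The behaviour described in the two comments above (the update code picking up the stale `ssl_policy`, and Optional + Computed handling as the cause), modelled as an added Go example that is not part of the thread or the provider's code. `resourceData`, `getOk`, `build`, `validate` and `sample` are hypothetical stand-ins, and the protocol guard is one possible mitigation, not the provider's fix.

```go
package main

import "fmt"

// resourceData is a hypothetical stand-in for the SDK's resource data.
type resourceData struct{ config, state map[string]string }

// getOk models the reported Optional + Computed behaviour: when config omits
// the attribute (or sets ""), the value remembered in state is returned.
func (d resourceData) getOk(key string) (string, bool) {
	v := d.config[key]
	if v == "" {
		v = d.state[key]
	}
	return v, v != ""
}

// modifyInput is the update request; an empty SslPolicy means "not sent".
type modifyInput struct{ Protocol, SslPolicy string }

// build assembles the request. guard=false mirrors the reported behaviour;
// guard=true only sends ssl_policy for protocols that terminate TLS.
func build(d resourceData, guard bool) modifyInput {
	in := modifyInput{}
	in.Protocol, _ = d.getOk("protocol")
	secure := in.Protocol == "HTTPS" || in.Protocol == "TLS"
	if p, ok := d.getOk("ssl_policy"); ok && (secure || !guard) {
		in.SslPolicy = p
	}
	return in
}

// validate mimics the API-side rejection quoted in the issue.
func validate(in modifyInput) error {
	if in.Protocol == "TCP" && in.SslPolicy != "" {
		return fmt.Errorf("ValidationError: An SSL policy cannot be specifed for TCP listeners")
	}
	return nil
}

// sample is the constructed TLS -> TCP change from the issue (ssl_policy removed).
var sample = resourceData{
	config: map[string]string{"protocol": "TCP"},
	state:  map[string]string{"protocol": "TLS", "ssl_policy": "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"},
}

func main() {
	fmt.Println("unguarded:", validate(build(sample, false)))
	fmt.Println("guarded:", validate(build(sample, true)))
}
```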

@Rohithzr

Rohithzr commented Jun 10, 2019

@ewbankkit Ah! Got you, that's actually a sad thing considering it seems very simple in this specific case.
I am actually trying to delay the situation where I would have to fork about 3-4 repositories (maybe more) of tf script that I am deploying, because I need to modify the NLB listener created by that module's sub module. :(
https://serverfault.com/questions/970658/terraform-modify-lb-listener

@Frogvall

Frogvall commented Dec 10, 2019

Tainting the resource got me around this issue. Could turn out to be very annoying in the long run, since we run `terraform apply` in our CI/CD pipeline.

@github-actions

github-actions bot commented Jan 2, 2022

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Jan 2, 2022
@github-actions github-actions bot closed this as completed Feb 2, 2022
@tophercullen

This is still an issue in the latest provider.

@github-actions github-actions bot removed the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Feb 25, 2022
@nisalupendra

We still have this issue

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 11, 2022