Destroying an aws_elb results in an orphaned aws_load_balancer_policy state #5914

Closed
awilkins opened this issue Sep 18, 2018 · 4 comments · Fixed by #5972
Labels
bug Addresses a defect in current functionality. service/elb Issues and PRs that pertain to the elb service.
@awilkins

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

$ terraform version
Terraform v0.11.7
+ provider.aws v1.19.0
+ provider.external v1.0.0
+ provider.null v1.0.0
+ provider.template v1.0.0

Affected Resource(s)

  • aws_load_balancer_policy
  • aws_elb

Terraform Configuration Files

# Plus two aws_elb load balancers somewhere else

locals {
  internal_load_balancer_count = 2
  internal_load_balancers {
    # load balancer = instance_port
    "${aws_elb.prs_elb_app.name}" = 3000
    "${aws_elb.prs_elb_prx.name}" = 443
  }
}

resource "aws_load_balancer_policy" "elb-pubkey-policy" {
  count = "${local.internal_load_balancer_count}"
  load_balancer_name = "${element(keys(local.internal_load_balancers), count.index)}"
  policy_name = "elb-pubkey-policy-${count.index}"
  policy_type_name = "PublicKeyPolicyType"

  policy_attribute = {
    name = "PublicKey"
    value = "${file("${path.module}/internal-elb-pubkey.pem")}"
  }
  depends_on = ["aws_elb.prs_elb_app", "aws_elb.prs_elb_prx"]
}

resource "aws_load_balancer_policy" "elb-backend-auth-policy" {
  count = "${local.internal_load_balancer_count}"
  load_balancer_name = "${element(keys(local.internal_load_balancers), count.index)}"
  policy_name = "elb-backend-auth-policy-${count.index}"
  policy_type_name = "BackendServerAuthenticationPolicyType"

  policy_attribute = {
    name = "PublicKeyPolicyName"
    value = "${element(aws_load_balancer_policy.elb-pubkey-policy.*.policy_name, count.index)}"
  }
  depends_on = ["aws_elb.prs_elb_app", "aws_elb.prs_elb_prx"]
}

resource "aws_load_balancer_backend_server_policy" "elb-auth-policy-attach" {
  count = "${local.internal_load_balancer_count}"
  load_balancer_name = "${element(keys(local.internal_load_balancers), count.index)}"
  instance_port = "${element(values(local.internal_load_balancers), count.index)}"
  policy_names = [
    "${element(aws_load_balancer_policy.elb-backend-auth-policy.*.policy_name, count.index)}"
  ]
  depends_on = ["aws_elb.prs_elb_app", "aws_elb.prs_elb_prx"]
}

resource "aws_iam_server_certificate" "prs" {
  name_prefix = "prs-internal-cert"
  certificate_body = "${file("${path.module}/star.prs.internal.crt")}"
  private_key = "${file("${path.module}/star.prs.internal.key")}"
  lifecycle {
    create_before_destroy = true
  }
}

Debug Output

Error: Error applying plan:

1 error(s) occurred:

* module.mod_prs.aws_load_balancer_policy.elb-backend-auth-policy[2] (destroy): 1 error(s) occurred:

* aws_load_balancer_policy.elb-backend-auth-policy.2: Error deleting Load Balancer Policy prs-elbfrtdev-nonprod:elb-backend-auth-policy-2: LoadBalancerNotFound: There is no ACTIVE Load Balancer named 'prs-elbfrtdev-nonprod'
    status code: 400, request id: 56f87343-bab5-11e8-b2b0-dddb9de2aa75

Expected Behavior

Destruction of environment as planned.

Actual Behavior

Seems like the aws_elb was destroyed before the policy objects. Despite the policy + attachment + load balancer pattern used in the resources, it appears from the console that these policies are actually an integral part of the load balancer and are destroyed along with it. This results in orphaned state which then cannot be destroyed.

Steps to Reproduce

  1. Create a configuration that has an aws_elb with attached policy
  2. Apply it
  3. To reliably reproduce, manually destroy the elb from the console
  4. Do terraform destroy and observe it failing
  5. Subsequent plans also fail as the state cannot be refreshed
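
Added example, not part of the original issue or the provider's code: a way to list the state entries left orphaned as described above, by comparing each policy resource's `load_balancer_name` against the load balancers that still exist. It assumes the Terraform 0.11 (version 3) state layout; the function names and the name `prs-elbapp-nonprod` are constructed for illustration.

```python
# Added example: find state entries for ELB policies whose load balancer is gone.
# Resource types named in this issue that exist only as part of a classic ELB.
ELB_CHILD_TYPES = {"aws_load_balancer_policy",
                   "aws_load_balancer_backend_server_policy"}

def state_address(module_path, key):
    """Map a v3 state key like 'type.name.2' to 'module.m.type.name[2]'."""
    parts = key.split(".")
    addr = ".".join(parts[:2])
    if len(parts) == 3 and parts[2].isdigit():
        addr += "[%s]" % parts[2]
    # module_path is ["root"] or ["root", "mod", ...]; "root" has no prefix.
    return "".join("module.%s." % m for m in module_path[1:]) + addr

def orphaned_addresses(state, live_elb_names):
    """Addresses of ELB child resources whose load_balancer_name is not live."""
    orphans = []
    for module in state.get("modules", []):
        for key, res in sorted(module.get("resources", {}).items()):
            if res.get("type") not in ELB_CHILD_TYPES:
                continue
            attrs = (res.get("primary") or {}).get("attributes", {})
            lb = attrs.get("load_balancer_name")
            if lb and lb not in live_elb_names:
                orphans.append(state_address(module.get("path", ["root"]), key))
    return orphans

def _res(rtype, **attrs):  # helper to build one constructed state entry
    return {"type": rtype, "primary": {"attributes": attrs}}

# Constructed sample shaped like `terraform state pull` output (state version 3).
SAMPLE_STATE = {"version": 3, "modules": [{
    "path": ["root", "mod_prs"],
    "resources": {
        "aws_elb.prs_elb_app": _res("aws_elb", name="prs-elbapp-nonprod"),
        "aws_load_balancer_policy.elb-pubkey-policy.0": _res(
            "aws_load_balancer_policy", load_balancer_name="prs-elbapp-nonprod"),
        "aws_load_balancer_policy.elb-backend-auth-policy.2": _res(
            "aws_load_balancer_policy", load_balancer_name="prs-elbfrtdev-nonprod"),
        "aws_load_balancer_backend_server_policy.elb-auth-policy-attach.2": _res(
            "aws_load_balancer_backend_server_policy",
            load_balancer_name="prs-elbfrtdev-nonprod"),
    }}]}

if __name__ == "__main__":
    # In practice the live set comes from `aws elb describe-load-balancers`.
    live = {"prs-elbapp-nonprod"}  # constructed: the only ELB still present
    for addr in orphaned_addresses(SAMPLE_STATE, live):
        print(addr)
```

The printed addresses are the entries whose refresh fails with `LoadBalancerNotFound`; they are the candidates to review before any `terraform state rm`.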
@bflad bflad added bug Addresses a defect in current functionality. service/elb Issues and PRs that pertain to the elb service. labels Sep 24, 2018
@bflad
Contributor

bflad commented Sep 24, 2018

Hi @awilkins 👋 Thanks for reporting and sorry you ran into this. This is indeed a bug in our handling of this resource and I should be able to fix this up with a verifying acceptance test shortly.

@bflad
Contributor

bflad commented Sep 26, 2018

The fix for this has been merged and will release with version 1.38.0 of the AWS provider, likely later today.

@bflad
Contributor

bflad commented Sep 26, 2018

This has been released in version 1.38.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@ghost

ghost commented Apr 3, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 3, 2020