Terraform-provider-aws: Deleting ACM certificate fails with ResourceInUseException by a deleted ELB.

Created on 21 Mar 2018  ·  8 Comments  ·  Source: hashicorp/terraform-provider-aws

We are seeing an issue with using ACM certificates during terraform destroy where the certificate is still seen as in use by a load balancer that was just deleted. Due to eventually consistent APIs, this error makes sense. In the way that the IAM certificates retry deletion when the error is due to the resource still being in use, would it be possible to PR the same functionality for ACM certificates during deletion?

Terraform Version

Terraform v0.11.3
AWS Provider v1.11.0

Affected Resource(s)

  • aws_acm_certificate
  • aws_elb

Terraform Configuration Files

resource "aws_acm_certificate" "cert" {
  domain_name       = "*.${var.system_domain}"
  validation_method = "DNS"
}

resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = "${aws_acm_certificate.cert.arn}"
  validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"]
}

resource "aws_elb" "cf_router_lb" {
  ...
  # The listener references the certificate ARN, so Terraform destroys the ELB
  # before the certificate; ACM can still report the certificate as in use for
  # a short while after the ELB is gone.
  listener {
    instance_port      = 80
    instance_protocol  = "http"
    lb_port            = 443
    lb_protocol        = "https"
    ssl_certificate_id = "${aws_acm_certificate.cert.arn}"
  }
}
...

Debug Output

...
2018-03-21T13:54:08.369-0700 [DEBUG] plugin.terraform-provider-aws_v1.11.0_x4: 2018/03/21 13:54:08 [DEBUG] [aws-sdk-go] {"__type":"ResourceInUseException","message":"Certificate arn:aws:acm:us-west-2:165902344549:certificate/d631c8ec-26c5-4a3b-9d82-b33380e10df6 in account 1 is in use."}
2018-03-21T13:54:08.369-0700 [DEBUG] plugin.terraform-provider-aws_v1.11.0_x4: 2018/03/21 13:54:08 [DEBUG] [aws-sdk-go] DEBUG: Validate Response acm/DeleteCertificate failed, not retrying, error ResourceInUseException: Certificate arn:aws:acm:us-west-2:165902344549:certificate/d631c8ec-26c5-4a3b-9d82-b33380e10df6 in account 1 is in use.
...
Error: Error applying plan:

1 error(s) occurred:

* aws_acm_certificate.cert (destroy): 1 error(s) occurred:

* aws_acm_certificate.cert: Error deleting certificate: ResourceInUseException: Certificate arn:aws:acm:us-west-2:165902344549:certificate/0a80888d-8fda-4805-81ff-57a18534c95d in account 1 is in use.
    status code: 400, request id: 26d65b89-2d3c-11e8-8983-45e5e53ecd9f

Expected Behavior

It should have deleted the acm certificate.

Actual Behavior

It didn't. It requires a second terraform destroy for the certificate to be deleted.

Steps to Reproduce

  1. terraform apply
  2. terraform destroy

References

https://github.com/hashicorp/terraform/pull/3898

Labels: enhancement, service/acm

All 8 comments

Certainly seems like a reasonable request! For starters we can simply retry around isAWSErr(err, acm.ErrCodeResourceInUseException, "") for a few minutes. Would you be willing to submit a pull request?

Yep. Thank you!

+1

Seeing the exact same thing.

The retry logic (for up to 10 minutes) has been merged into master via #3868 and will release in v1.12.0 of the AWS provider, likely 🔜 . 🎉

This has been released in version 1.12.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

This is still an issue in v1.41

10min is not long enough.

Just hit this issue. Can we configure the timeout length?
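A minimal model of the retry the thread converges on (retry DeleteCertificate while ACM answers ResourceInUseException, give up after a timeout), added here as an example and not code from terraform-provider-aws; the provider's real implementation wraps the SDK call with helper/resource.Retry and awserr, while here awsErr, acmStub and the ARN are constructed stand-ins. The timeout is a parameter to show what the configurable limit asked for in the comments above would look like.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

const errCodeResourceInUse = "ResourceInUseException"
// awsErr is a constructed stand-in for aws-sdk-go's awserr.Error (code + message).
type awsErr struct{ Code, Message string }
func (e *awsErr) Error() string { return e.Code + ": " + e.Message }

// isAWSErr mirrors the provider helper: does err (or anything it wraps) carry code?
func isAWSErr(err error, code string) bool {
	var ae *awsErr
	return errors.As(err, &ae) && ae.Code == code
}

// acmStub models ACM's eventual consistency: DeleteCertificate keeps answering
// ResourceInUseException for inUseCalls attempts after the referencing ELB is gone.
type acmStub struct{ inUseCalls, calls int }

func (a *acmStub) DeleteCertificate(arn string) error {
	a.calls++
	if a.calls <= a.inUseCalls {
		return &awsErr{errCodeResourceInUse, "Certificate " + arn + " in account 1 is in use."}
	}
	return nil
}

// deleteCertificateWithRetry retries while ACM reports ResourceInUseException and gives up
// after timeout; any other error aborts at once. The provider hard-codes its timeout.
func deleteCertificateWithRetry(acm *acmStub, arn string, timeout, interval time.Duration) error {
	for deadline := time.Now().Add(timeout); ; time.Sleep(interval) {
		err := acm.DeleteCertificate(arn)
		if err == nil || !isAWSErr(err, errCodeResourceInUse) {
			return err // success, or a non-retryable error
		}
		if time.Now().After(deadline) {
			return fmt.Errorf("gave up after %s deleting %s: %w", timeout, arn, err)
		}
	}
}

func main() {
	acm := &acmStub{inUseCalls: 3} // constructed: still "in use" for the first three attempts
	err := deleteCertificateWithRetry(acm, "arn:aws:acm:us-west-2:111122223333:certificate/EXAMPLE", time.Second, 10*time.Millisecond)
	fmt.Println("deleted:", err == nil, "after", acm.calls, "attempts")
}
```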

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
