IAM ELB dependency on IAM certificate does not exist when modules are used

[stevendborrelli]

When an ELB resource is using a IAM certificate created in another module, the dependency is not created. This means that terraform apply will often fail due to ordering issues.

Below is a picture of the graph:

[jen20]

Hi @stevendborrelli! Can you post the relevant snippet of the configuration that generated this graph? If the certificate is referenced via a module variable the dependency should be generated correctly, and if not that's a bug.

[stevendborrelli]

Cert is created like this:

module "ssl-cert" {
  source = "./modules/iam_cert"
  cert_name = "test-cert"
  cert_body = "cert.txt"
  cert_chain = "chain.txt"
  cert_private_key = "private.txt"
  cert_iam_path = "test-cert/"   
}

It is referenced in the ecs task definition like:

module "web-ecs-app" {
  source = "./modules/ecs-app"
  ...
  container_port = 8080
  elb_internal = true
  lb_port = 443
  lb_protocol = "https"
  ssl_certificate_id = "${module.ssl-cert.arn}"

}

The elb resource is:

resource "aws_elb" "elb" {
  name = "${var.name}-${var.environment}-${var.appname}"
  internal = "${var.elb_internal}"
  subnets = [ "${split(",", var.subnets)}" ]
  cross_zone_load_balancing = true

  security_groups = [ "${split(",", var.security_groups)}" ]

  listener {
    instance_port = "${var.container_port}"
    instance_protocol = "${var.instance_protocol}"
    lb_port = "${var.lb_port}" 
    lb_protocol = "${var.lb_protocol}"
    ssl_certificate_id = "${var.ssl_certificate_id}"
  }

  tags {
    Name = "${var.name}-${var.environment}-${var.appname}"
  }
}

[catsby]

#3898 is a patch that will retry ELB creation if it fails due to an SSL Cert not being found. That may help here, though I don't know about the actually dependency and ordering with respect to the graph

[catsby]

#3898 has been merged, but this may be a core thing. Re-labling for @phinze or @jen20 to take a dive

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.