Bad error message in aws_lb_listener_certificate when ARN isn't valid #8185

Open
aquarion opened this issue Apr 4, 2019 · 3 comments
Labels
bug Addresses a defect in current functionality. service/elb Issues and PRs that pertain to the elb service.


aquarion commented Apr 4, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.11

  • provider.aws v1.21.0
  • provider.template v1.0.0

Affected Resource(s)

  • aws_lb_listener_certificate

Terraform Configuration Files

resource "aws_lb_listener" "newaccount_lb_listener_https" {
  provider          = "aws.newaccount"
  load_balancer_arn = "${aws_lb.newaccount-ext-lb.arn}"
  port              = "443"
  protocol          = "HTTPS"

  default_action {
    target_group_arn = "${aws_lb_target_group.newaccount_lb_target_group.arn}"
    type             = "forward"
  }

  // Certificates. Add more with aws_lb_listener_certificate stanzas
  certificate_arn = "arn:aws:acm:eu-central-1:849877073988:certificate/XXX"
}

resource "aws_lb_listener_certificate" "newsite" {
  listener_arn    = "${aws_lb_listener.newsite_lb_listener_https.id}"
  certificate_arn = "arn:aws:acm:eu-central-1:XXX:certificate/XXX"
}

Output


* aws_lb_listener_certificate.ourvodka_wp: Error creating LB Listener Certificate: ValidationError: 'arn:aws:elasticloadbalancing:eu-central-1:XXX:listener/app/newsite-prod-wp-alb/XXX/XXX' must be in ARN format
	status code: 400, request id: XXX

Expected Behavior

Terraform should say that the ARN isn't valid. (Because the aws_lb_listener_certificate is in a different provider to the aws_lb_listener)

Actual Behavior

Terraform said the ARN wasn't in ARN format.

Steps to Reproduce

Use code above

  1. terraform apply

Important Factoids

  • This terraform is running across multiple accounts with separate provider sections
@mcpyramid

I have this same issue. The bulk of my project is in us-east-2 but cloudfront requires cert to come from us-east-1. I hard-coded the copied ARN from the AWS console and still received this error. I've checked the change logs and this doesn't seem to have been addressed in v0.12.x so I'm assuming it is still outstanding. I don't have time at the moment to manually test the latest release to see if this is still a thing (deadline in two days).

@aeschright aeschright added needs-triage Waiting for first response or review from a maintainer. service/elb Issues and PRs that pertain to the elb service. labels Jun 20, 2019
@aeschright aeschright added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Dec 10, 2019
@hunkeelin
Contributor

hunkeelin commented Mar 21, 2020

I was able to reproduce the error when I didn't set providers to the right region

resource "aws_lb_listener_certificate" "foo" {
  listener_arn    = ... // listener arn in east but default provider in west
  certificate_arn = ...// listener arn in east
}

By simply adding
provider = "aws.us-east-1" it fixes the problem. This is indeed a bug because the error message should give better info rather than mislead us.

@crazyoptimist

Thank you @hunkeelin!
It took an hour for me to find out my typo (us-west-1 vs us-east-1).
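
A pre-apply check for the failure discussed in this thread, added here as an example (it is not code from the Terraform AWS provider or from any commenter): it separates a string that is not an ARN from a well-formed ARN whose region or account differs from the provider the resource runs under. The function names, the provider region and account arguments, and the sample ARNs are constructed assumptions.

```python
from typing import NamedTuple, Optional

class Arn(NamedTuple):
    partition: str
    service: str
    region: str     # empty for global services
    account: str    # empty for some resource types
    resource: str

def parse_arn(value: str) -> Optional[Arn]:
    """Return an Arn, or None when the string really is not in ARN format."""
    # Layout: arn:partition:service:region:account-id:resource
    parts = value.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return None
    if not parts[1] or not parts[2] or not parts[5]:
        return None
    return Arn(*parts[1:])

def check_scope(attr, value, provider_region, provider_account):
    """Return a diagnostic string, or None if the ARN matches the provider."""
    arn = parse_arn(value)
    if arn is None:
        return f"{attr}: {value!r} is not in ARN format"
    problems = []
    if arn.region and arn.region != provider_region:
        problems.append(f"region {arn.region} != provider region {provider_region}")
    if arn.account and arn.account != provider_account:
        problems.append(f"account {arn.account} != provider account {provider_account}")
    if problems:
        return f"{attr}: well-formed ARN, but " + "; ".join(problems)
    return None

def check_listener_certificate(listener_arn, certificate_arn,
                               provider_region, provider_account):
    """Check both arguments of an aws_lb_listener_certificate resource."""
    findings = [
        check_scope("listener_arn", listener_arn, provider_region, provider_account),
        check_scope("certificate_arn", certificate_arn, provider_region, provider_account),
    ]
    return [f for f in findings if f]

# Constructed sample values (not taken from the issue).
LISTENER = ("arn:aws:elasticloadbalancing:us-east-1:111111111111:"
            "listener/app/example-alb/0123456789abcdef/fedcba9876543210")
CERT = "arn:aws:acm:us-east-1:111111111111:certificate/00000000-0000-0000-0000-000000000000"

if __name__ == "__main__":
    # Provider region mistyped as us-west-1 while both ARNs live in us-east-1.
    for finding in check_listener_certificate(LISTENER, CERT, "us-west-1", "111111111111"):
        print(finding)
```
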
