Deleting ACM certificate fails with ResourceInUseException by a deleted ELB.

[genevieve]

We are seeing an issue with using acm certificates during terraform destroy where the certificate is still seen as in use by a load balancer that was just deleted. Due to eventually consistent apis, this error makes sense. In the way that the iam certificates retry deletion when the error is due to the resource still being in use, would it be possible to PR the same functionality for acm certificates during deletion?

Terraform Version

Terraform v0.11.3
AWS Provider v1.11.0

Affected Resource(s)

• aws_acm_certificate
• aws_elb

Terraform Configuration Files

resource "aws_acm_certificate" "cert" {
  domain_name       = "*.${var.system_domain}"
  validation_method = "DNS"
}

resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = "${aws_acm_certificate.cert.arn}"
  validation_record_fqdns = ["${aws_route53_record.cert_validation.fqdn}"]
}

resource "aws_elb" "cf_router_lb" {
  ...
  listener {
    instance_port      = 80
    instance_protocol  = "http"
    lb_port            = 443
    lb_protocol        = "https"
    ssl_certificate_id = "${aws_acm_certificate.cert.arn}"
  }
}
...

Debug Output

...
2018-03-21T13:54:08.369-0700 [DEBUG] plugin.terraform-provider-aws_v1.11.0_x4: 2018/03/21 13:54:08 [DEBUG] [aws-sdk-go] {"__type":"ResourceInUseException","message":"Certificate arn:aws:acm:us-west-2:165902344549:certificate/d631c8ec-26c5-4a3b-9d82-b33380e10df6 in account 1 is in use."}
2018-03-21T13:54:08.369-0700 [DEBUG] plugin.terraform-provider-aws_v1.11.0_x4: 2018/03/21 13:54:08 [DEBUG] [aws-sdk-go] DEBUG: Validate Response acm/DeleteCertificate failed, not retrying, error ResourceInUseException: Certificate arn:aws:acm:us-west-2:165902344549:certificate/d631c8ec-26c5-4a3b-9d82-b33380e10df6 in account 1 is in use.
...
Error: Error applying plan:

1 error(s) occurred:

* aws_acm_certificate.cert (destroy): 1 error(s) occurred:

* aws_acm_certificate.cert: Error deleting certificate: ResourceInUseException: Certificate arn:aws:acm:us-west-2:165902344549:certificate/0a80888d-8fda-4805-81ff-57a18534c95d in account 1 is in use.
	status code: 400, request id: 26d65b89-2d3c-11e8-8983-45e5e53ecd9f

Expected Behavior

It should have deleted the acm certificate.

Actual Behavior

It didn't. It requires a second terraform destroy for the certificate to be deleted.

Steps to Reproduce

1. terraform apply
2. terraform destroy

References

hashicorp/terraform#3898

[bflad]

Certainly seems like a reasonable request! For starters we can simply retry around isAWSErr(err, acm.ErrCodeResourceInUseException, "") for a few minutes. Would you be willing to submit a pull request?

[genevieve]

Yep. Thank you!

[brian-rose-sp]

+1

Seeing the exact same thing.

[bflad]

The retry logic (for up to 10 minutes) has been merged into master via #3868 and will release in v1.12.0 of the AWS provider, likely 🔜 . 🎉

[bflad]

This has been released in version 1.12.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

[marcuswl345]

This is still an issue in v1.41

10min is not long enough.

[tomaszdudek7]

Just hit this issue. Can we configure the timeout length?

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!