Search code examples
amazon-web-servicesterraformamazon-elastic-beanstalkamazon-elbamazon-ebs

Terraform attaching a load balancer listener to an Elastic Beanstalk load balancer. Not a valid load balancer ARN


I am trying to attach a SSL certificate to Elastic Beanstalk load balancer that is created via terraform and attaches on spin up. The EBS Environment being spun up is going to be a web api, which is why I need to attach the https ssl certificate to the environment because I want to spin it up/down on command without having to manually attach it to the service every time.

What I have done is the code below, but I keep getting the error:

Error: error creating ELBv2 Listener (arn:aws:elasticloadbalancing:us-east-1:profile:loadbalancer/name: ValidationError: 'arn:aws:elasticloadbalancing:us-east-1:profile:loadbalancer/name' is not a valid load balancer ARN
status code: 400, request id: xxxxxxxxxxxxxxxxxxx

I originally tried: load_balancer_arn = "${aws_elastic_beanstalk_environment.ebs-env.load_balancers[0].arn}" but aws_elastic_beanstalk_environment.ebs-env.load_balancers[0] returns the name so I couldn't just do .arn which led me to doing it by writing a custom string for the arn and having the name given from the EBS environments load balancer and appending that onto the ARN.

EBS creates a classic load balancer, and the ARN on AWSs website that I found is below, and the way I am formatting everything I quadruple checked and I am still get that error that it's not a valid ARN.

I've checked that the EBS name is the actual name of the load balancer in the AWS console and it is with the terraform made name on the spin up. So it is a valid name for the load balancer, but the error I keep getting described above still shows up even though I validated manually that the name is correct. The AWS documentation led me to using: arn:partition:service:region:account-id:resource-id for the arn custom name, and finding that: arn:aws:elasticloadbalancing:region:account-id:loadbalancer/name is the correct ARN for a load balancer which is what I am using.

Here is my terraform code that I am using to spin up/down this infrastructure:

provider "aws" {
  region = "us-east-1"
}
resource "aws_elastic_beanstalk_application" "ebaTest" {
  name        = "EBA-test"
  description = "Development test EBS system"
}

resource  "aws_elastic_beanstalk_environment" "ebs-env" {
  name = "ebs-env"
  application = aws_elastic_beanstalk_application.ebaTest.name
  solution_stack_name = "64bit Amazon Linux 2 v2.2.10 running .NET Core" 
  cname_prefix = "ebsp-env"
  setting {
    namespace = "aws:autoscaling:launchconfiguration"
    name = "IamInstanceProfile"
    value = "aws-elasticbeanstalk-ec2-role"
  }
  setting {
    namespace = "aws:autoscaling:launchconfiguration"
    name = "InstanceType"
    value = "t3a.micro"
  }
}
resource "aws_lb_listener" "cert-listener" {
  load_balancer_arn = "arn:aws:elasticloadbalancing:us-east-1:aws-id:loadbalancer/${aws_elastic_beanstalk_environment.ebs-env.load_balancers[0]}"
  port = "443"
  protocol = "HTTPS"
  certificate_arn = "arn:aws:acm:us-east-1:aws-id:certificate/cert-id"
  default_action {
    type = "fixed-response"
  }
}

If you have any other clarifying questions/confused about something I will reply as fast as I can.


Solution

  • aws_lb_listener is part of AWS ELBv2, which is only for Application Load Balancers and Network Load Balancers. You stated you are creating a classic load balancer. I don't think you can update the certificate of a CLB through Terraform if Terraform itself is not managing the load balancer.

    Is there any reason you are using a CLB instead of the newer ALB? Either way, the correct method to do this is by passing the ARN of the SSL certificate directly to the Elastic Beanstalk resource, as a setting:

      setting {
        namespace = "aws:elb:listener:443"
        name = "SSLCertificateId"
        value = "arn:aws:acm:us-east-1:aws-id:certificate/cert-id"
      }