ListenerCertificate logical name change may not always re-attach to Listener #4468

Open
smithrobs opened this issue Sep 17, 2024 · 1 comment
Labels
kind/bug Some behavior is incorrect or out of spec

Comments

@smithrobs

Describe what happened

Customer reports possible variant of #1923 specific to ListenerCertificate.

Prerequisites:

  • Ability to create DNS CNAME for certificate. This is outside the scope of this issue. The issue assumes the CNAME is already created and valid for the DomainName in question.
  • The DomainName will not change throughout this issue repro.

Steps to reproduce:

  1. pulumi up the sample program. Note this may require multiple ups depending on whether the DNS CNAME for the certificate is already created and correct and how long the validation takes.
  2. Verify the Certificate is attached to the Listener under "Listener certificates for SNI".
  3. Change the logical name of the ListenerCertificate:
     var exampleListenerCertificate = new Aws.LB.ListenerCertificate("example", new()
     to
     var exampleListenerCertificate = new Aws.LB.ListenerCertificate("example-chg", new()
  4. Perform a pulumi up

     Type                           Name                Status              
     pulumi:pulumi:Stack            aws-cs-scratch-dev                      
 +   ├─ aws:lb:ListenerCertificate  example-chg         created (0.57s)     
 -   └─ aws:lb:ListenerCertificate  example             deleted (0.22s)     

Resources:
    + 1 created
    - 1 deleted
    2 changes. 38 unchanged

Duration: 8s

  5. Verify the Certificate is attached to the Listener under "Listener certificates for SNI".

Expected Behavior:

The ListenerCertificate is attached to the Listener.

Actual Behavior:

The pulumi up succeeds; however, the ListenerCertificate is not attached to the Listener. A pulumi refresh followed by a pulumi up is required for the Certificate to be reattached under "Listener certificates for SNI".

Sample program

var vpc = new Vpc("scratch-vpc");

var primaryCert = new Aws.Acm.Certificate("example", new CertificateArgs
    {
        DomainName = "www.mycompany.com",
        ValidationMethod = "DNS",
        KeyAlgorithm = "RSA_2048",
        ValidationOptions = new[]
        {
            new Aws.Acm.Inputs.CertificateValidationOptionArgs
            {
                DomainName = "www.mycompany.com",
                ValidationDomain = "mycompany.com",
            },
        },
    });

var frontEnd = new Aws.LB.LoadBalancer("front_end", new()
    {
        Name = "test-lb-tf",
        Internal = false,
        LoadBalancerType = "application",
        Subnets = vpc.PrivateSubnetIds,
        EnableDeletionProtection = false
    });

var frontEndTargetGroup = new Aws.LB.TargetGroup("frontend-tg", new()
    {
        Name = "frontend-lb-tg",
        Port = 80,
        Protocol = "HTTP",
        VpcId = vpc.VpcId,
    });

var frontEndListener = new Aws.LB.Listener("front_end",
    new ListenerArgs
    {
        LoadBalancerArn = frontEnd.Arn,
        Port = 443,
        Protocol = "HTTPS",
        SslPolicy = "ELBSecurityPolicy-2016-08",
        
        CertificateArn = primaryCert.Arn,

        DefaultActions = new[]
        {
            new Aws.LB.Inputs.ListenerDefaultActionArgs
            {
                Type = "forward",
                TargetGroupArn = frontEndTargetGroup.Arn,
            },
        },
    });

// additional cert for SNI
var exampleListenerCertificate = new Aws.LB.ListenerCertificate("example", new()
    {
        ListenerArn = frontEndListener.Arn,
        CertificateArn = primaryCert.Arn,
    });

Log output

No response

Affected Resource(s)

Aws.Acm.Certificate
Aws.LB.Listener
Aws.LB.ListenerCertificate

Output of pulumi about

CLI
Version 3.133.0
Go Version go1.23.1
Go Compiler gc

Plugins
KIND NAME VERSION
resource aws 6.51.1
resource awsx 2.14.0
resource docker 4.5.5
language dotnet unknown
resource random 4.16.4

Host
OS darwin
Version 14.6.1
Arch arm64

This project is written in dotnet: executable='/Users/rsmith/.dotnet/dotnet' version='8.0.302'

Current Stack: rsmith-pulumi-corp/aws-cs-scratch/dev


Found no pending operations associated with dev

Backend
Name pulumi.com
URL https://app.pulumi.com/rsmith-pulumi-corp
User rsmith-pulumi-corp
Organizations rsmith-pulumi-corp
Token type personal

Dependencies:
NAME VERSION
Pulumi 3.67.1
Pulumi.Aws 6.51.1
Pulumi.Awsx 2.14.0
Pulumi.Random 4.16.4

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@smithrobs smithrobs added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Sep 17, 2024
@corymhall
Contributor

I've been able to reproduce this as well and it does look to be the same issue as #1923. The only available workarounds are also the same as in that issue:

  • Use DeleteBeforeReplace
  • Use aliases

@corymhall corymhall removed the needs-triage Needs attention from the triage team label Sep 18, 2024
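
The two workarounds named in the comment above, applied to the ListenerCertificate from the sample program, as an added example that is not code from the issue or from the provider. The `SniCertificates` helper and its method names are hypothetical; the listener and certificate passed in are the sample program's `frontEndListener` and `primaryCert`.

```csharp
using Pulumi;
using Aws = Pulumi.Aws;

// Added example: "SniCertificates" and its method names are hypothetical.
// "example" / "example-chg" are the logical names from the issue's repro steps.
public static class SniCertificates
{
    // Workaround "Use aliases": the alias points the new logical name at the
    // old URN, so the engine treats this as the same resource and plans no
    // create/delete pair for the rename.
    public static Aws.LB.ListenerCertificate RenamedWithAlias(
        Aws.LB.Listener listener, Aws.Acm.Certificate cert)
    {
        return new Aws.LB.ListenerCertificate("example-chg", new()
        {
            ListenerArn = listener.Arn,
            CertificateArn = cert.Arn,
        }, new CustomResourceOptions
        {
            Aliases = { new Alias { Name = "example" } },
        });
    }

    // Workaround "Use DeleteBeforeReplace": when the resource has to be
    // replaced, the old one is deleted before the new one is created,
    // instead of the default create-then-delete order.
    public static Aws.LB.ListenerCertificate WithDeleteBeforeReplace(
        string logicalName, Aws.LB.Listener listener, Aws.Acm.Certificate cert)
    {
        return new Aws.LB.ListenerCertificate(logicalName, new()
        {
            ListenerArn = listener.Arn,
            CertificateArn = cert.Arn,
        }, new CustomResourceOptions
        {
            DeleteBeforeReplace = true,
        });
    }
}
```

After the next pulumi up, `aws elbv2 describe-listener-certificates --listener-arn <listener-arn>` lists the certificates the listener actually carries, which is the "Verify the Certificate is attached" check from the repro steps done from the CLI.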