
Conversation

@Aeolun

@Aeolun Aeolun commented Oct 27, 2025

Rollback Plan

If a change needs to be reverted, we will publish an updated version of the library.

Changes to Security Controls

No changes to security controls. This change adds defensive validation to prevent duplicate resource creation but does not modify access controls, encryption, or logging.

Description

Adds defensive validation to prevent duplicate listener creation on AWS load balancers when the AWS API fails to raise a DuplicateListener error.

Problem: The AWS CreateListener API sometimes silently returns an existing listener instead of raising an error when attempting to create a listener with the same port and protocol combination. This causes Terraform/Pulumi to incorrectly treat the operation as successful, leading to state inconsistencies where multiple listener resources point to the same ARN. When one listener is subsequently deleted, all resources referencing that ARN are affected.

Solution: Before attempting to create a listener, query existing listeners on the load balancer and explicitly check for port/protocol conflicts. If a duplicate is detected, return an error immediately. This follows the same defensive pattern already implemented in load_balancer.go and target_group.go.

Tradeoff: Adds one DescribeListeners API call before each listener creation (~50-200ms additional latency), but prevents silent data corruption and state inconsistencies.

Relations

Closes #35121

References

Output from Acceptance Testing

Note: Acceptance tests require AWS IAM permissions not available in the contributor's account. Tests will need to be run by maintainers with appropriate access.

Expected Test Results:

The following tests should pass when run with proper AWS credentials:

% make testacc TESTS=TestAccELBV2Listener_duplicate PKG=elbv2
% make testacc TESTS=TestAccELBV2Listener_duplicate_ALB_protocolDefaulting_HTTP PKG=elbv2
% make testacc TESTS=TestAccELBV2Listener_duplicate_ALB_protocolDefaulting_HTTPS PKG=elbv2
% make testacc TESTS=TestAccELBV2Listener_duplicate_NLB_TCP PKG=elbv2
% make testacc TESTS=TestAccELBV2Listener_duplicate_NLB_TLS PKG=elbv2
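The pre-create check described in the PR, written out as an added example that is not the PR's or the provider's own code: an in-memory stand-in for the DescribeListeners result replaces the AWS SDK call so it runs offline, and the ALB protocol-defaulting rule (HTTPS with a certificate, HTTP without) is inferred from the test names above. The `Listener` type, the `lbType` strings and the sample ARN are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Listener is a constructed stand-in for the fields of an ELBv2 listener the
// duplicate check needs; the real DescribeListeners response carries more.
type Listener struct {
	ARN      string
	Port     int32
	Protocol string
}

// effectiveProtocol applies the ALB defaulting rule the protocolDefaulting
// tests exercise: with no explicit protocol, an ALB listener is HTTPS when a
// certificate is supplied and HTTP otherwise. NLB listeners (TCP, TLS, ...)
// always carry an explicit protocol and pass through unchanged.
func effectiveProtocol(lbType, protocol string, hasCertificate bool) string {
	if protocol == "" && lbType == "application" {
		if hasCertificate {
			return "HTTPS"
		}
		return "HTTP"
	}
	return strings.ToUpper(protocol)
}

// findDuplicateListener scans the listeners already on the load balancer (what
// DescribeListeners returned) and reports the ARN of any listener that
// conflicts on port and protocol, so the caller fails before CreateListener
// can silently hand back the existing resource.
func findDuplicateListener(existing []Listener, lbType string, port int32, protocol string, hasCertificate bool) (string, error) {
	want := effectiveProtocol(lbType, protocol, hasCertificate)
	for _, l := range existing {
		if l.Port == port && strings.EqualFold(l.Protocol, want) {
			return l.ARN, fmt.Errorf("a listener already exists on port %d (%s) for this load balancer: %s", port, want, l.ARN)
		}
	}
	return "", nil
}

func main() {
	// Constructed sample: an ALB that already has an HTTPS listener on 443.
	existing := []Listener{{ARN: "arn:aws:elasticloadbalancing:us-east-1:111122223333:listener/app/example/abc/def", Port: 443, Protocol: "HTTPS"}}
	// No explicit protocol plus a certificate defaults to HTTPS, so this collides.
	if _, err := findDuplicateListener(existing, "application", 443, "", true); err != nil {
		fmt.Println("refusing to create:", err)
	}
}
```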

Aeolun and others added 3 commits October 27, 2025 11:47
AWS CreateListener API sometimes silently returns an existing listener
instead of raising a DuplicateListener error when attempting to create
a listener with the same port and protocol combination on a load balancer.
This causes Terraform/Pulumi to incorrectly treat the operation as successful,
leading to state inconsistencies where multiple listener resources point to
the same ARN.

This change adds defensive validation before listener creation by:
- Querying existing listeners on the load balancer
- Checking for port/protocol conflicts
- Returning an explicit error if a duplicate is detected
- Properly handling protocol defaulting for ALBs

This follows the same defensive pattern used in load_balancer.go and
target_group.go for preventing duplicate resources.

Fixes hashicorp#35121

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Adds 4 high-priority test cases to ensure duplicate listener detection works correctly across different scenarios:

1. TestAccELBV2Listener_duplicate_ALB_protocolDefaulting_HTTP
   - Tests duplicate detection when ALB protocol defaults to HTTP (no explicit protocol, no certificate)

2. TestAccELBV2Listener_duplicate_ALB_protocolDefaulting_HTTPS
   - Tests duplicate detection when ALB protocol defaults to HTTPS (no explicit protocol, with certificate)

3. TestAccELBV2Listener_duplicate_NLB_TCP
   - Tests duplicate detection for Network Load Balancers with TCP protocol

4. TestAccELBV2Listener_duplicate_NLB_TLS
   - Tests duplicate detection for NLB with TLS protocol and certificate

These tests validate that the defensive duplicate check correctly handles:
- Protocol defaulting logic for ALBs
- Different load balancer types (ALB and NLB)
- Listeners with and without certificates

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>
@github-actions
Contributor

Community Guidelines

This comment is added to every new Pull Request to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

  • Please vote on this Pull Request by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
  • Please see our prioritization guide for additional information on how the maintainers handle prioritization.
  • Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Pull Request and do not help prioritize the request.

Pull Request Authors

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. service/elbv2 Issues and PRs that pertain to the elbv2 service. size/XL Managed by automation to categorize the size of a PR. labels Oct 27, 2025
@justinretzolk justinretzolk added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Oct 28, 2025

Development

Successfully merging this pull request may close these issues.

[Bug]: Implicit import of aws_lb_listener instead of error "A listener already exists on this port for this load balancer"
