[Bug]: aws_lb_listener - header modification on existing listeners is not applied #40986

Open
MatMit opened this issue Jan 17, 2025 · 8 comments · May be fixed by #41299
Labels
bug Addresses a defect in current functionality. service/elbv2 Issues and PRs that pertain to the elbv2 service.

Comments

@MatMit

MatMit commented Jan 17, 2025

Terraform Core Version

1.10.4

AWS Provider Version

5.84.0

Affected Resource(s)

When I try to turn off the Server header in aws_lb_listener using the routing_http_response_server_enabled parameter, a correct plan is created, but no changes are made to the listener.

Expected Behavior

ALB listener will be modified and Server header value will be changed to Off

Actual Behavior

Server header attribute is not modified. Next plan will still show changes, and still it will be untouched.

Relevant Error/Panic Output Snippet

Terraform Configuration Files

```terraform
data "aws_vpc" "default" {
  default = true
}

data "aws_subnets" "default" {
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.default.id]
  }
}

resource "aws_lb" "test" {
  name               = "test-lb"
  internal           = false
  load_balancer_type = "application"
  subnets            = data.aws_subnets.default.ids
}

resource "aws_lb_listener" "test" {
  load_balancer_arn = aws_lb.test.arn
  port              = "80"
  protocol          = "HTTP"

  routing_http_response_server_enabled = false

  default_action {
    type = "fixed-response"

    fixed_response {
      content_type = "text/plain"
      message_body = "OK"
      status_code  = "200"
    }
  }
}
```

```
  # aws_lb_listener.test will be updated in-place
  ~ resource "aws_lb_listener" "test" {
        id                                                                  = "arn:aws:elasticloadbalancing:us-east-1:<account-id>:listener/app/test-lb/<id>"
      ~ routing_http_response_server_enabled                                = true -> false
        tags                                                                = {}
        # (16 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
```

And there is this warning in logs:

```json
{"@level":"warn","@message":"Provider \"provider[\\\"registry.terraform.io/hashicorp/aws\\\"]\" produced an unexpected new value for aws_lb_listener.test, but we are tolerating it because it is using the legacy plugin SDK.\n    The following problems may be the cause of any confusing errors from downstream operations:\n      - .routing_http_response_server_enabled: was cty.False, but now cty.True","@timestamp":"2025-01-17T12:58:04.550456+01:00"}
```

apply log

Steps to Reproduce

  1. Create ALB without routing_http_response_server_enabled parameter used. Please note, that in my example in this step I used version 5.76.0
  2. Update provider hashicorp/aws to version 5.84.0
  3. Set routing_http_response_server_enabled = false
  4. Apply changes
  5. Verify listener attributes. There should be no changes. You could also create another plan. It will once again try to modify the header.

I also created a repository with an example available here

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No

@MatMit MatMit added the bug Addresses a defect in current functionality. label Jan 17, 2025

@github-actions github-actions bot added service/elbv2 Issues and PRs that pertain to the elbv2 service. needs-triage Waiting for first response or review from a maintainer. service/vpc Issues and PRs that pertain to the vpc service. labels Jan 17, 2025
@ekirmayer-sam

Saw this as well. It will update only on new creation and recreate.

@nathanbowang

nathanbowang commented Jan 21, 2025

Have the same issue

@justinretzolk justinretzolk removed needs-triage Waiting for first response or review from a maintainer. service/vpc Issues and PRs that pertain to the vpc service. labels Jan 23, 2025
@oycyc
Contributor

oycyc commented Jan 24, 2025

Reacted with a 👍 - having the same issue here.

@cssoftware-main

Also encountering this. Current workaround is to taint the listener and then recreate, but this is not desirable.

@pedrofurlanetto90

Having the same issue here. Any update on this?

@JonCaine-Sophos

Same issue here.
Also discovered that setting the HSTS header doesn't work on existing listeners either. Looks like all header support added by #40736 doesn't work for existing listeners.

mkdewidar added a commit to mkdewidar/terraform-provider-aws that referenced this issue Feb 9, 2025
PR hashicorp#40736 added support for many new listener attributes, however the
resource update code was only written to call ModifyListenerAttributes if
the tcp_idle_timeout_seconds attribute had been updated. This would
result in the terraform plan saying that it would update the attributes,
but the change would not actually get applied.

This change fixes that by making it so that ModifyListenerAttributes is
called whenever any of the attributes has been changed.

Fixes issue hashicorp#40986.
@mkdewidar mkdewidar linked a pull request Feb 9, 2025 that will close this issue
@mkdewidar

I have raised #41299 to address this.
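
A check for apply logs, added here as an example (not code from the provider or from anyone in this thread): it scans Terraform JSON log lines for the warning quoted in the issue and reports each attribute whose applied value differs from the planned one, which is how a silently skipped `Server` or HSTS header change shows up. The function name `find_unapplied_changes` and the last two sample lines are assumptions; the first sample line is the warning from the issue.

```python
import json
import re

# Resource address inside the "unexpected new value" warning text.
_RESOURCE = re.compile(r"unexpected new value for (\S+?),")
# Each "- .attr: was X, but now Y" bullet in the same warning.
_MISMATCH = re.compile(r"-\s+\.([^:\s]+): was (.+?), but now (.+?)\s*$", re.M)


def find_unapplied_changes(log_lines):
    """Return one finding per attribute whose applied value differs from the plan."""
    findings = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw.startswith("{"):
            continue  # plain-text output mixed into the log
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # truncated or interleaved line
        message = entry.get("@message", "")
        if entry.get("@level") != "warn" or "unexpected new value" not in message:
            continue
        resource = _RESOURCE.search(message)
        for attribute, planned, actual in _MISMATCH.findall(message):
            findings.append({
                "resource": resource.group(1) if resource else None,
                "attribute": attribute,
                "planned": planned,
                "actual": actual,
                "timestamp": entry.get("@timestamp"),
            })
    return findings


# First entry: the warning line quoted in the issue. The other two are constructed.
SAMPLE_LOG = [
    r'{"@level":"warn","@message":"Provider \"provider[\\\"registry.terraform.io/hashicorp/aws\\\"]\" '
    r'produced an unexpected new value for aws_lb_listener.test, but we are tolerating it because it is '
    r'using the legacy plugin SDK.\n    The following problems may be the cause of any confusing errors '
    r'from downstream operations:\n      - .routing_http_response_server_enabled: was cty.False, '
    r'but now cty.True","@timestamp":"2025-01-17T12:58:04.550456+01:00"}',
    '{"@level":"info","@message":"Apply complete!"}',
    "Plan: 0 to add, 1 to change, 0 to destroy.",
]

if __name__ == "__main__":
    for finding in find_unapplied_changes(SAMPLE_LOG):
        print(finding)
```

A non-empty result after an apply means the listener should be checked directly before the header change is treated as deployed.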
