Description
If you try to add a new certificate to a listener that already has at least one extra certificate (i.e. one in addition to the main certificate), the old extra certificate will be lost by the end of the update operation.
Reproduction Steps
(In my case, it happened like this:)
- Create an HTTPS listener with two certificates; foo.com (main one) and bar.com (additional one) stack and deploy it.
- Change the code and add a new certificate; baz.com to the list and deploy it.
What did you expect to happen?
The listener should keep one main certificate and two extra certificates.
What actually happened?
The old extra certificate (bar.com) is gone.
Environment
- CLI Version : 1.89.0
- Framework Version: 1.89.0 (build df7253c)
- Node.js Version: v15.5.1
- OS : Mac OS X 11.2
- Language (Version): typescript ~3.8.2
Other
Please note that, according to my findings from AWS support, this seems to be a bug/feature of CloudFormation. Interestingly, even though the Certificates field is of type Array, the documentation says: "You can specify one certificate per resource."
If my understanding is correct, CDK should not put all additional certificates into one AWS::ElasticLoadBalancingV2::ListenerCertificate resource. It should be one AWS::ElasticLoadBalancingV2::ListenerCertificate resource for each additional certificate.
This is 🐛 Bug Report
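
Added example (not part of the original report or of the CDK code base): a TypeScript check that scans a synthesized CloudFormation template for AWS::ElasticLoadBalancingV2::ListenerCertificate resources whose Certificates array holds more than one entry, which is the shape the report describes. The two template objects, their logical IDs and the certificate ARNs are constructed placeholders.

```typescript
// Added example: flag ListenerCertificate resources that bundle several
// certificates, so the condition is caught before an update is deployed.
type Resource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources?: Record<string, Resource> };
interface Finding { logicalId: string; certificateCount: number; }

const LISTENER_CERT_TYPE = "AWS::ElasticLoadBalancingV2::ListenerCertificate";

function findMultiCertResources(template: Template): Finding[] {
  const resources = template.Resources || {};
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    if (res.Type !== LISTENER_CERT_TYPE) continue;
    const certs = res.Properties ? res.Properties.Certificates : undefined;
    const count = Array.isArray(certs) ? certs.length : 0;
    // The CloudFormation documentation quoted in the report allows one
    // certificate per resource; anything above that is reported.
    if (count > 1) findings.push({ logicalId, certificateCount: count });
  }
  return findings;
}

// Constructed placeholder ARN builder (account id and names are not real).
const arn = (name: string) =>
  `arn:aws:acm:us-east-1:111111111111:certificate/${name}-placeholder`;
const cert = (name: string) => ({ CertificateArn: arn(name) });
const listenerCert = (names: string[]): Resource => ({
  Type: LISTENER_CERT_TYPE,
  Properties: { ListenerArn: { Ref: "Listener" }, Certificates: names.map(cert) },
});

// Constructed template: both extra certificates share one resource.
const combinedTemplate: Template = {
  Resources: { ListenerExtraCerts: listenerCert(["bar.com", "baz.com"]) },
};

// Constructed template: one resource per additional certificate.
const splitTemplate: Template = {
  Resources: {
    ListenerCertBar: listenerCert(["bar.com"]),
    ListenerCertBaz: listenerCert(["baz.com"]),
  },
};

console.log(findMultiCertResources(combinedTemplate));
console.log(findMultiCertResources(splitTemplate));
```

Running the same function over the JSON template emitted by `cdk synth` shows whether a stack contains the combined form before the listener is updated.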