No differences during aws_lb_listener plan when modifying routing attributes #42513

Open
@BehnH

Description

Terraform and AWS Provider Version

Terraform v1.11.4
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v5.91.0

Affected Resource(s) or Data Source(s)

  • aws_lb_listener

Expected Behavior

Able to remove/unset the following attributes on an LB:

routing_http_response_access_control_allow_origin_header_value     
routing_http_response_access_control_allow_credentials_header_value
routing_http_response_access_control_allow_headers_header_value    
routing_http_response_access_control_allow_methods_header_value    

Actual Behavior

Removing the attributes, setting them to null, or setting them to "" does not show any changes during plan.

Relevant Error/Panic Output

Sample Terraform Configuration

data "aws_vpc" "this" {
  id = "some-vpc-id"
}

data "aws_subnets" "public" {
  filter {
    name   = "subnet-id"
    values = ["some-subnet-ids"]
  }
}

data "aws_subnets" "private" {
  filter {
    name   = "subnet-id"
    values = ["some-subnet-ids"]
  }
}

resource "aws_lb" "public_alb" {
  name                       = "some-public-alb"
  internal                   = false
  load_balancer_type         = "application"
  security_groups            = ["some-sg-id"]
  subnets                    = data.aws_subnets.public.ids
  enable_deletion_protection = false
  idle_timeout               = 300
}

resource "aws_lb_listener" "public_alb_https" {
  load_balancer_arn = aws_lb.public_alb.arn
  port              = "443"
  protocol          = "HTTPS"
  certificate_arn   = "some-certificate-arn"
  default_action {
    type = "fixed-response"
    fixed_response {
      status_code  = "400"
      content_type = "text/plain"
      message_body = "request malformed"
    }
  }

  routing_http_response_access_control_allow_origin_header_value      = "https://example.org"
  routing_http_response_access_control_allow_credentials_header_value = "true"
  routing_http_response_access_control_allow_headers_header_value     = "Origin, Content-Type, Accept, Authorization"
  routing_http_response_access_control_allow_methods_header_value     = "GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH"
}

Afterwards, change the routing attributes to be "" or null values.

Steps to Reproduce

  1. Apply the sample configuration provided
  2. Attempt to change the routing_* attributes to null or ""
  3. Observe no differences show for the resource in the plan

Debug Logging

2025-05-07T09:01:55.702Z [DEBUG] provider.terraform-provider-aws_v5.91.0_x5: HTTP Response Received:
  http.response.body=
  | <DescribeListenerAttributesResponse xmlns="http://elasticloadbalancing.amazonaws.com/doc/2015-12-01/">
  |   <DescribeListenerAttributesResult>
  |     <Attributes>
  |       <member>
  |         <Value/>
  |         <Key>routing.http.response.strict_transport_security.header_value</Key>
  |       </member>
  |       <member>
  |         <Value/>
  |         <Key>routing.http.response.access_control_expose_headers.header_value</Key>
  |       </member>
  |       <member>
  |         <Value>true</Value>
  |         <Key>routing.http.response.access_control_allow_credentials.header_value</Key>
  |       </member>
  |       <member>
  |         <Value/>
  |         <Key>routing.http.request.x_amzn_mtls_clientcert_subject.header_name</Key>
  |       </member>
  |       <member>
  |         <Value/>
  |         <Key>routing.http.request.x_amzn_mtls_clientcert_issuer.header_name</Key>
  |       </member>
  |       <member>
  |         <Value/>
  |         <Key>routing.http.request.x_amzn_mtls_clientcert_serial_number.header_name</Key>
  |       </member>
  |       <member>
  |         <Value/>
  |         <Key>routing.http.request.x_amzn_mtls_clientcert.header_name</Key>
  |       </member>
  |       <member>
  |         <Value/>
  |         <Key>routing.http.response.x_content_type_options.header_value</Key>
  |       </member>
  |       <member>
  |         <Value/>
  |         <Key>routing.http.response.content_security_policy.header_value</Key>
  |       </member>
  |       <member>
  |         <Value>GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH</Value>
  |         <Key>routing.http.response.access_control_allow_methods.header_value</Key>
  |       </member>
  |       <member>
  |         <Value/>
  |         <Key>routing.http.response.x_frame_options.header_value</Key>
  |       </member>
  |       <member>
  |         <Value/>
  |         <Key>routing.http.request.x_amzn_mtls_clientcert_leaf.header_name</Key>
  |       </member>
  |       <member>
  |         <Value> </Value>
  |         <Key>routing.http.response.access_control_allow_origin.header_value</Key>
  |       </member>
  |       <member>
  |         <Value/>
  |         <Key>routing.http.request.x_amzn_tls_cipher_suite.header_name</Key>
  |       </member>
  |       <member>
  |         <Value/>
  |         <Key>routing.http.request.x_amzn_mtls_clientcert_validity.header_name</Key>
  |       </member>
  |       <member>
  |         <Value>false</Value>
  |         <Key>routing.http.response.server.enabled</Key>
  |       </member>
  |       <member>
  |         <Value/>
  |         <Key>routing.http.request.x_amzn_tls_version.header_name</Key>
  |       </member>
  |       <member>
  |         <Value/>
  |         <Key>routing.http.response.access_control_max_age.header_value</Key>
  |       </member>
  |       <member>
  |         <Value>Origin, Content-Type, Accept, Authorization</Value>
  |         <Key>routing.http.response.access_control_allow_headers.header_value</Key>
  |       </member>
  |     </Attributes>
  |   </DescribeListenerAttributesResult>
  |   <ResponseMetadata>
  |     <RequestId> </RequestId>
  |   </ResponseMetadata>
  | </DescribeListenerAttributesResponse>

GenAI / LLM Assisted Development

n/a

Important Facts and References

I believe a similar issue was raised in relation to this, but for no changes made during apply - #40986

Would you like to implement a fix?

No
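Added example (not part of the original issue, and not the provider's code): since the plan shows no diff, one way to check whether CORS response headers are still set on the listener is to compare a DescribeListenerAttributes response, in the shape shown in the debug log above, against the intended configuration. The sample XML is constructed, the function names are hypothetical, and treating a whitespace-only value as unset is an assumption of this example.

```python
import xml.etree.ElementTree as ET

NS = {"elb": "http://elasticloadbalancing.amazonaws.com/doc/2015-12-01/"}
CORS_PREFIX = "routing.http.response.access_control_"

# Constructed sample, shortened to the shape of the response in the debug log.
SAMPLE = """<DescribeListenerAttributesResponse
    xmlns="http://elasticloadbalancing.amazonaws.com/doc/2015-12-01/">
 <DescribeListenerAttributesResult><Attributes>
  <member><Value/>
   <Key>routing.http.response.x_frame_options.header_value</Key></member>
  <member><Value>true</Value>
   <Key>routing.http.response.access_control_allow_credentials.header_value</Key></member>
  <member><Value> </Value>
   <Key>routing.http.response.access_control_allow_origin.header_value</Key></member>
  <member><Value>GET, HEAD</Value>
   <Key>routing.http.response.access_control_allow_methods.header_value</Key></member>
 </Attributes></DescribeListenerAttributesResult>
</DescribeListenerAttributesResponse>"""

def live_attributes(xml_text):
    """Map each listener attribute key to its whitespace-stripped live value."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for member in root.iterfind(".//elb:Attributes/elb:member", NS):
        key = member.findtext("elb:Key", default="", namespaces=NS).strip()
        value = member.findtext("elb:Value", default="", namespaces=NS)
        attrs[key] = value.strip()  # assumption: whitespace-only counts as unset
    return attrs

def tf_name(api_key):
    # The API key and the Terraform argument on this page differ only in "." vs "_".
    return api_key.replace(".", "_")

def cors_drift(xml_text, desired):
    """Return {terraform_argument: (wanted, live)}; absent, None or "" means unset."""
    drift = {}
    for key, live in live_attributes(xml_text).items():
        if key.startswith(CORS_PREFIX):
            wanted = (desired.get(tf_name(key)) or "").strip()
            if wanted != live:
                drift[tf_name(key)] = (wanted, live)
    return drift

if __name__ == "__main__":
    for name, (wanted, live) in cors_drift(SAMPLE, {}).items():
        print(f"{name}: wanted {wanted!r}, live {live!r}")
```

With an empty `desired` mapping (all routing arguments removed from the configuration), any entry returned is a header value the load balancer still holds even though the plan reports no changes.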

Labels: bug, service/elbv2
