aws_wafv2_web_acl : Provider produced inconsistent final plan #23390

Closed
janul opened this issue Feb 25, 2022 · 11 comments
Assignees
Labels
bug Addresses a defect in current functionality. service/wafv2 Issues and PRs that pertain to the wafv2 service.

Comments

@janul

janul commented Feb 25, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Related:

Terraform CLI and Terraform AWS Provider Version

Terraform v1.1.6
on linux_amd64

  • provider registry.terraform.io/hashicorp/archive v2.2.0
  • provider registry.terraform.io/hashicorp/aws v3.74.3
  • provider registry.terraform.io/hashicorp/null v3.1.0
  • provider registry.terraform.io/hashicorp/template v2.2.0

Affected Resource(s)

  • aws_wafv2_web_acl
  • aws_wafv2_regex_pattern_set

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_wafv2_regex_pattern_set" "example-regex" {
  name        = "example"
  description = "Example regex pattern set"
  scope       = "REGIONAL"

  regular_expression {
    regex_string = "one"
  }

  regular_expression {
    regex_string = "two"
  }
}

resource "aws_wafv2_web_acl" "test-waf" {
  name  = "Test-ACLS-dev"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "Test-ACLS-metrics-dev"
    sampled_requests_enabled   = false
  }

  tags = {
    # "desc" = "sample test"
  }

  rule {
    name     = "Test-Rate-Limits-dev"
    priority = 0

    statement {
      rate_based_statement {
        aggregate_key_type = "IP"
        limit              = 500
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Test-Rate-Limits-dev"
      sampled_requests_enabled   = true
    }

    action {
      block {
        custom_response {
          response_code = 403
        }
      }
    }
  }

  rule {
    name     = "HEAnet-custom-deny-URL-Rule"
    priority = 8

    action {
      block {}
    }

    statement {
      regex_pattern_set_reference_statement {
        arn = aws_wafv2_regex_pattern_set.example-regex.arn

        field_to_match {
          query_string {}
        }

        text_transformation {
          priority = 0
          type     = "NONE"
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Test-custom-deny-URL-Rule-dev"
      sampled_requests_enabled   = true
    }
  }
}

Debug Output

Panic Output

Expected Behavior

created/updated resource

Actual Behavior

There are two issues.

  1. I can create the resource, but every time I run plan/apply I get the following output:

    Note: Objects have changed outside of Terraform

    Terraform detected the following changes made outside of Terraform since the last "terraform apply":

      aws_wafv2_web_acl.test-waf has changed
      ~ resource "aws_wafv2_web_acl" "test-waf" {
            id   = "663afe0a-40f9-44f7-881a-74cea5ded06c"
            name = "Test-ACLS-dev"
            tags = {}
            # (5 unchanged attributes hidden)
            # (4 unchanged blocks hidden)
        }

  2. Then, when you update, for example, tags in aws_wafv2_web_acl and run apply, terraform throws an error:

    vertex "aws_wafv2_web_acl.test-waf" error: Provider produced inconsistent final plan

When tags in aws_wafv2_web_acl are modified and the changes applied:

vertex "aws_wafv2_web_acl.test-waf" error: Provider produced inconsistent final plan

Steps to Reproduce

  1. terraform apply
  2. modify for example tags in aws_wafv2_web_acl
  3. again terraform apply

Important Factoids

References

  • #0000
@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. bug Addresses a defect in current functionality. service/wafv2 Issues and PRs that pertain to the wafv2 service. labels Feb 25, 2022
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Mar 4, 2022
@janul
Author

janul commented Mar 13, 2022

I have tested with
provider registry.terraform.io/hashicorp/aws v4.5.0
So tags are not allowed anymore for aws_wafv2_web_acl, which is good.
However, every time I run: terraform plan
I get "Note: Objects have changed outside of Terraform" for aws_wafv2_web_acl.
terraform apply doesn't do anything: No changes. Your infrastructure matches the configuration.

@trallnag

Hey @janul, this is likely related to #19727

@chrisnellis

I was seeing this issue due to setting default tags in the AWS provider. That may be a legitimate outstanding issue

@dbdoyle182

I ran into this issue the other day with tags on the WAF; it seems there may be an issue with the way tags are handled by the aws provider for some resources.

Workaround was:

  1. Modify the tags via CLI to the desired values.
  2. Modify the remote state directly to match the tags I wanted.
  3. Run plan to ensure there were no changes related to tags on the wafv2 resources.
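Step 2 of the workaround above (editing the remote state so its recorded tags match what was set through the CLI) is the part most likely to go wrong by hand, so here is an added example of doing it mechanically. This is not code from the issue or from the provider; it assumes the Terraform v4 JSON state layout (a `resources` list of managed resources, each with `instances[].attributes`) and that the AWS provider stores both `tags` and `tags_all` (resource tags merged with provider `default_tags`) on the web ACL. The sample state is constructed for the example, with placeholder ids.

```python
import copy
import json
import sys

# Constructed sample of a Terraform state file (v4 JSON format), trimmed to
# the fields this edit touches. Real state carries more attributes; the ids
# below are placeholders, not values from the issue.
SAMPLE_STATE = {
    "version": 4,
    "terraform_version": "1.1.6",
    "serial": 7,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "outputs": {},
    "resources": [
        {
            "mode": "managed",
            "type": "aws_wafv2_web_acl",
            "name": "test-waf",
            "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
            "instances": [
                {
                    "schema_version": 0,
                    "attributes": {
                        "id": "00000000-0000-0000-0000-000000000000",
                        "name": "Test-ACLS-dev",
                        "scope": "REGIONAL",
                        "tags": {},
                        "tags_all": {"env": "dev"},
                    },
                }
            ],
        }
    ],
}


def set_resource_tags(state, resource_type, resource_name, tags, default_tags=None):
    """Return a copy of `state` in which the managed resource identified by
    (resource_type, resource_name) has its `tags` attribute replaced by `tags`.

    If the instance carries `tags_all`, it is rewritten as the provider
    default_tags overlaid by `tags`, so the two attributes stay consistent
    with what the provider would compute itself. The state serial is bumped
    because `terraform state push` refuses a state whose serial is not newer
    than the remote copy. The input state is left untouched.
    """
    default_tags = default_tags or {}
    new_state = copy.deepcopy(state)
    matched = 0
    for res in new_state.get("resources", []):
        if res.get("mode") != "managed":
            continue
        if res.get("type") != resource_type or res.get("name") != resource_name:
            continue
        for inst in res.get("instances", []):
            attrs = inst["attributes"]
            attrs["tags"] = dict(tags)
            if "tags_all" in attrs:
                merged = dict(default_tags)
                merged.update(tags)
                attrs["tags_all"] = merged
            matched += 1
    if matched == 0:
        raise KeyError(f"{resource_type}.{resource_name} not found in state")
    new_state["serial"] = state["serial"] + 1
    return new_state


def tags_in_state(state, resource_type, resource_name):
    """Read back the recorded tags, for a pre-push sanity check."""
    for res in state["resources"]:
        if res.get("type") == resource_type and res.get("name") == resource_name:
            return res["instances"][0]["attributes"].get("tags", {})
    raise KeyError(f"{resource_type}.{resource_name} not found in state")


if __name__ == "__main__":
    # Usage: python fix_state.py pulled.tfstate out.tfstate key=value [key=value ...]
    # Pull with `terraform state pull > pulled.tfstate`, push with
    # `terraform state push out.tfstate`, then run `terraform plan`.
    src, dst, *pairs = sys.argv[1:]
    desired = dict(p.split("=", 1) for p in pairs)
    with open(src) as fh:
        pulled = json.load(fh)
    fixed = set_resource_tags(pulled, "aws_wafv2_web_acl", "test-waf", desired)
    with open(dst, "w") as fh:
        json.dump(fixed, fh, indent=2)
    print("recorded tags:", tags_in_state(fixed, "aws_wafv2_web_acl", "test-waf"))
```

Keep the pulled state file as a backup before pushing, and pass the same key/value pairs you applied with the CLI so that step 3 (`terraform plan` showing no tag changes) actually holds; if `terraform state push` rejects the file for a stale serial or lineage mismatch, re-pull rather than forcing it.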

@tolidano

Dupe of #23992; additional workarounds available there.

@apagliara
Contributor

Upgrading terraform to 1.4.x fixed this for me

@YakDriver
Member

YakDriver commented Jul 13, 2023

NOTE: I cannot reproduce this error using Terraform v1.5+/AWS provider v5.7+ after trying various configurations. Retry using a minimum of Terraform v1.4.2/AWS provider v4.67.0 but preferably Terraform v1.5.3+/AWS provider v5.8.0+ and let us know if this is still a problem! If we don't hear back and can't reproduce, we plan to close this on or around July 20, 2023. The evidence suggests this is OBE (ie, fixed in the interim).

For more details see #23992 (comment) and #28672 (comment).

@YakDriver YakDriver self-assigned this Jul 13, 2023
@YakDriver
Member

I tried this config to reproduce this specific issue. I got no errors.

Here's my process to attempt to reproduce the problem:

  1. apply config as is
  2. remove default_tags and apply
  3. change tags values and apply
  4. remove tags and apply
  5. apply again

Config

provider "aws" {
  default_tags {
    tags = {
      fine_night = "tonight"
      fine_day   = "tomorrow"
    }
  }
}

resource "aws_wafv2_regex_pattern_set" "test" {
  name        = "wafv23992test"
  description = "Example regex pattern set"
  scope       = "REGIONAL"

  regular_expression {
    regex_string = "one"
  }

  regular_expression {
    regex_string = "two"
  }
}

resource "aws_wafv2_web_acl" "test" {
  name  = "wafv23992test"
  scope = "REGIONAL"
  default_action {
    allow {}
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "Test-ACLS-metrics-dev"
    sampled_requests_enabled   = false
  }

  tags = {
    "desc" = "sample test"
  }

  rule {
    name     = "Test-Rate-Limits-dev"
    priority = 0
    statement {
      rate_based_statement {
        aggregate_key_type = "IP"
        limit              = 500
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Test-Rate-Limits-dev"
      sampled_requests_enabled   = true
    }
    action {
      block {
        custom_response {
          response_code = 403
        }
      }
    }
  }

  rule {
    name     = "HEAnet-custom-deny-URL-Rule"
    priority = 8
    action {
      block {}
    }

    statement {
      regex_pattern_set_reference_statement {
        arn = aws_wafv2_regex_pattern_set.test.arn
        field_to_match {
          query_string {}
        }
        text_transformation {
          priority = 0
          type     = "NONE"
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Test-custom-deny-URL-Rule-dev"
      sampled_requests_enabled   = true
    }
  }
}

@YakDriver YakDriver added the waiting-response Maintainers are waiting on response from community or contributor. label Jul 13, 2023
@justinretzolk
Member

Hi all 👋 As was mentioned above, this issue appears to be fixed when using a minimum Terraform version of 1.4.2 and a minimum AWS Provider version of 4.67.0 (preferably Terraform 1.5.3 or later and AWS Provider 5.8.0 or later). If you experience any additional unexpected behaviors with versions that meet these requirements, please open a new issue so that we can investigate further.

@github-actions github-actions bot removed the waiting-response Maintainers are waiting on response from community or contributor. label Jul 20, 2023
@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 20, 2023