Error: Provider produced inconsistent final plan - invalid new value for .rule: planned set element #23936

Closed
joegajeckyj-ecs opened this issue Mar 30, 2022 · 6 comments
Labels
bug Addresses a defect in current functionality. service/wafv2 Issues and PRs that pertain to the wafv2 service.

Comments

@joegajeckyj-ecs

joegajeckyj-ecs commented Mar 30, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Related:

Terraform CLI and Terraform AWS Provider Version

Terraform v1.1.7
on darwin_amd64

  • provider registry.terraform.io/hashicorp/aws v4.8.0
  • provider registry.terraform.io/hashicorp/external v2.2.2
  • provider registry.terraform.io/hashicorp/local v2.2.2
  • provider registry.terraform.io/hashicorp/null v3.1.1

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

Actual Behavior

│ Error: Provider produced inconsistent final plan

│ When expanding the plan for module.wafv2-acl[0].aws_wafv2_web_acl.acl to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/aws" produced an
│ invalid new value for .rule: planned set element
...
does not correlate with any element in actual.

│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

Steps to Reproduce

  1. terraform apply

Important Factoids

When I add the "version" value to the .rule I can get most of the managed rules to update; however, for one particular AWS managed rule set which has no "Version" value, the error happens: "AWSManagedRulesAmazonIpReputationList".

I have tried with "Default" set as version value but the resource is not found.

References

Reason for trying to fix with adding the undocumented value "version" was found following related article #21732

  • #0000
@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. bug Addresses a defect in current functionality. service/wafv2 Issues and PRs that pertain to the wafv2 service. labels Mar 30, 2022
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Mar 30, 2022
@vinoth-nus

Workaround:
Since the issue is experienced only when there is a change in wafv2 acl config, the new resource creation doesn't have the issue.
As a workaround you can delete the WAFv2 ACL manually using the AWS console or CLI and re-run terraform to create the acl again with the respective tags as you need.

@cristinet

We are encountering this issue as well. It seems to be a problem only if the default action for the webacl is block.
Terraform throws the same error for any modification (not just tags) of the webacl.

@tgip-work

Also for Terraform AWS Provider 4.15.1

@janeklb

janeklb commented Jun 14, 2022

Also for

Terraform v1.0.1
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v4.18.0

FWIW, it seems like there's some inconsistency with what TF picks up from AWS vs how it thinks it should be represented, because when I run a terragrunt plan I get the following:

aws_wafv2_web_acl.waf_acl: Refreshing state... [id=REDACTED]
aws_wafv2_web_acl_logging_configuration.waf_lb_logs[0]: Refreshing state... [id=REDACTED]

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply":

  # aws_wafv2_web_acl.waf_acl has been changed
  ~ resource "aws_wafv2_web_acl" "waf_acl" {
        id          = "REDACTED"
        name        = "REDACTED"
        tags        = {
            "env"     = "REDACTED"
            "name"    = "REDACTED"
            "product" = "REDACTED"
            "service" = "REDACTED"
            "team"    = "REDACTED"
        }
        # (6 unchanged attributes hidden)



        # (8 unchanged blocks hidden)
    }

@stewartcampbell
Copy link

I am running into this when updating a custom response body when rules are blocking.

  custom_response_body {
    key          = "default"
    content      = var.waf_custom_response_body_default_content
    content_type = var.waf_custom_response_body_default_content_type
  }

If I switch all rules from block to count during the update, it takes the changes. I then switch back to blocking after that and all is well.
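
A check to run after the block-to-count-and-back workaround in the comment above, added here as an example and not code from the thread or the provider: it lists every rule still in count mode in the JSON that `aws wafv2 get-web-acl` prints. The sample response and its rule names are constructed placeholders.

```python
import json

# Constructed sample shaped like the output of `aws wafv2 get-web-acl`;
# rule names and values are placeholders, not taken from the issue.
SAMPLE = json.loads("""
{"WebACL": {"Name": "example-acl", "DefaultAction": {"Block": {}}, "Rules": [
  {"Name": "ip-reputation", "Priority": 1, "OverrideAction": {"Count": {}},
   "Statement": {"ManagedRuleGroupStatement": {
     "VendorName": "AWS", "Name": "AWSManagedRulesAmazonIpReputationList"}}},
  {"Name": "common", "Priority": 2, "OverrideAction": {"None": {}},
   "Statement": {"ManagedRuleGroupStatement": {
     "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet",
     "RuleActionOverrides": [
       {"Name": "SizeRestrictions_BODY", "ActionToUse": {"Count": {}}}]}}},
  {"Name": "rate-limit", "Priority": 3, "Action": {"Count": {}},
   "Statement": {"RateBasedStatement": {"Limit": 1000, "AggregateKeyType": "IP"}}},
  {"Name": "geo-block", "Priority": 4, "Action": {"Block": {}},
   "Statement": {"GeoMatchStatement": {"CountryCodes": ["ZZ"]}}}
]}}
""")


def count_mode_findings(response):
    """Return (rule name, where Count is set) for each rule left in count mode."""
    findings = []
    for rule in response["WebACL"].get("Rules", []):
        name = rule["Name"]
        # Rules with their own statement carry the action in "Action".
        if "Count" in rule.get("Action", {}):
            findings.append((name, "Action"))
        # Rule group references carry it in "OverrideAction" instead.
        if "Count" in rule.get("OverrideAction", {}):
            findings.append((name, "OverrideAction"))
        group = rule.get("Statement", {}).get("ManagedRuleGroupStatement", {})
        # Per-rule overrides inside a managed rule group.
        for override in group.get("RuleActionOverrides", []):
            if "Count" in override.get("ActionToUse", {}):
                findings.append((name, "RuleActionOverrides:" + override["Name"]))
        # Older form: rules listed here are evaluated in count mode.
        for excluded in group.get("ExcludedRules", []):
            findings.append((name, "ExcludedRules:" + excluded["Name"]))
    return findings


if __name__ == "__main__":
    for rule_name, where in count_mode_findings(SAMPLE):
        print(f"{rule_name}: count mode via {where}")
```

Some entries may be intentional overrides, so compare the result with the configuration you expect rather than treating every finding as drift.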

@joegajeckyj-ecs joegajeckyj-ecs closed this as not planned Won't fix, can't repro, duplicate, stale Jun 29, 2022
@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 30, 2022
@YakDriver YakDriver self-assigned this Jul 13, 2023