[Bug]: unable to apply with aws_cognito_user_pool_client #30257

Closed
borfig opened this issue Mar 26, 2023 · 5 comments · Fixed by #30459
Labels
bug Addresses a defect in current functionality. regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. service/cognitoidp Issues and PRs that pertain to the cognitoidp service. terraform-plugin-migration Issues that are related to the providers migration to Terraform Plugin Framework.

borfig commented Mar 26, 2023

Terraform Core Version

1.3.0

AWS Provider Version

4.60.0

Affected Resource(s)

  • aws_cognito_user_pool_client

Expected Behavior

The terraform apply should succeed with no changes.

Actual Behavior

The terraform apply fails with an error.

Relevant Error/Panic Output Snippet

╷
│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to
│ aws_cognito_user_pool_client.this, provider
│ "provider[\"registry.terraform.io/hashicorp/aws\"]" produced an unexpected
│ new value: .allowed_oauth_scopes: was cty.SetValEmpty(cty.String), but now
│ null.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.

Terraform Configuration Files

resource "aws_cognito_user_pool_client" "this" {
  name            = "<some-name>"
  user_pool_id    = "<some-user-pool-id>"

  allowed_oauth_flows                  = []
  allowed_oauth_flows_user_pool_client = false
  allowed_oauth_scopes                 = []
  callback_urls                        = []
  logout_urls                          = []
  explicit_auth_flows                  = ["ALLOW_ADMIN_USER_PASSWORD_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"]
  read_attributes                      = []
  supported_identity_providers         = ["COGNITO"]
  prevent_user_existence_errors        = "ENABLED"
}

Steps to Reproduce

  1. Deploy a user pool client with an older version of the provider (version 4.59.0 will do)
  2. Update the terraform lock to install AWS provider version 4.60.0
  3. Run terraform apply without changing anything in the resource

Debug Output

No response

Panic Output

No response

Important Factoids

The issue does not reproduce in version 4.59.0

References

No response

Would you like to implement a fix?

None

Contributor

ewbankkit commented Mar 27, 2023

Relates #30140.

func newUserPoolClientData(ctx context.Context, plan resourceUserPoolClientData, in *cognitoidentityprovider.UserPoolClientType, diags *diag.Diagnostics) resourceUserPoolClientData {
	return resourceUserPoolClientData{
		AccessTokenValidity:                      flex.Int64ToFrameworkLegacy(ctx, in.AccessTokenValidity),
		AllowedOauthFlows:                        flex.FlattenFrameworkStringSet(ctx, in.AllowedOAuthFlows),
		AllowedOauthFlowsUserPoolClient:          flex.BoolToFramework(ctx, in.AllowedOAuthFlowsUserPoolClient),
		AllowedOauthScopes:                       flex.FlattenFrameworkStringSet(ctx, in.AllowedOAuthScopes),
		AnalyticsConfiguration:                   flattenAnaylticsConfiguration(ctx, in.AnalyticsConfiguration, diags),
		AuthSessionValidity:                      flex.Int64ToFramework(ctx, in.AuthSessionValidity),
		CallbackUrls:                             flex.FlattenFrameworkStringSet(ctx, in.CallbackURLs),
		ClientSecret:                             flex.StringToFrameworkLegacy(ctx, in.ClientSecret),
		DefaultRedirectUri:                       flex.StringToFrameworkLegacy(ctx, in.DefaultRedirectURI),
		EnablePropagateAdditionalUserContextData: flex.BoolToFramework(ctx, in.EnablePropagateAdditionalUserContextData),
		EnableTokenRevocation:                    flex.BoolToFramework(ctx, in.EnableTokenRevocation),
		ExplicitAuthFlows:                        flex.FlattenFrameworkStringSet(ctx, in.ExplicitAuthFlows),
		ID:                                       flex.StringToFramework(ctx, in.ClientId),
		IdTokenValidity:                          flex.Int64ToFrameworkLegacy(ctx, in.IdTokenValidity),
		GenerateSecret:                           plan.GenerateSecret,
		LogoutUrls:                               flex.FlattenFrameworkStringSet(ctx, in.LogoutURLs),
		Name:                                     flex.StringToFramework(ctx, in.ClientName),
		PreventUserExistenceErrors:               flex.StringToFrameworkLegacy(ctx, in.PreventUserExistenceErrors),
		ReadAttributes:                           flex.FlattenFrameworkStringSet(ctx, in.ReadAttributes),
		RefreshTokenValidity:                     flex.Int64ToFramework(ctx, in.RefreshTokenValidity),
		SupportedIdentityProviders:               flex.FlattenFrameworkStringSet(ctx, in.SupportedIdentityProviders),
		TokenValidityUnits:                       flattenTokenValidityUnits(ctx, in.TokenValidityUnits),
		UserPoolID:                               flex.StringToFramework(ctx, in.UserPoolId),
		WriteAttributes:                          flex.FlattenFrameworkStringSet(ctx, in.WriteAttributes),
	}
}

I think that a FlattenFrameworkStringSetLegacy function that converts nil to an empty set is required here.
Relates hashicorp/terraform-plugin-framework#510.
Relates hashicorp/terraform-plugin-framework#70.
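
The null-versus-empty-set mismatch behind the error above, as an added example that is not part of the original thread or the provider's code. `StringSet`, `flattenStringSet`, `flattenStringSetLegacy` and `checkApply` are hypothetical, simplified stand-ins for the framework's set type, the provider's flatteners and Terraform's post-apply check; the nil API slice is a constructed input.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// StringSet (assumption): a set(string) that distinguishes null from empty.
type StringSet struct {
	Null  bool
	Elems []string
}

func (s StringSet) String() string {
	if s.Null {
		return "null"
	}
	e := append([]string{}, s.Elems...)
	sort.Strings(e) // sets are unordered, so compare in sorted order
	return "set[" + strings.Join(e, ",") + "]"
}

// flattenStringSet (hypothetical) maps a nil or empty API slice to null.
func flattenStringSet(in []string) StringSet {
	if len(in) == 0 {
		return StringSet{Null: true}
	}
	return StringSet{Elems: in}
}

// flattenStringSetLegacy (hypothetical) maps nil to a known, empty set.
func flattenStringSetLegacy(in []string) StringSet {
	return StringSet{Elems: append([]string{}, in...)}
}

// checkApply models the post-apply check: null is not equal to an empty set.
func checkApply(attr string, planned, got StringSet) error {
	if planned.String() != got.String() {
		return fmt.Errorf(".%s: was %s, but now %s", attr, planned, got)
	}
	return nil
}

func main() {
	planned := StringSet{Elems: []string{}} // allowed_oauth_scopes = []
	// Constructed input: the API response omits the field, so the slice is nil.
	fmt.Println(checkApply("allowed_oauth_scopes", planned, flattenStringSet(nil)))
	fmt.Println(checkApply("allowed_oauth_scopes", planned, flattenStringSetLegacy(nil)))
}
```
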

@gdavison gdavison self-assigned this Mar 29, 2023

joshlang commented Apr 1, 2023

Similar bug:

│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to aws_cognito_user_pool_client.client, provider
│ "provider[\"registry.terraform.io/hashicorp/aws\"]" produced an unexpected
│ new value: .token_validity_units: block count changed from 0 to 1.
│
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.

@gdavison
Contributor

Closed by #30459
