aws_wafv2_web_acl apply fails when default action changes #23423

Closed
jaypeng2015 opened this issue Mar 1, 2022 · 6 comments
Labels
bug Addresses a defect in current functionality. service/wafv2 Issues and PRs that pertain to the wafv2 service.


jaypeng2015 commented Mar 1, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Related:

Terraform CLI and Terraform AWS Provider Version

Terraform Cloud runtime v1.1.6
Providers:

  • "registry.terraform.io/hashicorp/archive" 2.2.0
  • "registry.terraform.io/hashicorp/aws" 4.3.0
  • "registry.terraform.io/hashicorp/random" 3.1.0

Affected Resource(s)

  • aws_wafv2_web_acl

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_wafv2_web_acl" "main" {
  count = var.enabled ? 1 : 0

  name  = var.name_prefix
  scope = var.scope

  default_action {
    dynamic "allow" {
      for_each = var.allow_default_action ? [1] : []
      content {}
    }

    dynamic "block" {
      for_each = var.allow_default_action ? [] : [1]
      content {}
    }
  }

  // other config
}

Debug Output

Panic Output

  • Plan output:
# module.wafv2-cloudfront.module.wafcf.aws_wafv2_web_acl.main[0] will be updated in-place
  ~ resource "aws_wafv2_web_acl" "main" {
        id         = "31fc351b-9585-4089-8c72-9f1742a1c9ee"
        name       = "dev-wafv2-cloudfront"
        tags       = {
            "Name" = "dev-wafv2-cloudfront"
        }
        # (5 unchanged attributes hidden)

      ~ default_action {
          - allow {
            }

          + block {
            }
        }


        # (5 unchanged blocks hidden)
    }

Expected Behavior

The default action changed from allow to block.

Actual Behavior

Apply errored.

Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for
│ module.wafv2-cloudfront.module.wafcf.aws_wafv2_web_acl.main[0] to include
│ new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/aws" produced an invalid new value for
│ .rule: planned set element
This is a bug in the provider, which should be reported in the provider's own issue tracker.

Steps to Reproduce

  1. terraform apply
  2. change the variable allow_default_action from true to false
  3. terraform apply

Important Factoids

It only errors when the configuration changes; if deploying from scratch, no matter whether the default action is true or false, it will succeed.

References

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. bug Addresses a defect in current functionality. service/wafv2 Issues and PRs that pertain to the wafv2 service. labels Mar 1, 2022
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Mar 1, 2022

rdubya commented Mar 29, 2022

I'm seeing this same error when trying to add tags. Version: registry.terraform.io/hashicorp/aws 4.8.0

Plan:

id : "****" # noop
name : "*****" # noop
tags : {  } # update
tags_all : { # create
  environment : "dev" # create
  terraform : "true" # create
}

... 5 unchanged attributes hidden

... 6 unchanged blocks hidden


eg15 commented Oct 5, 2022

This is happening to me on the latest AWS provider version 4.33.0 with the latest Terraform 1.3.1.
Changing default_action alone always triggers a 2MB-long error output.

Member

YakDriver commented Jul 13, 2023

NOTE: I cannot reproduce this error using Terraform v1.5+/AWS provider v5.7+ after trying various configurations. Retry using a minimum of Terraform v1.4.2/AWS provider v4.67.0 but preferably Terraform v1.5.3+/AWS provider v5.8.0+ and let us know if this is still a problem! If we don't hear back and can't reproduce, we plan to close this on or around July 20, 2023. The evidence suggests this is OBE (ie, fixed in the interim).

For more details see #23992 (comment) and #28672 (comment).

@YakDriver YakDriver self-assigned this Jul 13, 2023
@YakDriver YakDriver added the waiting-response Maintainers are waiting on response from community or contributor. label Jul 13, 2023
@justinretzolk
Member

Hi all 👋 As was mentioned above, this issue appears to be fixed when using a minimum Terraform version of 1.4.2 and a minimum AWS Provider version of 4.67.0 (preferably Terraform 1.5.3 or later and AWS Provider 5.8.0 or later). If you experience additional unexpected behaviors with versions that meet these parameters, please open a new issue so that we can investigate further.

@github-actions github-actions bot removed the waiting-response Maintainers are waiting on response from community or contributor. label Jul 20, 2023
@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 20, 2023