[Bug]: Error "Provider produced inconsistent final plan" when adding a default tag to a aws_wafv2_web_acl #27175

Closed
sgametrio opened this issue Oct 10, 2022 · 10 comments
Assignees
Labels
bug Addresses a defect in current functionality. service/wafv2 Issues and PRs that pertain to the wafv2 service. tags Pertains to resource tagging.

sgametrio commented Oct 10, 2022

Related:

Terraform Core Version

1.3.1,1.3.2

AWS Provider Version

4.33.0,4.34.0

Affected Resource(s)

  • aws_wafv2_web_acl

Expected Behavior

Apply worked correctly and added the AWS tag.

Actual Behavior

The apply command returned an error "Provider produced an inconsistent final plan" and panicked.

Relevant Error/Panic Output Snippet

│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for module.waf.aws_wafv2_web_acl.waf to include new
│ values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/aws" produced an invalid new value for
│ .rule: planned set element ... (very long output, 12k lines) ... does not correlate with any
│ element in actual.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.

Terraform Configuration Files

terraform {
  required_version = "~> 1.3.0"
  backend "s3" {}
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
  alias  = "us"
  default_tags {
    tags = {
      # Adding this tag throws an error "Provider produced an inconsistent final plan".
      # Github-Repo = "github_repo"
    }
  }
}

resource "aws_wafv2_web_acl" "waf" {
...
}

...

Steps to Reproduce

  1. Create the resource with no tags.
  2. Uncomment the tag in the aws.us provider
  3. Apply modifications
  4. Error

Debug Output

No response

Panic Output

output_failed_plan.txt

It's an ANSI file (console colored output). To visualize it I use the ANSI extension in VSCode and by changing the file extension to .ans you can preview it.

Important Factoids

No response

References

No response

Would you like to implement a fix?

No response

@errriclee
Contributor

I ran into the same issue with default_tags. Reverting to AWS 3.74.0 (while keeping Terraform 1.3.4) worked for me.

@puneetpunj

puneetpunj commented Dec 22, 2022

As a workaround, run this script before plan to update tags using the AWS CLI:

#!/bin/bash
set -euo pipefail

echo "--- Update WAF tags"

web_acl_name="test"
scope=REGIONAL

web_acls_list=$(aws wafv2 list-web-acls --scope "$scope")
web_acl_arn=$(echo "$web_acls_list" | jq -r --arg WEB_ACL_NAME "$web_acl_name" '.WebACLs[] | select(.Name==$WEB_ACL_NAME).ARN')
echo "web acl arn : ${web_acl_arn}"

# update tags if waf exists
if [ "${web_acl_arn}" ]; then

    echo "--- Tags list before update"
    echo $(aws wafv2 list-tags-for-resource --resource-arn "$web_acl_arn")

    echo "--- Update tags for : $web_acl_arn"
    # tag-resource prints nothing on success; the missing ")" is restored here
    response=$(aws wafv2 tag-resource --resource-arn "$web_acl_arn" --tags Key=Tag1,Value=test)

    echo "--- Tags list after update"
    echo $(aws wafv2 list-tags-for-resource --resource-arn "$web_acl_arn")
else
    echo "Web ACL with name ${web_acl_name} not found" 1>&2
fi

echo "success"

@garthkerr

garthkerr commented Jan 23, 2023

This is still an issue with v4.51.0 of the provider.

@roimor

roimor commented Feb 19, 2023

I am having the same issue with aws_wafv2_web_acl and tags_all

UPDATE: renamed the ACL to recreate the ACL and it solved the issue :)

@thatguythat1031

thatguythat1031 commented Mar 17, 2023

> I am having the same issue with aws_wafv2_web_acl and tags_all
>
> UPDATE: renamed the ACL to recreate the ACL and it solved the issue :)

I tried this; however, if you have the WAF associated with other resources (CloudFront, API Gateway, etc.), the Terraform recreation will fail. Manually disassociating the resources from the WAF web ACL in the AWS console and then applying the name change to recreate the WAF will fix it.
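Added example, not part of the thread: the manual disassociation described above leaves the affected resources without a web ACL until the recreated one is attached again, so this sketch records what the old ACL protects and afterwards reports anything still unprotected. It assumes a REGIONAL web ACL and the AWS CLI; the function names and the resource-type subset are illustrative, and CloudFront associations, which live in the distribution configuration, are not covered.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
set -eu

# Subset of the values accepted by --resource-type; extend as needed.
RESOURCE_TYPES="APPLICATION_LOAD_BALANCER API_GATEWAY APPSYNC"
TAB=$(printf '\t')

# Print "TYPE<TAB>ARN" for every resource associated with a REGIONAL web ACL.
# Run it BEFORE disassociating anything and save the output to a file.
list_waf_associations() (
    web_acl_arn=$1
    for rtype in $RESOURCE_TYPES; do
        arns=$(aws wafv2 list-resources-for-web-acl \
            --web-acl-arn "$web_acl_arn" --resource-type "$rtype" \
            --query 'ResourceArns[]' --output text </dev/null)
        for arn in $arns; do
            # --output text prints "None" for a null result
            if [ "$arn" != "None" ]; then
                printf '%s\t%s\n' "$rtype" "$arn"
            fi
        done
    done
)

# Read a saved inventory on stdin and print the entries that currently have
# no web ACL attached, i.e. resources still exposed after the recreate.
unprotected_resources() (
    while IFS="$TAB" read -r rtype arn; do
        [ -n "$arn" ] || continue
        current=$(aws wafv2 get-web-acl-for-resource --resource-arn "$arn" \
            --query 'WebACL.ARN' --output text </dev/null)
        if [ -z "$current" ] || [ "$current" = "None" ]; then
            printf '%s\t%s\n' "$rtype" "$arn"
        fi
    done
)
```

Source the file, save `list_waf_associations "<web-acl-arn>"` to a file before the rename, and pipe that file into `unprotected_resources` after the apply; empty output means every recorded resource has a web ACL again.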

@apagliara
Contributor

Upgrading terraform to 1.4.x fixed this for me

@sgametrio
Author

> Upgrading terraform to 1.4.x fixed this for me

I can confirm I run this via terraform 1.5.x and it got fixed. Closing the ticket.
