Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: Provider produced inconsistent final plan #28824

Closed
cwoollard opened this issue Jan 11, 2023 · 3 comments
Closed

[Bug]: Provider produced inconsistent final plan #28824

cwoollard opened this issue Jan 11, 2023 · 3 comments
Labels
bug Addresses a defect in current functionality. service/wafv2 Issues and PRs that pertain to the wafv2 service.

Comments

@cwoollard
Copy link

cwoollard commented Jan 11, 2023
edited by justinretzolk
Loading

Terraform Core Version

1.3.7

AWS Provider Version

4.49.0

Affected Resource(s)

aws_wafv2_web_acl

Expected Behavior

Terraform apply

Actual Behavior

Error: Provider produced inconsistent final plan

Relevant Error/Panic Output Snippet

│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for aws_wafv2_web_acl.api_waf to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/aws" produced an invalid new value for .rule: planned set element
│ cty.ObjectVal(map[string]cty.Value{"action":cty.ListValEmpty(cty.Object(map[string]cty.Type{"allow":cty.List(cty.Object(map[string]cty.Type{"custom_request_handling":cty.List(cty.Object(map[string]cty.Type{"insert_header":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String,
│ "value":cty.String}))}))})), "block":cty.List(cty.Object(map[string]cty.Type{"custom_response":cty.List(cty.Object(map[string]cty.Type{"custom_response_body_key":cty.String, "response_code":cty.Number,
│ "response_header":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String, "value":cty.String}))}))})),
│ 
│ "visibility_config":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"cloudwatch_metrics_enabled":cty.True, "metric_name":cty.StringVal("mo-apigateway-waf-AWSManagedRulesCommonRuleSet"),
│ "sampled_requests_enabled":cty.True})})}) does not correlate with any element in actual.
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

Terraform Configuration Files

resource "aws_wafv2_web_acl" "api_waf" {
  name        = "${var.resource_name_prefix}-waf"
  description = "MO API Gateway WAF Ruleset"
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "MO-IPv4IPSet-AllowList"
    priority = 1

    action {
      allow {}
    }

    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.ipv4-allowlist.arn
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "${var.resource_name_prefix}-waf-IPv4IPSet-AllowList"
      sampled_requests_enabled   = true
    }
  }

rule {
    name     = "MO-IPv6IPSet-AllowList"
    priority = 2

    action {
      allow {}
    }

    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.ipv6-allowlist.arn
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "${var.resource_name_prefix}-waf-IPv6IPSet-AllowList"
      sampled_requests_enabled   = true
    }
  }

rule {
    name     = "MO-IPv4IPSet-BlockList"
    priority = 3

    action {
      block {}
    }

    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.ipv4-blocklist.arn
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "${var.resource_name_prefix}-waf-IPv4IPSet-BlockList"
      sampled_requests_enabled   = true
    }
  }

rule {
    name     = "MO-IPv6IPSet-BlockList"
    priority = 4

    action {
      block {}
    }

    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.ipv6-blocklist.arn
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "${var.resource_name_prefix}-waf-IPv6IPSet-BlockList"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "MO-API-RateLimit"
    priority = 5

    action {
      block {}
    }

    statement {
      rate_based_statement {
        limit              = 5000
        aggregate_key_type = "IP"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "${var.resource_name_prefix}-waf-API-RateLimit"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesKnownBadInputsRuleSet"
    priority = 10

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"

      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "${var.resource_name_prefix}-waf-AWSManagedRulesKnownBadInputsRuleSet"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 11

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"

        rule_action_override {
          action_to_use {
            count {}
          }

          name = "SizeRestrictions_QUERYSTRING"
        }

        rule_action_override {
          action_to_use {
            count {}
          }

          name = "NoUserAgent_HEADER"
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "${var.resource_name_prefix}-waf-AWSManagedRulesCommonRuleSet"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesAmazonIpReputationList"
    priority = 12

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAmazonIpReputationList"
        vendor_name = "AWS"

      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "${var.resource_name_prefix}-waf-AWSManagedRulesAmazonIpReputationList"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesAnonymousIpList"
    priority = 13

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAnonymousIpList"
        vendor_name = "AWS"

      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "${var.resource_name_prefix}-waf-AWSManagedRulesAnonymousIpList"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesLinuxRuleSet"
    priority = 14

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesLinuxRuleSet"
        vendor_name = "AWS"

      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "${var.resource_name_prefix}-waf-AWSManagedRulesLinuxRuleSet"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesUnixRuleSet"
    priority = 15

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesUnixRuleSet"
        vendor_name = "AWS"

      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "${var.resource_name_prefix}-waf-AWSManagedRulesUnixRuleSet"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRulesSQLiRuleSet"
    priority = 16

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesSQLiRuleSet"
        vendor_name = "AWS"

      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "${var.resource_name_prefix}-waf-AWSManagedRulesSQLiRuleSet"
      sampled_requests_enabled   = true
    }
  }
/*
  rule {
    name     = "AWSManagedRulesAdminProtectionRuleSet"
    priority = 17

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAdminProtectionRuleSet"
        vendor_name = "AWS"

      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "${var.resource_name_prefix}-waf-AWSManagedRulesAdminProtectionRuleSet"
      sampled_requests_enabled   = true
    }
  }
*/

  tags = merge(var.tags, {
    Name = "${var.resource_name_prefix}--waf"
  })

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "${var.resource_name_prefix}-waf"
    sampled_requests_enabled   = true
  }

}

Steps to Reproduce

The attached tf file is what is currently applied. If I make any changes it generates that error.

Ideally, I want to uncomment the commented section as I had to get AWS support to increase the WCU units first.

but even modifying the following section to remove 1 of the dashes causes the error

  tags = merge(var.tags, {
    Name = "${var.resource_name_prefix}--waf"
  })

Debug Output

terraform-debug.log

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None
@cwoollard cwoollard added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Jan 11, 2023
@github-actions
Copy link

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/wafv2 Issues and PRs that pertain to the wafv2 service. label Jan 11, 2023
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Jan 11, 2023
@ewbankkit
Copy link
Contributor

@cwoollard Thanks for raising this issue.
It has already been noticed in #28191. I'm going to close this one as a duplicate so that we can concentrate discussion in the linked issue.
Please add any additional comments there.

@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 11, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Addresses a defect in current functionality. service/wafv2 Issues and PRs that pertain to the wafv2 service.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ewbankkit @cwoollard @justinretzolk