terraform-provider-aws
terraform-provider-aws copied to clipboard
aws_wafv2_web_acl : Provider produced inconsistent final plan
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform CLI and Terraform AWS Provider Version
Terraform v1.1.6 on linux_amd64
- provider registry.terraform.io/hashicorp/archive v2.2.0
- provider registry.terraform.io/hashicorp/aws v3.74.3
- provider registry.terraform.io/hashicorp/null v3.1.0
- provider registry.terraform.io/hashicorp/template v2.2.0
Affected Resource(s)
- aws_wafv2_web_acl
- aws_wafv2_regex_pattern_set
Terraform Configuration Files
Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.
resource "aws_wafv2_regex_pattern_set" "example-regex" {
name = "example"
description = "Example regex pattern set"
scope = "REGIONAL"
regular_expression {
regex_string = "one"
}
regular_expression {
regex_string = "two"
}
}
resource "aws_wafv2_web_acl" "test-waf" {
name = "Test-ACLS-dev"
scope = "REGIONAL"
default_action {
allow {}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "Test-ACLS-metrics-dev"
sampled_requests_enabled = false
}
tags = {
#"desc" = "sd ample test"
}
rule {
name = "Test-Rate-Limits-dev"
priority = 0
statement {
rate_based_statement {
aggregate_key_type = "IP"
limit = 500
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "Test-Rate-Limits-dev"
sampled_requests_enabled = true
}
action {
block {
custom_response {
response_code = 403
}
}
}
}
rule {
name = "HEAnet-custom-deny-URL-Rule"
priority = 8
action {
block {}
}
statement {
regex_pattern_set_reference_statement {
arn = aws_wafv2_regex_pattern_set.example-regex.arn
field_to_match {
query_string {}
}
text_transformation {
priority = 0
type = "NONE"
}
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "Test-custom-deny-URL-Rule-dev"
sampled_requests_enabled = true
}
}
}
Debug Output
Panic Output
Expected Behavior
created/updated resourse
Actual Behavior
There are two issues.
- I can create resource but every time doing plan/apply I get following output
Note: Objects have changed outside of Terraform Terraform detected the following changes made outside of Terraform since the last "terraform apply": aws_wafv2_web_acl.test-waf has changed ~ resource "aws_wafv2_web_acl" "test-waf" { id = "663afe0a-40f9-44f7-881a-74cea5ded06c" name = "Test-ACLS-dev" tags = {} # (5 unchanged attributes hidden) # (4 unchanged blocks hidden) }
2 . then when you update for example tags in aws_wafv2_web_acl and run apply the terraform throws an error.vertex "aws_wafv2_web_acl.test-waf" error: Provider produced inconsistent final plan
when modified tags in aws_wafv2_web_acl and apply changes:
vertex "aws_wafv2_web_acl.test-waf" error: Provider produced inconsistent final plan
Steps to Reproduce
-
terraform apply
- modify for example tags in aws_wafv2_web_acl
- again
terraform apply
Important Factoids
References
- #0000
I have tested with
provider registry.terraform.io/hashicorp/aws v4.5.0
So tags are not allowed anymore for aws_wafv2_web_acl which is good.
However every time I run : terraform plan
I get Note: Objects have changed outside of Terraform
for aws_wafv2_web_acl
terraform apply
doesn't do anything : No changes. Your infrastructure matches the configuration.
Hey @janul, this is likely related to https://github.com/hashicorp/terraform-provider-aws/issues/19727
I was seeing this issue due to setting default tags in the AWS provider. That may be a legitimate outstanding issue
I ran into this issue the other day with tags on the WAF, it seems there may be an issue with the way tags are handled by the aws provider for some resources.
Workaround was:
- Modify the tags via CLI to the desired values.
- Modify the remote state directly to match the tags I wanted.
- Run plan to ensure there were no changes related to tags on the wafv2 resources.
Dupe of https://github.com/hashicorp/terraform-provider-aws/issues/23992 additional workarounds available there.
FYI: This issues with WAFv2 has been reported multiple times:
- #23390
- #23423
- #23936
- #23992
- #24386
- #27175
- #27273
- #27479
Upgrading terraform to 1.4.x fixed this for me
NOTE: I cannot reproduce this error using Terraform v1.5+/AWS provider v5.7+ after trying various configurations. Retry using a minimum of Terraform v1.4.2/AWS provider v4.67.0 but preferably Terraform v1.5.3+/AWS provider v5.8.0+ and let us know if this is still a problem! If we don't hear back and can't reproduce, we plan to close this on or around July 20, 2023. The evidence suggests this is OBE (ie, fixed in the interim).
I tried this config to reproduce this specific issue. I got no errors.
Here's my process to attempt to reproduce the problem:
-
apply
config as is - remove
default_tags
andapply
- change
tags
values andapply
- remove
tags
andapply
-
apply
again
Config
provider "aws" {
default_tags {
tags = {
fine_night = "tonight"
fine_day = "tomorrow"
}
}
}
resource "aws_wafv2_regex_pattern_set" "test" {
name = "wafv23992test"
description = "Example regex pattern set"
scope = "REGIONAL"
regular_expression {
regex_string = "one"
}
regular_expression {
regex_string = "two"
}
}
resource "aws_wafv2_web_acl" "test" {
name = "wafv23992test"
scope = "REGIONAL"
default_action {
allow {}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "Test-ACLS-metrics-dev"
sampled_requests_enabled = false
}
tags = {
"desc" = "sample test"
}
rule {
name = "Test-Rate-Limits-dev"
priority = 0
statement {
rate_based_statement {
aggregate_key_type = "IP"
limit = 500
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "Test-Rate-Limits-dev"
sampled_requests_enabled = true
}
action {
block {
custom_response {
response_code = 403
}
}
}
}
rule {
name = "HEAnet-custom-deny-URL-Rule"
priority = 8
action {
block {}
}
statement {
regex_pattern_set_reference_statement {
arn = aws_wafv2_regex_pattern_set.test.arn
field_to_match {
query_string {}
}
text_transformation {
priority = 0
type = "NONE"
}
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "Test-custom-deny-URL-Rule-dev"
sampled_requests_enabled = true
}
}
}
Hi all :wave: As was mentioned above, this issue appears to be fixed when using a minimum Terraform version of 1.4.2 and a minimum AWS Provider version of 4.67.0 (preferably Terraform 1.5.3 or later and AWS Provider 5.8.0 or later). If you experience any additional unexpected behaviors with versions that meet these requirements, please open a new issue so that we can investigate further.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.