hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Error "Provider produced inconsistent final plan" when adding a default tag to a `aws_wafv2_web_acl` #27175

Closed sgametrio closed 1 year ago

sgametrio commented 2 years ago

Related:

Terraform Core Version

1.3.1,1.3.2

AWS Provider Version

4.33.0,4.34.0

Affected Resource(s)

Expected Behavior

Apply worked correctly and added the AWS tag.

Actual Behavior

The apply command returned an error "Provider produced an inconsistent final plan" and panicked.

Relevant Error/Panic Output Snippet

| Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for module.waf.aws_wafv2_web_acl.waf to include new
│ values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/aws" produced an invalid new value for
│ .rule: planned set element ... (very long output, 12k lines) ... does not correlate with any
│ element in actual.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.

Terraform Configuration Files

terraform {
  required_version = "~> 1.3.0"
  backend "s3" {}
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
  alias  = "us"
  default_tags {
    tags = {
      # Adding this tag throws an error "Provider produced an inconsistent final plan".
      # Github-Repo = "github_repo"
    }
  }
}

resource "aws_wafv2_web_acl" "waf" {
...
}

...

Steps to Reproduce

  1. Create the resource with no tags.
  2. Uncomment the tag in the aws.us provider
  3. Apply modifications
  4. Error

Debug Output

No response

Panic Output

output_failed_plan.txt

It's an ANSI file (console colored output). To visualize it I use the ANSI extension in VSCode and by changing the file extension to .ans you can preview it.

Important Factoids

No response

References

No response

Would you like to implement a fix?

No response


mmaetzler commented 1 year ago

FYI: This issue with WAFv2 has been reported multiple times:

errriclee commented 1 year ago

I ran into the same issue with default_tags. Reverting to AWS 3.74.0 (while keeping Terraform 1.3.4) worked for me.

puneetpunj commented 1 year ago

As a workaround, run this script before plan to update tags using the AWS CLI:

#!/bin/bash
# Requires the AWS CLI and jq.
set -euo pipefail

echo "--- Update WAF tags"

web_acl_name="test"
scope=REGIONAL

# Look up the ARN of the web ACL by name.
web_acls_list=$(aws wafv2 list-web-acls --scope "$scope")
web_acl_arn=$(echo "$web_acls_list" | jq -r --arg WEB_ACL_NAME "$web_acl_name" '.WebACLs[] | select(.Name==$WEB_ACL_NAME).ARN')
echo "web acl arn : ${web_acl_arn}"

# update tags if waf exists
if [ -n "${web_acl_arn}" ]; then

    echo "--- Tags list before update"
    aws wafv2 list-tags-for-resource --resource-arn "$web_acl_arn"

    echo "--- Update tags for : $web_acl_arn"
    response=$(aws wafv2 tag-resource --resource-arn "$web_acl_arn" --tags Key=Tag1,Value=test)

    echo "--- Tags list after update"
    aws wafv2 list-tags-for-resource --resource-arn "$web_acl_arn"
else
    echo "Web ACL with name ${web_acl_name} not found" 1>&2
fi

echo "success"
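
To know which web ACLs need the out-of-band tagging above before an apply, the plan can be inspected first. This is an added example, not code from the thread or the provider: it reads the JSON form of a saved plan (`terraform show -json <planfile>`) and reports `aws_wafv2_web_acl` resources whose planned in-place update touches only tags, the scenario in the steps to reproduce. The sample plan and the address `aws_wafv2_web_acl.other` are constructed.

```python
import json
import sys

TAG_ATTRS = {"tags", "tags_all"}

def tag_only_web_acl_updates(plan):
    """Return {address: {tag: value}} for web ACL updates that change only tags."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "aws_wafv2_web_acl" or change.get("actions") != ["update"]:
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        changed = {k for k in set(before) | set(after) if before.get(k) != after.get(k)}
        if not changed or not changed <= TAG_ATTRS:
            continue  # no diff, or something other than tags changes too
        old = before.get("tags_all") or {}
        new = after.get("tags_all") or {}
        findings[rc["address"]] = {k: v for k, v in new.items() if old.get(k) != v}
    return findings

def tag_args(tags):
    """Format tags as the script above passes them to `aws wafv2 tag-resource --tags`."""
    return [f"Key={k},Value={v}" for k, v in sorted(tags.items())]

def _rc(address, rtype, before, after):
    # Helper for building the constructed sample below.
    return {"address": address, "type": rtype,
            "change": {"actions": ["update"], "before": before, "after": after}}

# Constructed sample in the shape of `terraform show -json` output (not real data).
NEW_TAGS = {"Github-Repo": "github_repo"}
SAMPLE_PLAN = {"resource_changes": [
    _rc("module.waf.aws_wafv2_web_acl.waf", "aws_wafv2_web_acl",
        {"name": "test", "tags_all": {}}, {"name": "test", "tags_all": NEW_TAGS}),
    _rc("aws_wafv2_web_acl.other", "aws_wafv2_web_acl",  # hypothetical address
        {"description": "old", "tags_all": {}}, {"description": "new", "tags_all": NEW_TAGS}),
    _rc("aws_s3_bucket.logs", "aws_s3_bucket",
        {"tags_all": {}}, {"tags_all": NEW_TAGS}),
]}

if __name__ == "__main__":
    # Pass a plan JSON file as the first argument, or run on the sample.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, tags in tag_only_web_acl_updates(plan).items():
        print(address, " ".join(tag_args(tags)))
```
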

garthkerr commented 1 year ago

This is still an issue with v4.51.0 of the provider.

roimor commented 1 year ago

I am having the same issue with aws_wafv2_web_acl and tags_all.

UPDATE: renamed the ACL to recreate the ACL and it solved the issue :)

thatguythat1031 commented 1 year ago

> I am having the same issue with aws_wafv2_web_acl and tags_all.
>
> UPDATE: renamed the ACL to recreate the ACL and it solved the issue :)

I tried this, however if you have the WAF associated with other resources (CloudFront, API Gateway, etc.) the Terraform recreation will fail. Manually disassociating the resources from the WAF web ACL in the AWS console and then applying the name change to recreate the WAF will fix it.

apagliara commented 1 year ago

Upgrading Terraform to 1.4.x fixed this for me.

sgametrio commented 1 year ago

> Upgrading Terraform to 1.4.x fixed this for me.

I can confirm I ran this via Terraform 1.5.x and it got fixed. Closing the ticket.
