[Bug]: Provider produced inconsistent final plan

[lusche]

Terraform Core Version

1.3.6

AWS Provider Version

v4.48.0

Affected Resource(s)

aws_wafv2_web_acl

Expected Behavior

When I change something in the managed_rule_group_statement it should apply without error.

Actual Behavior

I tried to change from excluded_rule to rule_action_override. This works in most cases. But it looks like any changes in the managed_rule_group_statement results in an error if you use the AWSManagedRulesBotControlRuleSet.

Relevant Error/Panic Output Snippet

│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for aws_wafv2_web_acl.sge to include new values
│ learned so far during apply, provider "registry.terraform.io/hashicorp/aws"
│ produced an invalid new value for .rule: planned set element

Terraform Configuration Files

resource "aws_wafv2_web_acl" "bug" {
  name        = "bug-report-waf"
  description = "bug WAF for env: report"
  scope       = var.scope

  default_action {
    allow {}
  }

  tags = {
    Environment = "report"
    Name        = "bug"
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "global-waf"
    sampled_requests_enabled   = false
  }

  # Start: Rule 30
  # Kostet! 
  # https://aws.amazon.com/de/waf/pricing/
  # 10/montat + 1/mio req
  rule {
    name     = "aws-BotControl-RuleSet"
    priority = 30

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesBotControlRuleSet"
        vendor_name = "AWS"

        excluded_rule {
          name = "SignalNonBrowserUserAgent"
        }

#        rule_action_override {
#          action_to_use {
#            count {}
#          }
#
#          name = "SignalNonBrowserUserAgent"
#        }

      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "BotControl-RuleSet"
      sampled_requests_enabled   = true
    }
  }
  # Ende: Rule 30

  # Start: Rule 100
  # OWASP Top 10
  rule {
    name     = "aws-common-rules"
    priority = 100

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"

        excluded_rule {
          name = "SizeRestrictions_QUERYSTRING"
        }

#        rule_action_override {
#          action_to_use {
#            count {}
#          }
#
#          name = "SizeRestrictions_QUERYSTRING"
#        }

      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common-rules"
      sampled_requests_enabled   = true
    }
  }
  # Ende: Rule 100

}

Steps to Reproduce

• Run the provided Config. This should create a WAF2 with 2 AWS manged rulesets.
• change excluded_rule to rule_action_override in the managed_rule_group_statement in the rule: AWSManagedRulesCommonRuleSet (is prepared just comment and uncomment)
• run again. Works fine for me. No error
• change excluded_rule to rule_action_override in the managed_rule_group_statement in the rule: AWSManagedRulesBotControlRuleSet (is prepared just comment and uncomment)
• run again. Produces an Error

But if you:

• destroy WAF via terraform
• run code again and it works fine.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[ewbankkit]

@lusche Thanks for raising this issue. It has already been noticed in #28191. I'm going to close this one as a duplicate so that we can concentrate discussion in the linked issue. Please add any additional comments there.

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.