hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: "Provider produced inconsistent result after apply" in aws_cognito_user_pool_client (in aws 4.62.0 / 4.63.0) #30903

Closed HarryBo112 closed 1 year ago

HarryBo112 commented 1 year ago

Terraform Core Version

1.4.2

AWS Provider Version

4.62.0

Affected Resource(s)

aws_cognito_user_pool_client

Expected Behavior

Shall apply the cognito definition

Actual Behavior

Fails with "Provider produced inconsistent result after apply"

Relevant Error/Panic Output Snippet

Error: Provider produced inconsistent result after apply
│
│ When applying changes to aws_cognito_user_pool_client.my_ui, provider
│ "provider[\"registry.terraform.io/hashicorp/aws\"]" produced an unexpected
│ new value: .token_validity_units: block count changed from 0 to 1.
│
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵

Terraform Configuration Files

resource "aws_cognito_user_pool_client" "UI" {
  name            = "UI"
  user_pool_id    = tolist(data.aws_cognito_user_pools.UI.ids)[0]
  generate_secret = false # Must be false for Amplify to work.
  supported_identity_providers = [
    "COGNITO",
    aws_cognito_identity_provider.FOO_ad.provider_name,
  ]
  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_flows = [
    "code",
    "implicit",
  ]
  allowed_oauth_scopes = [
    "email",
    "openid",
    "profile",
  ]
  explicit_auth_flows = ["ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_CUSTOM_AUTH"]
  callback_urls = [
    "https://ui.${var.environment}.FOO.BAR",
    "http://localhost:3000",
  ]
  logout_urls = [
    "https://ui.${var.environment}.FOO.BAR",
    "http://localhost:3000",
  ]
  # No token_validity_units block is declared here, so refresh_token_validity
  # uses the service default unit (days). The error above reports that the
  # provider read back one such block after apply.
  refresh_token_validity        = 1
  prevent_user_existence_errors = "ENABLED"
}

resource "aws_cognito_user_pool_domain" "UI" {
  domain          = "auth.ui.${var.environment}.FOO.BAR"
  certificate_arn = data.aws_acm_certificate.cert.arn
  user_pool_id    = tolist(data.aws_cognito_user_pools.UI.ids)[0]
}

resource "aws_route53_record" "UI_auth" {
  name    = aws_cognito_user_pool_domain.UI.domain
  type    = "A"
  zone_id = data.aws_route53_zone.public.zone_id
  alias {
    evaluate_target_health = false
    name                   = aws_cognito_user_pool_domain.UI.cloudfront_distribution_arn

    zone_id = "SOME_ZONE_ID"
  }
}

resource "aws_cognito_identity_provider" "FOO_ad" {
  user_pool_id  = tolist(data.aws_cognito_user_pools.UI.ids)[0]
  provider_name = "FOO"
  provider_type = "SAML"

  provider_details = {
    MetadataFile = data.template_file.saml.rendered
    IDPSignout   = "false"
    SLORedirectBindingURI = "URL"
    SSORedirectBindingURI = "URL"
  }

  attribute_mapping = {
    email = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  }
}

resource "aws_cognito_user_group" "role_FOO_admin" {
  name         = "role_FOO_admin"
  user_pool_id = tolist(data.aws_cognito_user_pools.UI.ids)[0]
  description  = "Members of this group will have admin level access to the FOO backend"
}

resource "aws_cognito_user_group" "role_FOO_support" {
  name         = "role_FOO_support"
  user_pool_id = tolist(data.aws_cognito_user_pools.UI.ids)[0]
  description  = "Members of this group will have support level access to the FOO backend"
}

output "aws_cognito_user_pool_id" {
  value = tolist(data.aws_cognito_user_pools.UI.ids)[0]
}

output "aws_cognito_user_pool_client_id" {
  value = aws_cognito_user_pool_client.UI.id
}

Steps to Reproduce

Planning TF is fine, but applying the changes leads to the error.

Debug Output

No response

Panic Output

No response

Important Factoids

I've also tried other combinations (upgraded to aws provider 4.63.0, downgraded tf core), but it still gives me the error. Running aws provider 4.59.0 works fine and can apply cognito changes.

References

Seems to be the same bug as in https://github.com/hashicorp/terraform-provider-aws/issues/30268, which should have been fixed, but for some reason I am still running into it.

Would you like to implement a fix?

None
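Added example, not from the reporter or the provider project: a trimmed client definition that pins the provider to the versions this thread reports as working and declares the token_validity_units block explicitly, so the planned value already contains the one block the provider reads back after apply. Whether this sidesteps the "block count changed from 0 to 1" mismatch on the affected releases is an assumption based on the error text, not something the thread confirms; the version constraint and var.user_pool_id are hypothetical stand-ins for the reporter's data-source lookup. The block keeps only the authorization code grant (the original also enables implicit, which returns tokens in the redirect URL fragment). The units are the documented Cognito defaults, which also makes the real lifetime of refresh_token_validity = 1 (one day) visible in the config instead of implied.

```hcl
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      # Hypothetical constraint derived from this thread: 4.59.0 is reported
      # working and 4.64.0 is reported fixed; 4.62.0 and 4.63.0 fail.
      version = ">= 4.59.0, != 4.62.0, != 4.63.0"
    }
  }
}

# Assumed input; the original report looks the pool up via a data source.
variable "user_pool_id" {
  type = string
}

resource "aws_cognito_user_pool_client" "UI" {
  name         = "UI"
  user_pool_id = var.user_pool_id

  generate_secret                      = false
  supported_identity_providers         = ["COGNITO"]
  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_flows                  = ["code"]
  allowed_oauth_scopes                 = ["email", "openid", "profile"]
  explicit_auth_flows                  = ["ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"]
  callback_urls                        = ["https://ui.example.com"]
  logout_urls                          = ["https://ui.example.com"]
  prevent_user_existence_errors        = "ENABLED"

  refresh_token_validity = 1

  # Declared explicitly so the plan contains exactly one token_validity_units
  # block, matching what DescribeUserPoolClient returns after apply. Values are
  # the Cognito defaults: refresh token in days, access and ID tokens in hours.
  token_validity_units {
    refresh_token = "days"
    access_token  = "hours"
    id_token      = "hours"
  }
}
```

After apply, the units the service actually stored can be confirmed with `aws cognito-idp describe-user-pool-client --user-pool-id <pool> --client-id <client> --query UserPoolClient.TokenValidityUnits`; if that output matches the block above, the post-apply read and the plan describe the same object.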

github-actions[bot] commented 1 year ago

Community Note


HarryBo112 commented 1 year ago

Seems to be fixed with 4.64.0

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.