Affected Resource(s)
Any resource which currently uses the ARNType custom type implementation, and there are many.
Expected Behavior
When an invalid ARN is passed to an attribute of type ARNType, some kind of validation error should appear during terraform plan.
Actual Behavior
An error suggesting a bug in the provider is displayed:
Error: Provider produced invalid plan
│
│ Provider "registry.terraform.io/hashicorp/aws" planned an invalid value for <RESOURCE_WITH_ARN_ATTRIBUTE>: planned value cty.UnknownVal(cty.String) does not match
│ config value cty.StringVal("<SOME_INVALID_ARN>").
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
Relevant Error/Panic Output Snippet
No response
Debug Output
plan.log
This is the plan for aws_bedrockagent_agent snippet suggested above.
Panic Output
No response
Important Factoids
The cause of the issue seems to be the implementation of the ARNType.
This method:
    func (t arnType) ValueFromString(_ context.Context, in types.String) (basetypes.StringValuable, diag.Diagnostics) {
        var diags diag.Diagnostics
        if in.IsNull() {
            return ARNNull(), diags
        }
        if in.IsUnknown() {
            return ARNUnknown(), diags
        }
        valueString := in.ValueString()
        if _, err := arn.Parse(valueString); err != nil {
            return ARNUnknown(), diags // Must not return validation errors.
        }
        return ARNValue(valueString), diags
    }
returns ARNUnknown if an invalid ARN is passed. The unknown result will cause the validation method:
    func (v ARN) ValidateAttribute(ctx context.Context, req xattr.ValidateAttributeRequest, resp *xattr.ValidateAttributeResponse) {
        if v.IsNull() || v.IsUnknown() {
            return
        }
        if !arn.IsARN(v.ValueString()) {
            resp.Diagnostics.AddAttributeError(
                req.Path,
                "Invalid ARN Value",
                "The provided value cannot be parsed as an ARN.\n\n"+
                    "Path: "+req.Path.String()+"\n"+
                    "Value: "+v.ValueString(),
            )
        }
    }
to never pass the first condition, thus validation will not take place.
If the lines:
    if _, err := arn.Parse(valueString); err != nil {
        return ARNUnknown(), diags // Must not return validation errors.
    }
are removed from the ValueFromString method, then terraform plan for the aws_bedrockagent_agent snippet provided above shows this error instead:
Error: Invalid ARN Value
│
│ with aws_bedrockagent_agent.test,
│ on main.tf line 85, in resource "aws_bedrockagent_agent" "test":
│ 85: agent_resource_role_arn = "INVALID-ARN"
│
│ The provided value cannot be parsed as an ARN.
│
│ Path: agent_resource_role_arn
│ Value: INVALID-ARN
I don't feel competent to suggest that those two lines should indeed be gone, as they might be critical to some other behavior, but the fact that the method returns an unknown value for invalid ARNs, and unknown values are never validated, causes the issue here.
Terraform Core Version
1.9.5
AWS Provider Version
5.66.0
Terraform Configuration Files
Problem can be reproduced using any resource which has ARNType attributes. For example:
will cause the problem.
Also, the minimal resource implementation reproduces the problem:
this resource will demonstrate the error with the following config:
Steps to Reproduce
Use any of the snippets provided above and just run terraform plan
Debug Output
plan.log This is the plan for
aws_bedrockagent_agent
snippet suggested above.Panic Output
No response
Important Factoids
The cause of the issue seems to be implementation of the ARNType
This method:
returns ARNUnknown if an invalid ARN is passed. The unknown result will cause the validation method:
to never pass the first condition thus validation will not take place.
If the lines:
are removed from
ValueFromString
method, thenterraform plan
for theaws_bedrockagent_agent
snippet provided above, shows this error instead:I don't feel competent to suggest that indeed those two lines should be gone as they might be critical to some other behavior, but the fact that the method returns unknown value for invalid ARNs and unknown values are never validated, causes the issue here.
References
No response
Would you like to implement a fix?
None
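Added example, not part of the original issue and not the provider's code: a standard-library-only Go model of the interaction described under Important Factoids, showing how coercing an invalid ARN to unknown both skips validation and makes the planned value differ from the config value. The names `value`, `isARN`, `fromString`, `validate` and `planMatchesConfig` are hypothetical; `isARN` is a simplified stand-in for `arn.Parse`/`arn.IsARN`, and `planMatchesConfig` is a simplified model of the check that produces "Provider produced invalid plan".

```go
package main

import (
	"fmt"
	"strings"
)

// value models a framework string: null, unknown, or known with content.
type value struct {
	null, unknown bool
	s             string
}

// isARN is a simplified stand-in (assumption) for arn.Parse / arn.IsARN.
func isARN(s string) bool {
	return strings.HasPrefix(s, "arn:") && strings.Count(s, ":") >= 5
}

// fromString models ValueFromString; coerce=true is the behaviour quoted in the issue.
func fromString(in value, coerce bool) value {
	if in.null || in.unknown {
		return in
	}
	if coerce && !isARN(in.s) {
		return value{unknown: true} // invalid input silently becomes unknown
	}
	return in
}

// validate models ValidateAttribute: null and unknown values are skipped.
func validate(v value) error {
	if v.null || v.unknown || isARN(v.s) {
		return nil
	}
	return fmt.Errorf("Invalid ARN Value: %s", v.s)
}

// planMatchesConfig: a known config value must come back unchanged in the plan.
func planMatchesConfig(config, planned value) bool {
	return config.unknown || config == planned
}

func main() {
	cfg := value{s: "INVALID-ARN"} // constructed sample input
	for _, coerce := range []bool{true, false} {
		v := fromString(cfg, coerce)
		fmt.Println(coerce, validate(v), planMatchesConfig(cfg, v))
	}
}
```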