Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: aws_wafv2_web_acl Error: Provider produced inconsistent final plan #30858

Closed
rickychew77 opened this issue Apr 21, 2023 · 12 comments
Closed

[Bug]: aws_wafv2_web_acl Error: Provider produced inconsistent final plan #30858

rickychew77 opened this issue Apr 21, 2023 · 12 comments
Assignees
@YakDriver
Labels
bug Addresses a defect in current functionality. service/wafv2 Issues and PRs that pertain to the wafv2 service.

Comments

@rickychew77
Copy link

rickychew77 commented Apr 21, 2023
edited by YakDriver
Loading

Related:

Terraform Core Version

1.1.7

AWS Provider Version

4.64.0

Affected Resource(s)

aws_wafv2_web_acl, aws_wafv2_ip_set

Expected Behavior

Able to apply when updating config aws cloudfront default_action.block

Actual Behavior

After terraform apply and type "yes", it produces error below. Seems like a repetitive output.

Relevant Error/Panic Output Snippet

╷
│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for aws_wafv2_web_acl.main to include new values
│ learned so far during apply, provider "registry.terraform.io/hashicorp/aws"
│ produced an invalid new value for .rule: planned set element
│ cty.ObjectVal(map[string]cty.Value{"action":cty.ListValEmpty(cty.Object(map[string]cty.Type{"allow":cty.List(cty.Object(map[string]cty.Type{"custom_request_handling":cty.List(cty.Object(map[string]cty.Type{"insert_header":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String,
│ "value":cty.String}))}))})),
│ "block":cty.List(cty.Object(map[string]cty.Type{"custom_response":cty.List(cty.Object(map[string]cty.Type{"custom_response_body_key":cty.String,
│ "response_code":cty.Number,
│ "response_header":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String,
│ "value":cty.String}))}))})),
│ "captcha":cty.List(cty.Object(map[string]cty.Type{"custom_request_handling":cty.List(cty.Object(map[string]cty.Type{"insert_header":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String,
│ "value":cty.String}))}))})),
│ "challenge":cty.List(cty.Object(map[string]cty.Type{"custom_request_handling":cty.List(cty.Object(map[string]cty.Type{"insert_header":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String,
│ "value":cty.String}))}))})),
│ "count":cty.List(cty.Object(map[string]cty.Type{"custom_request_handling":cty.List(cty.Object(map[string]cty.Type{"insert_header":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String,
│ "value":cty.String}))}))}))})),
│ "captcha_config":cty.ListValEmpty(cty.Object(map[string]cty.Type{"immunity_time_property":cty.List(cty.Object(map[string]cty.Type{"immunity_time":cty.Number}))})),
│ "name":cty.StringVal("AWS-AWSManagedRulesSQLiRuleSet"),
│ "override_action":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"count":cty.ListValEmpty(cty.EmptyObject),
│ "none":cty.ListVal([]cty.Value{cty.EmptyObjectVal})})}),
│ "priority":cty.NumberIntVal(4),
│ "rule_label":cty.SetValEmpty(cty.Object(map[string]cty.Type{"name":cty.String})),
│ "statement":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"and_statement":cty.ListValEmpty(cty.Object(map[string]cty.Type{"statement":cty.List(cty.Object(map[string]cty.Type{"and_statement":cty.List(cty.Object(map[string]cty.Type{"statement":cty.List(cty.Object(map[string]cty.Type{"and_statement":cty.List(cty.Object(map[string]cty.Type{"statement":cty.List(cty.Object(map[string]cty.Type{"byte_match_statement":cty.List(cty.Object(map[string]cty.Type{"field_to_match":cty.List(cty.Object(map[string]cty.Type{"all_query_arguments":cty.List(cty.EmptyObject),
│ "body":cty.List(cty.Object(map[string]cty.Type{"oversize_handling":cty.String})),
│ "cookies":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject),
│ "excluded_cookies":cty.List(cty.String),
│ "included_cookies":cty.List(cty.String)})), "match_scope":cty.String,
│ "oversize_handling":cty.String})),
│ "headers":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject),
│ "excluded_headers":cty.List(cty.String),
│ "included_headers":cty.List(cty.String)})), "match_scope":cty.String,
│ "oversize_handling":cty.String})),
│ "json_body":cty.List(cty.Object(map[string]cty.Type{"invalid_fallback_behavior":cty.String,
│ "match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject),
│ "included_paths":cty.List(cty.String)})), "match_scope":cty.String,
│ "oversize_handling":cty.String})), "method":cty.List(cty.EmptyObject),
│ "query_string":cty.List(cty.EmptyObject),
│ "single_header":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})),
│ "single_query_argument":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})),
│ "uri_path":cty.List(cty.EmptyObject)})),
│ "positional_constraint":cty.String, "search_string":cty.String,
│ "text_transformation":cty.Set(cty.Object(map[string]cty.Type{"priority":cty.Number,
│ "type":cty.String}))})),
│ "geo_match_statement":cty.List(cty.Object(map[string]cty.Type{"country_codes":cty.List(cty.String),
│ "forwarded_ip_config":cty.List(cty.Object(map[string]cty.Type{"fallback_behavior":cty.String,
│ "header_name":cty.String}))})),
│ "ip_set_reference_statement":cty.List(cty.Object(map[string]cty.Type{"arn":cty.String,
│ "ip_set_forwarded_ip_config":cty.List(cty.Object(map[string]cty.Type{"fallback_behavior":cty.String,
│ "header_name":cty.String, "position":cty.String}))})),
│ "label_match_statement":cty.List(cty.Object(map[string]cty.Type{"key":cty.String,
│ "scope":cty.String})),
│ "regex_match_statement":cty.List(cty.Object(map[string]cty.Type{"field_to_match":cty.List(cty.Object(map[string]cty.Type{"all_query_arguments":cty.List(cty.EmptyObject),
│ "body":cty.List(cty.Object(map[string]cty.Type{"oversize_handling":cty.String})),
│ "cookies":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject),
│ "excluded_cookies":cty.List(cty.String),
│ "included_cookies":cty.List(cty.String)})), "match_scope":cty.String,
│ "oversize_handling":cty.String})),
│ "headers":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject),
│ "excluded_headers":cty.List(cty.String),
│ "included_headers":cty.List(cty.String)})), "match_scope":cty.String,
│ "oversize_handling":cty.String})),
│ "json_body":cty.List(cty.Object(map[string]cty.Type{"invalid_fallback_behavior":cty.String,
│ "match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject),
│ "included_paths":cty.List(cty.String)})), "match_scope":cty.String,
│ "oversize_handling":cty.String})), "method":cty.List(cty.EmptyObject),
│ "query_string":cty.List(cty.EmptyObject),
│ "single_header":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})),
│ "single_query_argument":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})),
│ "uri_path":cty.List(cty.EmptyObject)})), "regex_string":cty.String,
│ "text_transformation":cty.Set(cty.Object(map[string]cty.Type{"priority":cty.Number,
│ "type":cty.String}))})),
│ "regex_pattern_set_reference_statement":cty.List(cty.Object(map[string]cty.Type{"arn":cty.String,
│ "field_to_match":cty.List(cty.Object(map[string]cty.Type{"all_query_arguments":cty.List(cty.EmptyObject),
│ "body":cty.List(cty.Object(map[string]cty.Type{"oversize_handling":cty.String})),
│ "cookies":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject),
│ "excluded_cookies":cty.List(cty.String),
│ "included_cookies":cty.List(cty.String)})), "match_scope":cty.String,
│ "oversize_handling":cty.String})),
│ "headers":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject),
│ "excluded_headers":cty.List(cty.String),
│ "included_headers":cty.List(cty.String)})), "match_scope":cty.String,
│ "oversize_handling":cty.String})),
│ "json_body":cty.List(cty.Object(map[string]cty.Type{"invalid_fallback_behavior":cty.String,
│ "match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject),
│ "included_paths":cty.List(cty.String)})), "match_scope":cty.String,
│ "oversize_handling":cty.String})), "method":cty.List(cty.EmptyObject),
│ "query_string":cty.List(cty.EmptyObject),
│ "single_header":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})),
│ "single_query_argument":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})),
│ "uri_path":cty.List(cty.EmptyObject)})),
│ "text_transformation":cty.Set(cty.Object(map[string]cty.Type{"priority":cty.Number,
│ "type":cty.String}))})),
│ "size_constraint_statement":cty.List(cty.Object(map[string]cty.Type{"comparison_operator":cty.String,
│ "field_to_match":cty.List(cty.Object(map[string]cty.Type{"all_query_arguments":cty.List(cty.EmptyObject),
│ "body":cty.List(cty.Object(map[string]cty.Type{"oversize_handling":cty.String})),
│ "cookies":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject),
│ "excluded_cookies":cty.List(cty.String),
│ "included_cookies":cty.List(cty.String)})), "match_scope":cty.String,
│ "oversize_handling":cty.String})),
│ "headers":cty.List(cty.Object(map[string]cty.Type{"match_pattern":cty.List(cty.Object(map[string]cty.Type{"all":cty.List(cty.EmptyObject),
│ "excluded_headers":cty.List(cty.String),

.
.
.
| This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.

Output seems repetitive and too long to put here.

Terraform Configuration Files

resource "aws_wafv2_web_acl" "main" {
  name        = local.wafv2_name
  description = var.description
  scope       = var.scope

  dynamic "custom_response_body" {
    for_each = coalesce(var.custom_responses, {})
    content {
      key          = custom_response_body.key
      content      = custom_response_body.value.content
      content_type = custom_response_body.value.content_type
    }
  }

  default_action {
    dynamic "block" {
      for_each = var.block_by_default ? [1] : []
      content {
        dynamic "custom_response" {
          for_each = var.block_custom_response != null ? [1] : []
          content {
            custom_response_body_key = var.block_custom_response.custom_response_body_key
            response_code            = var.block_custom_response.response_code
          }
        }
      }
    }

    dynamic "allow" {
      for_each = var.block_by_default ? [] : [1]
      content {}
    }
  }

  dynamic "rule" {
    for_each = var.allow_ip_addresses

    content {
      name     = "${local.allow_ip_addresses_name_prefix}-${rule.key}"
      priority = rule.value.priority

      action {
        allow {
          dynamic "custom_request_handling" {
            for_each = rule.value.bypass_cognito ? [1] : []
            content {
              insert_header {
                name  = "ip-whitelist"
                value = "to-bypass-cognito"
              }
            }
          }
        }
      }

      statement {
        ip_set_reference_statement {
          arn = aws_wafv2_ip_set.allowed_ip_set[rule.key].arn
        }
      }

      visibility_config {
        cloudwatch_metrics_enabled = true
        sampled_requests_enabled   = true
        metric_name                = "${local.allow_ip_addresses_name_prefix}-${rule.key}"
      }
    }
  }


  dynamic "rule" {
    for_each = aws_wafv2_ip_set.blocked_ip_set

    content {
      name     = rule.key
      priority = var.block_ip_addresses[rule.key].priority

      action {
        block {}
      }

      statement {
        ip_set_reference_statement {
          arn = rule.value.arn
        }
      }

      visibility_config {
        cloudwatch_metrics_enabled = true
        sampled_requests_enabled   = true
        metric_name                = "${local.allow_ip_addresses_name_prefix}-${rule.key}"
      }
    }
  }

  dynamic "rule" {
    for_each = length(var.block_country_codes) != 0 ? [1] : []
    content {
      name     = local.block_countries_rule_name
      priority = 0

      statement {
        geo_match_statement {
          country_codes = var.block_country_codes
        }
      }

      action {
        block {}
      }

      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = local.block_countries_rule_name
        sampled_requests_enabled   = true
      }
    }
  }

  dynamic "rule" {
    for_each = var.allow_uri_path
    content {
      name     = "${local.allow_uri_path_prefix}-${rule.key}"
      priority = rule.value.priority

      statement {
        byte_match_statement {
          field_to_match {
            uri_path {}
          }
          positional_constraint = rule.value.positional_constraint
          search_string         = rule.value.search_string
          text_transformation {
            priority = rule.value.text_transform_priority
            type     = rule.value.text_transform_type
          }
        }
      }

      action {
        allow {}
      }

      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = "${local.allow_uri_path_prefix}-${rule.key}"
        sampled_requests_enabled   = true
      }
    }
  }

  //  To Count
  dynamic "rule" {
    for_each = coalesce(var.aws_managed_rule_sets_to_count, {})
    content {
      name     = "AWS-${rule.key}"
      priority = rule.value.priority
      statement {
        managed_rule_group_statement {
          name        = rule.key
          vendor_name = "AWS"

          dynamic "excluded_rule" {
            for_each = coalesce(rule.value.excluded_rules, [])
            content {
              name = excluded_rule.value
            }
          }
        }
      }

      override_action {
        count {}
      }

      visibility_config {
        sampled_requests_enabled   = true
        cloudwatch_metrics_enabled = true
        metric_name                = "AWS-${rule.key}"
      }
    }
  }

  //  To Block
  dynamic "rule" {
    for_each = coalesce(var.aws_managed_rule_sets_to_block, {})
    content {
      name     = "AWS-${rule.key}"
      priority = rule.value.priority
      statement {
        managed_rule_group_statement {
          name        = rule.key
          vendor_name = "AWS"

          dynamic "excluded_rule" {
            for_each = coalesce(rule.value.excluded_rules, [])
            content {
              name = excluded_rule.value
            }
          }
        }
      }

      override_action {
        none {}
      }

      visibility_config {
        sampled_requests_enabled   = true
        cloudwatch_metrics_enabled = true
        metric_name                = "AWS-${rule.key}"
      }
    }
  }

  visibility_config {
    sampled_requests_enabled   = true
    cloudwatch_metrics_enabled = true
    metric_name                = local.wafv2_name
  }

  tags = module.names.tags
}

resource "aws_wafv2_ip_set" "allowed_ip_set" {
  for_each           = var.allow_ip_addresses
  name               = "${local.allow_ip_addresses_name_prefix}-${each.key}"
  description        = "Whitelisted IPs for ${each.key}"
  scope              = var.scope
  ip_address_version = "IPV4"

  # Add list of ip addresses
  # addresses = [for ip in each.value.ips : "${cidrhost("${ip}/32", 0)}/32"]
  addresses = each.value.ips

  tags = module.names.tags
}

resource "aws_wafv2_ip_set" "blocked_ip_set" {
  for_each           = var.block_ip_addresses
  name               = "${local.block_ip_addresses_name_prefix}-${each.key}"
  description        = "Block ${each.key} IPs"
  scope              = var.scope
  ip_address_version = "IPV4"

  addresses = [
    for ip in split("\r\n", file(each.value.ips_file_path)) : contains(["/"], ip) ? cidrsubnet(ip, 0, 0) : cidrsubnet("${ip}/32", 0, 0)
  ]
}


### Steps to Reproduce

We used terragrunt, terragrunt apply and typed "yes" produces error above.

### Debug Output

_No response_

### Panic Output

_No response_

### Important Factoids

_No response_

### References

_No response_

### Would you like to implement a fix?

None
@rickychew77 rickychew77 added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Apr 21, 2023
@github-actions
Copy link

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the service/wafv2 Issues and PRs that pertain to the wafv2 service. label Apr 21, 2023
@ddouglas
Copy link

I had a very similar issue with managed_rule_group_statements earlier this week. the workaround that i figured out was to define something in the empty blocks that have properties in them. We also programmatically generate our terraform as json but you should get the gist from below

{
  "aws_wafv2_web_acl": {
    "[REDACTED]": {
      "default_action": {
        "allow": [
          {}
        ]
      },
      "description": "[REDACTED]",
      "name": "[REDACTED]",
      "rule": [
        {
          "name": "AWSManagedRulesCommonRuleSet",
          "priority": 0,
          "action": null,
          "override_action": [
            {
              "none": {}
            }
          ],
          "statement": [
            {
              "managed_rule_group_statement": {
                "name": "AWSManagedRulesCommonRuleSet",
                "rule_action_override": {
                  "name": "AWSManagedRulesCommonRuleSet",
                  "action_to_use": {
                    "block": [
                      {
                        "custom_response": {
                          "response_code": 200 // This is faked
                        }
                      }
                    ]
                  }
                },
                "managed_rule_group_configs": null,
                "vendor_name": "AWS"
              }
            }
          ],
          "visibility_config": [
            {
              "cloudwatch_metrics_enabled": true,
              "metric_name": "[REDACTED]-AWSManagedRulesCommonRuleSet",
              "sampled_requests_enabled": true
            }
          ]
        },
        {
          "name": "AWSManagedRulesAmazonIpReputationList",
          "priority": 1,
          "action": null,
          "override_action": [
            {
              "none": {}
            }
          ],
          "statement": [
            {
              "managed_rule_group_statement": {
                "name": "AWSManagedRulesAmazonIpReputationList",
                "rule_action_override": {
                  "name": "AWSManagedRulesAmazonIpReputationList",
                  "action_to_use": {
                    "block": [
                      {
                        "custom_response": {
                          "response_code": 200 // This is faked
                        }
                      }
                    ]
                  }
                },
                "managed_rule_group_configs": null,
                "vendor_name": "AWS"
              }
            }
          ],
          "visibility_config": [
            {
              "cloudwatch_metrics_enabled": true,
              "metric_name": "[REDACTED]-AWSManagedRulesAmazonIpReputationList",
              "sampled_requests_enabled": true
            }
          ]
        },
        {
          "name": "AWSManagedRulesBotControlRuleSet",
          "priority": 2,
          "action": null,
          "override_action": [
            {
              "count": {}
            }
          ],
          "statement": [
            {
              "managed_rule_group_statement": {
                "name": "AWSManagedRulesBotControlRuleSet",
                "rule_action_override": {
                  "name": "AWSManagedRulesBotControlRuleSet",
                  "action_to_use": {
                    "count": [
                      {
                        "custom_request_handling": {
                          "insert_header": [
                            {
                              "name": "fake",
                              "value": "value"
                            }
                          ]
                        }
                      }
                    ]
                  }
                },
                "managed_rule_group_configs": null,
                "vendor_name": "AWS"
              }
            }
          ],
          "visibility_config": [
            {
              "cloudwatch_metrics_enabled": true,
              "metric_name": "[REDACTED]-AWSManagedRulesBotControlRuleSet",
              "sampled_requests_enabled": true
            }
          ]
        },
        {
          "name": "AWSManagedRulesKnownBadInputsRuleSet",
          "priority": 3,
          "action": null,
          "override_action": [
            {
              "count": {}
            }
          ],
          "statement": [
            {
              "managed_rule_group_statement": {
                "name": "AWSManagedRulesKnownBadInputsRuleSet",
                "rule_action_override": {
                  "name": "AWSManagedRulesKnownBadInputsRuleSet",
                  "action_to_use": {
                    "count": [
                      {
                        "custom_request_handling": {
                          "insert_header": [
                            {
                              "name": "fake",
                              "value": "value"
                            }
                          ]
                        }
                      }
                    ]
                  }
                },
                "managed_rule_group_configs": null,
                "vendor_name": "AWS"
              }
            }
          ],
          "visibility_config": [
            {
              "cloudwatch_metrics_enabled": true,
              "metric_name": "[REDACTED]-AWSManagedRulesKnownBadInputsRuleSet",
              "sampled_requests_enabled": true
            }
          ]
        }
      ],
      "scope": "CLOUDFRONT",
      "visibility_config": {
        "cloudwatch_metrics_enabled": false,
        "metric_name": "[REDACTED]",
        "sampled_requests_enabled": false
      }
    }
  }
}

@ddouglas
Copy link

This is most likely a duplicate of #23992, which has some helpful information

@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Apr 25, 2023
This was referenced Jul 13, 2023
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@YakDriver
Copy link
Member

YakDriver commented Jul 13, 2023
edited
Loading

NOTE: I cannot reproduce this error using Terraform v1.5+/AWS provider v5.7+ after trying various configurations. Retry using a minimum of Terraform v1.4.2/AWS provider v4.67.0 but preferably Terraform v1.5.3+/AWS provider v5.8.0+ and let us know if this is still a problem! If we don't hear back and can't reproduce, we plan to close this on or around July 20, 2023. The evidence suggests this is OBE (ie, fixed in the interim).

For more details see #23992 (comment) and #28672 (comment).

@YakDriver YakDriver self-assigned this Jul 13, 2023
@YakDriver YakDriver added the waiting-response Maintainers are waiting on response from community or contributor. label Jul 13, 2023
@ferschubert-hm
Copy link

A similar error with Terraform v1.3.3 and AWS provider 5.8, fix is to upgrade Terraform to 1.5.3.

@github-actions github-actions bot removed the waiting-response Maintainers are waiting on response from community or contributor. label Jul 19, 2023
@YakDriver YakDriver added the waiting-response Maintainers are waiting on response from community or contributor. label Jul 19, 2023
@justinretzolk
Copy link
Member

Hi all 👋 As was mentioned above, this issue appears to be fixed when using a minimum Terraform version of 1.4.2 and a minimum AWS Provider version of 4.67.0 (preferably Terraform 1.5.3 or later and AWS Provider 5.8.0 or later). If you experience additional unexpected behaviors with versions that meet these parameters, please open a new issue so that we can investigate further.

@github-actions github-actions bot removed the waiting-response Maintainers are waiting on response from community or contributor. label Jul 20, 2023
@ananth-manney
Copy link

Hi All,

we have updated the AWS provider version to 4.67.0 and 5.8.0 and 5.11.0. But we still see the below error.
Error: Provider produced inconsistent final plan
When expanding the plan for aws_wafv2_web_acl.cnbej92222twebacl001 to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/aws" produced an invalid new value for .rule: planned set element cty.ObjectVal(map[string]cty.Value{"action":cty.ListValEmpty(cty.Object(map[string]cty.Type{"allow":cty.List(cty.Object(map[string]cty.Type{"custom_request_handling":cty.List(cty.Object(map[string]cty.Type{"insert_header":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String, "value":cty.String}))}))})), "block":cty.List(cty.Object(map[string]cty.Type{"custom_response":cty.List(cty.Object(map[string]cty.Type{"custom_response_body_key":cty.String, "response_code":cty.Number, "response_header":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String, "value":cty.String}))}))})), "captcha":cty.List(cty.Object(map[string]cty.Type{"custom_request_handling":cty.List(cty.Object(map[string]cty.Type{"insert_header":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String, "value":cty.String}))}))})),

"single_query_argument":cty.List(cty.Object(map[string]cty.Type{"name":cty.String})), "uri_path":cty.List(cty.EmptyObject)})), "text_transformation":cty.Set(cty.Object(map[string]cty.Type{"priority":cty.Number, "type":cty.String}))}))})}), "visibility_config":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"cloudwatch_metrics_enabled":cty.True, "metric_name":cty.StringVal("AWSManagedRulesSQLiRuleSet"), "sampled_requests_enabled":cty.True})})}) does not correlate with any element in actual. This is a bug in the provider, which should be reported in the provider's own issue tracker.

@PoonamTiwari77
Copy link

Hey, just wanted to know which terraform version you are using.

@ananth-manney
Copy link

ananth-manney commented Aug 14, 2023 via email

@ananth-manney
Copy link

ananth-manney commented Aug 14, 2023 via email

@PoonamTiwari77
Copy link

Have you tried with terraform version 1.5.3+ and aws provider 5.11.0+

@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 18, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@YakDriver YakDriver

Labels
bug Addresses a defect in current functionality. service/wafv2 Issues and PRs that pertain to the wafv2 service.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@YakDriver @rickychew77 @justinretzolk @ddouglas @PoonamTiwari77 @ferschubert-hm @ananth-manney