Error: Provider produced inconsistent final plan - invalid new value for .rule: planned set element

[joegajeckyj-ecs]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Related:

• aws_wafv2_web_acl : Provider produced inconsistent final plan #23390
• aws_wafv2_web_acl apply fails when default action changes #23423
• 👉 Error: Provider produced inconsistent final plan - invalid new value for .rule: planned set element #23936
• aws_wafv2_web_acl - Error: Provider produced inconsistent final plan #23992
• apply default tags to wafv2 or cloudfront_distribution and error #24386
• [Bug]: Error "Provider produced inconsistent final plan" when adding a default tag to a aws_wafv2_web_acl #27175
• [Bug]: Provider produced inconsistent final plan for complex aws_wafv2_web_acl configurations #27273
• [Bug]: aws_wafv2_web_acl description/tag changes result in inconsistent final plan #27479
• [Bug]: "registry.terraform.io/hashicorp/aws" produced an invalid new value for .rule: planned set element #28191
• [Bug]: aws_wafv2_web_acl is unable to use dynamic block to manage "rule_action_override" #28672
• [Bug]: Error: Provider produced inconsistent final plan #29012
• [Bug]: Error: Provider produced inconsistent final plan #29304
• [Bug]: aws_wafv2_web_acl Error: Provider produced inconsistent final plan #30858

Terraform CLI and Terraform AWS Provider Version

Terraform v1.1.7
on darwin_amd64

• provider registry.terraform.io/hashicorp/aws v4.8.0
• provider registry.terraform.io/hashicorp/external v2.2.2
• provider registry.terraform.io/hashicorp/local v2.2.2
• provider registry.terraform.io/hashicorp/null v3.1.1

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

Actual Behavior

│ Error: Provider produced inconsistent final plan
│
│ When expanding the plan for module.wafv2-acl[0].aws_wafv2_web_acl.acl to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/aws" produced an
│ invalid new value for .rule: planned set element
...
does not correlate with any element in actual.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

Steps to Reproduce

1. terraform apply

Important Factoids

When I add the "version" value to the .rule i can get most of the managed rules to update, however one particular AWS managed rule set which has no "Version" value the error happens "AWSManagedRulesAmazonIpReputationList"

I have tried with "Default" set as version value but the resource is not found

References

Reason for trying to fix with adding the undocumented value "version" was found following related article #21732

• #0000

[vinoth-nus]

Workaround:
Since the issue is experienced only when there is a change in wafv2 acl config, the new resource creation doesnt have the issue.
As a workaround you can delete the WAFv2 ACL manually using the AWS console or CLI and re-run terraform to create the acl again with the respective tags as you need

[cristinet]

We are encountering this issue as well. It seems to be a problem only if the default action for the webacl is block.
Terraform throws the same error for any modification (not just tags) of the webacl.

[tgip-work]

Also for Terraform AWS Provider 4.15.1

[janeklb]

Also for

Terraform v1.0.1
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v4.18.0

FWIW It seems like there's some inconsistency with what TF picks up from AWS vs how it thinks it should be represented because when i run a terragrunt plan i get the following:

aws_wafv2_web_acl.waf_acl: Refreshing state... [id=REDACTED]
aws_wafv2_web_acl_logging_configuration.waf_lb_logs[0]: Refreshing state... [id=REDACTED]

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply":

  # aws_wafv2_web_acl.waf_acl has been changed
  ~ resource "aws_wafv2_web_acl" "waf_acl" {
        id          = "REDACTED"
        name        = "REDACTED"
        tags        = {
            "env"     = "REDACTED"
            "name"    = "REDACTED"
            "product" = "REDACTED"
            "service" = "REDACTED"
            "team"    = "REDACTED"
        }
        # (6 unchanged attributes hidden)



        # (8 unchanged blocks hidden)
    }

[stewartcampbell]

I am running into this when updating a custom response body when rules are blocking.

  custom_response_body {
    key          = "default"
    content      = var.waf_custom_response_body_default_content
    content_type = var.waf_custom_response_body_default_content_type
  }

If I switch all rules from block to count during the update, it takes the changes. I then switch back to blocking after that and all is well.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.