Cloudfront resource with dynamic blocks and lookup functions fails at first apply

[samidbb]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

• Terraform v0.12.8
• provider.aws v2.27.0

Affected Resource(s)

• aws_cloudfront_distribution

Terraform Configuration Files

locals {
  # Determine the certificate type
  # is_iam_cert = var.iam_certificate_id != ""
  is_acm_cert = var.acm_certificate_arn != ""
}

resource "aws_cloudfront_distribution" "cloudfront_distribution" {
  price_class = "PriceClass_100"
  
  aliases = "${var.aliases}"
  viewer_certificate {
    cloudfront_default_certificate = local.is_acm_cert ? false : true
    acm_certificate_arn = local.is_acm_cert ? var.acm_certificate_arn : null
    ssl_support_method = local.is_acm_cert ? "sni-only" : null
    minimum_protocol_version = local.is_acm_cert ? var.custom_ssl_security_policy: null
  }


  http_version        = "http2"      # Supported HTTP Versions
  default_root_object = "index.html" # Default Root Object

  dynamic "logging_config" {
    for_each = var.logging_enable ? [1] : []
    content {
      include_cookies = "${var.logging_include_cookies}"
      bucket          = "${var.logging_bucket}"
      prefix          = "${var.logging_prefix}"      
    }
  }


  is_ipv6_enabled = false         
  comment         = "${var.comment}"
  enabled         = true

  dynamic "origin" {
    for_each = var.origins
    iterator = it
      content {
        domain_name = it.value.domain_name
        origin_id = it.value.origin_id
        origin_path = lookup(it.value, "origin_path", null)
              
        dynamic "s3_origin_config" {
          for_each = lookup(it.value, "is_s3_origin", false) ? [1] : []
          iterator = s3_origin_config
          content {
            origin_access_identity = "${var.origin_access_identity}"
          }          
        }

        dynamic "custom_origin_config" {
          for_each = lookup(it.value, "is_s3_origin", false) ? [] : [1]
          iterator = custom_origin_config
          content {
            http_port              = lookup(it.value, "http_port", 80)
            https_port             = lookup(it.value, "https_port", 443)
            origin_protocol_policy = lookup(it.value, "protocol_policy", "match-viewer")
            origin_ssl_protocols   = lookup(it.value, "ssl_protocols", ["TLSv1.2"]) 
          }
      } 
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  dynamic "ordered_cache_behavior" {
      for_each = length(var.cache_behaviors) > 1 ? var.cache_behaviors : []
      iterator = it

      content {
        target_origin_id = it.value.origin_id
        path_pattern = it.value.path_pattern # path
        allowed_methods  = lookup(it.value, "allowed_methods", ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"])
        cached_methods   = lookup(it.value, "cached_methods", ["HEAD", "GET"])
        

        forwarded_values {
          query_string = it.value.forwarded_values_query_string

          cookies {
            forward = it.value.forwarded_values_cookies_forward
          }
        }

        viewer_protocol_policy = lookup(it.value, "viewer_protocol_policy", "allow-all")
        min_ttl                = lookup(it.value, "min_ttl", null)
        default_ttl            = lookup(it.value, "default_ttl", null)
        max_ttl                = lookup(it.value, "max_ttl", null)

        dynamic "lambda_function_association"{
          for_each = lookup(it.value, "lambda_function_association_lambda_arn", null) != null ? [1] : []
          iterator = it_sub

          content{
            event_type   = lookup(it.value, "lambda_function_association_event_type", "origin-request")
            lambda_arn   = it.value.lambda_function_association_lambda_arn
            include_body = lookup(it.value, "lambda_function_association_include_body", false)
          }
        }        
      }       
    }

  default_cache_behavior { 
    allowed_methods  = "${length(var.origins) == 1 ? lookup(var.cache_behaviors[0], "allowed_methods", ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]) : ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] }"
    cached_methods   = "${length(var.origins) == 1 ? lookup(var.cache_behaviors[0], "cached_methods", ["HEAD", "GET"]) : ["HEAD", "GET"] }" 
    target_origin_id = var.cache_behaviors[0].origin_id

    forwarded_values {
      query_string = "${length(var.origins) == 1 ? lookup(var.cache_behaviors[0], "forwarded_values_query_string", false): false }" 

      cookies {
        forward = "${length(var.origins) == 1 ? lookup(var.cache_behaviors[0], "forwarded_values_cookies_forward", "none") : "none" }" 
      }
    }

    viewer_protocol_policy = "${length(var.origins) == 1 ? lookup(var.cache_behaviors[0], "viewer_protocol_policy", "allow-all"): "allow-all"}"
    min_ttl                = "${length(var.origins) == 1 ? lookup(var.cache_behaviors[0], "min_ttl", null) : null }"
    default_ttl            = "${length(var.origins) == 1 ? lookup(var.cache_behaviors[0], "default_ttl", null): null}"
    max_ttl                = "${length(var.origins) == 1 ? lookup(var.cache_behaviors[0], "max_ttl", null) : null}"


    dynamic "lambda_function_association"{
      for_each = lookup(var.cache_behaviors[0], "lambda_function_association_lambda_arn", null) != null ? [1] : []
      iterator = it

      content{
        event_type   = lookup(var.cache_behaviors[0], "lambda_function_association_event_type", "origin-request")
        lambda_arn   = var.cache_behaviors[0].lambda_function_association_lambda_arn
        include_body = lookup(var.cache_behaviors[0], "lambda_function_association_include_body", false)
      }
    }
  }    
}

Debug Output

Panic Output

Error: Provider produced inconsistent final plan

When expanding the plan for
module.aws_cloudfront_uiam-portal.module.aws_cf_dist.aws_cloudfront_distribution.cloudfront_distribution
to include new values learned so far during apply, provider "aws" produced an
invalid new value for .origin: planned set element
cty.ObjectVal(map[string]cty.Value{"custom_header":cty.SetValEmpty(cty.Object(map[string]cty.Type{"name":cty.String,
"value":cty.String})),
"custom_origin_config":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"http_port":cty.UnknownVal(cty.Number),
"https_port":cty.UnknownVal(cty.Number),
"origin_keepalive_timeout":cty.NumberIntVal(5),
"origin_protocol_policy":cty.UnknownVal(cty.String),
"origin_read_timeout":cty.NumberIntVal(30),
"origin_ssl_protocols":cty.UnknownVal(cty.Set(cty.String))})}),
"domain_name":cty.UnknownVal(cty.String), "origin_id":cty.StringVal("someid"),
"origin_path":cty.UnknownVal(cty.String),
become an error in a future release. If you wish to provide certain "global"
settings to all configurations in your organization, use TF_VAR_...
environment variables to set these instead.

"s3_origin_config":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"origin_access_identity":cty.UnknownVal(cty.String)})})})
does not correlate with any element in actual.

This is a bug in the provider, which should be reported in the provider's own
issue tracker.

Expected Behavior

The Apply should run without error in first run

Actual Behavior

The Apply fail the first time, but succeed with second run

Steps to Reproduce

1. terraform apply

Important Factoids

References

• #0000

[schammah]

I guess my issue #12098 is a duplicate of this
anyone had a chance to look at the provider to fix this resource to allow its creation on the first run?

[grahamhar]

This just occured for us and the only change was an update to the tags on the distribution, the associated buckets and lambda functions

[schammah]

@grahamhar are you using TF 0.13 and above or not? alot of these issues were solved there, even though there's still some bugs on AWS side especially on the update tags functionality

[funkyboeddha]

This just occured for us and the only change was an update to the tags on the distribution, the associated buckets and lambda functions

@grahamhar we are also encountering this issue, and I am wondering: what did you update exactly in tags? Did you have broken links for example? Really curious, I hope it will work for us as well.

[grahamhar]

This just occured for us and the only change was an update to the tags on the distribution, the associated buckets and lambda functions

@grahamhar we are also encountering this issue, and I am wondering: what did you update exactly in tags? Did you have broken links for example? Really curious, I hope it will work for us as well.

We simply ran the plan and apply for a second time and it worked which was just as worrying as the error. We upgrade the provider and terraform frequently and have not seen a repeat of this. We're now on terraform 1.0.0 and provider version 3.45.0

[noahh40]

Hi I am receiving a similar error:

Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for aws_cloudfront_distribution.s3_distribution to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/aws" produced an invalid new value for .origin: planned set element
│ cty.ObjectVal(map[string]cty.Value{"connection_attempts":cty.NumberIntVal(3), "connection_timeout":cty.NumberIntVal(10),
│ "custom_header":cty.SetValEmpty(cty.Object(map[string]cty.Type{"name":cty.String, "value":cty.String})),
│ "custom_origin_config":cty.ListValEmpty(cty.Object(map[string]cty.Type{"http_port":cty.Number, "https_port":cty.Number,
│ "origin_keepalive_timeout":cty.Number, "origin_protocol_policy":cty.String, "origin_read_timeout":cty.Number,
│ "origin_ssl_protocols":cty.Set(cty.String)})), "domain_name":cty.StringVal("mapper.polygon.technology"),
│ "origin_id":cty.StringVal("S3-mapper.polygon.technology"), "origin_path":cty.StringVal(""),
│ "origin_shield":cty.ListValEmpty(cty.Object(map[string]cty.Type{"enabled":cty.Bool, "origin_shield_region":cty.String})),
│ "s3_origin_config":cty.ListValEmpty(cty.Object(map[string]cty.Type{"origin_access_identity":cty.String}))}) does not correlate with
│ any element in actual.
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

From what I was reading it seems like I might need to add aws_cloudfront_origin_access_identity but I am not sure why because it is not required.

[thoellrich]

I'm receiving exactly the same error as @noahh40 above (XXX are redacted items):

│ Error: Provider produced inconsistent final plan
│
│ When expanding the plan for aws_cloudfront_distribution.cf-hawaii to
│ include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/aws" produced an invalid new value for
│ .origin: planned set element
│ cty.ObjectVal(map[string]cty.Value{"connection_attempts":cty.NumberIntVal(3),
│ "connection_timeout":cty.NumberIntVal(10),
│ "custom_header":cty.SetVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"name":cty.StringVal("X-HOST"),
│ "value":cty.StringVal("testmyaccount.hawaiiwaterservice.com")})}),
│ "custom_origin_config":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"http_port":cty.NumberIntVal(80),
│ "https_port":cty.NumberIntVal(443),
│ "origin_keepalive_timeout":cty.NumberIntVal(5),
│ "origin_protocol_policy":cty.StringVal("https-only"),
│ "origin_read_timeout":cty.NumberIntVal(60),
│ "origin_ssl_protocols":cty.SetVal([]cty.Value{cty.StringVal("TLSv1"),
│ cty.StringVal("TLSv1.1"), cty.StringVal("TLSv1.2")})})}),
│ "domain_name":cty.StringVal("api.beaconama-uat.net"),
│ "origin_id":cty.StringVal("api"), "origin_path":cty.NullVal(cty.String),
│ "origin_shield":cty.ListValEmpty(cty.Object(map[string]cty.Type{"enabled":cty.Bool,
│ "origin_shield_region":cty.String})),
│ "s3_origin_config":cty.ListValEmpty(cty.Object(map[string]cty.Type{"origin_access_identity":cty.String}))})
│ does not correlate with any element in actual.
│
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.

The section from the cloudfront distribution, which seems to trigger it:

  // doc-system
  origin {
    origin_id   = "s3-bmi-${var.aws_env}-docsystem"
    domain_name = aws_s3_bucket.docsystem.bucket_regional_domain_name

    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.doc-service.cloudfront_access_identity_path
    }
  }

and in another place:

// Origin Identity for DocService
resource "aws_cloudfront_origin_access_identity" "doc-service" {
  comment = "${var.aws_env} doc-service origin"
}

I was in the process of upgrading the inline website configurations for our buckets to aws_s3_bucket_website_configuration when the issue first surfaced.

Every 2nd "apply" will run into the issue.

I'm using terraform v1.1.7 with aws provider v3.75.1.