Various data source Error: Provider produced inconsistent final plan on aws_ecs_task_definition change. #22360

Open
artem-ein opened this issue Dec 28, 2021 · 3 comments
Labels
bug Addresses a defect in current functionality. service/cloudfront Issues and PRs that pertain to the cloudfront service. service/ecs Issues and PRs that pertain to the ecs service. service/iam Issues and PRs that pertain to the iam service. service/s3 Issues and PRs that pertain to the s3 service.

Comments

artem-ein commented Dec 28, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

MacOS:

terraform -v
Terraform v1.1.2
on darwin_amd64

Linux:

terraform -v
Terraform v1.1.2
on linux_amd64

Affected Resource(s)

  • aws_cloudfront_cache_policy
  • aws_cloudfront_origin_request_policy
  • aws_cloudfront_response_headers_policy
  • aws_iam_policy_document
  • aws_ecs_task_definition (???)

Terraform Configuration Files

data "aws_cloudfront_cache_policy" "cache_optimized" {
  name = "Managed-CachingOptimized"
}

data "aws_cloudfront_origin_request_policy" "all_viewer" {
  name = "Managed-AllViewer"
}

data "aws_cloudfront_response_headers_policy" "SimpleCORS" {
  name = "Managed-SimpleCORS"
}

data "aws_iam_policy_document" "s3_permit_cloudfront" {
  statement {
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [aws_cloudfront_origin_access_identity.s3_origin_identity.iam_arn]
    }

    actions = [
      "s3:GetObject"
    ]

    resources = [
      "${aws_s3_bucket.static_bucket.arn}/*",
    ]
  }
}

resource "aws_s3_bucket" "static_bucket" {
  bucket = local.s3bucket_name
  acl    = "private"

  tags = {
    Name = local.s3bucket_name
  }
}

Debug Output

https://gist.github.com/artem-ein/8751ac446eafc85967520e8a225eaa52

Panic Output

╷
│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for module.cloudfront[0].aws_cloudfront_distribution.cf_distribution to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/aws" produced an invalid new value for .default_cache_behavior[0].cache_policy_id: was null, but now
│ cty.StringVal("658327ea-f89d-4fab-a63d-7e88639e58f6").
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵
╷
│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for module.cloudfront[0].aws_cloudfront_distribution.cf_distribution to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/aws" produced an invalid new value for .default_cache_behavior[0].origin_request_policy_id: was null, but now
│ cty.StringVal("216adef6-5c7f-47e4-b989-5492eafa07d3").
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵
╷
│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for module.cloudfront[0].aws_cloudfront_distribution.cf_distribution to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/aws" produced an invalid new value for .ordered_cache_behavior[0].cache_policy_id: was null, but now
│ cty.StringVal("658327ea-f89d-4fab-a63d-7e88639e58f6").
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵

Expected Behavior

Actual Behavior

Steps to Reproduce

  1. Create resources including aws_ecs_task_definition.
  2. Change aws_ecs_task_definition.
  3. terraform plan
  4. terraform apply

Important Factoids

References

  • #0000
@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. bug Addresses a defect in current functionality. service/cloudfront Issues and PRs that pertain to the cloudfront service. service/ecs Issues and PRs that pertain to the ecs service. service/iam Issues and PRs that pertain to the iam service. service/s3 Issues and PRs that pertain to the s3 service. labels Dec 28, 2021
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Jan 13, 2022

mprimeaux commented Jan 14, 2022

We are running into a similar issue but when dealing with setting policy within EKS.

This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵
╷
│ Error: Provider produced inconsistent final plan
│
│ When expanding the plan for module.core-infrastructure.module.aws_vpc_cni_role.aws_iam_policy.service_account["dev-1-pay-play-vpc-cni@kube-system"] to include new values learned
│ so far during apply, provider "registry.terraform.io/hashicorp/aws" produced an invalid new value for .policy: was cty.StringVal("{\n    \"Version\": \"2012-10-17\",\n
│ \"Statement\": [\n    {\n        \"Effect\": \"Allow\",\n        \"Action\": [\n          \"ec2:AssignPrivateIpAddresses\",\n          \"ec2:AttachNetworkInterface\",\n
│ \"ec2:CreateNetworkInterface\",\n          \"ec2:DeleteNetworkInterface\",\n          \"ec2:DescribeInstances\",\n          \"ec2:DescribeInstanceTypes\",\n
│ \"ec2:DescribeTags\",\n          \"ec2:DescribeNetworkInterfaces\",\n          \"ec2:DetachNetworkInterface\",\n          \"ec2:ModifyNetworkInterfaceAttribute\",\n
│ \"ec2:UnassignPrivateIpAddresses\"\n        ],\n        \"Resource\": \"*\"\n      },\n      {\n         \"Effect\": \"Allow\",\n         \"Action\": [\n
│ \"ec2:CreateTags\"\n          ],\n          \"Resource\": [\"arn:aws:ec2:*:*:network-interface/*\"]\n      }\n    ]\n}"), but now
│ cty.StringVal("{\"Statement\":[{\"Action\":[\"ec2:AssignPrivateIpAddresses\",\"ec2:AttachNetworkInterface\",\"ec2:CreateNetworkInterface\",\"ec2:DeleteNetworkInterface\",\"ec2:DescribeInstances\",\"ec2:DescribeInstanceTypes\",\"ec2:DescribeTags\",\"ec2:DescribeNetworkInterfaces\",\"ec2:DetachNetworkInterface\",\"ec2:ModifyNetworkInterfaceAttribute\",\"ec2:UnassignPrivateIpAddresses\"],\"Effect\":\"Allow\",\"Resource\":\"*\"},{\"Action\":[\"ec2:CreateTags\"],\"Effect\":\"Allow\",\"Resource\":[\"arn:aws:ec2:*:*:network-interface/*\"]}],\"Version\":\"2012-10-17\"}").
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

I have seen a few other similar issues but it doesn't appear there has been much traction on resolution. We are reading from a policy file so perhaps this is due to the formatting of the policy when being read. I'll try to dig around a bit.
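
Added example, not part of the original comment or the provider's code: a check that the two `.policy` values in an error like the one above are the same IAM policy and differ only in whitespace and key order, so the inconsistent plan does not hide a permissions change. The sample documents are constructed (abridged from the error output), and `canonical_policy` and `same_policy` are hypothetical helper names.

```python
import json

# Statement elements where IAM accepts one string or a list of strings,
# and where the order of the list carries no meaning.
SET_LIKE = {"Action", "NotAction", "Resource", "NotResource"}

def canonical_policy(text):
    """Return a canonical string for an IAM policy JSON document."""
    doc = json.loads(text)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    normalized = []
    for stmt in statements:
        out = {}
        for key, value in stmt.items():
            if key in SET_LIKE:
                items = [value] if isinstance(value, str) else value
                value = sorted(set(items))
            out[key] = value
        normalized.append(out)
    doc["Statement"] = normalized
    # sort_keys + compact separators removes key-order and whitespace differences
    return json.dumps(doc, sort_keys=True, separators=(",", ":"))

def same_policy(a, b):
    return canonical_policy(a) == canonical_policy(b)

# Abridged from the "was" / "but now" values in the error above (constructed sample).
WAS = """{
    "Version": "2012-10-17",
    "Statement": [
    { "Effect": "Allow", "Resource": "*",
      "Action": ["ec2:DescribeTags", "ec2:DescribeInstances"] },
    { "Effect": "Allow", "Action": ["ec2:CreateTags"],
      "Resource": ["arn:aws:ec2:*:*:network-interface/*"] }
    ]
}"""
NOW = ('{"Statement":[{"Action":["ec2:DescribeTags","ec2:DescribeInstances"],'
       '"Effect":"Allow","Resource":"*"},{"Action":["ec2:CreateTags"],'
       '"Effect":"Allow","Resource":["arn:aws:ec2:*:*:network-interface/*"]}],'
       '"Version":"2012-10-17"}')
# A genuinely different policy: one extra action (constructed).
WIDER = NOW.replace('"ec2:CreateTags"', '"ec2:CreateTags","ec2:DeleteTags"')

if __name__ == "__main__":
    print("was == now  :", same_policy(WAS, NOW))
    print("now == wider:", same_policy(NOW, WIDER))
```

Statement order is preserved by this check, so two policies that list the same statements in a different order are reported as different and need a manual look.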

@ajf-firstup

More similar bugs: #20659, #24359, and #26743.

@julian-alarcon

Also, really similar to #22467
