[Bug]: Provider produced inconsistent final plan -

[ChandranshuRao14]

Terraform Core Version

Terraform v1.2.9

AWS Provider Version

hashicorp/aws 4.0

Affected Resource(s)

• aws_security_group

Expected Behavior

terraform apply should work without issues

Actual Behavior

terraform apply produces an error

Relevant Error/Panic Output Snippet

Error: Provider produced inconsistent final plan

When expanding the plan for `aws_security_group.aws_sg` to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/aws" produced an invalid new value for `.tags_all`: new element "Name" has appeared.

This is a bug in the provider, which should be reported in the provider's own issue tracker.

Terraform Configuration Files

resource "aws_security_group" "aws_sg" {
  name                   = "eks-vpc-sg"
  description            = "Security Group to allow management of egress rules for EKS nodes"
  revoke_rules_on_delete = true
  vpc_id                 = var.vpc_id

  lifecycle {
    create_before_destroy = true
  }

  tags = {
    "karpenter.sh/discovery/${module.eks.cluster_id}" = module.eks.cluster_id
    Name                                              = "eks-vpc-sg"
  }
}

Steps to Reproduce

1. Configure aws_security_group resource
2. Set tags
3. Configure lifecycle block
4. Do no set default_tags block in the provider
5. Run terraform apply

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[jimsmith]

Yes I am seeing this as well across aws terraform resources when using default_tags

Resources:

• aws_cloudwatch_log_group
• aws_dynamodb_table
• aws_iam_policy
• aws_iam_role

$ terraform version
Terraform v1.3.0
on darwin_amd64
+ provider registry.terraform.io/hashicorp/archive v2.2.0
+ provider registry.terraform.io/hashicorp/aws v4.40.0
+ provider registry.terraform.io/hashicorp/random v3.3.2

my provider.tf

provider "aws" {
  region = "eu-west-2"
   default_tags {
    tags = module.aws_tags.tags
    }
}

Whilst tags are created the resources terraform exits out with:

│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for aws_cloudwatch_log_group.lambda_function_log_group to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/aws" produced an invalid new value for .tags_all:
│ new element "BusinessUnit" has appeared.
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵

│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for aws_iam_policy.lambda_exec_iam_policy to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/aws" produced an invalid new value for .tags_all: new element
│ "TFWorkspace" has appeared.
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.


│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for aws_dynamodb_table.benchmark_dynamodb_table to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/aws" produced an invalid new value for .tags_all:
│ new element "TFWorkspace" has appeared.
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵
│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for aws_iam_role.api_iam_role to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/aws" produced an invalid new value for .tags_all: new element "BusinessUnit" has
│ appeared.
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

Update: After switching to 4.50.0 aws provider the same thing.
But interesting after terraform destroy(some other engineers just won't be able to do that though!)
then terrafrom apply afresh I did not get the above errors ?

[jimsmith]

Nope that still doesn't work on a subsequent terraform plan all the tags for all the resources wants to be updated/replacement and then destroy:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place
+/- create replacement and then destroy

Terraform will perform the following actions:

  # aws_acm_certificate.api will be updated in-place

then the original errors return but also now for additional aws resources :(

• aws_acm_certificate
• aws_api_gateway_api_key

[bucs-fan813]

I also experienced this issue after corrupting my local environment with ctrl-z during a terraform apply command. I'm new to terraform so i didn't do a proper recovery. Instead I deleted the tfstate files and .terraform directory. When I rebuilt the environment this error kept showing up. The work around was to run terraform apply twice and that would "fix" the issue. I was able to completely fix the issue by running terraform destry and then manually deleting any tags that were still in use in the aws console (https://us-east-1.console.amazonaws-us.com/ec2/home?region=us-east-1#Tags:)