[Bug]: Error: updating NetworkFirewall TLS Inspection Configuration #38487

Open
FIAV1 opened this issue Jul 23, 2024 · 8 comments
Labels
bug Addresses a defect in current functionality. service/networkfirewall Issues and PRs that pertain to the networkfirewall service.


FIAV1 commented Jul 23, 2024

Terraform Core Version

1.8.3

AWS Provider Version

5.59.0

Affected Resource(s)

aws_networkfirewall_tls_inspection_configuration

Expected Behavior

I imported the resource like this: terraform import aws_networkfirewall_tls_inspection_configuration.netfw arn:aws:network-firewall:eu-central-1:012345678901:tls-configuration/example. I expect I can make modifications and publish them.

Actual Behavior

All good when executing terraform plan -out=tfplan but when executing terraform apply tfplan I get an error about the updateToken missing.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

terraform {
  required_version = "~> 1.8.0"

  backend "s3" {
    profile = "example"
    region  = "eu-west-1"
    bucket  = "example-terraform"
  }

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  profile = "example"
  region  = "eu-central-1"
}

Steps to Reproduce

Import an existing TLS inspection configuration, make some modifications (e.g. to scope), then plan and apply.

Debug Output

operation error Network Firewall: UpdateTLSInspectionConfiguration, https response error StatusCode: 400, RequestID: xxx, api error ValidationException: 2 validation errors detected: Value '' at 'updateToken' failed to satisfy constraint: Member must have length greater than or equal to 1; Value '' at 'updateToken' failed to satisfy constraint: Member must satisfy regular expression pattern: ^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

@guanwee-loo

Hi,
I faced the same issue: importing an existing TLS config and then applying any changes will throw the same HTTP 400 error. I am using the following temporary workaround:

  1. Perform the tf import as usual but use a local state file

  2. Use the aws cli command to describe the imported TLS config (https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/describe-tls-inspection-configuration.html). This is to obtain the update-token.
    e.g.
    aws network-firewall describe-tls-inspection-configuration --tls-inspection-configuration-name <your config name> --profile <your aws profile> --region <your region>

  3. Take note of the "UpdateToken" from the above output and manually update the local state file with this token value (look for "update_token" : null in the state file).

  4. Proceed to perform tf plan and apply and this should work without issue.

  5. Perform tf state migration to your remote backend if required.
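
Added example, not part of the thread or the provider's code: steps 2 and 3 of the workaround above as a Python function that takes the parsed `describe-tls-inspection-configuration` output and a parsed local state file, validates the token against the pattern from the error message, and fills in the empty `update_token`. The state layout (`resources[].instances[].attributes` with an `arn` attribute) is an assumption, and the sample state and token are constructed.

```python
import copy
import re

# Pattern taken from the ValidationException in the issue's debug output.
TOKEN_RE = re.compile(r"^([0-9a-f]{8})-([0-9a-f]{4}-){3}([0-9a-f]{12})$")
RESOURCE_TYPE = "aws_networkfirewall_tls_inspection_configuration"

# Constructed sample inputs (placeholder ARN from the issue, made-up token).
ARN = "arn:aws:network-firewall:eu-central-1:012345678901:tls-configuration/example"
SAMPLE_DESCRIBE = {
    "UpdateToken": "0123abcd-0000-4000-8000-0123456789ab",
    "TLSInspectionConfigurationResponse": {"TLSInspectionConfigurationArn": ARN},
}
SAMPLE_STATE = {
    "version": 4, "serial": 7,
    "resources": [{
        "mode": "managed",
        "type": RESOURCE_TYPE,
        "instances": [{"attributes": {"arn": ARN, "update_token": None}}],
    }],
}


def patch_update_token(state, described):
    """Return (patched copy of state, number of instances patched)."""
    token = described.get("UpdateToken") or ""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("UpdateToken missing or not in the expected format")
    arn = described["TLSInspectionConfigurationResponse"]["TLSInspectionConfigurationArn"]
    new_state, count = copy.deepcopy(state), 0
    for res in new_state.get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != RESOURCE_TYPE:
            continue
        for inst in res.get("instances", []):
            attrs = inst.get("attributes", {})
            # Assumption: the ARN is stored under "arn" in state. Only the
            # instance the describe call refers to is touched.
            if attrs.get("arn") == arn and not attrs.get("update_token"):
                attrs["update_token"] = token
                count += 1
    if count:
        # Bump serial so the hand-edited state counts as a newer revision.
        new_state["serial"] = state.get("serial", 0) + 1
    return new_state, count


if __name__ == "__main__":
    patched, n = patch_update_token(SAMPLE_STATE, SAMPLE_DESCRIBE)
    print(n, patched["resources"][0]["instances"][0]["attributes"]["update_token"])
```

The function works on a copy, so the original state dict can be written out as a backup before the patched one replaces it.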


FIAV1 commented Aug 1, 2024

Hi, the workaround works fine, thanks!

EDIT: it actually worked fine until I tried to make an update, now the error tied to update_token is back again...


guanwee-loo commented Aug 5, 2024

> Hi, the workaround works fine, thanks!
>
> EDIT: it actually worked fine until I tried to make an update, now the error tied to update_token is back again...

Strange, I am able to continue to update without any issue yet. Are you able to check whether the "update-token" is not null when you try to apply again? It should be replaced with the last update-token value after each apply.

BTW, I am using terraform v1.8.5 and AWS Provider v5.59.0


FIAV1 commented Aug 5, 2024

> > Hi, the workaround works fine, thanks!
> > EDIT: it actually worked fine until I tried to make an update, now the error tied to update_token is back again...
>
> Strange, I am able to continue to update without any issue yet. Are you able to check whether the "update-token" is not null when you try to apply again? It should be replaced with the last update-token value after each apply.
>
> BTW, I am using terraform v1.8.5 and AWS Provider v5.59.0

I tried again (AWS provider upgraded to v5.61.0 from 5.59.0 and terraform 1.8.3), this time worked fine; last time I had to manually change the updateToken value in the remote state directly (I had to download the tfstate file from S3, update the updateToken value and upload the tfstate file back to S3).

@guanwee-loo

> > > Hi, the workaround works fine, thanks!
> > > EDIT: it actually worked fine until I tried to make an update, now the error tied to update_token is back again...
> >
> > Strange, I am able to continue to update without any issue yet. Are you able to check whether the "update-token" is not null when you try to apply again? It should be replaced with the last update-token value after each apply.
> > BTW, I am using terraform v1.8.5 and AWS Provider v5.59.0
>
> I tried again (AWS provider upgraded to v5.61.0 from 5.59.0 and terraform 1.8.3), this time worked fine; last time I had to manually change the updateToken value in the remote state directly (I had to download the tfstate file from S3, update the updateToken value and upload the tfstate file back to S3).

Good to know, but I am confused. Did the latest v5.61.0 AWS provider fix the TF import issue with the HTTP 400 error? The bug is still open, right?


FIAV1 commented Aug 5, 2024

> > > > Hi, the workaround works fine, thanks!
> > > > EDIT: it actually worked fine until I tried to make an update, now the error tied to update_token is back again...
> > >
> > > Strange, I am able to continue to update without any issue yet. Are you able to check whether the "update-token" is not null when you try to apply again? It should be replaced with the last update-token value after each apply.
> > > BTW, I am using terraform v1.8.5 and AWS Provider v5.59.0
> >
> > I tried again (AWS provider upgraded to v5.61.0 from 5.59.0 and terraform 1.8.3), this time worked fine; last time I had to manually change the updateToken value in the remote state directly (I had to download the tfstate file from S3, update the updateToken value and upload the tfstate file back to S3).
>
> Good to know, but I am confused. Did the latest v5.61.0 AWS provider fix the TF import issue with the HTTP 400 error? The bug is still open, right?

Sorry, I wasn't clear: I just wanted to point out I'm using the latest AWS provider version, but I didn't test if the problem was fixed with latest release

@corymhall
Contributor

It looks like the issue is in the Read function where the results of read are applied to the state. The UpdateToken is handled

func flattenDescribeTLSInspectionConfigurationOutput(ctx context.Context, data *tlsInspectionConfigurationResourceModel, apiObject *networkfirewall.DescribeTLSInspectionConfigurationOutput) diag.Diagnostics {
	var diags diag.Diagnostics

	d := fwflex.Flatten(ctx, apiObject.TLSInspectionConfigurationResponse, data)
	diags.Append(d...)
	if diags.HasError() {
		return diags
	}

	d = fwflex.Flatten(ctx, apiObject.TLSInspectionConfiguration, &data.TLSInspectionConfiguration)
	diags.Append(d...)
	if diags.HasError() {
		return diags
	}

	return diags
}
