Provider produced inconsistent result after apply - aws_vpc_endpoint_route_table_association.s3_vpc_endpoint

[falgofrancis]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version 0.12.23 aws provider version 2.51.0

Affected Resource(s)

aws_vpc_endpoint_route_table_association.s3_vpc_endpoint

Terraform Configuration Files

resource "aws_route_table" "private_subnet_rtb" {
  count  = length(var.availability_zones) * var.flag
  vpc_id = aws_vpc.vpc[0].id
}

resource "aws_vpc_endpoint_route_table_association" "s3_vpc_endpoint" {
  vpc_endpoint_id = aws_vpc_endpoint.s3[0].id
  count           = length(var.availability_zones) * var.flag
  route_table_id  = element(aws_route_table.private_subnet_rtb.*.id, count.index)
}

resource "aws_vpc_endpoint" "s3" {
  count        = var.flag
  vpc_id       = aws_vpc.vpc[0].id
  service_name = "com.amazonaws.${data.aws_region.current.name}.s3"
} 

Debug Output

Error: Provider produced inconsistent result after apply vpc.aws_vpc_endpoint_route_table_association.s3_vpc_endpoint[0], provider "registry.terraform.io/-/aws" produced an unexpected new value for was present, but now absent. This is a bug in the provider, which should be reported in the provider's own issue tracker..

Expected Behavior

Terraform apply should have been successful

Actual Behavior

Terraform apply fails

Steps to Reproduce

This does not happen all the time, running apply multiple times

[ewbankkit]

@ffran09 If you add count = var.flag to resource "aws_vpc_endpoint_route_table_association" "s3_vpc_endpoint" do you still get the problem?

[falgofrancis]

Yes, we still get the same error with the count variable.
I have updated the tf code, we are using var.flag in resource "aws_vpc_endpoint_route_table_association" "s3_vpc_endpoint" as well.

[tbugfinder]

I just run into this error message, too.
I'm using the terraform-registry module terraform-aws-vpc.

       Error: Provider produced inconsistent result after apply

       When applying changes to
       module.aws_vpc_test.aws_vpc_endpoint_route_table_association.private_s3[0],
       provider "registry.terraform.io/-/aws" produced an unexpected new value for
       was present, but now absent.

       This is a bug in the provider, which should be reported in the provider's own
       issue tracker.

Terraform v0.12.24

       Initializing provider plugins...
       - Checking for available provider plugins...
       - Downloading plugin for provider "null" (hashicorp/null) 2.1.2...
       - Downloading plugin for provider "template" (hashicorp/template) 2.1.2...
       - Downloading plugin for provider "aws" (hashicorp/aws) 2.54.0...
       - Downloading plugin for provider "random" (hashicorp/random) 2.2.1...
       - Downloading plugin for provider "local" (hashicorp/local) 1.4.0...

[ewbankkit]

Relevant:

• Clarify Terraform 0.12 Resource Missing Error Messaging terraform#20688

This is most likely an eventual consistency issue. The association is successfully created but when the provider then turns around and reads back the state, the AWS EC2 service can't find it.
The fix will be to add a retry loop in resourceAwsVpcEndpointRouteTableAssociationCreate.

[queglay]

I also see it with aws_network_interface_sg_attachment

3776 [23:29:14] Error: timeout - last error: ssh: rejected: connect failed (Connection timed out)
3777 [23:29:14] 
3778 [23:29:14] 
3779 [23:29:14] 
3780 [23:29:14] Error: Provider produced inconsistent result after apply
3781 [23:29:14] 
3782 [23:29:14] When applying changes to
3783 [23:29:14] module.softnas.aws_network_interface_sg_attachment.sg_attachment_vpn[0],
3784 [23:29:14] provider "registry.terraform.io/-/aws" produced an unexpected new value for
3785 [23:29:14] was present, but now absent.
3786 [23:29:14] 
3787 [23:29:14] This is a bug in the provider, which should be reported in the provider's own
3788 [23:29:14] issue tracker.

[spicysomtam]

I just suffered this; it seemed to have setup the route associations. I re-ran the apply and it needed to add the network associations which worked (even though they are already there). Then another plan showed all was good. So I guess the answer is just do another apply?

[tbugfinder]

Well, yes and no.
In most cases it applies changes in a single step. In few cases this error is raised....

[bashims]

Seeing this problem with Terraform v0.12.27 and AWS provider v2.70.0

This issue seems to be non-deterministic.

[drexler]

Same issue. Re-applying the plan does resolve it.

Terraform v0.12.24
provider.aws v3.1.0

[mwheeler-aicradle]

Same issue. Encountered with TF v0.12.28, and provider v3.11.0.

[fractos]

Seeing this for TF v0.12.29 and provider 2.70.0. Generally seems to be the s3 or dynamoDB endpoints. Non-deterministic, probably happens 1 time in 20.

[lifelofranco]

Same issue with TF 0.13.5 and provider v3.12.0.

Error: Provider produced inconsistent result after apply

When applying changes to
module.vpc.aws_vpc_endpoint_route_table_association.public_dynamodb[0],
provider "registry.terraform.io/hashicorp/aws" produced an unexpected new
value: Root resource was present, but now absent.

This is a bug in the provider, which should be reported in the provider's own
issue tracker.

[atsalolikhin-spokeo]

We are on Terraform 0.13.3 and on hashicorp/aws v2.70.0.

Apply failed with

Error: Provider produced inconsistent result after apply

When applying changes to
module.my_module_name.aws_network_interface_sg_attachment.my_server[2],
provider "registry.terraform.io/hashicorp/aws" produced an unexpected new
value: Root resource was present, but now absent.

This is a bug in the provider, which should be reported in the provider's own
issue tracker.

The next apply failed with

Error: security group [id redacted] already attached to interface ID [id redacted]

  on [filename] line 22, in resource "aws_network_interface_sg_attachment" "my_server":
  22: resource "aws_network_interface_sg_attachment" "my_server" {

So did the one after it.

We had to manually detach the Security Group, then apply again. That resolved it.

[ewbankkit]

Given that this is happening for Gateway VPC endpoints it is likely best to use the same logic as used in aws_route and retry after creating the association to ensure it can be read back correctly.

[ewbankkit]

aws_vpc_endpoint_route_table_association issue addressed in #16200.
aws_network_interface_sg_attachment issue raised in #16201.

[dohoangkhiem]

Got it (though rarely, but causing serious issue when it happened) with aws_eip_association , is there any PR for that resource yet?
Also, any good scenario for re-produce?

[eistrati]

I was able to reproduce this issue with terraform vpc module and dynamodb gateway enabled:

module.vpc.aws_vpc_endpoint_route_table_association.private_dynamodb[0]: Creating...

Error: Provider produced inconsistent result after apply

When applying changes to
module.vpc.aws_vpc_endpoint_route_table_association.private_dynamodb[0],
provider "registry.terraform.io/hashicorp/aws" produced an unexpected new
value: Root resource was present, but now absent.

This is a bug in the provider, which should be reported in the provider's own
issue tracker.

My terraform configuration looks like this:

data "aws_region" "current" {}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "2.70.0"

  name = var.resource["name"]
  cidr = lookup(var.cidr, data.aws_region.current.name, "")
  azs  = keys(lookup(var.azs, data.aws_region.current.name, {}))

  private_subnets = [
    for i in values(lookup(var.azs, data.aws_region.current.name, {})):
    cidrsubnet(lookup(var.cidr, data.aws_region.current.name, ""), var.resource["subcidr_newbits"], var.resource["subcidr_netnum_private"] + i)
  ]

  #public_subnets = [
  #  for i in values(lookup(var.azs, data.aws_region.current.name, {})):
  #  cidrsubnet(lookup(var.cidr, data.aws_region.current.name, ""), var.resource["subcidr_newbits"], var.resource["subcidr_netnum_public"] + i)
  #]

  manage_default_security_group  = true
  default_security_group_ingress = [{}]
  default_security_group_egress  = [{}]

  enable_dns_hostnames = true
  enable_dns_support   = true

  enable_s3_endpoint       = false
  enable_dynamodb_endpoint = true
}

variable "resource" {
  type    = map(string)
  default = {
    name                       = "devops"
    subcidr_newbits            = 3
    subcidr_netnum_private     = 0
    subcidr_netnum_public      = 10
  }
}

variable "cidr" {
  type    = map(string)
  default = {
    "us-east-1" = "10.8.64.0/21",
    "us-east-2" = "10.10.64.0/21"
  }
}

variable "azs" {
  type    = map(map(string))
  default = {
    "us-east-1" = {
      "us-east-1a" = 0
      "us-east-1b" = 1
      "us-east-1d" = 2
    },
    "us-east-2" = {
      "us-east-2b" = 0
      "us-east-2c" = 1
      "us-east-2d" = 2
    }
  }
}

For reference:

• Terraform v0.14.5
• Terraform AWS Provider v3.26.0
• Terraform VPC Module v2.70.0

[ewbankkit]

Proposal to consistently deal with read-after-create failing:

• Implement d.IsNewResource() Checks In Resource Read Functions #16796

[skeswani]

I was wondering if anyone was able to work around this issue by adding a null resource with a small 5-30 second sleep on it.
if its a read-after-create consistency issue, and if "eventually" means a few seconds , then this should be a simple workaround.

did anyone attempt to and/or succeed to resolve it in this manner?

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!