Terraform error: Provider produced inconsistent final plan when expanding the plan when using Bamboo

I got an error when creating an IAM policy for an EC2 role via a Bamboo pipeline.

Error: Provider produced inconsistent final plan

When expanding the plan for aws_iam_policy.this[xx] to include
new values learned so far during apply, provider
"registry.terraform.io/hashicorp/aws" produced an invalid
new value for policy: was cty.StringVal(xx), but now
cty.StringVal(xx). This is a bug in the provider, which
should be reported in the provider's own issue tracker. 

It worked when I ran Terraform from my local machine, but the error occurred when deploying via the Bamboo pipeline.

Versions on my local machine: Terraform v1.2.5, AWS v4.29.0

I tried to specify the aws provider version=4.29.0 but got another error:
“Provider requirements cannot be satisfied by locked dependencies”.

Could you please advise how to fix the errors?

Hi @bls,

As the error message mentions, this seems to be a bug in the provider rather than a bug in your own configuration: the hashicorp/aws provider should either be consistent about its value for policy or it should return its own custom error explaining why that’s not possible.

The fact that it works on your machine is interesting and might suggest that the bug was fixed in a newer version of the provider. I’m not sure why you didn’t see the “Provider requirements cannot be satisfied by locked dependencies” error on your local system, since I would expect the lock file (.terraform.lock.hcl) to be identical between your development machine and the real execution environment.

Whenever you change the version constraints in your modules in a way that invalidates Terraform’s original selections (as recorded in the lock file) you will need to explicitly ask Terraform to upgrade providers by running terraform init -upgrade.

That command will cause Terraform to discard any existing provider version selections and instead take the latest version of each provider that matches your configuration’s version constraints. It will update .terraform.lock.hcl to record its new decisions, and so you can review the proposed changes to that file to see what version is now selected and commit those changes to your version control system to make the new version be selected in your real execution environment, which should use the same dependency lock file and thus choose the same provider versions.
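As an added example (not part of the original thread): a pre-flight check a pipeline could run before terraform init, which reads .terraform.lock.hcl and reports when an exact provider pin disagrees with the locked selection, the condition behind "Provider requirements cannot be satisfied by locked dependencies". The sample lock file contents, the function names and the placeholder hashes are constructed for illustration, and only exact pins are handled, not range constraints.

```python
import re

# Constructed sample of a .terraform.lock.hcl file; versions and hashes are placeholders.
SAMPLE_LOCK = '''
provider "registry.terraform.io/hashicorp/aws" {
  version     = "4.30.0"
  constraints = ">= 4.0.0"
  hashes = [
    "h1:PLACEHOLDER-HASH-ONE=",
    "zh:placeholder-hash-two",
  ]
}
provider "registry.terraform.io/hashicorp/random" {
  version = "3.4.3"
  hashes  = ["h1:PLACEHOLDER-HASH-THREE="]
}
'''

BLOCK_RE = re.compile(r'provider\s+"([^"]+)"\s*\{(.*?)^\}', re.S | re.M)
ATTR_RE = re.compile(r'^\s*(version|constraints)\s*=\s*"([^"]*)"', re.M)
HASH_RE = re.compile(r'"((?:h1|zh):[^"]+)"')

def parse_lock(text):
    """Return {provider_address: {"version", "constraints", "hashes"}}."""
    providers = {}
    for address, body in BLOCK_RE.findall(text):
        attrs = dict(ATTR_RE.findall(body))
        providers[address] = {
            "version": attrs.get("version"),
            "constraints": attrs.get("constraints"),
            "hashes": sorted(HASH_RE.findall(body)),
        }
    return providers

def pin_mismatches(text, pins):
    """List providers whose locked version differs from an exact pin."""
    locked = parse_lock(text)
    problems = []
    for address, wanted in pins.items():
        entry = locked.get(address)
        if entry is None:
            problems.append(f"{address}: not in lock file")
        elif entry["version"] != wanted:
            problems.append(f"{address}: locked {entry['version']}, pinned {wanted}")
    return problems

if __name__ == "__main__":
    for line in pin_mismatches(SAMPLE_LOCK, {"registry.terraform.io/hashicorp/aws": "4.29.0"}):
        print(line)
```

Running the same parse on the developer checkout and on the build agent's checkout, and comparing the results, shows whether both environments are really using the same lock file.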