awscc_mediaconnect_flow_output creates an srt-listener resource successfully, but saves it as "tainted", limiting further changes.

[jbieberly-xumo]

I have an issue with awscc_mediaconnect_flow_output. The resource gets created successfully, but because of the error, future actions performed on the resource are impossible. It is complaining that AWS doesn't return a value for vpc_interface_attachment, even though that value is optional and I don't need it:

After the apply operation, the provider still indicated an unknown value
│ for
│ awscc_mediaconnect_flow_output.example.vpc_interface_attachment.
│ All values must be known after apply, so this is always a bug in the
│ provider and should be reported in the provider's own repository.
│ Terraform will still save the other known object values in the state.

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment
• The resources and data sources in this provider are generated from the CloudFormation schema, so they can only support the actions that the underlying schema supports. For this reason submitted bugs should be limited to defects in the generation and runtime code of the provider. Customizing behavior of the resource, or noting a gap in behavior are not valid bugs and should be submitted as enhancements to AWS via the CloudFormation Open Coverage Roadmap.

Terraform CLI and Terraform AWS Cloud Control Provider Version

Terraform v1.10.5
on darwin_arm64

• provider registry.terraform.io/hashicorp/awscc v1.26.0

Affected Resource(s)

• awscc_mediaconnect_flow_output

Terraform Configuration Files

resource "awscc_mediaconnect_flow_output" "example" {
  flow_arn = "arn:aws:mediaconnect:us-east-1:12345678912:flow:1-abcdefg:example"
  name     = "srt-listener-output"
  protocol = "srt-listener"
  port     = 8888
  cidr_allow_list = ["0.0.0.0/0"]
  description = "SRT Listener Output"
  min_latency = 200
}

Debug Output

2025-01-22T15:17:54.328-0700 [DEBUG] ReferenceTransformer: "awscc_mediaconnect_flow_output.example" references: []
awscc_mediaconnect_flow_output.example: Refreshing state... [id=arn:aws:mediaconnect:us-east-1:12345678912:output:1-ClEPXFZUA11UVg5T-4e45cd624000:srt-listener-output]
2025-01-22T15:17:54.404-0700 [DEBUG] provider.terraform-provider-awscc_v1.26.0_x5: Request.State.Raw: @module=awscc cfn_type=AWS::MediaConnect::FlowOutput tf_provider_addr=registry.terraform.io/hashicorp/awscc tf_req_id=1dff682b-3913-6dfd-5e4a-761ff4d449df tf_resource_type=awscc_mediaconnect_flow_output tf_rpc=ReadResource @caller=github.com/hashicorp/terraform-provider-awscc/internal/generic/resource.go:442 value="tftypes.Object["cidr_allow_list":tftypes.List[tftypes.String], "description":tftypes.String, "destination":tftypes.String, "encryption":tftypes.Object["algorithm":tftypes.String, "key_type":tftypes.String, "role_arn":tftypes.String, "secret_arn":tftypes.String], "flow_arn":tftypes.String, "id":tftypes.String, "max_latency":tftypes.Number, "media_stream_output_configurations":tftypes.List[tftypes.Object["destination_configurations":tftypes.List[tftypes.Object["destination_ip":tftypes.String, "destination_port":tftypes.Number, "interface":tftypes.Object["name":tftypes.String]]], "encoding_name":tftypes.String, "encoding_parameters":tftypes.Object["compression_factor":tftypes.Number, "encoder_profile":tftypes.String], "media_stream_name":tftypes.String]], "min_latency":tftypes.Number, "name":tftypes.String, "output_arn":tftypes.String, "output_status":tftypes.String, "port":tftypes.Number, "protocol":tftypes.String, "remote_id":tftypes.String, "smoothing_latency":tftypes.Number, "stream_id":tftypes.String, "vpc_interface_attachment":tftypes.Object["vpc_interface_name":tftypes.String]]<"cidr_allow_list":tftypes.List[tftypes.String]<tftypes.String<"0.0.0.0/0">>, "description":tftypes.String<"SRT Listener Output">, "destination":tftypes.String, "encryption":tftypes.Object["algorithm":tftypes.String, "key_type":tftypes.String, "role_arn":tftypes.String, "secret_arn":tftypes.String], "flow_arn":tftypes.String<"arn:aws:mediaconnect:us-east-1:12345678912:flow:1-ClEPXFZUA11UVg5T-4e45cd624000:example">, "id":tftypes.String<"arn:aws:mediaconnect:us-east-1:12345678912:output:1-ClEPXFZUA11UVg5T-4e45cd624000:srt-listener-output">, "max_latency":tftypes.Number, "media_stream_output_configurations":tftypes.List[tftypes.Object["destination_configurations":tftypes.List[tftypes.Object["destination_ip":tftypes.String, "destination_port":tftypes.Number, "interface":tftypes.Object["name":tftypes.String]]], "encoding_name":tftypes.String, "encoding_parameters":tftypes.Object["compression_factor":tftypes.Number, "encoder_profile":tftypes.String], "media_stream_name":tftypes.String]], "min_latency":tftypes.Number<"200">, "name":tftypes.String<"srt-listener-output">, "output_arn":tftypes.String, "output_status":tftypes.String, "port":tftypes.Number<"8888">, "protocol":tftypes.String<"srt-listener">, "remote_id":tftypes.String, "smoothing_latency":tftypes.Number, "stream_id":tftypes.String, "vpc_interface_attachment":tftypes.Object["vpc_interface_name":tftypes.String]>" timestamp=2025-01-22T15:17:54.404-0700

Panic Output

After the apply operation, the provider still indicated an unknown value
│ for
│ awscc_mediaconnect_flow_output.example.vpc_interface_attachment.
│ All values must be known after apply, so this is always a bug in the
│ provider and should be reported in the provider's own repository.
│ Terraform will still save the other known object values in the state.

Expected Behavior

Terraform should have ignored the null value for vpc_interface_attachment because it is not required for this type of output.

Actual Behavior

The resource was successfully created, but it was stored in a "tainted" state, so that no further action could be performed on the resource.

Steps to Reproduce

1. Create a mediaconnect-flow, a terroform created resource or manually created one doesn't matter.
2. Create a main.tf file with the code pasted above
3. Perform terraform apply
4. Wait several minutes for it to timeout and generate the error.
5. Observe that the resource is created successfully, but the Terraform state is "tainted".

Important Factoids

none

References

• #0000

[quixoticmonk]

Thank you for opening the issue @jbieberly-xumo . Can you provide a snippet of the state file that is generated ? ( remove any sensitive values). I am guessing the value for vpc_attachment is null in there.

And , can you run the following commands against the resource created ?

aws cloudcontrol get-resource --type-name AWS::MediaConnect::FlowOutput --identifier <id_from_state>

[jbieberly-xumo]

Thanks for looking into this. You are correct that the vpc_attachment_interface is null, I can see that with debug output. However, the command you posted above doesn't work either, possibly my identifier is wrong, I was using the ARN of the FlowOutput, this is what it returns:
An error occurred (HandlerInternalFailureException) when calling the GetResource operation (reached max retries: 2): AWS::MediaConnect::FlowOutput Handler returned status FAILED: Unable to marshall request to JSON: Parameter 'flowArn' must not be null (HandlerErrorCode: InternalFailure, RequestToken: xxxxxx)

[quixoticmonk]

Thank you, I can reproduce this on my end as well. Let me open an service ticket on this and review the behavior here.