### Terraform Version

```shell
Terraform v1.14.3
on windows_amd64
```

### Terraform Configuration Files

```terraform
data "cloudinit_config" "init_config" {
  gzip          = true
  base64_encode = true

  part {
    content_type = "text/cloud-config"
    content = yamlencode({
      preserve_hostname : false
      hostname : "${var.local_dns_name}-ec2"
      create_hostname_file : true
      prefer_fqdn_over_hostname : false
      package_update : true
      package_upgrade : true
      packages = ["python3-venv", "jq", "dos2unix"]
    })
  }
}

resource "aws_instance" "service-ec2-instance" {
  ami                         = data.aws_ami.ec2_image.id
  iam_instance_profile        = aws_iam_instance_profile.service-profile.id
  user_data_base64            = sensitive(data.cloudinit_config.init_config.rendered)
  user_data_replace_on_change = true
  associate_public_ip_address = false
  key_name                    = var.dependency_ssh_key_ec2_user
  instance_type               = "t3a.xlarge"
  vpc_security_group_ids      = [var.dependency_sg_ec2_id]
  subnet_id                   = data.aws_subnets.local_availability_zone_a.ids[0]
  monitoring                  = false

  root_block_device {
    volume_size = 30
    volume_type = "gp3"
  }

  depends_on = [
    data.cloudinit_config.init_config
  ]
}
```

### Debug Output

Doesn't work as expected with those EC2 settings

```terraform
user_data_base64            = sensitive(data.cloudinit_config.init_config.rendered)
user_data_replace_on_change = true
```

Log:

```
10:49:02.663 STDOUT [.] terraform: # aws_instance.service-ec2-instance will be updated in-place
10:49:02.663 STDOUT [.] terraform: ~ resource "aws_instance" "service-ec2-instance" {
10:49:02.663 STDOUT [.] terraform: id = "i-xxx"
10:49:02.664 STDOUT [.] terraform: # Warning: this attribute value will be marked as sensitive and will not
10:49:02.664 STDOUT [.] terraform: # display in UI output after applying this change.
10:49:02.664 STDOUT [.] terraform: ~ user_data_base64 = (sensitive value)
```

Works as expected with those EC2 settings:

```terraform
user_data                   = sensitive(data.cloudinit_config.init_config.rendered)
user_data_replace_on_change = true
```

Log:

```
11:27:20.217 STDOUT [.] terraform: # aws_instance.service-ec2-instance must be replaced
11:27:20.217 STDOUT [.] terraform: -/+ resource "aws_instance" "service-ec2-instance" {
11:27:20.217 STDOUT [.] terraform: ~ arn = "arn:aws:ec2:xxx" -> (known after apply)
11:27:20.222 STDOUT [.] terraform: ~ user_data = (sensitive value) # forces replacement
11:27:20.222 STDOUT [.] terraform: + user_data_base64 = (known after apply)
```

### Expected Behavior

The EC2 instance will be replaced, when the cloudinit config changes

### Actual Behavior

The EC2 instance is updated-in-place and I'm receiving a lot of 'Provider produced inconsistent final plan' errors:

```
Error: Provider produced inconsistent final plan
│
│ When expanding the plan for aws_instance.service-ec2-instance to include
│ new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/aws" produced an invalid new value for
│ .ipv6_addresses: was known, but now unknown.
│
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.

Error: Provider produced inconsistent final plan
│
│ When expanding the plan for aws_instance.service-ec2-instance to include
│ new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/aws" produced an invalid new value for
│ .root_block_device[0].encrypted: was known, but now unknown.
│
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
```

### Steps to Reproduce

1. `terraform init`
2. `terraform apply`

### Additional Context

_No response_

### References

_No response_

### Generative AI / LLM assisted development?

_No response_
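
A pre-apply check for the condition reported above, as an added example that is not part of the original issue or of the provider's code: it scans the JSON form of a plan (`terraform show -json <planfile>`) for `aws_instance` resources whose user data changes while `user_data_replace_on_change` is true, but which are planned as an in-place update rather than a replacement. The function name and the embedded sample plan are constructed for illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json` output; values are placeholders.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_instance.service-ec2-instance", "type": "aws_instance",
   "change": {"actions": ["update"],
              "before": {"user_data_base64": "b2xk", "user_data_replace_on_change": true},
              "after":  {"user_data_base64": "bmV3", "user_data_replace_on_change": true}}},
  {"address": "aws_instance.other", "type": "aws_instance",
   "change": {"actions": ["delete", "create"],
              "before": {"user_data": "old", "user_data_replace_on_change": true},
              "after":  {"user_data": "new", "user_data_replace_on_change": true}}}
]}
""")

USER_DATA_ATTRS = ("user_data", "user_data_base64")


def in_place_user_data_updates(plan):
    """Return (address, attribute) pairs where user data changes but the
    instance is not replaced although user_data_replace_on_change is true."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_instance":
            continue
        change = rc.get("change", {})
        before = change.get("before") or {}
        after = change.get("after") or {}
        if not after.get("user_data_replace_on_change"):
            continue
        actions = set(change.get("actions", []))
        if {"create", "delete"} <= actions:
            continue  # planned as a replacement, which is the expected behaviour
        if "update" not in actions:
            continue  # create-only, delete-only or no-op
        for attr in USER_DATA_ATTRS:
            # A value unknown until apply is absent from "after" and counts as a change.
            if before.get(attr) != after.get(attr):
                findings.append((rc["address"], attr))
    return findings


if __name__ == "__main__":
    for address, attr in in_place_user_data_updates(SAMPLE_PLAN):
        print(f"{address}: {attr} changes in place, no replacement planned")
```

The JSON plan output shows sensitive values in plain text, so the exported file needs the same handling as the user data itself.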