Merge pull request hashicorp#45201 from hashicorp/b-tag-policy-interceptor

Provider: Fix required tag validation regressions

Author: jar-b

.changelog/45201.txt

@@ -0,0 +1,6 @@
+```release-note:bug
+provider: Fix early return logic in the required tag validation interceptor. This addresses a performance regression introduced in [v6.22.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#6220-november-20-2025).
+```
+```release-note:bug
+provider: Fix crash in required tag validation interceptor when tag values are unknown. This addresses a regression introduced in [v6.22.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#6220-november-20-2025).
+```

internal/provider/framework/tags_interceptor.go

@@ -278,6 +278,15 @@ func (r resourceValidateRequiredTagsInterceptor) modifyPlan(ctx context.Context,
 		return
 	}
 
+	policy := c.TagPolicyConfig(ctx)
+	if policy == nil {
+		return
+	}
+	reqTags, ok := policy.RequiredTags[typeName]
+	if !ok {
+		return
+	}
+
 	switch request, _, when := opts.request, opts.response, opts.when; when {
 	case Before:
 		// If the entire plan is null, the resource is planned for destruction.
@@ -292,6 +301,10 @@ func (r resourceValidateRequiredTagsInterceptor) modifyPlan(ctx context.Context,
 			return
 		}
 
+		if !planTags.IsWhollyKnown() {
+			return
+		}
+
 		allPlanTags := c.DefaultTagsConfig(ctx).MergeTags(tftags.New(ctx, planTags))
 		allStateTags := c.DefaultTagsConfig(ctx).MergeTags(tftags.New(ctx, stateTags))
 
@@ -302,16 +315,6 @@ func (r resourceValidateRequiredTagsInterceptor) modifyPlan(ctx context.Context,
 			return
 		}
 
-		policy := c.TagPolicyConfig(ctx)
-		if policy == nil {
-			return
-		}
-
-		reqTags, ok := policy.RequiredTags[typeName]
-		if !ok {
-			return
-		}
-
 		if allPlanTags.ContainsAllKeys(reqTags) {
 			return
 		}

internal/provider/framework/tags_interceptor_test.go

@@ -91,12 +91,42 @@ func Test_resourceValidateRequiredTagsInterceptor(t *testing.T) {
 		},
 	}
 
+	// Null tags
 	attrs := map[string]tftypes.Value{
 		"name": tftypes.NewValue(tftypes.String, "test"),
 		"tags": tftypes.NewValue(tftypes.Map{ElementType: tftypes.String}, nil),
 	}
 	rawVal := tftypes.NewValue(resourceSchema.Type().TerraformType(ctx), attrs)
 
+	// Partial required tags
+	attrsPartial := map[string]tftypes.Value{
+		"name": tftypes.NewValue(tftypes.String, "test"),
+		"tags": tftypes.NewValue(tftypes.Map{ElementType: tftypes.String}, map[string]tftypes.Value{
+			"bar": tftypes.NewValue(tftypes.String, nil),
+		}),
+	}
+	rawValPartial := tftypes.NewValue(resourceSchema.Type().TerraformType(ctx), attrsPartial)
+
+	// All required tags
+	attrsRequired := map[string]tftypes.Value{
+		"name": tftypes.NewValue(tftypes.String, "test"),
+		"tags": tftypes.NewValue(tftypes.Map{ElementType: tftypes.String}, map[string]tftypes.Value{
+			"foo": tftypes.NewValue(tftypes.String, nil),
+			"bar": tftypes.NewValue(tftypes.String, nil),
+		}),
+	}
+	rawValRequired := tftypes.NewValue(resourceSchema.Type().TerraformType(ctx), attrsRequired)
+
+	// Unknown tag values
+	attrsUnknown := map[string]tftypes.Value{
+		"name": tftypes.NewValue(tftypes.String, "test"),
+		"tags": tftypes.NewValue(tftypes.Map{ElementType: tftypes.String}, map[string]tftypes.Value{
+			"foo": tftypes.NewValue(tftypes.String, tftypes.UnknownValue),
+			"bar": tftypes.NewValue(tftypes.String, tftypes.UnknownValue),
+		}),
+	}
+	rawValUnknown := tftypes.NewValue(resourceSchema.Type().TerraformType(ctx), attrsUnknown)
+
 	tests := []struct {
 		name      string
 		opts      interceptorOptions[resource.ModifyPlanRequest, resource.ModifyPlanResponse]
@@ -135,6 +165,93 @@ func Test_resourceValidateRequiredTagsInterceptor(t *testing.T) {
 			),
 			},
 		},
+		{
+			name: "create, partial tags",
+			opts: interceptorOptions[resource.ModifyPlanRequest, resource.ModifyPlanResponse]{
+				c: mockRequiredTagsClient{},
+				request: &resource.ModifyPlanRequest{
+					Config: tfsdk.Config{
+						Raw:    rawValPartial,
+						Schema: resourceSchema,
+					},
+					State: tfsdk.State{
+						Raw:    tftypes.NewValue(resourceSchema.Type().TerraformType(ctx), nil), // Raw state is null on creation
+						Schema: resourceSchema,
+					},
+					Plan: tfsdk.Plan{
+						Raw:    rawValPartial,
+						Schema: resourceSchema,
+					},
+				},
+				response: &resource.ModifyPlanResponse{
+					Plan: tfsdk.Plan{
+						Raw:    rawValPartial,
+						Schema: resourceSchema,
+					},
+				},
+				when: Before,
+			},
+			wantDiags: diag.Diagnostics{diag.NewAttributeErrorDiagnostic(
+				path.Root(names.AttrTags),
+				"Missing Required Tags",
+				"An organizational tag policy requires the following tags for aws_test: [foo]",
+			),
+			},
+		},
+		{
+			name: "create, required tags",
+			opts: interceptorOptions[resource.ModifyPlanRequest, resource.ModifyPlanResponse]{
+				c: mockRequiredTagsClient{},
+				request: &resource.ModifyPlanRequest{
+					Config: tfsdk.Config{
+						Raw:    rawValRequired,
+						Schema: resourceSchema,
+					},
+					State: tfsdk.State{
+						Raw:    tftypes.NewValue(resourceSchema.Type().TerraformType(ctx), nil), // Raw state is null on creation
+						Schema: resourceSchema,
+					},
+					Plan: tfsdk.Plan{
+						Raw:    rawValRequired,
+						Schema: resourceSchema,
+					},
+				},
+				response: &resource.ModifyPlanResponse{
+					Plan: tfsdk.Plan{
+						Raw:    rawValRequired,
+						Schema: resourceSchema,
+					},
+				},
+				when: Before,
+			},
+		},
+		{
+			name: "create, unknown tag values",
+			opts: interceptorOptions[resource.ModifyPlanRequest, resource.ModifyPlanResponse]{
+				c: mockRequiredTagsClient{},
+				request: &resource.ModifyPlanRequest{
+					Config: tfsdk.Config{
+						Raw:    rawValUnknown,
+						Schema: resourceSchema,
+					},
+					State: tfsdk.State{
+						Raw:    tftypes.NewValue(resourceSchema.Type().TerraformType(ctx), nil), // Raw state is null on creation
+						Schema: resourceSchema,
+					},
+					Plan: tfsdk.Plan{
+						Raw:    rawValUnknown,
+						Schema: resourceSchema,
+					},
+				},
+				response: &resource.ModifyPlanResponse{
+					Plan: tfsdk.Plan{
+						Raw:    rawValUnknown,
+						Schema: resourceSchema,
+					},
+				},
+				when: Before,
+			},
+		},
 		{
 			name: "update, no tags change",
 			opts: interceptorOptions[resource.ModifyPlanRequest, resource.ModifyPlanResponse]{
@@ -162,6 +279,93 @@ func Test_resourceValidateRequiredTagsInterceptor(t *testing.T) {
 				when: Before,
 			},
 		},
+		{
+			name: "update, add required",
+			opts: interceptorOptions[resource.ModifyPlanRequest, resource.ModifyPlanResponse]{
+				c: mockRequiredTagsClient{},
+				request: &resource.ModifyPlanRequest{
+					Config: tfsdk.Config{
+						Raw:    rawValRequired,
+						Schema: resourceSchema,
+					},
+					State: tfsdk.State{
+						Raw:    rawValPartial,
+						Schema: resourceSchema,
+					},
+					Plan: tfsdk.Plan{
+						Raw:    rawValRequired,
+						Schema: resourceSchema,
+					},
+				},
+				response: &resource.ModifyPlanResponse{
+					Plan: tfsdk.Plan{
+						Raw:    rawValRequired,
+						Schema: resourceSchema,
+					},
+				},
+				when: Before,
+			},
+		},
+		{
+			name: "update, remove required",
+			opts: interceptorOptions[resource.ModifyPlanRequest, resource.ModifyPlanResponse]{
+				c: mockRequiredTagsClient{},
+				request: &resource.ModifyPlanRequest{
+					Config: tfsdk.Config{
+						Raw:    rawValPartial,
+						Schema: resourceSchema,
+					},
+					State: tfsdk.State{
+						Raw:    rawValRequired,
+						Schema: resourceSchema,
+					},
+					Plan: tfsdk.Plan{
+						Raw:    rawValPartial,
+						Schema: resourceSchema,
+					},
+				},
+				response: &resource.ModifyPlanResponse{
+					Plan: tfsdk.Plan{
+						Raw:    rawValRequired,
+						Schema: resourceSchema,
+					},
+				},
+				when: Before,
+			},
+			wantDiags: diag.Diagnostics{diag.NewAttributeErrorDiagnostic(
+				path.Root(names.AttrTags),
+				"Missing Required Tags",
+				"An organizational tag policy requires the following tags for aws_test: [foo]",
+			),
+			},
+		},
+		{
+			name: "update, unknown tag values",
+			opts: interceptorOptions[resource.ModifyPlanRequest, resource.ModifyPlanResponse]{
+				c: mockRequiredTagsClient{},
+				request: &resource.ModifyPlanRequest{
+					Config: tfsdk.Config{
+						Raw:    rawValUnknown,
+						Schema: resourceSchema,
+					},
+					State: tfsdk.State{
+						Raw:    rawValPartial,
+						Schema: resourceSchema,
+					},
+					Plan: tfsdk.Plan{
+						Raw:    rawValUnknown,
+						Schema: resourceSchema,
+					},
+				},
+				response: &resource.ModifyPlanResponse{
+					Plan: tfsdk.Plan{
+						Raw:    rawValUnknown,
+						Schema: resourceSchema,
+					},
+				},
+				when: Before,
+			},
+		},
 		{
 			name: "destroy",
 			opts: interceptorOptions[resource.ModifyPlanRequest, resource.ModifyPlanResponse]{

internal/provider/sdkv2/tags_interceptor.go

@@ -309,6 +309,15 @@ func validateRequiredTags() customizeDiffInterceptor {
 			return nil
 		}
 
+		policy := c.TagPolicyConfig(ctx)
+		if policy == nil {
+			return nil
+		}
+		reqTags, ok := policy.RequiredTags[typeName]
+		if !ok {
+			return nil
+		}
+
 		switch d, when, why := opts.d, opts.when, opts.why; when {
 		case Before:
 			switch why {
@@ -320,13 +329,7 @@ func validateRequiredTags() customizeDiffInterceptor {
 					return nil
 				}
 
-				policy := c.TagPolicyConfig(ctx)
-				if policy == nil {
-					return nil
-				}
-
-				reqTags, ok := policy.RequiredTags[typeName]
-				if !ok {
+				if !d.GetRawPlan().GetAttr(names.AttrTags).IsWhollyKnown() {
 					return nil
 				}