internal/provider: fix required tag validation crash

Previously the validate required tags interceptor would crash when the planned value for the `tags` attribute included unknown tag values. Validation now skips when planned values are not wholly known.

Without the patch:

```console
% go test -count=1 ./internal/provider/framework/... -run Test_resourceValidateRequiredTagsInterceptor
--- FAIL: Test_resourceValidateRequiredTagsInterceptor (0.00s)
    --- FAIL: Test_resourceValidateRequiredTagsInterceptor/create,_unknown_tag_values (0.00s)
--- FAIL: Test_resourceValidateRequiredTagsInterceptor (0.00s)
    --- FAIL: Test_resourceValidateRequiredTagsInterceptor/update,_unknown_tag_values (0.00s)
panic: Value Conversion Error

        An unexpected error was encountered trying to build a value. This is always an error in the provider. Please report the following to the provider developer:

        Received unknown value, however the target type cannot handle unknown values. Use the corresponding `types` package type or a custom type that handles unknown values.

        Path: ["foo"]
        Target Type: *string
        Suggested Type: basetypes.StringValue
        ["foo"] [recovered]
        panic: Value Conversion Error

        An unexpected error was encountered trying to build a value. This is always an error in the provider. Please report the following to the provider developer:

        Received unknown value, however the target type cannot handle unknown values. Use the corresponding `types` package type or a custom type that handles unknown values.

        Path: ["foo"]
        Target Type: *string
        Suggested Type: basetypes.StringValue
        ["foo"]

goroutine 28 [running]:
testing.tRunner.func1.2({0x101701aa0, 0x14001282150})
        /Users/jaredbaker/sdk/go1.24.10/src/testing/testing.go:1734 +0x1ac
testing.tRunner.func1()
        /Users/jaredbaker/sdk/go1.24.10/src/testing/testing.go:1737 +0x334
panic({0x101701aa0?, 0x14001282150?})
        /Users/jaredbaker/sdk/go1.24.10/src/runtime/panic.go:792 +0x124
github.com/hashicorp/terraform-provider-aws/internal/errs.Must[...](...)
        /Users/jaredbaker/development/_worktrees/b-tag-policy-interceptor/internal/errs/must.go:13
github.com/hashicorp/terraform-provider-aws/internal/errs/fwdiag.Must[...]({0x0?, 0x0}, {0x14001280920, 0x1016b17a0?, 0x1400009a298?})
        /Users/jaredbaker/development/_worktrees/b-tag-policy-interceptor/internal/errs/fwdiag/must.go:17 +0x58
github.com/hashicorp/terraform-provider-aws/internal/framework/flex.must(...)
        /Users/jaredbaker/development/_worktrees/b-tag-policy-interceptor/internal/framework/flex/errs.go:13
github.com/hashicorp/terraform-provider-aws/internal/framework/flex.ExpandFrameworkStringMap({0x1017c9e08, 0x140011020c0}, {0x1017cea10, 0x1400138c1c0})
        /Users/jaredbaker/development/_worktrees/b-tag-policy-interceptor/internal/framework/flex/map.go:17 +0x94
github.com/hashicorp/terraform-provider-aws/internal/tags.New({0x1017c9e08, 0x140011020c0}, {0x101795120?, 0x1400110dd68})
        /Users/jaredbaker/development/_worktrees/b-tag-policy-interceptor/internal/tags/key_value_tags.go:650 +0x2fc
github.com/hashicorp/terraform-provider-aws/internal/provider/framework.resourceValidateRequiredTagsInterceptor.modifyPlan({}, {0x1017c9e08, 0x140011020c0}, {{0x1017cfb58, 0x14000aec160}, 0x140000fc700, 0x14001049580, 0x1})
        /Users/jaredbaker/development/_worktrees/b-tag-policy-interceptor/internal/provider/framework/tags_interceptor.go:308 +0x4d8
github.com/hashicorp/terraform-provider-aws/internal/provider/framework.Test_resourceValidateRequiredTagsInterceptor.func2(0x14000003c00)
        /Users/jaredbaker/development/_worktrees/b-tag-policy-interceptor/internal/provider/framework/tags_interceptor_test.go:404 +0x16c
testing.tRunner(0x14000003c00, 0x14001063570)
        /Users/jaredbaker/sdk/go1.24.10/src/testing/testing.go:1792 +0xe4
created by testing.(*T).Run in goroutine 24
        /Users/jaredbaker/sdk/go1.24.10/src/testing/testing.go:1851 +0x374
FAIL    github.com/hashicorp/terraform-provider-aws/internal/provider/framework 0.850s
```

```console
% TF_ACC_REQUIRED_TAG_KEY=Owner make t K=iot T=TestAccIoTBillingGroup_requiredTags && TF_ACC_REQUIRED_TAG_KEY=Owner make t K=logs T=TestAccLogsLogGroup_requiredTags
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 b-tag-policy-interceptor 🌿...
TF_ACC=1 go1.24.10 test ./internal/service/iot/... -v -count 1 -parallel 20 -run='TestAccIoTBillingGroup_requiredTags'  -timeout 360m -vet=off
2025/11/21 11:54:39 Creating Terraform AWS Provider (SDKv2-style)...
2025/11/21 11:54:39 Initializing Terraform AWS Provider (SDKv2-style)...

--- PASS: TestAccIoTBillingGroup_requiredTags_defaultTags (19.31s)
--- PASS: TestAccIoTBillingGroup_requiredTags (19.33s)
--- PASS: TestAccIoTBillingGroup_requiredTags_disabled (34.01s)
--- PASS: TestAccIoTBillingGroup_requiredTags_warning (37.18s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/iot        43.681s
make: Verifying source code with gofmt...
==> Checking that code complies with gofmt requirements...
make: Running acceptance tests on branch: 🌿 b-tag-policy-interceptor 🌿...
TF_ACC=1 go1.24.10 test ./internal/service/logs/... -v -count 1 -parallel 20 -run='TestAccLogsLogGroup_requiredTags'  -timeout 360m -vet=off
2025/11/21 11:55:37 Creating Terraform AWS Provider (SDKv2-style)...
2025/11/21 11:55:37 Initializing Terraform AWS Provider (SDKv2-style)...

--- PASS: TestAccLogsLogGroup_requiredTags (19.59s)
--- PASS: TestAccLogsLogGroup_requiredTags_defaultTags (19.67s)
--- PASS: TestAccLogsLogGroup_requiredTags_disabled (35.34s)
--- PASS: TestAccLogsLogGroup_requiredTags_warning (38.32s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/logs       44.717s
```

Author: jar-b

.changelog/45201.txt

@@ -1,3 +1,6 @@
 ```release-note:bug
 provider: Fix early return logic in the required tag validation interceptor. This addresses a performance regression introduced in [v6.22.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#6220-november-20-2025).
 ```
+```release-note:bug
+provider: Fix crash in required tag validation interceptor when tag values are unknown. This addresses a regression introduced in [v6.22.0](https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#6220-november-20-2025).
+```

internal/provider/framework/tags_interceptor.go

@@ -301,6 +301,10 @@ func (r resourceValidateRequiredTagsInterceptor) modifyPlan(ctx context.Context,
 			return
 		}
 
+		if !planTags.IsWhollyKnown() {
+			return
+		}
+
 		allPlanTags := c.DefaultTagsConfig(ctx).MergeTags(tftags.New(ctx, planTags))
 		allStateTags := c.DefaultTagsConfig(ctx).MergeTags(tftags.New(ctx, stateTags))
 

internal/provider/framework/tags_interceptor_test.go

@@ -91,12 +91,42 @@ func Test_resourceValidateRequiredTagsInterceptor(t *testing.T) {
 		},
 	}
 
+	// Null tags
 	attrs := map[string]tftypes.Value{
 		"name": tftypes.NewValue(tftypes.String, "test"),
 		"tags": tftypes.NewValue(tftypes.Map{ElementType: tftypes.String}, nil),
 	}
 	rawVal := tftypes.NewValue(resourceSchema.Type().TerraformType(ctx), attrs)
 
+	// Partial required tags
+	attrsPartial := map[string]tftypes.Value{
+		"name": tftypes.NewValue(tftypes.String, "test"),
+		"tags": tftypes.NewValue(tftypes.Map{ElementType: tftypes.String}, map[string]tftypes.Value{
+			"bar": tftypes.NewValue(tftypes.String, nil),
+		}),
+	}
+	rawValPartial := tftypes.NewValue(resourceSchema.Type().TerraformType(ctx), attrsPartial)
+
+	// All required tags
+	attrsRequired := map[string]tftypes.Value{
+		"name": tftypes.NewValue(tftypes.String, "test"),
+		"tags": tftypes.NewValue(tftypes.Map{ElementType: tftypes.String}, map[string]tftypes.Value{
+			"foo": tftypes.NewValue(tftypes.String, nil),
+			"bar": tftypes.NewValue(tftypes.String, nil),
+		}),
+	}
+	rawValRequired := tftypes.NewValue(resourceSchema.Type().TerraformType(ctx), attrsRequired)
+
+	// Unknown tag values
+	attrsUnknown := map[string]tftypes.Value{
+		"name": tftypes.NewValue(tftypes.String, "test"),
+		"tags": tftypes.NewValue(tftypes.Map{ElementType: tftypes.String}, map[string]tftypes.Value{
+			"foo": tftypes.NewValue(tftypes.String, tftypes.UnknownValue),
+			"bar": tftypes.NewValue(tftypes.String, tftypes.UnknownValue),
+		}),
+	}
+	rawValUnknown := tftypes.NewValue(resourceSchema.Type().TerraformType(ctx), attrsUnknown)
+
 	tests := []struct {
 		name      string
 		opts      interceptorOptions[resource.ModifyPlanRequest, resource.ModifyPlanResponse]
@@ -135,6 +165,93 @@ func Test_resourceValidateRequiredTagsInterceptor(t *testing.T) {
 			),
 			},
 		},
+		{
+			name: "create, partial tags",
+			opts: interceptorOptions[resource.ModifyPlanRequest, resource.ModifyPlanResponse]{
+				c: mockRequiredTagsClient{},
+				request: &resource.ModifyPlanRequest{
+					Config: tfsdk.Config{
+						Raw:    rawValPartial,
+						Schema: resourceSchema,
+					},
+					State: tfsdk.State{
+						Raw:    tftypes.NewValue(resourceSchema.Type().TerraformType(ctx), nil), // Raw state is null on creation
+						Schema: resourceSchema,
+					},
+					Plan: tfsdk.Plan{
+						Raw:    rawValPartial,
+						Schema: resourceSchema,
+					},
+				},
+				response: &resource.ModifyPlanResponse{
+					Plan: tfsdk.Plan{
+						Raw:    rawValPartial,
+						Schema: resourceSchema,
+					},
+				},
+				when: Before,
+			},
+			wantDiags: diag.Diagnostics{diag.NewAttributeErrorDiagnostic(
+				path.Root(names.AttrTags),
+				"Missing Required Tags",
+				"An organizational tag policy requires the following tags for aws_test: [foo]",
+			),
+			},
+		},
+		{
+			name: "create, required tags",
+			opts: interceptorOptions[resource.ModifyPlanRequest, resource.ModifyPlanResponse]{
+				c: mockRequiredTagsClient{},
+				request: &resource.ModifyPlanRequest{
+					Config: tfsdk.Config{
+						Raw:    rawValRequired,
+						Schema: resourceSchema,
+					},
+					State: tfsdk.State{
+						Raw:    tftypes.NewValue(resourceSchema.Type().TerraformType(ctx), nil), // Raw state is null on creation
+						Schema: resourceSchema,
+					},
+					Plan: tfsdk.Plan{
+						Raw:    rawValRequired,
+						Schema: resourceSchema,
+					},
+				},
+				response: &resource.ModifyPlanResponse{
+					Plan: tfsdk.Plan{
+						Raw:    rawValRequired,
+						Schema: resourceSchema,
+					},
+				},
+				when: Before,
+			},
+		},
+		{
+			name: "create, unknown tag values",
+			opts: interceptorOptions[resource.ModifyPlanRequest, resource.ModifyPlanResponse]{
+				c: mockRequiredTagsClient{},
+				request: &resource.ModifyPlanRequest{
+					Config: tfsdk.Config{
+						Raw:    rawValUnknown,
+						Schema: resourceSchema,
+					},
+					State: tfsdk.State{
+						Raw:    tftypes.NewValue(resourceSchema.Type().TerraformType(ctx), nil), // Raw state is null on creation
+						Schema: resourceSchema,
+					},
+					Plan: tfsdk.Plan{
+						Raw:    rawValUnknown,
+						Schema: resourceSchema,
+					},
+				},
+				response: &resource.ModifyPlanResponse{
+					Plan: tfsdk.Plan{
+						Raw:    rawValUnknown,
+						Schema: resourceSchema,
+					},
+				},
+				when: Before,
+			},
+		},
 		{
 			name: "update, no tags change",
 			opts: interceptorOptions[resource.ModifyPlanRequest, resource.ModifyPlanResponse]{
@@ -162,6 +279,93 @@ func Test_resourceValidateRequiredTagsInterceptor(t *testing.T) {
 				when: Before,
 			},
 		},
+		{
+			name: "update, add required",
+			opts: interceptorOptions[resource.ModifyPlanRequest, resource.ModifyPlanResponse]{
+				c: mockRequiredTagsClient{},
+				request: &resource.ModifyPlanRequest{
+					Config: tfsdk.Config{
+						Raw:    rawValRequired,
+						Schema: resourceSchema,
+					},
+					State: tfsdk.State{
+						Raw:    rawValPartial,
+						Schema: resourceSchema,
+					},
+					Plan: tfsdk.Plan{
+						Raw:    rawValRequired,
+						Schema: resourceSchema,
+					},
+				},
+				response: &resource.ModifyPlanResponse{
+					Plan: tfsdk.Plan{
+						Raw:    rawValRequired,
+						Schema: resourceSchema,
+					},
+				},
+				when: Before,
+			},
+		},
+		{
+			name: "update, remove required",
+			opts: interceptorOptions[resource.ModifyPlanRequest, resource.ModifyPlanResponse]{
+				c: mockRequiredTagsClient{},
+				request: &resource.ModifyPlanRequest{
+					Config: tfsdk.Config{
+						Raw:    rawValPartial,
+						Schema: resourceSchema,
+					},
+					State: tfsdk.State{
+						Raw:    rawValRequired,
+						Schema: resourceSchema,
+					},
+					Plan: tfsdk.Plan{
+						Raw:    rawValPartial,
+						Schema: resourceSchema,
+					},
+				},
+				response: &resource.ModifyPlanResponse{
+					Plan: tfsdk.Plan{
+						Raw:    rawValRequired,
+						Schema: resourceSchema,
+					},
+				},
+				when: Before,
+			},
+			wantDiags: diag.Diagnostics{diag.NewAttributeErrorDiagnostic(
+				path.Root(names.AttrTags),
+				"Missing Required Tags",
+				"An organizational tag policy requires the following tags for aws_test: [foo]",
+			),
+			},
+		},
+		{
+			name: "update, unknown tag values",
+			opts: interceptorOptions[resource.ModifyPlanRequest, resource.ModifyPlanResponse]{
+				c: mockRequiredTagsClient{},
+				request: &resource.ModifyPlanRequest{
+					Config: tfsdk.Config{
+						Raw:    rawValUnknown,
+						Schema: resourceSchema,
+					},
+					State: tfsdk.State{
+						Raw:    rawValPartial,
+						Schema: resourceSchema,
+					},
+					Plan: tfsdk.Plan{
+						Raw:    rawValUnknown,
+						Schema: resourceSchema,
+					},
+				},
+				response: &resource.ModifyPlanResponse{
+					Plan: tfsdk.Plan{
+						Raw:    rawValUnknown,
+						Schema: resourceSchema,
+					},
+				},
+				when: Before,
+			},
+		},
 		{
 			name: "destroy",
 			opts: interceptorOptions[resource.ModifyPlanRequest, resource.ModifyPlanResponse]{

internal/provider/sdkv2/tags_interceptor.go

@@ -329,6 +329,10 @@ func validateRequiredTags() customizeDiffInterceptor {
 					return nil
 				}
 
+				if !d.GetRawPlan().GetAttr(names.AttrTags).IsWhollyKnown() {
+					return nil
+				}
+
 				cfgTags := tftags.New(ctx, d.Get(names.AttrTags).(map[string]any))
 				allTags := c.DefaultTagsConfig(ctx).MergeTags(cfgTags)
 				if allTags.ContainsAllKeys(reqTags) {