`lifecycle.action_trigger` executes actions before resource creation/update is completed

[jeremmfr]

Terraform Version

Terraform v1.14.0
on darwin_arm64
+ provider registry.terraform.io/hashicorp/local v2.6.1

Terraform Configuration Files

resource "local_file" "foo" {
  content  = "foo!bar"
  filename = "/tmp/foo.bar"

  lifecycle {
    action_trigger {
      events  = [after_create, after_update]
      actions = [action.local_command.bar]
    }
  }
}

action "local_command" "bar" {
  config {
    command   = "cat"
    arguments = ["/tmp/foo.bar"]
  }
}

Debug Output

https://gist.github.com/jeremmfr/87c348af5c77d22e5e10c8133d99e821

Expected Behavior

When using lifecycle.action_trigger with after_create or after_update events, the triggered action should execute after the resource has been fully created/updated and its side effects (like file creation) are completed.

In the example above, the local_command action should run after the file /tmp/foo.bar has been successfully written to disk, allowing the cat command to read its contents.

Actual Behavior

The action is triggered before the resource creation is completed. The local_command action fails because the file /tmp/foo.bar does not exist yet when the action attempts to read it.

This suggests that after_create and after_update events are firing before the resource's side effects are finalized, despite the "after_" prefix implying completion.

Steps to Reproduce

1. Create a Terraform configuration with the above code
2. terraform init
3. terraform apply
4. Observe that the action fails with an error indicating the file does not exist

Additional Context

This timing issue affects the reliability of action_trigger when actions depend on the actual completion of resource operations, not just the API call completion.

References

None

Generative AI / LLM assisted development?

No

[crw]

Thanks for this report!

[fox-md]

Hi,

I am seeing the same behavior with below setup.
After_update action seems to be triggered before the actual resource gets created/updated.

2025-11-23T13:22:52.164+0200 [INFO] provider.terraform-provider-aws_v6.22.1_x5: Starting CloudFront cache invalidation action: timeout=15m0s distribution_id=ABDCEF1234567 tf_action_type=aws_cloudfront_create_invalidation tf_req_id=bc9bf29f-f4cd-1732-e98a-cb51d2a6ba34 tf_rpc=InvokeAction @caller=github.com/hashicorp/terraform-provider-aws/internal/service/cloudfront/create_invalidation_action.go:146 @module=aws caller_reference=terraform-20251123112252164600000001 paths=[/*] tf_mux_provider="*proto5server.Server" tf_provider_addr=registry.terraform.io/hashicorp/aws timestamp="2025-11-23T13:22:52.164+0200"
Action action.aws_cloudfront_create_invalidation.invalidate (triggered by aws_s3_object.index): Starting cache invalidation for CloudFront distribution ABDCEF1234567...
2025-11-23T13:22:52.176+0200 [WARN] Provider "registry.terraform.io/hashicorp/aws" produced an invalid plan for aws_s3_object.index, but we are tolerating it because it is using the legacy plugin SDK.
aws_s3_object.index: Modifying... [id=test-bucket/index.html]
2025-11-23T13:22:52.179+0200 [INFO] Starting apply for aws_s3_object.index

Terraform config

resource "aws_s3_object" "index" {
  bucket = "test-bucket"
  key    = "index.html"
  content = file("index.html")

  lifecycle {
    action_trigger {
      events  = [after_update]
      actions = [action.aws_cloudfront_create_invalidation.invalidate]
    }
  }
}

action "aws_cloudfront_create_invalidation" "invalidate" {
  config {
    distribution_id = "ABDCEF1234567"
    paths           = ["/*"]
  }
}

Full log

TF_LOG=INFO terraform apply
2025-11-23T13:22:19.486+0200 [INFO]  Terraform version: 1.14.0
2025-11-23T13:22:19.487+0200 [INFO]  Go runtime version: go1.25.4
2025-11-23T13:22:19.487+0200 [INFO]  CLI args: []string{"terraform", "apply"}
2025-11-23T13:22:19.489+0200 [INFO]  CLI command args: []string{"apply"}
2025-11-23T13:22:22.493+0200 [ERROR] Checkpoint error: Get "https://checkpoint-api.hashicorp.com/v1/check/terraform?arch=amd64&os=linux&signature=ffb5d3a1-e864-9ee8-00d2-47484871f9ad&version=1.14.0": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
2025-11-23T13:22:23.779+0200 [INFO]  backend/local: starting Apply operation
2025-11-23T13:22:23.798+0200 [INFO]  provider: configuring client automatic mTLS
2025-11-23T13:22:24.365+0200 [INFO]  provider.terraform-provider-aws_v6.22.1_x5: configuring server automatic mTLS: timestamp="2025-11-23T13:22:24.364+0200"
2025-11-23T13:22:26.928+0200 [INFO]  provider: plugin process exited: plugin=.terraform/providers/registry.terraform.io/hashicorp/aws/6.22.1/linux_amd64/terraform-provider-aws_v6.22.1_x5 id=2557
2025-11-23T13:22:26.931+0200 [INFO]  provider: configuring client automatic mTLS
2025-11-23T13:22:27.244+0200 [INFO]  provider.terraform-provider-aws_v6.22.1_x5: configuring server automatic mTLS: timestamp="2025-11-23T13:22:27.243+0200"
2025-11-23T13:22:27.335+0200 [INFO]  provider: plugin process exited: plugin=.terraform/providers/registry.terraform.io/hashicorp/aws/6.22.1/linux_amd64/terraform-provider-aws_v6.22.1_x5 id=2572
2025-11-23T13:22:27.336+0200 [INFO]  backend/local: apply calling Plan
2025-11-23T13:22:27.339+0200 [INFO]  provider: configuring client automatic mTLS
2025-11-23T13:22:27.707+0200 [INFO]  provider.terraform-provider-aws_v6.22.1_x5: configuring server automatic mTLS: timestamp="2025-11-23T13:22:27.706+0200"
2025-11-23T13:22:27.939+0200 [INFO]  provider.terraform-provider-aws_v6.22.1_x5: Retrieved credentials: tf_aws.credentials_source="SharedConfigCredentials: /home/alex/.aws/credentials" tf_req_id=953559c3-ec4f-1da2-90ce-e281421e4bdb tf_rpc=ConfigureProvider @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.68/logging/tf_logger.go:39 @module=aws.aws-base tf_mux_provider="*schema.GRPCProviderServer" tf_provider_addr=registry.terraform.io/hashicorp/aws timestamp="2025-11-23T13:22:27.938+0200"
2025-11-23T13:22:33.405+0200 [INFO]  provider.terraform-provider-aws_v6.22.1_x5: Retrieved caller identity from STS: @module=aws.aws-base tf_mux_provider="*schema.GRPCProviderServer" tf_req_id=953559c3-ec4f-1da2-90ce-e281421e4bdb @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.68/logging/tf_logger.go:39 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ConfigureProvider timestamp="2025-11-23T13:22:33.405+0200"
aws_s3_object.index: Refreshing state... [id=test-bucket/index.html]
2025-11-23T13:22:38.734+0200 [WARN]  Provider "registry.terraform.io/hashicorp/aws" produced an invalid plan for aws_s3_object.index, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .content_disposition: planned value cty.StringVal("") for a non-computed attribute
      - .content_encoding: planned value cty.StringVal("") for a non-computed attribute
      - .force_destroy: planned value cty.False for a non-computed attribute
      - .cache_control: planned value cty.StringVal("") for a non-computed attribute
      - .object_lock_mode: planned value cty.StringVal("") for a non-computed attribute
      - .object_lock_retain_until_date: planned value cty.StringVal("") for a non-computed attribute
      - .tags: planned value cty.MapValEmpty(cty.String) for a non-computed attribute
      - .metadata: planned value cty.MapValEmpty(cty.String) for a non-computed attribute
      - .website_redirect: planned value cty.StringVal("") for a non-computed attribute
      - .content_language: planned value cty.StringVal("") for a non-computed attribute
      - .object_lock_legal_hold_status: planned value cty.StringVal("") for a non-computed attribute
2025-11-23T13:22:38.776+0200 [INFO]  provider: plugin process exited: plugin=.terraform/providers/registry.terraform.io/hashicorp/aws/6.22.1/linux_amd64/terraform-provider-aws_v6.22.1_x5 id=2583

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_s3_object.index will be updated in-place
  ~ resource "aws_s3_object" "index" {
      ~ content                       = <<-EOT
            1
            2
          + 3
        EOT
        id                            = "test-bucket/index.html"
        tags                          = {}
      + version_id                    = (known after apply)
        # (25 unchanged attributes hidden)
    }

    # Actions to be invoked after this change in order:
    action "aws_cloudfront_create_invalidation" "invalidate" {
        config {
            distribution_id = "ABDCEF1234567"
            paths           = [
                "/*",
            ]
        }
    }


Plan: 0 to add, 1 to change, 0 to destroy. Actions: 1 to invoke.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

2025-11-23T13:22:46.012+0200 [INFO]  backend/local: apply calling Apply
2025-11-23T13:22:46.015+0200 [INFO]  provider: configuring client automatic mTLS
2025-11-23T13:22:46.544+0200 [INFO]  provider.terraform-provider-aws_v6.22.1_x5: configuring server automatic mTLS: timestamp="2025-11-23T13:22:46.542+0200"
2025-11-23T13:22:46.790+0200 [INFO]  provider.terraform-provider-aws_v6.22.1_x5: Retrieved credentials: tf_rpc=ConfigureProvider @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.68/logging/tf_logger.go:39 tf_provider_addr=registry.terraform.io/hashicorp/aws @module=aws.aws-base tf_aws.credentials_source="SharedConfigCredentials: /home/alex/.aws/credentials" tf_mux_provider="*schema.GRPCProviderServer" tf_req_id=55f75619-43ee-1938-303a-37b8d4eb90df timestamp="2025-11-23T13:22:46.789+0200"
2025-11-23T13:22:52.141+0200 [INFO]  provider.terraform-provider-aws_v6.22.1_x5: Retrieved caller identity from STS: @caller=github.com/hashicorp/aws-sdk-go-base/v2@v2.0.0-beta.68/logging/tf_logger.go:39 tf_mux_provider="*schema.GRPCProviderServer" tf_provider_addr=registry.terraform.io/hashicorp/aws @module=aws.aws-base tf_req_id=55f75619-43ee-1938-303a-37b8d4eb90df tf_rpc=ConfigureProvider timestamp="2025-11-23T13:22:52.141+0200"
Action started: action.aws_cloudfront_create_invalidation.invalidate (triggered by aws_s3_object.index)
2025-11-23T13:22:52.164+0200 [INFO]  provider.terraform-provider-aws_v6.22.1_x5: Starting CloudFront cache invalidation action: timeout=15m0s distribution_id=ABDCEF1234567 tf_action_type=aws_cloudfront_create_invalidation tf_req_id=bc9bf29f-f4cd-1732-e98a-cb51d2a6ba34 tf_rpc=InvokeAction @caller=github.com/hashicorp/terraform-provider-aws/internal/service/cloudfront/create_invalidation_action.go:146 @module=aws caller_reference=terraform-20251123112252164600000001 paths=[/*] tf_mux_provider="*proto5server.Server" tf_provider_addr=registry.terraform.io/hashicorp/aws timestamp="2025-11-23T13:22:52.164+0200"
Action action.aws_cloudfront_create_invalidation.invalidate (triggered by aws_s3_object.index): Starting cache invalidation for CloudFront distribution ABDCEF1234567...
2025-11-23T13:22:52.176+0200 [WARN]  Provider "registry.terraform.io/hashicorp/aws" produced an invalid plan for aws_s3_object.index, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .content_language: planned value cty.StringVal("") for a non-computed attribute
      - .object_lock_legal_hold_status: planned value cty.StringVal("") for a non-computed attribute
      - .content_disposition: planned value cty.StringVal("") for a non-computed attribute
      - .content_encoding: planned value cty.StringVal("") for a non-computed attribute
      - .force_destroy: planned value cty.False for a non-computed attribute
      - .cache_control: planned value cty.StringVal("") for a non-computed attribute
      - .object_lock_mode: planned value cty.StringVal("") for a non-computed attribute
      - .object_lock_retain_until_date: planned value cty.StringVal("") for a non-computed attribute
      - .tags: planned value cty.MapValEmpty(cty.String) for a non-computed attribute
      - .metadata: planned value cty.MapValEmpty(cty.String) for a non-computed attribute
      - .website_redirect: planned value cty.StringVal("") for a non-computed attribute
aws_s3_object.index: Modifying... [id=test-bucket/index.html]
2025-11-23T13:22:52.179+0200 [INFO]  Starting apply for aws_s3_object.index
2025-11-23T13:22:57.555+0200 [WARN]  Provider "provider[\"registry.terraform.io/hashicorp/aws\"]" produced an unexpected new value for aws_s3_object.index, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .etag: was cty.StringVal("6ddb4095eb719e2a9f0a3f95677d24e0"), but now cty.StringVal("c0710d6b4f15dfa88f600b0e6b624077")
aws_s3_object.index: Modifications complete after 6s [id=test-bucket/index.html]
Action action.aws_cloudfront_create_invalidation.invalidate (triggered by aws_s3_object.index): Creating invalidation request for 1 path(s)...
Action action.aws_cloudfront_create_invalidation.invalidate (triggered by aws_s3_object.index): Invalidation I9BVEL2LYTE0XHMCEI975XF9ZG created, waiting for completion...
Action action.aws_cloudfront_create_invalidation.invalidate (triggered by aws_s3_object.index): Invalidation I9BVEL2LYTE0XHMCEI975XF9ZG is currently 'InProgress', continuing to wait for completion...

Action action.aws_cloudfront_create_invalidation.invalidate (triggered by aws_s3_object.index): Invalidation I9BVEL2LYTE0XHMCEI975XF9ZG is currently 'InProgress', continuing to wait for completion...
2025-11-23T13:24:45.073+0200 [INFO]  provider.terraform-provider-aws_v6.22.1_x5: CloudFront invalidate cache action completed successfully: @module=aws distribution_id=ABDCEF1234567 tf_mux_provider="*proto5server.Server" tf_provider_addr=registry.terraform.io/hashicorp/aws @caller=github.com/hashicorp/terraform-provider-aws/internal/service/cloudfront/create_invalidation_action.go:273 invalidation_id=I9BVEL2LYTE0XHMCEI975XF9ZG paths=[/*] tf_action_type=aws_cloudfront_create_invalidation tf_req_id=bc9bf29f-f4cd-1732-e98a-cb51d2a6ba34 tf_rpc=InvokeAction timestamp="2025-11-23T13:24:45.073+0200"
Action action.aws_cloudfront_create_invalidation.invalidate (triggered by aws_s3_object.index): CloudFront cache invalidation I9BVEL2LYTE0XHMCEI975XF9ZG completed successfully for distribution ABDCEF1234567
Action complete: action.aws_cloudfront_create_invalidation.invalidate (triggered by aws_s3_object.index)
2025-11-23T13:24:45.118+0200 [INFO]  provider: plugin process exited: plugin=.terraform/providers/registry.terraform.io/hashicorp/aws/6.22.1/linux_amd64/terraform-provider-aws_v6.22.1_x5 id=2596

Apply complete! Resources: 0 added, 1 changed, 0 destroyed. Actions: 1 invoked.

HTH

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.