Terraform Core Version
1.13.5
citrixadc Provider Version
1.45.0
Operating system
Mac OS
Affected Resource(s)
Resource citrixadc_appfwprofile_csrftag_binding
My Terraform code:
_resource "citrixadc_appfwprofile" "this" {
name = "testme"
type = ["HTML"]
csrftagaction = ["log", "stats", "learn", "block"]
}
resource "citrixadc_appfwprofile_csrftag_binding" "postbox1" {
name = citrixadc_appfwprofile.this.name
csrftag = "i?^http://$"
csrfformactionurl = "i?^https://(fbt\-){0,1}sese\.hansemerkur\.de/postbox1$"
comment = "postbox1"
state = "ENABLED"
}
resource "citrixadc_appfwprofile_csrftag_binding" "postbox2" {
name = citrixadc_appfwprofile.this.name
csrftag = "i?^http://$"
csrfformactionurl = "i?^https://(fbt\-){0,1}sese\.hansemerkur\.de/postbox2$"
comment = "postbox2"
state = "ENABLED"
}_
Nitro Output after first apply:
HTTP/1.0 200 OK
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
connection: Keep-Alive
content-encoding: gzip
content-length: 379
content-type: application/json; charset=utf-8
date: Thu, 29 Jan 2026 09:24:26 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
feature-policy: camera 'none'; microphone 'none'; geolocation 'none'
keep-alive: timeout=15, max=98
pragma: no-cache
referrer-policy: no-referrer
server: Apache
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
{
"errorcode": 0,
"message": "Done",
"severity": "NONE",
"appfwprofile_csrftag_binding": [
{
"name": "testme",
"csrftag": "i?^http://$",
"csrfformactionurl": "i?^https://(fbt\-){
0,
1
}sese\.hansemerkur\.de/postbox2$",
"state": "ENABLED",
"comment": "postbox2",
"stateflag": "536870926",
"isautodeployed": "NOTAUTODEPLOYED",
"alertonly": "OFF",
"resourceid": "16e31981aaa6bb11acaf0dea499cc7b5941de38e5b2b8c70b5919e4138191811"
},
{
"name": "testme",
"csrftag": "i?^http://$",
"csrfformactionurl": "i?^https://(fbt\-){
0,
1
}sese\.hansemerkur\.de/postbox1$",
"state": "ENABLED",
"comment": "postbox1",
"stateflag": "536870926",
"isautodeployed": "NOTAUTODEPLOYED",
"alertonly": "OFF",
"resourceid": "f35d57d838e43815e940591577dbdcb3694fcba87f7a9a297ca7dbeadcab43e1"
}
]
}
Terraform output after first apply:
╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to citrixadc_appfwprofile_csrftag_binding.postbox1, provider "provider["registry.terraform.io/citrix/citrixadc"]" produced an unexpected
│ new value: Root object was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵
╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to citrixadc_appfwprofile_csrftag_binding.postbox2, provider "provider["registry.terraform.io/citrix/citrixadc"]" produced an unexpected
│ new value: Root object was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵
Terraform plan after first "failed" apply:
_Terraform will perform the following actions:
citrixadc_appfwprofile_csrftag_binding.postbox1 will be created
- resource "citrixadc_appfwprofile_csrftag_binding" "postbox1" {
- alertonly = (known after apply)
- comment = "postbox1"
- csrfformactionurl = "i?^https://(fbt\-){0,1}sese\.hansemerkur\.de/postbox1$"
- csrftag = "i?^http://$"
- id = (known after apply)
- isautodeployed = (known after apply)
- name = "testme"
- resourceid = (known after apply)
- ruletype = (known after apply)
- state = "ENABLED"
}
citrixadc_appfwprofile_csrftag_binding.postbox2 will be created
- resource "citrixadc_appfwprofile_csrftag_binding" "postbox2" {
- alertonly = (known after apply)
- comment = "postbox2"
- csrfformactionurl = "i?^https://(fbt\-){0,1}sese\.hansemerkur\.de/postbox2$"
- csrftag = "i?^http://$"
- id = (known after apply)
- isautodeployed = (known after apply)
- name = "testme"
- resourceid = (known after apply)
- ruletype = (known after apply)
- state = "ENABLED"
}
Plan: 2 to add, 0 to change, 0 to destroy._
Terraform apply after first "failed" apply:
citrixadc_appfwprofile_csrftag_binding.postbox1: Creating...
citrixadc_appfwprofile_csrftag_binding.postbox2: Creating...
╷
│ Error: [ERROR] nitro-go: Failed to update resource of type appfwprofile_csrftag_binding, err=failed: 409 Conflict ({ "errorcode": 273, "message": "Resource already exists", "severity": "ERROR" })
│
│ with citrixadc_appfwprofile_csrftag_binding.postbox1,
│ on main.tf line 7, in resource "citrixadc_appfwprofile_csrftag_binding" "postbox1":
│ 7: resource "citrixadc_appfwprofile_csrftag_binding" "postbox1" {
│
╵
╷
│ Error: [ERROR] nitro-go: Failed to update resource of type appfwprofile_csrftag_binding, err=failed: 409 Conflict ({ "errorcode": 273, "message": "Resource already exists", "severity": "ERROR" })
│
│ with citrixadc_appfwprofile_csrftag_binding.postbox2,
│ on main.tf line 15, in resource "citrixadc_appfwprofile_csrftag_binding" "postbox2":
│ 15: resource "citrixadc_appfwprofile_csrftag_binding" "postbox2" {
│
╵
Issue:
- comparison between TF and Infrastructure is not done using all attributes of a citrixadc_appfwprofile_csrftag_binding. And therefor terraform is producing error ""Resource already exist". Please include all attributes above for comparison.
Equivalent NetScaler CLI Command
bind appfw profile testme -isRegex NOTREGEX -isRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -CSRFTag "i?^http://$" "i?^https://(fbt\-){0,1}sese\.hansemerkur\.de/postbox1$" -comment postbox1 -state ENABLED -isAutoDeployed NOTAUTODEPLOYED -RuleType ALLOW
bind appfw profile testme -isRegex NOTREGEX -isRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -CSRFTag "i?^http://$" "i?^https://(fbt\-){0,1}sese\.hansemerkur\.de/postbox2$" -comment postbox2 -state ENABLED -isAutoDeployed NOTAUTODEPLOYED -RuleType ALLOW
Expected Behavior
Expected is:
- Terraform will create two csrftag relaxation rules.
- Changing the params using terraform has to reflect the changes in infrastructure
- Terraform destroy will remove the resources from infrastructure
Actual Behavior
After first apply the relaxations are created in the infrastructure, but with "... Error: Provider produced inconsistent result after apply ...".
Second apply is producing:
│ Error: [ERROR] nitro-go: Failed to update resource of type appfwprofile_csrftag_binding, err=failed: 409 Conflict ({ "errorcode": 273, "message": "Resource already exists", "severity": "ERROR" })
Every apply after second apply will also not work with same
Relevant Error/Panic Output Snippet
Terraform Configuration Files
main.tf.txt
Steps to Reproduce
first Terraform apply: "... This is a bug in the provider, which should be reported in the provider's own issue tracker. ..."
second++ Terraform apply: "... │ Error: [ERROR] nitro-go: Failed to update resource of type appfwprofile_csrftag_binding, err=failed: 409 Conflict ({ "errorcode": 273, "message": "Resource already exists", "severity": "ERROR" }) ..."
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
No response
Terraform Core Version
1.13.5
citrixadc Provider Version
1.45.0
Operating system
Mac OS
Affected Resource(s)
Resource citrixadc_appfwprofile_csrftag_binding
My Terraform code:
_resource "citrixadc_appfwprofile" "this" {
name = "testme"
type = ["HTML"]
csrftagaction = ["log", "stats", "learn", "block"]
}
resource "citrixadc_appfwprofile_csrftag_binding" "postbox1" {
name = citrixadc_appfwprofile.this.name
csrftag = "i?^http://$"
csrfformactionurl = "i?^https://(fbt\-){0,1}sese\.hansemerkur\.de/postbox1$"
comment = "postbox1"
state = "ENABLED"
}
resource "citrixadc_appfwprofile_csrftag_binding" "postbox2" {
name = citrixadc_appfwprofile.this.name
csrftag = "i?^http://$"
csrfformactionurl = "i?^https://(fbt\-){0,1}sese\.hansemerkur\.de/postbox2$"
comment = "postbox2"
state = "ENABLED"
}_
Nitro Output after first apply:
HTTP/1.0 200 OK
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
connection: Keep-Alive
content-encoding: gzip
content-length: 379
content-type: application/json; charset=utf-8
date: Thu, 29 Jan 2026 09:24:26 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
feature-policy: camera 'none'; microphone 'none'; geolocation 'none'
keep-alive: timeout=15, max=98
pragma: no-cache
referrer-policy: no-referrer
server: Apache
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
{
"errorcode": 0,
"message": "Done",
"severity": "NONE",
"appfwprofile_csrftag_binding": [
{
"name": "testme",
"csrftag": "i?^http://$",
"csrfformactionurl": "i?^https://(fbt\-){
0,
1
}sese\.hansemerkur\.de/postbox2$",
"state": "ENABLED",
"comment": "postbox2",
"stateflag": "536870926",
"isautodeployed": "NOTAUTODEPLOYED",
"alertonly": "OFF",
"resourceid": "16e31981aaa6bb11acaf0dea499cc7b5941de38e5b2b8c70b5919e4138191811"
},
{
"name": "testme",
"csrftag": "i?^http://$",
"csrfformactionurl": "i?^https://(fbt\-){
0,
1
}sese\.hansemerkur\.de/postbox1$",
"state": "ENABLED",
"comment": "postbox1",
"stateflag": "536870926",
"isautodeployed": "NOTAUTODEPLOYED",
"alertonly": "OFF",
"resourceid": "f35d57d838e43815e940591577dbdcb3694fcba87f7a9a297ca7dbeadcab43e1"
}
]
}
Terraform output after first apply:
╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to citrixadc_appfwprofile_csrftag_binding.postbox1, provider "provider["registry.terraform.io/citrix/citrixadc"]" produced an unexpected
│ new value: Root object was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵
╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to citrixadc_appfwprofile_csrftag_binding.postbox2, provider "provider["registry.terraform.io/citrix/citrixadc"]" produced an unexpected
│ new value: Root object was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵
Terraform plan after first "failed" apply:
_Terraform will perform the following actions:
citrixadc_appfwprofile_csrftag_binding.postbox1 will be created
}
citrixadc_appfwprofile_csrftag_binding.postbox2 will be created
}
Plan: 2 to add, 0 to change, 0 to destroy._
Terraform apply after first "failed" apply:
citrixadc_appfwprofile_csrftag_binding.postbox1: Creating...
citrixadc_appfwprofile_csrftag_binding.postbox2: Creating...
╷
│ Error: [ERROR] nitro-go: Failed to update resource of type appfwprofile_csrftag_binding, err=failed: 409 Conflict ({ "errorcode": 273, "message": "Resource already exists", "severity": "ERROR" })
│
│ with citrixadc_appfwprofile_csrftag_binding.postbox1,
│ on main.tf line 7, in resource "citrixadc_appfwprofile_csrftag_binding" "postbox1":
│ 7: resource "citrixadc_appfwprofile_csrftag_binding" "postbox1" {
│
╵
╷
│ Error: [ERROR] nitro-go: Failed to update resource of type appfwprofile_csrftag_binding, err=failed: 409 Conflict ({ "errorcode": 273, "message": "Resource already exists", "severity": "ERROR" })
│
│ with citrixadc_appfwprofile_csrftag_binding.postbox2,
│ on main.tf line 15, in resource "citrixadc_appfwprofile_csrftag_binding" "postbox2":
│ 15: resource "citrixadc_appfwprofile_csrftag_binding" "postbox2" {
│
╵
Issue:
Equivalent NetScaler CLI Command
bind appfw profile testme -isRegex NOTREGEX -isRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -CSRFTag "i?^http://$" "i?^https://(fbt\-){0,1}sese\.hansemerkur\.de/postbox1$" -comment postbox1 -state ENABLED -isAutoDeployed NOTAUTODEPLOYED -RuleType ALLOW
bind appfw profile testme -isRegex NOTREGEX -isRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -CSRFTag "i?^http://$" "i?^https://(fbt\-){0,1}sese\.hansemerkur\.de/postbox2$" -comment postbox2 -state ENABLED -isAutoDeployed NOTAUTODEPLOYED -RuleType ALLOW
Expected Behavior
Expected is:
Actual Behavior
After first apply the relaxations are created in the infrastructure, but with "... Error: Provider produced inconsistent result after apply ...".
Second apply is producing:
│ Error: [ERROR] nitro-go: Failed to update resource of type appfwprofile_csrftag_binding, err=failed: 409 Conflict ({ "errorcode": 273, "message": "Resource already exists", "severity": "ERROR" })
Every apply after second apply will also not work with same
Relevant Error/Panic Output Snippet
Terraform Configuration Files
main.tf.txt
Steps to Reproduce
first Terraform apply: "... This is a bug in the provider, which should be reported in the provider's own issue tracker. ..."
second++ Terraform apply: "... │ Error: [ERROR] nitro-go: Failed to update resource of type appfwprofile_csrftag_binding, err=failed: 409 Conflict ({ "errorcode": 273, "message": "Resource already exists", "severity": "ERROR" }) ..."
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
No response