PR #1892 (TBD-A32 fix for shared-zone collision) introduced an HCL
"Inconsistent conditional result types" error at infra/hetzner/main.tf
line 468. Every fresh prov failed at tofu plan in 23s, e.g. A127 t29
attempt (deployment 4afd9ebceea92547) at 2026-05-19 01:08:41Z.
Root cause: `local.per_prov_listeners` was defined as

    local.parent_domains_includes_sovereign_fqdn ? [] : [HTTPS_obj, HTTP_obj]

HCL/tofu cannot unify the conditional arms: the true arm is `tuple([])`
(length 0) and the false arm is `tuple([obj_with_tls, obj_without_tls])`
(length 2). Even moving the conditional to the consumer line in
`concat()` did not fix it — the same length-0 vs length-2 tuple
unification still fails.
Fix: emit `per_prov_listeners` unconditionally as the 2-element tuple,
then suppress it at the `concat()` consumer with a for-iteration filter

    [for l in local.per_prov_listeners : l if !<collides>]

which always produces a list (length 0 or 2 — same element type), so HCL
never needs to unify two tuple types.
Validated locally with OpenTofu v1.8.5 against a minimal tfvars fixture:
- `tofu validate` → "Success! The configuration is valid."
- `tofu console` with sovereign_fqdn="t29.omani.works", parent="omani.works":
  emits 4 listeners (parent https/http for *.omani.works + per-prov
  https-t29-omani-works/http-t29-omani-works for *.t29.omani.works) —
  matches PR #1892's intent.
- `tofu console` with sovereign_fqdn="omani.works" (collision):
  emits 2 listeners (only parent https/http) — collision guard preserved.
No chart bump; this is a tofu-only change. Re-closes #1886 after #1892
re-opened it via the type-mismatch regression.
Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
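
The regressed conditional and the for-filter form described in the commit message above, as an added example that is not the project's own `main.tf`. The two variables, the `slug` and `parent_listeners` locals, the listener attributes and the parent listener names are constructed for illustration.

```hcl
variable "sovereign_fqdn" {
  type    = string
  default = "t29.omani.works"
}

variable "parent_domains" {
  type    = list(string)
  default = ["omani.works"]
}

locals {
  # True when the sovereign FQDN is itself a parent zone (the collision case).
  parent_domains_includes_sovereign_fqdn = contains(var.parent_domains, var.sovereign_fqdn)
  slug                                   = replace(var.sovereign_fqdn, ".", "-")

  # Constructed parent listeners for *.omani.works.
  parent_listeners = [
    { name = "https", port = 443, tls = { sni = "*.omani.works" } },
    { name = "http", port = 80 },
  ]

  # Regressed form, kept as a comment: the arms are tuple([]) and a
  # 2-element tuple of differently shaped objects, so plan fails with
  # "Inconsistent conditional result types".
  #
  # per_prov_listeners = local.parent_domains_includes_sovereign_fqdn ? [] : [ ... ]

  # Fixed form: always the 2-element tuple.
  per_prov_listeners = [
    { name = "https-${local.slug}", port = 443, tls = { sni = "*.${var.sovereign_fqdn}" } },
    { name = "http-${local.slug}", port = 80 },
  ]

  # The filter drops both entries on collision, so no conditional
  # expression is left for HCL to unify.
  listeners = concat(
    local.parent_listeners,
    [for l in local.per_prov_listeners : l if !local.parent_domains_includes_sovereign_fqdn],
  )
}

output "listener_names" {
  value = [for l in local.listeners : l.name]
}
```

Setting `sovereign_fqdn` to `omani.works` exercises the collision branch of the filter.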