FlexibleEngineCloud / terraform-provider-flexibleengine

Terraform flexibleengine provider
https://www.terraform.io/docs/providers/flexibleengine/
Mozilla Public License 2.0

Timeout/retry for IAM roles and KMS keys provisioning #1120

Open bkondek opened 5 months ago

bkondek commented 5 months ago

Hello,

I faced an issue with wrong timeouts/retry handling for some resources. During the first execution of "terraform apply" I receive errors with resource creation. When I run the same command with the same resources again, everything works fine. I detected such errors with IAM roles and KMS keys. Adding "--retry=5" to the "terraform apply" command fixes this issue, but it should work without this flag.

Terraform Version

1.5.2

Affected Resource(s)

Please list the resources as a list, for example:

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

resource "flexibleengine_identity_role_v3" "evs-global" {
  name        = "${var.name}-evs"
  description = "TF provisioned role"
  type        = "AX"
  policy = jsonencode({
    "Version" = "1.1",
    "Statement" : [
      {
        "Action" : [
          "iam:groups:getGroup",
          "iam:identityProviders:getOpenIDConnectConfig",
          "iam:identityProviders:getIdentityProvider",
          "iam:users:getUser",
          "iam:identityProviders:getMapping",
          "iam:quotas:listQuotasForProject",
          "iam:agencies:getAgency",
          "iam:identityProviders:getProtocol",
          "iam:roles:getRole",
          "iam:identityProviders:getIDPMetadata",
          "iam:quotas:listQuotas",
          "iam:tokens:assume",
          "iam:credentials:getCredential"
        ],
        "Effect" : "Allow"
      }
    ]
  })
}

resource "flexibleengine_kms_key_v1" "buckets_regional" {
  count           = var.encryption.enabled_for.buckets && var.provider_config.tenant_name != "eu-west-0" ? 1 : 0

  key_alias       = "${var.name}-buckets-regional"
  key_description = "Region-wide key for buckets for ${var.name}"
  pending_days    = "7"
  is_enabled      = true
  provider = flexibleengine.regional
}

Panic Output

Error creating FlexibleEngine Role: Action forbidden: [POST https://iam.eu-west-0.prod-cloud-ocb.orange-business.com/v3.0/OS-ROLE/roles], request_id: , error message: Request not authorized

Error waiting for key (b5d9e6b2-d5b5-4711-b2ae-f1ca1512af21) to become ready: unexpected state '4', wanted target '2'. last error: %!s()

Expected Behavior

The mentioned resources are provisioned correctly without an additional "--retry" flag to "terraform apply" command.

Actual Behavior

The mentioned resources are frequently created only during the second or third execution of the "terraform apply" command.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply
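The two errors in the report are the two classic shapes of an eventual-consistency bug in a provider: an API call that is rejected right after the permissions it depends on were issued, and a state-wait that aborts because the observed state was not declared as a transitional ("pending") state. The Go program below is an added illustration and is not code from the terraform-provider-flexibleengine project or from the Terraform SDK. It assumes constructed fake IAM and KMS clients (`fakeIAM`, `fakeKMS`), treats "Request not authorized" as retryable only inside a bounded deadline, and treats key state '4' as transitional purely for the demonstration: the issue does not say what '4' means, so a real fix would first confirm that from the KMS API documentation.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Sentinel for the "Request not authorized" class of failure seen in the issue.
// Here it is treated as transient for a bounded window only, because the
// reporter observed the same request succeeding on the next apply.
var errNotAuthorized = errors.New("Action forbidden: Request not authorized")

// retryTransient runs op until it succeeds, until isTransient rejects the error,
// or until the overall deadline elapses. Backoff doubles from base, capped at 8x.
// It returns the number of attempts made so the caller can log or test it.
func retryTransient(deadline, base time.Duration, isTransient func(error) bool, op func() error) (int, error) {
	start := time.Now()
	wait := base
	for attempt := 1; ; attempt++ {
		err := op()
		if err == nil {
			return attempt, nil
		}
		if !isTransient(err) {
			return attempt, fmt.Errorf("attempt %d: non-retryable: %w", attempt, err)
		}
		if time.Since(start)+wait > deadline {
			return attempt, fmt.Errorf("timed out after %d attempts (%s), last error: %w", attempt, deadline, err)
		}
		time.Sleep(wait)
		if wait < 8*base {
			wait *= 2
		}
	}
}

// waitForState polls refresh until it reports a target state. A state that is
// neither pending nor target fails immediately, producing the same shape of
// message as the KMS error in the issue: every transitional state the API can
// legitimately report must be listed in pending, or the wait aborts on it.
func waitForState(refresh func() (string, error), pending, target []string, interval, timeout time.Duration) (string, error) {
	start := time.Now()
	for {
		state, err := refresh()
		if err != nil {
			return "", fmt.Errorf("refreshing state: %w", err)
		}
		if contains(target, state) {
			return state, nil
		}
		if !contains(pending, state) {
			return state, fmt.Errorf("unexpected state '%s', wanted target '%s'", state, strings.Join(target, ","))
		}
		if time.Since(start) > timeout {
			return state, fmt.Errorf("timeout after %s while still in state '%s'", timeout, state)
		}
		time.Sleep(interval)
	}
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// fakeIAM is a constructed stand-in: it rejects the first rejectFirst calls,
// simulating an endpoint that has not yet seen the caller's fresh permissions.
type fakeIAM struct{ rejectFirst, calls int }

func (f *fakeIAM) CreateRole(name string) (string, error) {
	f.calls++
	if f.calls <= f.rejectFirst {
		return "", errNotAuthorized
	}
	return "role-" + name, nil
}

// fakeKMS is a constructed stand-in: the key reports state '4' on the first
// pollsUntilReady-1 polls and '2' afterwards.
type fakeKMS struct{ pollsUntilReady, polls int }

func (k *fakeKMS) KeyState() (string, error) {
	k.polls++
	if k.polls < k.pollsUntilReady {
		return "4", nil
	}
	return "2", nil
}

func main() {
	iam := &fakeIAM{rejectFirst: 2}
	isTransient := func(err error) bool { return errors.Is(err, errNotAuthorized) }
	attempts, err := retryTransient(2*time.Second, 50*time.Millisecond, isTransient, func() error {
		_, e := iam.CreateRole("example-evs")
		return e
	})
	fmt.Println("role creation attempts:", attempts, "err:", err)

	kms := &fakeKMS{pollsUntilReady: 3}
	state, err := waitForState(kms.KeyState, []string{"4"}, []string{"2"}, 50*time.Millisecond, 2*time.Second)
	fmt.Println("final key state:", state, "err:", err)
}
```

The deadline in `retryTransient` is the important design choice: retrying an authorization error without a cap would hide a genuine permission denial behind a hang, so the window should be short (seconds, not minutes) and the final error should carry the last API message, as it does here, so that a real "not authorized" still surfaces in the apply output.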