Kong / terraform-provider-konnect


503 while trying to create a Service Account #22

Closed andrea-migliaccio closed 1 week ago

andrea-migliaccio commented 3 weeks ago

Hi, after successfully provisioning several other resources (control plane groups, control plane, cp membership and key vaults) I moved to Service Account, but I'm getting this weird error while trying to provision a System Account defined as follows:

resource "konnect_system_account" "dev-cicd-system-account" {
  name            = "DEV CI/CD System Account"
  description     = "CI/CD System Account for DEV"
  konnect_managed = false
}

Did I do something wrong in the above 4 lines, or is the resource provisioner failing for other reasons?

2024-06-10T19:10:06.617+0200 [INFO]  backend/local: apply calling Apply
2024-06-10T19:10:06.622+0200 [INFO]  provider: configuring client automatic mTLS
2024-06-10T19:10:06.629+0200 [INFO]  provider.terraform-provider-konnect_v0.2.5: configuring server automatic mTLS: timestamp="2024-06-10T19:10:06.629+0200"
konnect_system_account.dev-cicd-system-account: Creating...
2024-06-10T19:10:06.648+0200 [INFO]  Starting apply for konnect_system_account.dev-cicd-system-account
2024-06-10T19:10:06.753+0200 [ERROR] provider.terraform-provider-konnect_v0.2.5: Response contains error diagnostic: @module=sdk.proto tf_proto_version=6.4 tf_provider_addr=registry.terraform.io/kong/konnect tf_resource_type=konnect_system_account diagnostic_severity=ERROR diagnostic_summary="failure to invoke API" tf_req_id=ab33f399-c4e0-3739-9ae9-1d141fdc8482 tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/terraform-plugin-go@v0.22.1/tfprotov6/internal/diag/diagnostics.go:58
  diagnostic_detail=
  | unknown status code returned: Status 503
  | {
  |   "message":"name resolution failed",
  |   "request_id":"9fc0005283eb8e738a627f7632196907"
  | }
   timestamp="2024-06-10T19:10:06.753+0200"
2024-06-10T19:10:06.761+0200 [ERROR] vertex "konnect_system_account.dev-cicd-system-account" error: failure to invoke API
╷
│ Error: failure to invoke API
│
│   with konnect_system_account.dev-cicd-system-account,
│   on system-account.tf line 1, in resource "konnect_system_account" "dev-cicd-system-account":
│    1: resource "konnect_system_account" "dev-cicd-system-account" {
│
│ unknown status code returned: Status 503
│ {
│   "message":"name resolution failed",
│   "request_id":"9fc0005283eb8e738a627f7632196907"
│ }

mheap commented 2 weeks ago

I've just run a test for this resource and it all worked fine.

Source: https://github.com/Kong/terraform-provider-konnect/blob/main/tests/e2e/system-accounts.tf#L1-L5

Logs: https://github.com/Kong/terraform-provider-konnect/actions/runs/9515917745/job/26231140491#step:5:270

The name resolution failed error indicates that it's a DNS/connectivity issue on your end. Is it still happening?

andrea-migliaccio commented 2 weeks ago

It still fails with the same 503. It's just this resource so far... I'll make further tests and provide more info next Monday

andrea-migliaccio commented 2 weeks ago

I'm provisioning several resources now (control plane, control plane groups, control plane group membership, vault, open telemetry plugin, file-log plugin). But every time I try to provision the Service Account resource I get that "name resolution failed".

I tried to set the TF_LOG variable to TRACE but no details of the API call are logged. I've also taken a look at the provider source code but I couldn't find any debug print about the API URLs. BTW, it should be using the "server_url" variable of the provider config, just like any other resource. I really can't figure out what may be wrong.

mheap commented 1 week ago

This is very strange. Let me try and dig in

mheap commented 1 week ago

@andrea-migliaccio Are you using the US, EU or AU region for Konnect?

andrea-migliaccio commented 1 week ago

> @andrea-migliaccio Are you using the US, EU or AU region for Konnect?

EU Region in my case.


mheap commented 1 week ago

Thank you - I've managed to reproduce. I'll have a fix up for this today

andrea-migliaccio commented 5 days ago

I confirm that the issue is now solved! Thanks @mheap!

Now I just need to set up a proper pat-token renewal process, since we can't just update the expiration date of the PAT-token once we have created them.

The only way I've figured out so far is to rename the TF konnect_system_account_access_token resource once in a while... That should cause the deletion of the old resource and the creation of a new one with a new token (then I'd save it into an Azure Key Vault for being used by the CI/CD processes afterwards)
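
Added example, not part of the thread or the provider's code: a CI job can read `terraform show -json` and pass `-replace=ADDRESS` to `terraform apply` for tokens close to expiry, which gives the same delete-and-recreate effect as the rename described above. The `expires_at` attribute name, the resource addresses and the sample state are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

TOKEN_TYPE = "konnect_system_account_access_token"

# Constructed sample of `terraform show -json` output (not from the issue).
SAMPLE_STATE = json.loads("""
{"values": {"root_module": {
  "resources": [
    {"address": "konnect_system_account_access_token.cicd",
     "type": "konnect_system_account_access_token",
     "values": {"name": "cicd", "expires_at": "2024-07-01T00:00:00Z"}},
    {"address": "konnect_system_account.dev-cicd-system-account",
     "type": "konnect_system_account",
     "values": {"name": "DEV CI/CD System Account"}}],
  "child_modules": [{"address": "module.prod", "resources": [
    {"address": "module.prod.konnect_system_account_access_token.cicd",
     "type": "konnect_system_account_access_token",
     "values": {"name": "prod", "expires_at": "2025-01-01T00:00:00Z"}}]}]
}}}
""")

def walk(module):
    """Yield every resource in a module and its nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def tokens_to_rotate(state, now, window_days=14):
    """Return addresses of tokens that expire within window_days of now."""
    cutoff = now + timedelta(days=window_days)
    due = []
    for res in walk(state.get("values", {}).get("root_module", {})):
        if res.get("type") != TOKEN_TYPE:
            continue
        raw = res.get("values", {}).get("expires_at")  # assumed attribute name
        if not raw:  # no expiry recorded: flag it so someone reviews it
            due.append(res["address"])
            continue
        expires = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        if expires.tzinfo is None:  # treat naive timestamps as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= cutoff:
            due.append(res["address"])
    return due

def replace_args(addresses):
    """Build one -replace flag per address for `terraform apply`."""
    return [f"-replace={a}" for a in addresses]
```

`terraform show -json` prints sensitive state values, including the token itself, in plain text, so pipe it straight into the check rather than keeping it as a build artifact or log.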