Closed oponomarov-tu closed 5 months ago
I did some more digging and reverting PagerDuty provider to version ~> 2.16.0
(2.16.2) did the trick, it all works again.
Apparently, version 3.7.1 could create a brand new escalation policy, but subsequently failed to update any attribute on it (as simple as description). Looking at the trace logs and headers, I've noticed that the PUT
operation was missing some attributes in the content, it looks like:
{
"escalation_policy": {
"description": "Managed by Terraform",
"escalation_rules": [
...
],
"name": "xxx Escalation Policy",
"num_loops": 9,
"teams": null
}
}
Comparing it to the PagerDuty API docs, it probably should have "type": "escalation_policy"
which we're missing (this type
is there though when creating the escalation policy initially with Terraform, which most likely is why it works).
I ran into this as well, exactly as described above.
hey guys, encountered the same issue and found the root cause In my case we are on Profesional subscription (also same behaviour for Free)
It can be tested easily with PagerDuty API https://developer.pagerduty.com/api-reference/f9b1e15e70a0c-update-an-escalation-policy
Steps to reproduce and verify the root cause
terraform apply
PUT request to /escalation_policies/<SOMEID> with body <JSON_PAYLOAD>
"escalation_rule_assignment_strategy":{"type":"assign_to_everyone"}
(which is added as a default value while terraform refreshes the state)NOTE for Devs
While initial creation of the resource, the escalation_rule_assignment_strategy
is not sent to API endpoint since it's not specified in the terraform configuration.
But during the update operation, terraform syncs from the remote state grabbing the "default" value of escalation_rule_assignment_strategy
which is causing the issue. The strategy accepts two values, and my guess that server validation only check the presense of the property, not its value.
Either check should be updated on backend to allow the "default" value implicitly set by terraform while refresh or fix in terraform provider to avoid syncing this field if it omitted in the resource configuration in .tf file.
The root cause of this issue, seems to be related with the pagerduty plan that is used. The configuration for escalation_rule_assignment_strategy
seems to be just allowed for Business and Digital Operations plans, https://support.pagerduty.com/docs/round-robin-scheduling , so other user levels shouldn't be able to set this.
The tf provider is computing the escalation_rule_assignment_strategy
resource field without taking into account this limitation, so if the pagerduty user doesn't have permissions to se it, the pagerduty_escalation_policy
can't be updated with 403 Forbidden
.
The error may be fixed here, https://github.com/PagerDuty/terraform-provider-pagerduty/blob/v3.9.0/pagerduty/resource_pagerduty_escalation_policy.go#L173 . The pagerduty.GetEscalationPolicyOptions
should just include the escalation_rule_assignment_strategies
if the user is allowed to set it (due to field is gonna be added to the PUT request if the read api response is including it). I guess a specific ability should exist for this, so checking it using the client https://github.com/heimweh/go-pagerduty/blob/master/pagerduty/ability.go#L15, before define the pagerduty.GetEscalationPolicyOptions
should fix the issue.
I forget to mention, the last version that should work fine on this is the v3.2.2
@rawmind0 Mate, thank you for the version suggestion, at least I can continue my imports! It works.
@imjaroiswebdev this wasn't fixed unfortunatelly.
Hey folks! I'm working on an improvement for this, which will be released shortly.
Please upgrade to PagerDuty Terraform provider v3.11.2 or newer to stop facing this issue. Thanks for your patience and feedback.
I can confirm v3.11.2 resolved the issue. Thanks! ❤️
@imjaroiswebdev, actually, looks like it is not resolved. Still failing to modify the resource in-place:
module.pagerduty.pagerduty_escalation_policy.team_oncall_escalation_policy: Still modifying... [id=<redacted>, 20s elapsed]
module.pagerduty.pagerduty_escalation_policy.team_oncall_escalation_policy: Still modifying... [id=<redacted>, 30s elapsed]
module.pagerduty.pagerduty_escalation_policy.team_oncall_escalation_policy: Still modifying... [id=<redacted>, 40s elapsed]
...
.terraform.lock.hcl
:
provider "registry.terraform.io/pagerduty/pagerduty" {
version = "3.11.2"
...
Same here, it looks like the provider is working longer, but eventually it fails. SECURE
logging doesn't provide any other valuable insight other than the 403 Forbidden message.
Bumping this one, same here. 🙏
A new patch for handling malformed 403 errors, which are the culprit in this case, is about to be released shortly. Please stay tuned.
Please one more time, upgrade to PagerDuty TF provider v3.11.4 or newer, this should solve the issue.
Confirmed, it worked on our side! Thanks a lot! 🙇♂️
Confirmed to be working here as well, thank you!
Awesome! Thanks to you all for the feedback and your patience 👏🏽 🎉
We are experiencing
403 Forbidden
error when attempting to modify existingpagerduty_escalation_policy
's target.Terraform Version
Affected Resource(s)
pagerduty_escalation_policy
Terraform Configuration Files
Debug Output
Expected Behavior
I expected the escalation policy to update the target schedule.
Actual Behavior
The provider is timed out after 5m with
403 Forbidden
error:Steps to Reproduce
Just
terraform apply
.Important Factoids
We tried:
Re. (6), example snippet: