Open programmerq opened 2 years ago
Additionally, when trying to import and then apply this change when terraform does the delete and recreate, I would occasionally see terraform report that it successfully deleted the old role, and then immediately fail to create one with the same name because it already exists. I was able to make this behavior happen slightly more frequently when I increased the latency between the teleport auth server and my etcd backend (`tc qdisc add dev eth0 root netem delay 4000ms` in my pod with my single etcd node in my test lab). The higher latency seemed to make it more likely to run into the race condition.
I wasn't able to reproduce this same failure in a case where an existing resource is renamed and therefore must be created, so it seems more likely that it is related to the delete/recreate mechanism that occurs when recreating an imported resource that has had this type of incomplete resource import.
Another customer is hitting this issue with applications, where the application gets added on the teleport side but is not propagated to the state file, and terraform believes the deploy failed, thus going through the same recreate process @programmerq described above.
@Aharic This should be fixed in 9.0.2; can you retry and get back to us?
When importing a role into the terraform state, only the very bare minimum that can be imported actually makes it to the `terraform.tfstate` file. This means that after import, `terraform plan` believes it needs to recreate the role because it doesn't have a reference to the role name in the state file. Recreating the role doesn't always work because teleport can refuse to delete a role if a user exists that references it, which prevents terraform from completing altogether.

Basically, the ask is for `terraform import` for all of the resource types in this provider to import the associated metadata so the state file will accurately reflect the state of the imported resource. The following example is for a role, but `terraform import` should grab the remote state for any teleport resource that is imported.

Considering the following existing role and terraform resource block:

Running `terraform import teleport_role.example example` results in the following tfstate json:

The `.resources.instances[0].attributes.metadata` value is simply an empty list. This means that `terraform plan` indicates that terraform must recreate the remote resource because it believes it's going from no name to a name:

This is incorrect and unnecessary. If I manually edit the `terraform.tfstate` to include at least `metadata.name="example"` in the existing role, then `terraform plan` is able to properly recognize that it doesn't need to delete and then recreate the role, but instead only needs to update it in place. `terraform.tfstate` manually updated:

Terraform still isn't aware of the other existing attributes on the existing resource, but it at least doesn't have the idea that it must recreate the role. The desirable behavior would be for all the remote values that can be grabbed to be included.
gz#3726
gz#4946
gz#5013
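As an added example (not code from this issue, the reporter, or the Teleport provider), a small Python pre-plan check that scans a `terraform.tfstate` for Teleport resources whose imported `metadata` carries no `name`, which is the state that makes `terraform plan` propose a delete-and-recreate, and that can fill the name in the way the manual edit in the issue does. The tfstate fragment is constructed here; the assumption that nested blocks are stored as one-element lists (or a plain object) under `attributes` follows only from the issue's description of `metadata` as an empty list and is not taken from the provider's schema.

```python
import json
import sys

# Constructed tfstate fragment (not from the issue). One imported teleport_role
# came back with an empty metadata list, one was fixed by hand, and one
# teleport_app has an empty metadata object.
SAMPLE_TFSTATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "teleport_role", "name": "example",
         "instances": [{"attributes": {"metadata": [], "spec": [{}]}}]},
        {"mode": "managed", "type": "teleport_role", "name": "fixed",
         "instances": [{"attributes": {"metadata": [{"name": "fixed"}], "spec": [{}]}}]},
        {"mode": "managed", "type": "teleport_app", "name": "web",
         "instances": [{"attributes": {"metadata": {}}}]},
    ],
})


def metadata_name(attributes):
    """Return metadata.name for one instance's attributes, or None if absent.

    Assumption: a nested block is stored either as a list of one object or as a
    plain object; a missing, empty, or nameless block counts as "no name".
    """
    meta = attributes.get("metadata")
    if isinstance(meta, list):
        meta = meta[0] if meta else {}
    if not isinstance(meta, dict):
        return None
    return meta.get("name") or None


def find_incomplete_imports(tfstate_text, resource_prefix="teleport_"):
    """List instance addresses (type.name[index]) whose metadata has no name.

    These are the instances the issue describes: terraform plan will treat them
    as going from "no name" to a name and schedule a delete-and-recreate.
    """
    state = json.loads(tfstate_text)
    findings = []
    for res in state.get("resources", []):
        if res.get("mode") != "managed":
            continue
        if not res.get("type", "").startswith(resource_prefix):
            continue
        for idx, inst in enumerate(res.get("instances", [])):
            if metadata_name(inst.get("attributes", {})) is None:
                findings.append(f"{res['type']}.{res['name']}[{idx}]")
    return findings


def fill_metadata_name(tfstate_text, address, name):
    """Return a copy of the state with metadata.name set for one resource
    address (type.name), mirroring the manual tfstate edit from the issue.
    Instances that already carry a name are left untouched.
    """
    state = json.loads(tfstate_text)
    rtype, _, rname = address.partition(".")
    for res in state.get("resources", []):
        if res.get("type") == rtype and res.get("name") == rname:
            for inst in res.get("instances", []):
                attrs = inst.setdefault("attributes", {})
                if metadata_name(attrs) is None:
                    attrs["metadata"] = [{"name": name}]
    return json.dumps(state, indent=2)


if __name__ == "__main__":
    # Usage: python check_tfstate.py [path/to/terraform.tfstate]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TFSTATE
    for addr in find_incomplete_imports(text):
        print(f"incomplete import (no metadata.name): {addr}")
```

Running the check before `terraform plan` on a freshly imported state lists the instances that would be recreated; filling the name only patches the single field the issue identifies, so the remaining attributes still show up as an in-place update, which is the behaviour the reporter observed after the manual edit.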