aws_servicecatalog_portfolio_share concurrency and throttling issues

sbutler commented 2 years ago

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v1.1.9
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v4.13.0

Affected Resource(s)

aws_servicecatalog_portfolio_share

Terraform Configuration Files

terraform {
    required_version = "~> 1.1"
    required_providers {
        aws = {
            source = "hashicorp/aws"
            version = "~> 4.13"
        }
    }
}

variable "ou_names" {
    type    = list(string)
    default = ["example1", "example2", "example3"]
}

data "aws_organizations_organization" "this" {}

resource "aws_organizations_organizational_unit" "example" {
    for_each = toset(var.ou_names)

    name      = each.key
    parent_id = data.aws_organizations_organization.this.roots[0].id
}

resource "aws_servicecatalog_portfolio" "example" {
    name          = "Portfolio Share Bug Report"
    description   = "Example for reporting a bug in portfolio shares."
    provider_name = "Me"
}

resource "aws_servicecatalog_portfolio_share" "example_ou" {
    for_each = toset(var.ou_names)

    portfolio_id = aws_servicecatalog_portfolio.example.id
    principal_id = aws_organizations_organizational_unit.example[each.key].arn
    type         = "ORGANIZATIONAL_UNIT"
}

Debug Output

https://gist.github.com/sbutler/a0c33af877aed4e5c9ac05d6658edeea

Expected Behavior

The portfolio should be shared to all the OU's.

Actual Behavior

One or more might be created, but some will get a ThrottlingException and not be shared.

Steps to Reproduce

terraform apply

Important Factoids

Although I could not find documentation, experimentation revealed:

AWS Service Catalog only supports creating a single portfolio share at a time.
The CreatePortfolioShare API call can succeed, but the later DescribePortfolioShareStatus call can return an error in the ShareDetail.ShareErrors[*].Error field. After adding some enhanced error logging I could see this was ThrottlingException in my example.

vaibhawamck commented 2 years ago

Please merge this, need it urgently. Thank you!

sl-miguelmichee commented 1 year ago

any news on this PR?

cacack commented 10 months ago

How about now? I believe our team is now getting bitten by this and I'd rather not have to revert our changes to manage Service Catalog Portfolio shares..

srgoni commented 1 month ago

I'm not sure if this is has the same root cause, but I'm getting the following error when doing multiple concurrent deassociations (for example when changing the elements of the for_each):

InvalidStateException: Cannot process more than one portfolio share action at the same time for account ####. Try again later.

Please consider this as well in a possible fix.

hashicorp / terraform-provider-aws