hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

Terraform openstack provider on openstack_images_image_v2 fails with 403 forbidden creating image via rbd on ceph backend #26712

Closed dmytro-rachkov closed 3 years ago

dmytro-rachkov commented 3 years ago

Hi!

I came across a nasty issue with openstack_images_image_v2 being unable to import an image via rbd into ceph using the properties stores = "rbd" key/value. The user has admin privileges within the project via the admin role.

External ceph is working fine, as is the glance service: the image is successfully uploaded manually via the openstack client to the same project by the same user. Important note: this was also, surprisingly, working 1 month ago with the same code (though on a different cluster) but with provider version 1.30.0 and terraform 0.13.0 (no longer working on either the upstream versions or the old ones). Debugged glance heavily and found anything strange about it.

Thank you in advance for your ideas!

Terraform Version

Terraform v0.13.5
+ provider registry.terraform.io/hashicorp/aws v3.4.0
+ provider registry.terraform.io/terraform-providers/openstack v1.32.0

Terraform Configuration Files

main.tf

terraform {
  required_providers {
    openstack = {
      source  = "terraform-providers/openstack"
      version = "= 1.32.0"
    }
  }
  required_version = "= 0.13.5"
}

provider "openstack" {
  tenant_name = "myproject"
  auth_url    = "http://openstack.lab.local:5000/v3.0"
  region      = "RegionOne"
}

Variables

images = {
  "img_custom_centos82_base" = {
    "name"             = "img_custom_centos82_base"
    "region"           = "RegionOne"
    "web_download"     = true
    "container_format" = "bare"
    "disk_format"      = "qcow2"
    "image_source_url" = "http://webserver/img_custom_centos82_base.qcow2"
    "protected"        = false
    "visibility"       = "public"
    "tags"             = ["centos8", "prod", "custom"]
    "properties" = {
      "description"                   = "CentOS 8.2 custom"
      "stores"                         = "rbd"
    }
  }
}

Code itself

resource "openstack_images_image_v2" "images" {
  for_each         = var.images
  name             = each.value.name
  region           = each.value.region
  web_download     = each.value.web_download
  container_format = each.value.container_format
  disk_format      = each.value.disk_format
  image_source_url = each.value.image_source_url
  protected        = each.value.protected
  visibility       = each.value.visibility
  tags             = tolist(each.value.tags)
  properties = {
    description                      = each.value.properties.description
    stores                           = each.value.properties.stores
  }
}

Debug Output

2020-10-26T09:55:59.915+0200 [DEBUG] plugin.terraform-provider-openstack_v1.32.0: 2020/10/26 09:55:59 [DEBUG] setting computed for "metadata" from ComputedKeys
2020-10-26T09:55:59.916+0200 [DEBUG] plugin.terraform-provider-openstack_v1.32.0: 2020/10/26 09:55:59 [DEBUG] Locking "auth"
2020-10-26T09:55:59.916+0200 [DEBUG] plugin.terraform-provider-openstack_v1.32.0: 2020/10/26 09:55:59 [DEBUG] Locked "auth"
2020-10-26T09:56:00.373+0200 [DEBUG] plugin.terraform-provider-openstack_v1.32.0: 2020/10/26 09:56:00 [DEBUG] Unlocking "auth"
2020-10-26T09:56:00.373+0200 [DEBUG] plugin.terraform-provider-openstack_v1.32.0: 2020/10/26 09:56:00 [DEBUG] Unlocked "auth"
2020-10-26T09:56:00.373+0200 [DEBUG] plugin.terraform-provider-openstack_v1.32.0: 2020/10/26 09:56:00 [DEBUG] OpenStack Region is: RegionOne
2020-10-26T09:56:00.373+0200 [DEBUG] plugin.terraform-provider-openstack_v1.32.0: 2020/10/26 09:56:00 [DEBUG] OpenStack Endpoint for image: http://192.168.1.254:9292/v2/
2020-10-26T09:56:00.373+0200 [DEBUG] plugin.terraform-provider-openstack_v1.32.0: 2020/10/26 09:56:00 [DEBUG] Create Options: &images.CreateOpts{Name:"img_custom_centos82_base", ID:"
", Visibility:(*images.ImageVisibility)(0xc0000ee330), Tags:[]string{"prod", "centos8", "custom"}, ContainerFormat:"bare", DiskFormat:"qcow2", MinDisk:0, MinRAM:0, Protected:(*bool)(
0xc00020e675), Properties:map[string]string{"description":"CentOS 8.2 custom 36gb disk: CentOS-7.8 custom BASE build from original netinstall.", "stores":"rbd"}}
2020/10/26 09:56:00 [DEBUG] openstack_images_image_v2.images["img_custom_centos82_base"]: apply errored, but we're indicating that via the Error pointer rather than returning it: Err
or creating Image: Request forbidden: [POST http://192.168.1.254:9292/v2/images], error message: {"message": "Attribute 'stores' is read-only.<br /><br />\n\n\n", "code": "403 Forbid
den", "title": "Forbidden"}
2020/10/26 09:56:00 [TRACE] eval: *terraform.EvalMaybeTainted
2020/10/26 09:56:00 [TRACE] EvalMaybeTainted: openstack_images_image_v2.images["img_custom_centos82_base"] encountered an error during creation, so it is now marked as tainted
2020/10/26 09:56:00 [TRACE] eval: *terraform.EvalWriteState
2020/10/26 09:56:00 [TRACE] EvalWriteState: removing state object for openstack_images_image_v2.images["img_custom_centos82_base"]
2020/10/26 09:56:00 [TRACE] eval: *terraform.EvalApplyProvisioners
2020/10/26 09:56:00 [TRACE] EvalApplyProvisioners: openstack_images_image_v2.images["img_custom_centos82_base"] has no state, so skipping provisioners
2020/10/26 09:56:00 [TRACE] eval: *terraform.EvalMaybeTainted
2020/10/26 09:56:00 [TRACE] EvalMaybeTainted: openstack_images_image_v2.images["img_custom_centos82_base"] encountered an error during creation, so it is now marked as tainted
2020/10/26 09:56:00 [TRACE] eval: *terraform.EvalWriteState
2020/10/26 09:56:00 [TRACE] EvalWriteState: removing state object for openstack_images_image_v2.images["img_custom_centos82_base"]
2020/10/26 09:56:00 [TRACE] eval: *terraform.EvalIf
2020/10/26 09:56:00 [TRACE] eval: *terraform.EvalIf
2020/10/26 09:56:00 [TRACE] eval: *terraform.EvalWriteDiff
2020/10/26 09:56:00 [TRACE] eval: *terraform.EvalApplyPost
2020/10/26 09:56:00 [ERROR] eval: *terraform.EvalApplyPost, err: Error creating Image: Request forbidden: [POST http://192.168.1.254:9292/v2/images], error message: {"message": "Attribute 'stores' is read-only.<br /><br />\n\n\n", "code": "403 Forbidden", "title": "Forbidden"}
2020/10/26 09:56:00 [ERROR] eval: *terraform.EvalSequence, err: Error creating Image: Request forbidden: [POST http://192.168.1.254:9292/v2/images], error message: {"message": "Attribute 'stores' is read-only.<br /><br />\n\n\n", "code": "403 Forbidden", "title": "Forbidden"}
2020/10/26 09:56:00 [TRACE] [walkApply] Exiting eval tree: openstack_images_image_v2.images["img_custom_centos82_base"]
2020/10/26 09:56:00 [TRACE] vertex "openstack_images_image_v2.images[\"img_custom_centos82_base\"]": visit complete
2020/10/26 09:56:00 [TRACE] dag/walk: upstream of "provider[\"registry.terraform.io/terraform-providers/openstack\"] (close)" errored, so skipping
2020/10/26 09:56:00 [TRACE] dag/walk: upstream of "meta.count-boundary (EachMode fixup)" errored, so skipping
2020/10/26 09:56:00 [TRACE] dag/walk: upstream of "root" errored, so skipping
2020/10/26 09:56:00 [TRACE] statemgr.Filesystem: not making a backup, because the new snapshot is identical to the old
2020/10/26 09:56:00 [TRACE] statemgr.Filesystem: no state changes since last snapshot
2020/10/26 09:56:00 [TRACE] statemgr.Filesystem: writing snapshot at terraform.tfstate
2020/10/26 09:56:00 [TRACE] statemgr.Filesystem: removing lock metadata file .terraform.tfstate.lock.info
2020/10/26 09:56:00 [TRACE] statemgr.Filesystem: unlocking terraform.tfstate using fcntl flock
2020-10-26T09:56:00.464+0200 [WARN]  plugin.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2020-10-26T09:56:00.466+0200 [DEBUG] plugin: plugin process exited: path=.terraform/plugins/registry.terraform.io/terraform-providers/openstack/1.32.0/linux_amd64/terraform-provider-openstack_v1.32.0 pid=15376
2020-10-26T09:56:00.466+0200 [DEBUG] plugin: plugin exited

Crash Output

Error: Error creating Image: Request forbidden: [POST http://192.168.1.254:9292/v2/images], error message: {"message": "Attribute 'stores' is read-only.<br /><br />\n\n\n", "code": "403 Forbidden", "title": "Forbidden"}

  on images.tf line 1, in resource "openstack_images_image_v2" "images":
   1: resource "openstack_images_image_v2" "images" {

Expected Behavior

Image being successfully imported without an error.

Actual Behavior

403 forbidden

Steps to Reproduce

  1. terraform init
  2. terraform apply
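
A triage helper for the failure reported above, added here as an example and not part of the original issue, Terraform or the provider: it rejoins the hard-wrapped debug lines, pulls the attribute that Glance rejected out of the 403 body, and lists which entries of an `images` map send that attribute. The function names and the second image entry are hypothetical; the log lines are taken from the debug output above.

```python
import json
import re

# Log lines taken from the debug output in the issue, hard wraps included.
SAMPLE_LOG = r"""
2020/10/26 09:56:00 [DEBUG] openstack_images_image_v2.images["img_custom_centos82_base"]: apply errored, but we're indicating that via the Error pointer rather than returning it: Err
or creating Image: Request forbidden: [POST http://192.168.1.254:9292/v2/images], error message: {"message": "Attribute 'stores' is read-only.<br /><br />\n\n\n", "code": "403 Forbid
den", "title": "Forbidden"}
2020/10/26 09:56:00 [TRACE] eval: *terraform.EvalMaybeTainted
"""
# Image map shaped like the issue's variables; the second entry is constructed.
IMAGES = {
    "img_custom_centos82_base": {"properties": {"description": "CentOS 8.2 custom", "stores": "rbd"}},
    "img_constructed_plain": {"properties": {"description": "constructed entry"}},
}

ENTRY_START = re.compile(r"^\d{4}[-/]\d{2}[-/]\d{2}[T ]\d{2}:\d{2}:\d{2}")
FORBIDDEN = re.compile(r"Request forbidden: \[(\w+) ([^\]\s]+)\], error message: (\{.*\})")
READ_ONLY = re.compile(r"Attribute '([^']+)' is read-only")

def unwrap(text):
    """Rejoin entries cut mid-word: a line without a timestamp continues the previous one."""
    entries = []
    for line in text.strip().splitlines():
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += line
    return entries

def rejected_attributes(text):
    """Sorted (method, url, attribute) for each 403 whose JSON body names a read-only attribute."""
    found = set()
    for entry in unwrap(text):
        hit = FORBIDDEN.search(entry)
        if not hit:
            continue
        try:
            message = json.loads(hit.group(3)).get("message", "")
        except json.JSONDecodeError:
            continue  # body truncated or not JSON; skip rather than guess
        attr = READ_ONLY.search(message)
        if attr:
            found.add((hit.group(1), hit.group(2), attr.group(1)))
    return sorted(found)

def images_sending(images, attribute):
    """Names of image entries whose properties include the rejected attribute."""
    return sorted(n for n, spec in images.items() if attribute in spec.get("properties", {}))
```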

dmytro-rachkov commented 3 years ago

Issue moved to the proper section of the openstack provider: https://github.com/terraform-provider-openstack/terraform-provider-openstack/issues/1091
