mongodb / terraform-provider-mongodbatlas

Terraform MongoDB Atlas Provider: Deploy, update, and manage MongoDB Atlas infrastructure as code through HashiCorp Terraform
https://registry.terraform.io/providers/mongodb/mongodbatlas
Mozilla Public License 2.0

Terraform plan fails if API key created by `mongodbatlas_api_key` resource is deleted outside of Terraform #1057

Closed itspngu closed 1 year ago

itspngu commented 1 year ago

Terraform CLI and Terraform MongoDB Atlas Provider Version

Terraform v1.3.7
on linux_amd64
+ provider registry.terraform.io/mongodb/mongodbatlas v1.8.0

Terraform Configuration File

terraform {
  required_version = ">=1.3"
  required_providers {
    mongodbatlas = {
      source  = "mongodb/mongodbatlas"
      version = "~>1.8"
    }
    time = {
      source  = "hashicorp/time"
      version = "~>0.9"
    }
  }
}

variable "name" {
  description = "The name of the MongoDB Atlas project to create"
  type        = string
}
variable "vault_egress_ip_cidr_ranges" {
  description = "The IP ranges in CIDR notation that Vault traffic originates from"
  type        = list(string)
}

data "mongodbatlas_roles_org_id" "this" {}

resource "time_rotating" "mongodbatlas_vault_creds" {
  rotation_days = 7
}
resource "mongodbatlas_api_key" "vault" {
  org_id = data.mongodbatlas_roles_org_id.this.org_id

  description = "vault-${var.name}-root-${time_rotating.mongodbatlas_vault_creds.unix}"
  role_names = [
    "ORG_OWNER",
  ]

  depends_on = [
    time_rotating.mongodbatlas_vault_creds,
  ]
}
resource "mongodbatlas_access_list_api_key" "vault" {
  for_each = toset(var.vault_egress_ip_cidr_ranges)

  org_id     = data.mongodbatlas_roles_org_id.this.org_id
  api_key_id = mongodbatlas_api_key.vault.api_key_id

  cidr_block = each.value

  depends_on = [
    mongodbatlas_api_key.vault
  ]
}

Steps to Reproduce

  1. terraform init
  2. terraform plan
  3. terraform apply
  4. Delete API key (e.g. via Atlas web UI)
  5. terraform plan
  6. Receive error

Expected Behavior

Terraform should create a new API key because the API key it created previously is no longer present.

Actual Behavior

Terraform fails to complete the plan stage, forcing you to manually remove the resource from tfstate before planning again:

Error: error getting api key information: GET https://cloud.mongodb.com/api/atlas/v1.0/orgs/<redacted>/apiKeys/<redacted>: 400 (request "API_KEY_NOT_FOUND") No API key with ID <redacted> exists.

  with module.mongodb_atlas.mongodbatlas_api_key.vault,
  on ../../modules/mongodb-atlas-project/vault.tf line 26, in resource "mongodbatlas_api_key" "vault":
  26: resource "mongodbatlas_api_key" "vault" {

2023-02-09T16:59:33.521Z [ERROR]  Plan failed, see logs for details

This also applies to any instance of mongodbatlas_access_list_api_key referencing the missing key.

Debug Output

Crash Output

Additional Context

References

martinstibbe commented 1 year ago

@itspngu I will try to replicate your issue

martinstibbe commented 1 year ago

@itspngu I was able to duplicate the issue with both resources; will fix in engineering ticket INTMDB-581.

Zuhairahmed commented 1 year ago

Just as an update, @itspngu: this issue has been picked up for the v1.8.2 release, which should be published in the next month or two.

Zuhairahmed commented 1 year ago

Hi @itspngu, v1.8.2 has been released! Closing this issue, but feel free to re-open if you need anything else here: https://registry.terraform.io/providers/mongodb/mongodbatlas/latest
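
On provider versions that still show the behavior reported above, the manual workaround from the report (removing the stale resource from state) can be prepared from the plan output. The following is an added example, not part of the original thread or the provider's code: it extracts the addresses of resources failing with `API_KEY_NOT_FOUND` and prints `terraform state rm` commands for review instead of running them. The function names are hypothetical, and the second and third error blocks in the sample are constructed.

```shell
#!/bin/sh
# Added example (not provider code). Typical use on an affected version:
#   terraform plan -no-color 2>&1 | state_rm_commands

# Constructed sample: block 1 follows the error in the report; blocks 2 and 3
# are made up (gutter-prefixed, wrapped access list error; unrelated error).
SAMPLE_PLAN_OUTPUT='Error: error getting api key information: GET https://cloud.mongodb.com/api/atlas/v1.0/orgs/ORG_ID/apiKeys/KEY_ID: 400 (request "API_KEY_NOT_FOUND") No API key with ID KEY_ID exists.

  with module.mongodb_atlas.mongodbatlas_api_key.vault,
  on ../../modules/mongodb-atlas-project/vault.tf line 26, in resource "mongodbatlas_api_key" "vault":

│ Error: constructed access list error: 400 (request "API_KEY_NOT_FOUND")
│ No API key
│ with ID KEY_ID exists.
│
│   with module.mongodb_atlas.mongodbatlas_access_list_api_key.vault["10.0.0.0/24"],
│   on ../../modules/mongodb-atlas-project/vault.tf line 38, in resource "mongodbatlas_access_list_api_key" "vault":

Error: constructed unrelated failure

  with module.mongodb_atlas.time_rotating.mongodbatlas_vault_creds,
  on ../../modules/mongodb-atlas-project/vault.tf line 20, in resource "time_rotating" "mongodbatlas_vault_creds":'

# Read plan output on stdin; print the address of every resource whose error
# block carries the API_KEY_NOT_FOUND code. Other errors are ignored.
stale_addresses() {
  awk '
    /Error:/            { hit = 0 }   # a new diagnostic block starts
    /API_KEY_NOT_FOUND/ { hit = 1 }   # code may sit on a wrapped line
    # The address line reads "with <address>," and may carry a box-drawing
    # gutter. Requiring the trailing comma skips wrapped message text that
    # happens to begin with "with".
    hit && /^[^a-zA-Z]*with .*,[ \t]*$/ {
      sub(/^[^a-zA-Z]*with /, "")
      sub(/,[ \t]*$/, "")
      print
      hit = 0
    }
  '
}

# Turn the addresses into reviewable commands. Single quotes keep for_each
# keys such as ["10.0.0.0/24"] intact; embedded single quotes are escaped.
state_rm_commands() {
  stale_addresses | sort -u | sed "s/'/'\\\\''/g" | while IFS= read -r addr; do
    printf "terraform state rm '%s'\n" "$addr"
  done
}

# Demo on the embedded sample.
printf '%s\n' "$SAMPLE_PLAN_OUTPUT" | state_rm_commands
```

After the listed entries are removed from state, the next `terraform plan` proposes creating a new key and new access list entries, which is the behavior the report expected.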