mongodb / terraform-provider-mongodbatlas

Terraform MongoDB Atlas Provider: Deploy, update, and manage MongoDB Atlas infrastructure as code through HashiCorp Terraform
https://registry.terraform.io/providers/mongodb/mongodbatlas
Mozilla Public License 2.0

Provider not destroying API keys #1261

Closed ToneVDB closed 1 year ago

ToneVDB commented 1 year ago

Terraform CLI and Terraform MongoDB Atlas Provider Version

Terraform v1.4.5
on linux_amd64
+ provider registry.terraform.io/gavinbunney/kubectl v1.14.0
+ provider registry.terraform.io/hashicorp/aws v4.67.0
+ provider registry.terraform.io/hashicorp/cloudinit v2.3.2
+ provider registry.terraform.io/hashicorp/helm v2.9.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.20.0
+ provider registry.terraform.io/hashicorp/local v2.4.0
+ provider registry.terraform.io/hashicorp/null v3.2.1
+ provider registry.terraform.io/hashicorp/random v3.5.1
+ provider registry.terraform.io/hashicorp/template v2.2.0
+ provider registry.terraform.io/hashicorp/time v0.9.1
+ provider registry.terraform.io/hashicorp/tls v4.0.4
+ provider registry.terraform.io/mongodb/mongodbatlas v1.8.0
+ provider registry.terraform.io/terraform-aws-modules/http v2.4.1

Terraform Configuration File

Create a mongodbatlas_api_key resource as follows

resource "mongodbatlas_api_key" "test" {
  description = "key-name"
  org_id      = "<ORG_ID>"
  role_names  = ["ORG_READ_ONLY"]
}

Steps to Reproduce

  1. terraform init
  2. terraform apply
  3. terraform destroy

Expected Behavior

Terraform creates the API key at step 2.
Terraform removes the API key at step 3.

Actual Behavior

The API key remains after step 3 without getting destroyed - this can be checked via the UI under access manager.

github-actions[bot] commented 1 year ago

Thanks for opening this issue. The ticket INTMDB-889 was created for internal tracking.

martinstibbe commented 1 year ago

@ToneVDB I tried this using v1.8.0 and the latest version. It created the org API key, and then when I do a TF destroy it removes the key and it no longer displays in the UI in my test case (using either version). Can you test using the latest version of the provider and perhaps enable TF_LOG=TRACE so we could see some additional detail? Feel free to obfuscate any org_ids, keys, etc. in the log file.

ToneVDB commented 1 year ago

Ok so I messed up describing the bug - please see the details below. I'm sorry for the confusion.

The resource causing the problem is actually mongodbatlas_project_api_key, not mongodbatlas_api_key. The issue happens upon running an apply with the resource no longer defined. Terraform sees that the key is no longer there, says that it will destroy it, and completes successfully, but the key remains in the MongoDB Atlas UI.

The config:

resource "mongodbatlas_project_api_key" "test" {
  description = "test-key"
  project_id  = mongodbatlas_project.project.id
  role_names  = ["GROUP_OWNER"]
}

The output upon the 2nd apply without the resource defined


Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # module.data-platform.module.mongodb.mongodbatlas_project_api_key.test will be destroyed
  # (because mongodbatlas_project_api_key.test is not in configuration)
  - resource "mongodbatlas_project_api_key" "test" {
      - api_key_id  = "<REDACTED>" -> null
      - description = "test-key" -> null
      - id          = "<REDACTED>" -> null
      - private_key = (sensitive value) -> null
      - project_id  = "<REDACTED>" -> null
      - public_key  = "<REDACTED>" -> null
      - role_names  = [
          - "GROUP_OWNER",
        ] -> null
    }

Plan: 0 to add, 0 to change, 1 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.data-platform.module.mongodb.mongodbatlas_project_api_key.test: Destroying... [id=<REDACTED>]
module.data-platform.module.mongodb.mongodbatlas_project_api_key.test: Destruction complete after 1s
Releasing state lock. This may take a few moments...

Apply complete! Resources: 0 added, 0 changed, 1 destroyed.

The screenshot of the UI after the "successful" 2nd apply

image

martinstibbe commented 1 year ago

@ToneVDB I tried using v1.8.0, applied .. commented out, applied .. destroyed, and the org-level key remained. Then I upgraded the TF provider to v1.10.0 and ran the same scenario, and the org key got removed on the second apply, so this issue was fixed in a recent release. Please try the latest version of the provider to validate.

ToneVDB commented 1 year ago

Hi,

I upgraded to v1.10.0 but the issue remains. Please find the abbreviated Terraform trace output below (the original trace of the project is 150 MB):

2023-06-29T07:47:21.892+0200 [TRACE] DiffTransformer: found Delete change for module.data-platform.module.mongodb.mongodbatlas_project_api_key.test
2023-06-29T07:47:21.892+0200 [TRACE] DiffTransformer: module.data-platform.module.mongodb.mongodbatlas_project_api_key.test will be represented for destruction by module.data-platform.module.mongodb.mongodbatlas_project_api_key.test (destroy)
2023-06-29T07:47:27.706+0200 [TRACE] vertex "provider[\"registry.terraform.io/mongodb/mongodbatlas\"]": visit complete
2023-06-29T07:47:27.706+0200 [TRACE] vertex "module.data-platform.module.mongodb.mongodbatlas_project_api_key.test (destroy)": starting visit (*terraform.NodeDestroyResourceInstance)
2023-06-29T07:47:27.707+0200 [TRACE] readDiff: Read Delete change from plan for module.data-platform.module.mongodb.mongodbatlas_project_api_key.test
2023-06-29T07:47:27.707+0200 [TRACE] readResourceInstanceState: reading state for module.data-platform.module.mongodb.mongodbatlas_project_api_key.test
2023-06-29T07:47:27.706+0200 [TRACE] provider.terraform-provider-mongodbatlas_v1.10.0: Calling downstream: @module=sdk.helper_schema tf_provider_addr=provider tf_req_id=8370eb32-f845-7b90-6817-2a50462dade9 tf_rpc=Configure @caller=github.com/hashicorp/terraform-plugin-sdk/v2@v2.26.1/helper/schema/grpc_provider.go:556 timestamp=2023-06-29T07:47:27.703+0200
2023-06-29T07:47:27.707+0200 [TRACE] provider.terraform-provider-mongodbatlas_v1.10.0: Called downstream: tf_provider_addr=provider tf_req_id=8370eb32-f845-7b90-6817-2a50462dade9 tf_rpc=Configure @caller=github.com/hashicorp/terraform-plugin-sdk/v2@v2.26.1/helper/schema/grpc_provider.go:558 @module=sdk.helper_schema timestamp=2023-06-29T07:47:27.706+0200
2023-06-29T07:47:27.707+0200 [TRACE] provider.terraform-provider-mongodbatlas_v1.10.0: Received downstream response: @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/internal/tf5serverlogging/downstream_request.go:37 diagnostic_warning_count=0 tf_provider_addr=provider tf_req_duration_ms=3 tf_req_id=8370eb32-f845-7b90-6817-2a50462dade9 @module=sdk.proto diagnostic_error_count=0 tf_proto_version=5.3 tf_rpc=Configure timestamp=2023-06-29T07:47:27.706+0200
2023-06-29T07:47:27.707+0200 [TRACE] provider.terraform-provider-mongodbatlas_v1.10.0: Served request: tf_proto_version=5.3 tf_provider_addr=provider tf_rpc=Configure @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/tf5server/server.go:567 tf_req_id=8370eb32-f845-7b90-6817-2a50462dade9 @module=sdk.proto timestamp=2023-06-29T07:47:27.706+0200
2023-06-29T07:47:27.707+0200 [TRACE] upgradeResourceState: schema version of module.data-platform.module.mongodb.mongodbatlas_project_api_key.test is still 0; calling provider "mongodbatlas" for any other minor fixups
2023-06-29T07:47:27.707+0200 [TRACE] GRPCProvider: UpgradeResourceState
2023-06-29T07:47:27.708+0200 [TRACE] provider.terraform-provider-mongodbatlas_v1.10.0: Received request: @module=sdk.proto tf_req_id=610e0b21-c622-7084-6ed5-81a13e232ebb tf_rpc=UpgradeResourceState @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/tf5server/server.go:708 tf_proto_version=5.3 tf_provider_addr=provider tf_resource_type=mongodbatlas_project_api_key timestamp=2023-06-29T07:47:27.708+0200
2023-06-29T07:47:27.708+0200 [TRACE] provider.terraform-provider-mongodbatlas_v1.10.0: Sending request downstream: tf_provider_addr=provider tf_rpc=UpgradeResourceState @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/internal/tf5serverlogging/downstream_request.go:17 @module=sdk.proto tf_proto_version=5.3 tf_req_id=610e0b21-c622-7084-6ed5-81a13e232ebb tf_resource_type=mongodbatlas_project_api_key timestamp=2023-06-29T07:47:27.708+0200
2023-06-29T07:47:27.708+0200 [TRACE] provider.terraform-provider-mongodbatlas_v1.10.0: Upgrading JSON state: tf_rpc=UpgradeResourceState tf_req_id=610e0b21-c622-7084-6ed5-81a13e232ebb tf_resource_type=mongodbatlas_project_api_key @caller=github.com/hashicorp/terraform-plugin-sdk/v2@v2.26.1/helper/schema/grpc_provider.go:323 @module=sdk.helper_schema tf_provider_addr=provider timestamp=2023-06-29T07:47:27.708+0200
2023-06-29T07:47:27.710+0200 [TRACE] provider.terraform-provider-mongodbatlas_v1.10.0: Received downstream response: diagnostic_warning_count=0 tf_proto_version=5.3 tf_resource_type=mongodbatlas_project_api_key tf_rpc=UpgradeResourceState @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/internal/tf5serverlogging/downstream_request.go:37 diagnostic_error_count=0 tf_req_id=610e0b21-c622-7084-6ed5-81a13e232ebb @module=sdk.proto tf_provider_addr=provider tf_req_duration_ms=1 timestamp=2023-06-29T07:47:27.710+0200
2023-06-29T07:47:27.710+0200 [TRACE] provider.terraform-provider-mongodbatlas_v1.10.0: Served request: tf_req_id=610e0b21-c622-7084-6ed5-81a13e232ebb tf_rpc=UpgradeResourceState @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/tf5server/server.go:728 @module=sdk.proto tf_proto_version=5.3 tf_provider_addr=provider tf_resource_type=mongodbatlas_project_api_key timestamp=2023-06-29T07:47:27.710+0200
module.data-platform.module.mongodb.mongodbatlas_project_api_key.test: Destroying... [id=YXBpX2tleV9pZA==:NjQ5ZDE5NjA4MDg5Y2I0MDc0YWQxNTgx-cHJvamVjdF9pZA==:NjQ5OTMzOTY4NDBmNTYzZTc2ZDdlODY4]
2023-06-29T07:47:27.710+0200 [INFO]  Starting apply for module.data-platform.module.mongodb.mongodbatlas_project_api_key.test
2023-06-29T07:47:27.711+0200 [DEBUG] module.data-platform.module.mongodb.mongodbatlas_project_api_key.test: applying the planned Delete change
2023-06-29T07:47:27.711+0200 [TRACE] GRPCProvider: ApplyResourceChange
2023-06-29T07:47:27.711+0200 [TRACE] provider.terraform-provider-mongodbatlas_v1.10.0: Received request: @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/tf5server/server.go:805 tf_provider_addr=provider tf_req_id=9b2ac5bf-a5f9-1d3e-1cc3-34ee03f88a4b tf_rpc=ApplyResourceChange @module=sdk.proto tf_proto_version=5.3 tf_resource_type=mongodbatlas_project_api_key timestamp=2023-06-29T07:47:27.711+0200
2023-06-29T07:47:27.711+0200 [TRACE] provider.terraform-provider-mongodbatlas_v1.10.0: Sending request downstream: tf_proto_version=5.3 tf_req_id=9b2ac5bf-a5f9-1d3e-1cc3-34ee03f88a4b tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/internal/tf5serverlogging/downstream_request.go:17 @module=sdk.proto tf_provider_addr=provider tf_resource_type=mongodbatlas_project_api_key timestamp=2023-06-29T07:47:27.711+0200
2023-06-29T07:47:27.711+0200 [TRACE] provider.terraform-provider-mongodbatlas_v1.10.0: Calling downstream: tf_req_id=9b2ac5bf-a5f9-1d3e-1cc3-34ee03f88a4b tf_resource_type=mongodbatlas_project_api_key tf_rpc=ApplyResourceChange @module=sdk.helper_schema tf_provider_addr=provider @caller=github.com/hashicorp/terraform-plugin-sdk/v2@v2.26.1/helper/schema/resource.go:805 timestamp=2023-06-29T07:47:27.711+0200
2023-06-29T07:47:27.713+0200 [INFO]  provider.terraform-provider-mongodbatlas_v1.10.0: 2023/06/29 07:47:27 [DEBUG] MongoDB Atlas API Request Details:
---[ REQUEST ]---------------------------------------
GET /api/atlas/v1.0/groups/64993396840f563e76d7e868/apiKeys HTTP/1.1
Host: cloud.mongodb.com
User-Agent: terraform-provider-mongodbatlas/1.10.0 go-mongodbatlas/0.29.0 (linux;amd64)
Accept: application/json
Accept-Encoding: gzip

-----------------------------------------------------: timestamp=2023-06-29T07:47:27.713+0200
2023-06-29T07:47:27.725+0200 [TRACE] provider.terraform-provider-aws_v4.67.0_x5: Served request: @caller=github.com/hashicorp/terraform-plugin-go@v0.15.0/tfprotov5/tf5server/server.go:510 tf_proto_version=5.3 @module=sdk.proto tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=30e971fc-d660-eaf4-ece3-28c96835213f tf_rpc=GetProviderSchema timestamp=2023-06-29T07:47:27.725+0200
2023-06-29T07:47:27.828+0200 [TRACE] GRPCProvider: ValidateProviderConfig

-----------------------------------------------------: timestamp=2023-06-29T07:47:28.176+0200
2023-06-29T07:47:28.177+0200 [INFO]  provider.terraform-provider-mongodbatlas_v1.10.0: 2023/06/29 07:47:28 [DEBUG] MongoDB Atlas API Request Details:
---[ REQUEST ]---------------------------------------
DELETE /api/atlas/v1.0/groups/64993396840f563e76d7e868/apiKeys/649d19608089cb4074ad1581 HTTP/1.1
Host: cloud.mongodb.com
User-Agent: terraform-provider-mongodbatlas/1.10.0 go-mongodbatlas/0.29.0 (linux;amd64)
Accept: application/json
Accept-Encoding: gzip

-----------------------------------------------------: timestamp=2023-06-29T07:47:28.177+0200
2023-06-29T07:47:28.472+0200 [INFO]  provider.terraform-provider-mongodbatlas_v1.10.0: 2023/06/29 07:47:28 [DEBUG] MongoDB Atlas API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 204 No Content
Content-Type: application/json
Date: Thu, 29 Jun 2023 05:47:28 GMT
Referrer-Policy: strict-origin-when-cross-origin
Server: mdbws
Strict-Transport-Security: max-age=31536000; includeSubdomains;
X-Content-Type-Options: nosniff
X-Envoy-Upstream-Service-Time: 98
X-Frame-Options: DENY
X-Mongodb-Service-Version: gitHash=bb50871216dff67544953556ea80e83ddadccf3b; versionString=v20230614
X-Permitted-Cross-Domain-Policies: none

-----------------------------------------------------: timestamp=2023-06-29T07:47:28.472+0200
2023-06-29T07:47:28.473+0200 [INFO]  provider.terraform-provider-mongodbatlas_v1.10.0: 2023/06/29 07:47:28 [DEBUG] MongoDB Atlas API Request Details:
---[ REQUEST ]---------------------------------------
DELETE /api/atlas/v1.0/orgs/<REDACTED>/apiKeys/649d19608089cb4074ad1581 HTTP/1.1
Host: cloud.mongodb.com
User-Agent: terraform-provider-mongodbatlas/1.10.0 go-mongodbatlas/0.29.0 (linux;amd64)
Accept: application/json
Accept-Encoding: gzip

-----------------------------------------------------: timestamp=2023-06-29T07:47:28.472+0200
2023-06-29T07:47:28.696+0200 [INFO]  provider.terraform-provider-mongodbatlas_v1.10.0: 2023/06/29 07:47:28 [DEBUG] MongoDB Atlas API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 401 Unauthorized
Content-Length: 151
Content-Type: application/json
Date: Thu, 29 Jun 2023 05:47:28 GMT
Referrer-Policy: strict-origin-when-cross-origin
Server: mdbws
Strict-Transport-Security: max-age=31536000; includeSubdomains;
X-Content-Type-Options: nosniff
X-Envoy-Upstream-Service-Time: 25
X-Frame-Options: DENY
X-Mongodb-Service-Version: gitHash=bb50871216dff67544953556ea80e83ddadccf3b; versionString=v20230614
X-Permitted-Cross-Domain-Policies: none

{
 "detail": "Current user is not authorized to perform this action.",
 "error": 401,
 "errorCode": "USER_UNAUTHORIZED",
 "parameters": [],
 "reason": "Unauthorized"
}
-----------------------------------------------------: timestamp=2023-06-29T07:47:28.696+0200
2023-06-29T07:47:28.697+0200 [INFO]  provider.terraform-provider-mongodbatlas_v1.10.0: 2023/06/29 07:47:28 [WARN] unable to delete Key (649d19608089cb4074ad1581): DELETE https://cloud.mongodb.com/api/atlas/v1.0/orgs/<REDACTED>/apiKeys/649d19608089cb4074ad1581: 401 (request "USER_UNAUTHORIZED") Current user is not authorized to perform this action.: timestamp=2023-06-29T07:47:28.697+0200
2023-06-29T07:47:28.697+0200 [TRACE] provider.terraform-provider-mongodbatlas_v1.10.0: Called downstream: @caller=github.com/hashicorp/terraform-plugin-sdk/v2@v2.26.1/helper/schema/resource.go:807 @module=sdk.helper_schema tf_req_id=9b2ac5bf-a5f9-1d3e-1cc3-34ee03f88a4b tf_rpc=ApplyResourceChange tf_provider_addr=provider tf_resource_type=mongodbatlas_project_api_key timestamp=2023-06-29T07:47:28.697+0200
2023-06-29T07:47:28.697+0200 [TRACE] provider.terraform-provider-mongodbatlas_v1.10.0: Received downstream response: @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/internal/tf5serverlogging/downstream_request.go:37 @module=sdk.proto tf_proto_version=5.3 tf_provider_addr=provider tf_req_duration_ms=985 tf_req_id=9b2ac5bf-a5f9-1d3e-1cc3-34ee03f88a4b tf_resource_type=mongodbatlas_project_api_key tf_rpc=ApplyResourceChange diagnostic_error_count=0 diagnostic_warning_count=0 timestamp=2023-06-29T07:47:28.697+0200
2023-06-29T07:47:28.698+0200 [TRACE] provider.terraform-provider-mongodbatlas_v1.10.0: Served request: tf_proto_version=5.3 tf_req_id=9b2ac5bf-a5f9-1d3e-1cc3-34ee03f88a4b tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/tf5server/server.go:831 @module=sdk.proto tf_provider_addr=provider tf_resource_type=mongodbatlas_project_api_key timestamp=2023-06-29T07:47:28.697+0200
2023-06-29T07:47:29.080+0200 [INFO]  provider.terraform-provider-helm_v2.10.1_x5: configuring server automatic mTLS: timestamp=2023-06-29T07:47:29.080+0200
2023-06-29T07:47:29.103+0200 [DEBUG] provider.terraform-provider-helm_v2.10.1_x5: plugin address: address=/tmp/plugin153176073 network=unix timestamp=2023-06-29T07:47:29.103+0200
2023-06-29T07:47:29.103+0200 [DEBUG] provider: using plugin: version=5
2023-06-29T07:47:29.121+0200 [TRACE] BuiltinEvalContext: Initialized "module.data-platform.module.eks.provider[\"registry.terraform.io/hashicorp/helm\"]" provider for module.data-platform.module.eks.provider["registry.terraform.io/hashicorp/helm"]
2023-06-29T07:47:29.122+0200 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to workingState for module.data-platform.module.mongodb.mongodbatlas_project_api_key.test
2023-06-29T07:47:29.122+0200 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: removing state object for module.data-platform.module.mongodb.mongodbatlas_project_api_key.test
2023-06-29T07:47:29.122+0200 [TRACE] provider.stdio: waiting for stdio data
module.data-platform.module.mongodb.mongodbatlas_project_api_key.test: Destruction complete after 1s
2023-06-29T07:47:29.122+0200 [TRACE] NodeApplyableProvider: configuring module.data-platform.module.eks.provider["registry.terraform.io/hashicorp/helm"]
2023-06-29T07:47:29.123+0200 [TRACE] vertex "module.data-platform.module.mongodb.mongodbatlas_project_api_key.test (destroy)": visit complete
2023-06-29T07:47:29.123+0200 [TRACE] vertex "provider[\"registry.terraform.io/mongodb/mongodbatlas\"] (close)": starting visit (*terraform.graphNodeCloseProvider)
2023-06-29T07:47:29.125+0200 [DEBUG] created provider logger: level=trace

Please let me know if you need more or other details.

martinstibbe commented 1 year ago

@ToneVDB Actually, the error I see in the log shows a permission issue. During delete, the Terraform provider does an unassign of the key from projects and then calls the DELETE API to remove the key. It looks like you have a permission issue, based on the error returned from the Atlas API:
DELETE /api/atlas/v1.0/orgs//apiKeys/649d19608089cb4074ad1581 HTTP/1.1 201 Error coming back here ...

"detail": "Current user is not authorized to perform this action.",
 "error": 401,
 "errorCode": "USER_UNAUTHORIZED",
 "parameters": [],
 "reason": "Unauthorized"

ToneVDB commented 1 year ago

@martinstibbe That is correct, but shouldn't terraform then return destroy failed? Without the trace people could not assume the resource still exists, right?

I feel like right now it is returning a "fake" result?
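
Added example (not part of the thread and not the provider's code): a Python scan of a TF_LOG=TRACE capture that flags any ApplyResourceChange call during which the Atlas API returned an HTTP status of 400 or higher while the provider still reported diagnostic_error_count=0, which is the pattern visible in the trace above. The sample trace and its IDs are constructed placeholders; HTTP errors are attributed to every apply open at that moment, an assumption that over-reports when several applies run in parallel.

```python
import re

# Constructed sample shaped like the TF_LOG=TRACE excerpt in this thread.
# PROJECT_ID, ORG_ID, KEY_ID and the req-* ids are placeholders.
SAMPLE_TRACE = """\
[TRACE] provider: Received request: tf_req_id=req-A tf_rpc=ApplyResourceChange tf_resource_type=mongodbatlas_project_api_key
---[ REQUEST ]---
DELETE /api/atlas/v1.0/groups/PROJECT_ID/apiKeys/KEY_ID HTTP/1.1
---[ RESPONSE ]---
HTTP/2.0 204 No Content
---[ REQUEST ]---
DELETE /api/atlas/v1.0/orgs/ORG_ID/apiKeys/KEY_ID HTTP/1.1
---[ RESPONSE ]---
HTTP/2.0 401 Unauthorized
[TRACE] provider: Received downstream response: tf_req_id=req-A tf_rpc=ApplyResourceChange diagnostic_error_count=0
[TRACE] provider: Received request: tf_req_id=req-B tf_rpc=ApplyResourceChange tf_resource_type=mongodbatlas_project
---[ REQUEST ]---
DELETE /api/atlas/v1.0/groups/PROJECT_ID HTTP/1.1
---[ RESPONSE ]---
HTTP/2.0 202 Accepted
[TRACE] provider: Received downstream response: tf_req_id=req-B tf_rpc=ApplyResourceChange diagnostic_error_count=0
"""

REQ_LINE = re.compile(r"^(GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/")
STATUS_LINE = re.compile(r"^HTTP/[\d.]+ (\d{3})\b")


def field(line, key):
    """Return the value of a key=value pair on a trace line, or None."""
    m = re.search(rf"(?<![\w.]){re.escape(key)}=(\S+)", line)
    return m.group(1) if m else None


def silent_apply_failures(trace):
    """Find applies that saw an HTTP error but reported zero diagnostics."""
    open_applies = {}    # tf_req_id -> record for an in-flight apply
    last_request = None  # most recent "METHOD path" seen in the API dump
    findings = []
    for line in trace.splitlines():
        if m := REQ_LINE.match(line):
            last_request = f"{m.group(1)} {m.group(2)}"
        elif m := STATUS_LINE.match(line):
            if int(m.group(1)) >= 400:
                for rec in open_applies.values():
                    rec["errors"].append((last_request, int(m.group(1))))
        elif field(line, "tf_rpc") == "ApplyResourceChange":
            req_id = field(line, "tf_req_id")
            if "Received request:" in line:
                open_applies[req_id] = {
                    "tf_req_id": req_id,
                    "resource_type": field(line, "tf_resource_type"),
                    "errors": [],
                }
            elif "Received downstream response:" in line and req_id in open_applies:
                rec = open_applies.pop(req_id)
                if rec["errors"] and field(line, "diagnostic_error_count") == "0":
                    findings.append(rec)
    return findings


if __name__ == "__main__":
    for finding in silent_apply_failures(SAMPLE_TRACE):
        print(finding)
```

Any finding for a credential resource means the key should be treated as still live and checked in Atlas Access Manager, whatever the apply summary says.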

andreaangiolillo commented 1 year ago

Hello,

We released v1.10.2 with the fix to this bug.

Thanks