Closed tkallenberg-tw closed 1 year ago
This sounds like a race condition. What I'm noticing is both app_role_attachment calls are asking for the newly created app at the same time (so both think there are no role_ids except the one it's about to attach). I also see AWS having similar issues with aws_iam_role_policy_attachment so this is a widespread thing for Terraform it seems. A workaround for this would be to apply the attachments in order:
```hcl
resource "onelogin_app_role_attachments" "first" {
  app_id  = 1234
  role_id = 44444
}

resource "onelogin_app_role_attachments" "second" {
  app_id  = 4321
  role_id = 5555

  # Wait for the first attachment so the two are applied one after the other
  depends_on = [onelogin_app_role_attachments.first]
}
```
If you want I can also expose the role_ids field on the app object and you can directly add roles there if you're not a fan of the attachments way.
You may want to consider using the roles_resource for defining app/role relationships.
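The lost update described above, as an added Python model that is not part of the original thread and not the provider's code. `FakeApp`, `attach` and the two `apply_*` helpers are hypothetical names, and the model assumes each attachment reads the app's `role_ids`, adds its own role, and writes the whole list back.

```python
import threading

class FakeApp:
    """Constructed stand-in for the remote app; an update replaces role_ids wholesale."""
    def __init__(self):
        self._role_ids = []
        self._lock = threading.Lock()

    def get_role_ids(self):
        with self._lock:
            return list(self._role_ids)

    def put_role_ids(self, ids):
        with self._lock:
            self._role_ids = list(ids)

def attach(app, role_id, after_read=None):
    """Read-modify-write (assumed): read the list, add one role, write it back."""
    current = app.get_role_ids()
    if after_read is not None:
        after_read()  # demo hook: forces every read to finish before any write
    if role_id not in current:
        current.append(role_id)
    app.put_role_ids(current)

def apply_concurrently(role_ids):
    """All attachments start at once, as with parallel resource creation."""
    app = FakeApp()
    barrier = threading.Barrier(len(role_ids))
    threads = [threading.Thread(target=attach, args=(app, r, barrier.wait))
               for r in role_ids]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(app.get_role_ids())

def apply_in_order(role_ids):
    """Attachments run one after the other, as with a depends_on chain."""
    app = FakeApp()
    for r in role_ids:
        attach(app, r)
    return sorted(app.get_role_ids())

if __name__ == "__main__":
    roles = [44444, 5555]  # role ids taken from the snippet in the thread
    print("concurrent:", apply_concurrently(roles))  # one role is lost
    print("in order:  ", apply_in_order(roles))      # both roles survive
```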
Hi @dcaponi
I thought the same about a race condition. We will have a look at the solutions. However, the dependency is difficult since we use Terraform for_each to iterate over the role_ids and apply them very dynamically. Using the roles_resource is likewise difficult since we do not manage this role in Terraform so far but manually through the UI.
Could there be any other solutions on the provider side to mitigate the issue?
New version of the SDK released
Hi
When we use the onelogin_app_role_attachment we get random creation errors like the error below. If we execute it again one second later it works without a problem.
If necessary we can also run a terraform apply with DEBUG and provide you the output.