onelogin / terraform-provider-onelogin

GNU General Public License v3.0

onelogin_app_role_attachments sporadically fails #30

Closed tkallenberg-tw closed 1 year ago

tkallenberg-tw commented 3 years ago

Hi

When we use the onelogin_app_role_attachment we get random creation errors like the error below. If we execute it again one second later it works without a problem.

module.onelogin_roles.module.onelogin_app["390865"].onelogin_app_role_attachments.app_role["xxx"]: Creating...
module.onelogin_roles.module.onelogin_app["390864"].onelogin_app_role_attachments.app_role["xxx"]: Creating...
module.onelogin_roles.module.onelogin_app["390864"].onelogin_app_role_attachments.app_role["yyy"]: Creating...
module.onelogin_roles.module.onelogin_app["390866"].onelogin_app_role_attachments.app_role["yyy"]: Creating...
module.onelogin_roles.module.onelogin_app["390866"].onelogin_app_role_attachments.app_role["yyy"]: Creating...
module.onelogin_roles.module.onelogin_app["390865"].onelogin_app_role_attachments.app_role["yyy"]: Creating...
module.onelogin_roles.module.onelogin_app["390865"].onelogin_app_role_attachments.app_role["yyy"]: Creation complete after 1s [id=aaaa]
module.onelogin_roles.module.onelogin_app["390866"].onelogin_app_role_attachments.app_role["xxx"]: Creation complete after 1s [id=bbb]
module.onelogin_roles.module.onelogin_app["390864"].onelogin_app_role_attachments.app_role["xxx"]: Creation complete after 2s [id=ccc]

Error: App 1234 does not have role 44444
  on ../../modules/onelogin_role_attachment/role_attachment.tf line 1, in resource "onelogin_app_role_attachments" "app_role":
   1: resource "onelogin_app_role_attachments" "app_role" {

Error: App 4321 does not have role 44444
  on ../../modules/onelogin_role_attachment/role_attachment.tf line 1, in resource "onelogin_app_role_attachments" "app_role":

   1: resource "onelogin_app_role_attachments" "app_role" {

Error: App 6789 does not have role 5555
  on ../../modules/onelogin_role_attachment/role_attachment.tf line 1, in resource "onelogin_app_role_attachments" "app_role":

   1: resource "onelogin_app_role_attachments" "app_role" {

If necessary we can also run a terraform apply with DEBUG and provide you the output.

dcaponi commented 3 years ago

This sounds like a race condition. What I'm noticing is both app_role_attachment calls are asking for the newly created app at the same time (so both think there are no role_ids except the one it's about to attach). I also see AWS having similar issues with aws_iam_role_policy_attachment so this is a widespread thing for Terraform it seems. A workaround for this would be to apply the attachments in order:

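# Applied first.
resource "onelogin_app_role_attachments" "first" {
    app_id = 1234
    role_id = 44444
}

# Waits for "first", so the two attachments are not applied at the same time.
resource "onelogin_app_role_attachments" "second" {
    app_id = 4321
    role_id = 5555
    depends_on = [onelogin_app_role_attachments.first]
}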

If you want I can also expose the role_ids field on the app object and you can directly add roles there if you're not a fan of the attachments way.

You may want to consider using the roles_resource for defining app/role relationships.

tkallenberg-tw commented 3 years ago

Hi @dcaponi

I thought the same about a race condition. We will have a look at the solutions. However, the dependency is difficult since we use Terraform for_each to iterate over the role_ids and apply them very dynamically. Using the roles_resource is likewise difficult since we do not manage this role in Terraform so far but manually through the UI.

Could there be any other solutions on the provider side to mitigate the issue?
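Added example, not part of the thread and not the provider's own code: a Go sketch of the lost update described above (concurrent attachments each read the app's role list, then write it back) and of one assumed provider-side mitigation, a mutex held per app ID around the read-modify-write. The in-memory `sync.Map` stands in for the OneLogin API, and the app and role IDs are constructed.

```go
package main

import (
	"fmt"
	"sync"
)

// roleIDs reads an app's role list from a constructed in-memory stand-in for
// the API, where attaching means: read the list, append, write the list back.
func roleIDs(api *sync.Map, app int) []int {
	v, _ := api.Load(app)
	ids, _ := v.([]int)
	return ids
}

// attach is that read-modify-write; lock == nil leaves it unserialized.
func attach(api *sync.Map, lock *sync.Mutex, app, role int, between func()) {
	if lock != nil {
		lock.Lock()
		defer lock.Unlock()
	}
	current := roleIDs(api, app)
	between() // window in which another attachment reads the same list
	api.Store(app, append(current, role))
}

// run attaches roles to one app concurrently and returns how many survive.
func run(serialize bool, app int, roles []int) int {
	api := &sync.Map{}
	var ready, done sync.WaitGroup
	ready.Add(len(roles))
	// Unserialized: force the worst case, every caller reads before any writes.
	lock, between := (*sync.Mutex)(nil), func() { ready.Done(); ready.Wait() }
	if serialize {
		lock, between = &sync.Mutex{}, func() {} // assumed mutex for this app ID
	}
	for _, r := range roles {
		done.Add(1)
		go func(r int) { defer done.Done(); attach(api, lock, app, r, between) }(r)
	}
	done.Wait()
	return len(roleIDs(api, app))
}

func main() {
	roles := []int{44444, 5555, 6666} // constructed IDs
	fmt.Println("unserialized:", run(false, 1234, roles))
	fmt.Println("serialized:  ", run(true, 1234, roles))
}
```

Without the lock only the last write survives, so one role remains attached out of three; with the lock held across the read and the write, all three are kept.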

Jmfwolf commented 1 year ago

New version of the SDK released