vmware / terraform-provider-avi

Terraform AVI Networks provider
https://registry.terraform.io/providers/vmware/avi/
Mozilla Public License 2.0

Resources should allow for configurable timeouts #605

Open jakauppila opened 3 months ago

jakauppila commented 3 months ago

Describe the bug

We are attempting to leverage the avi_sslkeyandcertificate resource to issue certificates via the Let's Encrypt with Infoblox control script, and since that requires time to allow for DNS propagation before validation, we currently have a 60-second sleep injected into the script.

Due to this, when we attempt to create a certificate with that Certificate Management Profile, we're hitting the default API timeout so the POST is failing.

Reproduction steps

  1. Leverage a Certificate Management Profile that targets a control script that has a sleep over the default API timeout
  2. Attempt to create a certificate with that profile

```hcl
data "avi_certificatemanagementprofile" "profile" {
  name = "LetsEncrypt-Infoblox"
}

resource "avi_sslkeyandcertificate" "foo" {
  name = "terraform-example-foo"
  type = "SSL_CERTIFICATE_TYPE_VIRTUALSERVICE"
  certificate {
    self_signed = false
    subject {
      common_name = "letsencryptautomationtest.contoso.com"
      organization = "MYORG"
      organization_unit = "OU"
      locality = "TOWN"
      state = "STATE"
      country = "US"
    }
  }
  key_params {
    algorithm = "SSL_KEY_ALGORITHM_RSA"
    rsa_params {
      key_size = "SSL_KEY_2048_BITS"
    }
  }
  certificate_management_profile_ref = data.avi_certificatemanagementprofile.profile.id
}
```

  3. The POST times out and it attempts to re-POST the API call
```
2024-08-06T23:27:28.873-0500 [INFO]  provider.terraform-provider-avi_v30.2.1.exe: 2024/08/06 23:27:28 [INFO] APICreateOrUpdate: Creating obj sslkeyandcertificate schema &{map[ca_certs:0xc0007a8c80 certificate:0xc0007ac3c0 certificate_base64:0xc0007ac500 certificate_management_profile_ref:0xc0007ac640 configpb_attributes:0xc0007ac8c0 created_by:0xc0007aca00 dynamic_params:0xc0007ad040 enable_ocsp_stapling:0xc0007ad180 enckey_base64:0xc0007ad2c0 enckey_name:0xc0007ad400 format:0xc0007ad540 hardwaresecuritymodulegroup_ref:0xc0007ad680 import_key_to_hsm:0xc0007ad7c0 is_federated:0xc0007ad900 key:0xc0007ada40 key_base64:0xc0007adb80 key_params:0xc0007b0500 key_passphrase:0xc0007b0640 markers:0xc0007b0b40 name:0xc0007b0c80 ocsp_config:0xc0007b1680 ocsp_error_status:0xc0007b17c0 ocsp_responder_url_list_from_certs:0xc0007b1a40 ocsp_response_info:0xc0007b2500 status:0xc0007b2640 tenant_ref:0xc0007b2780 type:0xc0007b28c0 uuid:0xc0007b2a00] <nil> 0xc0011731e0 0xc000c6e980 map[] 0xc000b9a5d0 {{{{} map[]}} <nil>} 0xc000091800 0xc000bac0c0 0xc000b91ba0 false {{{} 1} {0 0}} true false} data map[certificate:map[days_until_expire:365 expiry_status:SSL_CERTIFICATE_GOOD self_signed:false subject:map[common_name:letsencryptautomationtest.contoso.com country:US locality:TOWN organization:MYORG_unit:OU state:STATE]] certificate_base64:false certificate_management_profile_ref:certificatemanagementprofile-34187dbb-bc44-4386-9196-a3a9c01a7266 enable_ocsp_stapling:false format:SSL_PEM import_key_to_hsm:false is_federated:false key_base64:false key_params:map[algorithm:SSL_KEY_ALGORITHM_RSA rsa_params:map[exponent:65537 key_size:SSL_KEY_2048_BITS]] name:terraform-example-foo status:SSL_CERTIFICATE_FINISHED type:SSL_CERTIFICATE_TYPE_VIRTUALSERVICE]: timestamp=2024-08-06T23:27:28.873-0500
avi_sslkeyandcertificate.foo: Still creating... [10s elapsed]
avi_sslkeyandcertificate.foo: Still creating... [20s elapsed]
avi_sslkeyandcertificate.foo: Still creating... [30s elapsed]
avi_sslkeyandcertificate.foo: Still creating... [40s elapsed]
avi_sslkeyandcertificate.foo: Still creating... [50s elapsed]
avi_sslkeyandcertificate.foo: Still creating... [1m0s elapsed]
2024-08-06T23:28:29.421-0500 [WARN]  unexpected data: registry.terraform.io/vmware/avi:stderr="E0806 23:28:29.420993   40576 avisession.go:829] Client error for URI: api/sslkeyandcertificate. Error: Post \"https://fit-d-vmavlb-01.sentry.com/api/sslkeyandcertificate\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)"
2024-08-06T23:28:29.422-0500 [WARN]  unexpected data: registry.terraform.io/vmware/avi:stderr="E0806 23:28:29.420993   40576 avisession.go:832] Error while dumping request. Still retrying."
2024-08-06T23:28:29.422-0500 [WARN]  unexpected data: registry.terraform.io/vmware/avi:stderr="E0806 23:28:29.420993   40576 avisession.go:1173] http: ContentLength=787 with Body length 0"
avi_sslkeyandcertificate.foo: Still creating... [1m10s elapsed]
avi_sslkeyandcertificate.foo: Still creating... [1m20s elapsed]
Stopping operation...

Interrupt received.
Please wait for Terraform to exit or data loss may occur.
Gracefully shutting down...
```

Expected behavior

Unless there's a way for the provider to kick off the request to create the certificate asynchronously and then poll for completion, then the API timeouts should be able to be configurable per TF resource (with sensible defaults for each).

Additional context

I would note that all of the resource documentation lists a timeout block with values that are not respected (I'd assume a copy/paste from another provider).

https://github.com/vmware/terraform-provider-avi/blob/c0466352981468a776b762afa7fc446f8c949cf8/website/docs/r/avi_sslkeyandcertificate.html.markdown?plain=1#L59-L65

I did see that there is an undocumented provider configuration of avi_api_timeout to change the default timeout, but I wouldn't want to increase that unnecessarily for all requests, just the ones that I know are going to take longer.

https://github.com/vmware/terraform-provider-avi/blob/c0466352981468a776b762afa7fc446f8c949cf8/avi/provider.go#L342-L344

I'll just toss this here, I had added configurable timeouts to a resource in the AWS provider a couple years back:

https://github.com/hashicorp/terraform-provider-aws/pull/20560/files
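
The per-object deadline requested in this issue, sketched with Go's standard library as an added example (not part of the original issue and not the provider's code): each call carries its own context deadline in place of one client-wide timeout, so only the slow certificate request waits longer. `Timeouts`, `Create`, `SlowController`, the `pool` object used for contrast, and the scaled-down durations are assumptions for illustration.

```go
package main

import (
	"bytes"
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Timeouts maps an object type to its create deadline; "default" covers the rest (hypothetical type).
type Timeouts map[string]time.Duration

// Create POSTs under obj's own deadline; the client sets no Client.Timeout to cut it short.
func Create(c *http.Client, base, obj string, body []byte, t Timeouts) (int, error) {
	d, ok := t[obj]
	if !ok {
		d = t["default"]
	}
	ctx, cancel := context.WithTimeout(context.Background(), d)
	defer cancel()
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, base+"/api/"+obj, bytes.NewReader(body))
	if err != nil {
		return 0, err
	}
	resp, err := c.Do(req)
	if err != nil {
		return 0, err // errors.Is(err, context.DeadlineExceeded) when the deadline passed
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// SlowController is a constructed stand-in for a controller that answers after delay.
func SlowController(delay time.Duration) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		time.Sleep(delay)
		w.WriteHeader(http.StatusCreated)
	}))
}

func main() {
	srv := SlowController(300 * time.Millisecond) // durations scaled down from the issue's 60 s sleep
	defer srv.Close()
	t := Timeouts{"default": 50 * time.Millisecond, "sslkeyandcertificate": 5 * time.Second}
	_, err := Create(srv.Client(), srv.URL, "pool", []byte(`{}`), t)
	code, _ := Create(srv.Client(), srv.URL, "sslkeyandcertificate", []byte(`{}`), t)
	fmt.Println("pool failed:", err != nil, "certificate status:", code)
}
```

Because the body reader is built inside `Create`, calling it again after a failure sends the full body rather than an already-consumed one.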