wallix / terraform-provider-wallix-bastion

Terraform provider for Wallix bastion
https://www.wallix.com/privileged-access-management/
Mozilla Public License 2.0

[ BUG ] - Terraform apply failed with error Wallix resource "already exists" for the newly creating resource #34

Open adminraj opened 2 months ago

adminraj commented 2 months ago

**Describe the bug**

  1. The Terraform Wallix provider version currently used is version 0.12.2. The Terraform version used is v1.8.4.

  2. The Terraform Apply stage failed with the error Wallix resource "already exists" even though the resource is being created for the first time. This issue occurs for 1 out of 10 TF Apply runs.

  3. We observed the TF Apply actually creating the resource in Wallix side (using Wallix API), but not updating the creation status in the Terraform State file and immediately failing with the error "Resource already exist" (during the same Terraform apply execution).

  4. The following Terraform PLAN and APPLY result may explain this issue more clearly. TF PLAN result:

    ```
      # wallix-bastion_authorization.auth-rdp[0] will be created
      + resource "wallix-bastion_authorization" "auth-rdp" {
          + active_quorum      = -1
          + authorization_name = "auth-gcp-XXXXX-YYY-ope-rdp"
          + authorize_sessions = true
          + id                 = (known after apply)
          + inactive_quorum    = -1
          + is_recorded        = true
          + subprotocols       = [
              + "RDP",
              + "RDP_CLIPBOARD_DOWN",
              + "RDP_CLIPBOARD_FILE",
              + "RDP_CLIPBOARD_UP",
            ]
          + target_group       = "gcp-XXXXX-YYY-ope-rdp"
          + user_group         = "gcp-XXXXX-YYY-ope-rdp"
        }
    ```

    TF Apply result:

    ```
    │ Error: authorization_name auth-gcp-XXXXX-YYY-ope-rdp already exists
    │
    │   with wallix-bastion_authorization.auth-rdp[0],
    │   on tbr.tf line 691, in resource "wallix-bastion_authorization" "auth-rdp":
    │  691: resource "wallix-bastion_authorization" "auth-rdp" {
    ```

  5. Note: This issue occurs for different Wallix Terraform resource blocks and not always for the same type of Wallix resource.

  6. Currently, we are performing Terraform Import whenever we get this issue to update the Terraform State file.

**Expected behavior**

During Terraform Apply for the new Wallix resource creation, the Wallix resource creation and the Terraform State update must be completed successfully without getting the error resource "already exists".

bsimonWallix commented 2 months ago

Is this issue happening while passing a list of authorizations that changed in its order? Have you tried to use modules to handle lists?

adminraj commented 2 months ago

Thanks for the response. This issue happens randomly in different Wallix TF resource blocks and not always in the same resource block. Please review the details below and let me know if you need further details to analyse this issue.

The authentication is performed using a Wallix token in the provider block as mentioned below.

```hcl
provider "wallix-bastion" {
  alias       = "wallixb"
  ip          = var.wallix_api_host
  token       = var.wallix_token
  api_version = "v3.3"
}
```

We are not using modules and are currently using Wallix TF resource blocks directly. The Wallix resource blocks are configured in the following order, with depends_on (wherever applicable, to perform the execution in order, just to be on the safe side) and the "provider" parameter explicitly mentioned in every resource block.

  1. wallix-bastion_usergroup
  2. wallix-bastion_ldapmapping (This block has depends_on = [wallix-bastion_usergroup.xxxxx])
  3. wallix-bastion_device (This block has depends_on = [google_compute_instance.xxxxx] to ensure the VM is created before device configuration in wallix side).
  4. wallix-bastion_device_localdomain (This block has depends_on = [google_compute_instance.xxxxx])
  5. wallix-bastion_device_service (This block has depends_on = [wallix-bastion_device_localdomain.xxxx])
  6. wallix-bastion_device_localdomain_account (This block has depends_on = [wallix-bastion_device_service.xxxx])
  7. wallix-bastion_device_localdomain_account_credential (This block has depends_on = [wallix-bastion_device_service.xxxx])
  8. wallix-bastion_targetgroup (This block has depends_on = [wallix-bastion_device_localdomain_account.xxxx])
  9. wallix-bastion_authorization (This block has depends_on = [wallix-bastion_usergroup.xxxx, wallix-bastion_targetgroup.xxxx])

FYI - As mentioned earlier, our Wallix Server is still v8 and we are migrating to v9/v10 shortly.

bsimonWallix commented 2 months ago

For migration, you may want to migrate to v12 directly. Really good improvements. If you have to choose between v9 or v10, the latest handles API calls much better.

I can see a lot of declarative depends_on; I had a lot of issues using them in the past, with behaviour like you present.

Try to use modules instead and proper dependencies resources.

You may also want to try generating a dependency graph to visualize the change. I imagine you may have a value that changes its order in the list and leads to this.

Without the code it's going to be very difficult to investigate.
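
An illustration of the implicit-dependency approach suggested in this thread, added here as an example; it is not code from the issue, from adminraj's configuration or from the provider. It chains usergroup, targetgroup and authorization through attribute references instead of declarative depends_on, and keys the resources with for_each instead of count so that reordering a list does not change resource addresses (the plan above shows `auth-rdp[0]`, i.e. count indexing). The authorization attributes and the provider block come from the thread; `group_name` on `wallix-bastion_usergroup` and `wallix-bastion_targetgroup`, `timeframes` on the usergroup, and the variable names are assumptions about the provider schema and should be checked against the provider documentation.

```hcl
# Added example, not code from the issue or the provider.
# Attributes marked "assumed" are assumptions about the provider schema.

variable "wallix_api_host" { type = string }
variable "wallix_token"    { type = string, sensitive = true }

# Constructed sample: one scope per RDP authorization to manage.
variable "rdp_scopes" {
  type    = set(string)
  default = ["gcp-XXXXX-YYY-ope-rdp"]
}

provider "wallix-bastion" {
  alias       = "wallixb"
  ip          = var.wallix_api_host
  token       = var.wallix_token
  api_version = "v3.3"
}

resource "wallix-bastion_usergroup" "rdp" {
  provider   = wallix-bastion.wallixb
  for_each   = var.rdp_scopes
  group_name = each.value        # assumed attribute name
  timeframes = ["allthetime"]    # assumed attribute name
}

resource "wallix-bastion_targetgroup" "rdp" {
  provider   = wallix-bastion.wallixb
  for_each   = var.rdp_scopes
  group_name = each.value        # assumed attribute name
}

resource "wallix-bastion_authorization" "rdp" {
  provider = wallix-bastion.wallixb
  for_each = var.rdp_scopes

  authorization_name = "auth-${each.value}"

  # Referencing the other resources' attributes, rather than repeating the
  # literal name, is what puts the edges in the dependency graph: Terraform
  # creates the usergroup and targetgroup before this authorization with no
  # depends_on needed.
  user_group   = wallix-bastion_usergroup.rdp[each.key].group_name
  target_group = wallix-bastion_targetgroup.rdp[each.key].group_name

  authorize_sessions = true
  is_recorded        = true
  active_quorum      = -1
  inactive_quorum    = -1
  subprotocols = [
    "RDP",
    "RDP_CLIPBOARD_DOWN",
    "RDP_CLIPBOARD_FILE",
    "RDP_CLIPBOARD_UP",
  ]
}
```

Because the addresses are keyed by name (`wallix-bastion_authorization.rdp["gcp-XXXXX-YYY-ope-rdp"]`), adding or removing a scope only touches that scope's resources; with count, removing the first list element would instead rename every following instance. The same three resources can be moved into a module called with `for_each` over the scope set without changing the references. To see the resulting ordering before applying, `terraform graph` prints the dependency graph in DOT format (for example `terraform graph | dot -Tsvg > graph.svg`).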

adminraj commented 2 months ago

Thanks for your feedback and suggestion.

Do we have any official Terraform Wallix Module? or you are advising us to create the Wallix TF modules? Please confirm.

I will share our existing Terraform Wallix code for your analysis and feedback asap.

bsimonWallix commented 2 months ago

We don't have modules yet.

You should create them depending on your needs.

You can share your code here if there is nothing sensitive in it. If you are unsure, provide it by creating a support ticket on our support portal.

Best regards,

adminraj commented 2 months ago

Thanks for your response. I will share our code after removing the sensitive items. I will check the possibility of sharing the code through the support portal. Will keep you updated.

adminraj commented 1 month ago

Hello @bsimon-wallix - Sorry for the delay. Is it possible to share our code privately to you for your review and feedback? Please advise.

bsimonWallix commented 3 weeks ago

Yes it is possible. Sorry for the delay, I was on leave. You can create a support request on our support portal and ask it to be forwarded to bsimon.