terraform-provider-grafana icon indicating copy to clipboard operation
terraform-provider-grafana copied to clipboard

Published 20 hours ago verified publisher icon grafana

Grafana_folder resource creation fails

Open entwouanne opened this issue 3 years ago • 5 comments

Terraform Version

  • Terraform: 1.2.1
  • Terraform Grafana Provider: 1.21.1

Affected Resource(s)

  • grafana_folder

Terraform Configuration Files

resource "grafana_folder" "chronos_web_folder" {
  title = "Chronos_web"
}

resource "grafana_folder" "data_folder" {
  title = "Data"
}

resource "grafana_folder" "common_folder" {
  title = "Common"
}

Debug Output

First apply:

│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to grafana_folder.common_folder, provider "provider[\"registry.terraform.io/grafana/grafana\"]" produced an unexpected
│ new value: Root resource was present, but now absent.
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

The second apply:

grafana_team.team["admin"]: Modifications complete after 0s [id=6]
╷
│ Error: status: 409, body: {"message":"a folder or dashboard in the general folder with the same name already exists"}
│ 
│   with grafana_folder.chronos_web_folder,
│   on grafana_folder.tf line 1, in resource "grafana_folder" "chronos_web_folder":
│    1: resource "grafana_folder" "chronos_web_folder" {
│ 
╵
╷
│ Error: status: 409, body: {"message":"a folder or dashboard in the general folder with the same name already exists"}
│ 
│   with grafana_folder.data_folder,
│   on grafana_folder.tf line 5, in resource "grafana_folder" "data_folder":
│    5: resource "grafana_folder" "data_folder" {
│ 
╵
╷
│ Error: status: 409, body: {"message":"a folder or dashboard in the general folder with the same name already exists"}
│ 
│   with grafana_folder.common_folder,
│   on grafana_folder.tf line 9, in resource "grafana_folder" "common_folder":
│    9: resource "grafana_folder" "common_folder" {
│

Panic Output

If Terraform produced a panic, please provide a link to a GitHub Gist containing the output of the crash.log.

Actual Behavior

The folders are created but we have this error

Steps to Reproduce

  1. terraform apply

entwouanne avatar Jun 14 '22 13:06 entwouanne

Hi @entwouanne, thanks for reporting this. I couldn't reproduce it locally, so I wanted to ask if you could upload the output of executing the apply command with logs enabled:

env TF_LOG=true terraform apply | tee output.log

Then upload the output.log file. Thanks!

inkel avatar Jun 14 '22 13:06 inkel

output.log There is not the apply of the grafana_folder_permission resource

entwouanne avatar Jun 15 '22 07:06 entwouanne

This issue is also present when using provider v1.24.0 and Terraform v1.2.2. It also appeared to us that the resulting folders were only viewable for admin, which was unexpected. We are on Grafana v9.0.0.

ddemierre avatar Jun 15 '22 15:06 ddemierre

Also seeing this (the same first apply and second apply errors). Version information: Grafana v9.0.2 Grafana Terraform Provider v1.24.0 Terraform v1.0.11

I checked and this happens when providing a folder uid and not providing a folder uid. I did some digging and found this similar issue that @julienduchesne fixed awhile back https://github.com/grafana/terraform-provider-grafana/issues/463. Here is a debug level output with some information stripped from it and it mentions the folder not existing. However, if I go to https://thehost/api/search?type=dash-folder I get this output which shows the folder referenced in the terraform trace is present in the API response. I noticed a similar response on https://thehost/api/folders.

Does Grafana do any sort of caching at the db or api level?

kenanwarren avatar Jul 07 '22 22:07 kenanwarren

Did some more digging this morning. If I try to create a dashboard with my current api token (editor level) it fails with status: 403, body: {"message":"Access denied to this dashboard"}. If I go and look at the console the dashboard is created but can only be viewed by admins. I verified if I bump my token to admin terraform completes successfully but the dashboard defaults to only be viewable by admins.

So my current workaround is bump my token privileges and add the following terraform to either my folders or dashboards respectively:

resource "grafana_folder_permission" "perms" {
  folder_uid = grafana_folder.test_folder.uid
  permissions {
    role       = "Editor"
    permission = "View"
  }

  permissions {
    role       = "Viewer"
    permission = "View"
  }
}

resource "grafana_dashboard_permission" "perms" {
  dashboard_id = grafana_dashboard.test_dashboard.dashboard_id

  permissions {
    role       = "Viewer"
    permission = "View"
  }

  permissions {
    role       = "Editor"
    permission = "View"
  }
}

The editor level api token issue seems like a bug, but permissions wise maybe the defaults changed?

kenanwarren avatar Jul 08 '22 14:07 kenanwarren

Hi! I've created a fix that I think should resolve this problem: https://github.com/grafana/grafana/pull/59101

It will be released with Grafana 9.3.0 and Grafana 9.2.7.

Let me know if it doesn't fix the issue for you and I'll take another look at this.

Some background on the problem:

My theory is that this issue is caused by permission caching on Grafana's side. When a new resource (ie, a folder or a team) is created, Grafana automatically sets up a bunch of permissions to access this resource. However, permissions are cached, so if a request to read the new resource is sent right after resource creation, the cached permissions will be used and the new permissions will be ignored.

The fix clears permission cache for resource creator, so their updated permissions will be used for their next request.

IevaVasiljeva avatar Nov 24 '22 17:11 IevaVasiljeva