terraform-provider-launchdarkly

launchdarkly_team_role_mapping Team not found error

Open joe-hutchinson-cko opened this issue 2 years ago • 7 comments

Appears like the newly implemented launchdarkly_team_role_mapping resource can sometimes error when referencing a team that is being created as part of the same Terraform apply operation.

The provider should handle team not found type errors with retries.

joe-hutchinson-cko • Aug 29 '23 13:08

Hey @joe-hutchinson-cko, can you share what your config looks like (specifically the team_key)? I ask because it sounds like you may need to take advantage of the depends_on meta-argument. Depending on how your module is structured, Terraform might not be able to identify that the team_role_mapping resource has a dependency on another resource.

In general we try to avoid retrying 404s because they are a good indication that the underlying resource has been deleted. However, if things are still not working after using a depends_on then we may need to consider adding a few retries.

ldhenry • Aug 29 '23 16:08

Hey Henry, sorry should have added some code to this to start with.

resource "okta_group" "writers" {
  name        = "App.LaunchDarkly.${local.name}.writers"
  description = "LaunchDarkly project team ${local.name}"
}

resource "launchdarkly_custom_role" "writers" {
  key         = "${local.name}-writers-role"
  name        = "${local.name} Writers Role"
  description = "Role for ${local.name} project created by Terraform"

  policy_statements {
    effect    = "allow"
    resources = ["proj/${var.project_key}:env/*:flag/*"]
    actions = [
      "applyApprovalRequest",
      "attachReleasePipeline",
      "cloneFlag",
      "copyFlagConfigFrom",
      "copyFlagConfigTo",
      "createApprovalRequest",
      "createFlag",
      "createFlagLink",
      "createTriggers",
      "deleteApprovalRequest",
      "deleteFlag",
      "deleteFlagLink",
      "deleteTriggers",
      "detachReleasePipeline",
      "manageFlagFollowers",
      "updateApprovalRequest",
      "updateAttachedGoals",
      "updateClientSideFlagAvailability",
      "updateDescription",
      "updateExpiringRules",
      "updateExpiringTargets",
      "updateFallthrough",
      "updateFeatureWorkflows",
      "updateFlagCodeReferences",
      "updateFlagCustomProperties",
      "updateFlagDefaultVariations",
      "updateFlagLink",
      "updateFlagRuleDescription",
      "updateFlagSalt",
      "updateFlagVariations",
      "updateGlobalArchived",
      "updateIncludeInSnippet",
      "updateMaintainer",
      "updateName",
      "updateOffVariation",
      "updateOn",
      "updatePrerequisites",
      "updateReleasePhaseCompleted",
      "updateRules",
      "updateScheduledChanges",
      "updateTags",
      "updateTargets",
      "updateTemporary",
      "updateTriggers"
    ]
  }

  policy_statements {
    effect    = "allow"
    resources = ["proj/*"]
    actions   = ["viewProject"]
  }
}

resource "launchdarkly_team_role_mapping" "writers" {
  team_key         = lower(okta_group.writers.name)
  custom_role_keys = [launchdarkly_custom_role.writers.key]
}

The above is all defined in a single module. As I'm referencing outputs of each resource in the creation of the next, that would allow TF to infer the correct order of creation. Happy to try adding depends_on but I'm thinking this is unlikely to resolve this one.

joe-hutchinson-cko • Aug 30 '23 15:08

Thanks for sharing. Given that you are using the output from the okta_group resource it sounds like the issue is a propagation delay between when the Okta group gets created and when the LaunchDarkly team gets created. I agree that depends_on likely won't solve the issue in this case and I'll work on getting a fix in place.

Just to confirm, are you seeing these only during the creation of a new team or are they also happening when updating an existing team?

ldhenry • Aug 30 '23 15:08

So far just when creating a new team. It appears to be happening consistently.

joe-hutchinson-cko • Sep 18 '23 15:09

Hi Henry, made any progress?

Bit more detail: this is definitely occurring when you Terraform the team at the same time as trying to link it to the role. Error received is:

Unable to create the team/role mapping because the team
 <team name> does not exist.

I can put an arbitrary delay in creating the role mapping but it's a bit of a hack, better solution is for LD API or provider to handle this gracefully.

joe-hutchinson-cko • Sep 21 '23 16:09

Hey @joe-hutchinson-cko,

We're pretty heads down on new feature work but I'll try to get someone to pick it up next week. Sorry for the delay on this.

Thanks, Henry

ldhenry • Sep 21 '23 16:09

Hey @joe-hutchinson-cko,

We just released v2.15.2 of the Terraform provider. This release includes 404 retries for the launchdarkly_team_role_mapping resource. Currently there is a hard-coded maximum of 12 retries, which should buy you about 20s from when the team is created via Okta and when it appears in LaunchDarkly. If that is not enough we can look into making the max retry count configurable.

Cheers, Henry

ldhenry • Sep 26 '23 17:09
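
The bounded 404 retry discussed in this thread, sketched as an added example that is not the provider's own code: `APIError`, `RetryOnNotFound` and `CappedBackoff` are hypothetical names, and the backoff schedule is an assumption chosen so that 12 waits total 19.75s. Only a 404 is retried, so authorization failures and other errors on the role mapping still surface on the first call.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"time"
)

// APIError is a hypothetical error type carrying the HTTP status of a failed API call.
type APIError struct{ Status int }
func (e *APIError) Error() string { return fmt.Sprintf("HTTP %d", e.Status) }

const maxRetries = 12 // the hard-coded limit mentioned in the thread

// RetryOnNotFound calls op until it succeeds, fails with anything other than a 404,
// or has been retried maxRetries times. It returns the number of calls made.
func RetryOnNotFound(op func() error, wait func(int) time.Duration, sleep func(time.Duration)) (int, error) {
	for attempt := 0; ; attempt++ {
		err := op()
		var apiErr *APIError
		if err == nil || !errors.As(err, &apiErr) || apiErr.Status != http.StatusNotFound {
			return attempt + 1, err // success, or an error that must not be masked
		}
		if attempt == maxRetries {
			return attempt + 1, fmt.Errorf("team still not found after %d retries: %w", maxRetries, err)
		}
		sleep(wait(attempt))
	}
}

// CappedBackoff is an assumed schedule (not the provider's): 250ms doubling, capped at 2s.
func CappedBackoff(attempt int) time.Duration {
	if d := 250 * time.Millisecond << uint(attempt); d < 2*time.Second {
		return d
	}
	return 2 * time.Second
}

func main() {
	calls := 0 // constructed stub: the team becomes visible on the 4th call
	op := func() error {
		if calls++; calls < 4 {
			return &APIError{Status: http.StatusNotFound}
		}
		return nil
	}
	fmt.Println(RetryOnNotFound(op, CappedBackoff, func(time.Duration) {})) // sleep is a no-op here
}
```

Passing `time.Sleep` as the last argument gives the real delays; the injected `sleep` exists so the loop can be exercised without waiting.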