
[Bug]: PrivatelinkEndpointServiceServerless is recreated again in CDKTF when it's already provisioned

Open andylim0221 opened this issue 3 months ago • 1 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Provider Version

v1.15.0

Terraform Version

v1.7.0

Terraform Edition

Terraform Cloud

Current Behavior

At first, I deployed PrivatelinkEndpoint and PrivatelinkEndpointServiceServerless via CDKTF. Then I applied some changes to resources other than PrivatelinkEndpointServiceServerless. When I ran CDKTF deploy, it yielded the following error:

```text
Error: error adding MongoDB Serverless PrivateLink Endpoint Connection(65e78dc712946a729ac815a9): PATCH https://cloud.mongodb.com/api/atlas/v1.0/groups/<GROUP_ID>/privateEndpoint/serverless/instance/<COMPANY>/endpoint/65e78dc712946a729ac815a9: 400 (request "TENANT_PRIVATE_ENDPOINT_PROVIDER_UPDATE_INVALID") The private endpoint can not be updated in its current state AVAILABLE.
│
│   with mongodbatlas_privatelink_endpoint_service_serverless.serverless (serverless),
│   on cdk.tf.json line 341, in resource.mongodbatlas_privatelink_endpoint_service_serverless.serverless (serverless):
│  341:       }
│
```

It seems like CDKTF does not catch that the PrivatelinkEndpointServiceServerless is already created.

Terraform configuration to reproduce the issue

```python
# Excerpt from inside a CDKTF stack class (`self` is the stack). project,
# db_cluster, vpc, eks, cluster_id, get_service_id and private_subnet_enabled
# are defined elsewhere in the stack and are not shown here.
from cdktf import Token
from cdktf_cdktf_provider_aws.vpc_endpoint import VpcEndpoint
from cdktf_cdktf_provider_mongodbatlas.privatelink_endpoint_serverless import (
    PrivatelinkEndpointServerless,
)
from cdktf_cdktf_provider_mongodbatlas.privatelink_endpoint_service_serverless import (
    PrivatelinkEndpointServiceServerless,
)
# SecurityGroup is the CDKTF binding generated for the terraform-aws-modules
# security-group module (hence the *_output attributes); its import path lives
# in the generated `imports` package of the stack and is not shown here.

# Setup VPC PrivateLink: the Atlas side of the serverless private endpoint
pl_endpoint_serverless = PrivatelinkEndpointServerless(
    self,
    "ple-serverless",
    project_id=Token().as_string(project.id),
    provider_name="AWS",
    instance_name=Token().as_string(db_cluster.name),
)

# Security Group for the Private Endpoint: allow TCP from the EKS node SG
security_group = SecurityGroup(
    self,
    "sg",
    name=get_service_id(cluster_id=cluster_id, service="sg"),
    description="Security Group for Private Endpoint",
    vpc_id=Token().as_string(vpc.vpc_id_output),
    ingress_with_source_security_group_id=[
        {
            "rule": "all-tcp",
            "source_security_group_id": Token().as_string(
                eks.node_security_group_id_output
            ),
        }
    ],
)

# AWS interface endpoint pointing at the Atlas endpoint service
vpc_endpoint = VpcEndpoint(
    self,
    "endpoint",
    service_name=Token().as_string(
        pl_endpoint_serverless.endpoint_service_name
    ),
    vpc_id=Token().as_string(vpc.vpc_id_output),
    vpc_endpoint_type="Interface",
    subnet_ids=Token().as_list(vpc.private_subnets_output)
    if private_subnet_enabled
    else Token().as_list(vpc.public_subnets_output),
    security_group_ids=[
        Token().as_string(
            security_group.security_group_id_output
        )
    ],
)

# Atlas-side connection that binds the AWS VPC endpoint to the Atlas endpoint
pl_endpoint_service_serverless = (
    PrivatelinkEndpointServiceServerless(
        self,
        "serverless",
        provider_name="AWS",
        project_id=Token().as_string(project.id),
        endpoint_id=Token().as_string(
            pl_endpoint_serverless.endpoint_id
        ),
        cloud_provider_endpoint_id=Token().as_string(
            vpc_endpoint.id
        ),
        instance_name=Token().as_string(db_cluster.name),
    )
)
```

Steps To Reproduce

  1. Run TF apply
  2. Update SG
  3. Run TF apply again

Logs

```text
Error: error adding MongoDB Serverless PrivateLink Endpoint Connection(65e78dc712946a729ac815a9): PATCH https://cloud.mongodb.com/api/atlas/v1.0/groups/<GROUP_ID>/privateEndpoint/serverless/instance/<COMPANY>/endpoint/65e78dc712946a729ac815a9: 400 (request "TENANT_PRIVATE_ENDPOINT_PROVIDER_UPDATE_INVALID") The private endpoint can not be updated in its current state AVAILABLE.
│
│   with mongodbatlas_privatelink_endpoint_service_serverless.serverless  (serverless),
│   on cdk.tf.json line 341, in resource.mongodbatlas_privatelink_endpoint_service_serverless.serverless (serverless):
│  341:       }
│
```

Code of Conduct

  • [X] I agree to follow this project's Code of Conduct

andylim0221 avatar Mar 12 '24 14:03 andylim0221

Thanks for opening this issue! Please make sure you've followed our guidelines when opening the issue. In short, to help us reproduce the issue we need:

  • Terraform configuration file used to reproduce the issue
  • Terraform log files from the run where the issue occurred
  • Terraform Atlas provider version used to reproduce the issue
  • Terraform version used to reproduce the issue
  • Confirmation if Terraform OSS, Terraform Cloud, or Terraform Enterprise deployment

The ticket CLOUDP-237302 was created for internal tracking.

github-actions[bot] avatar Mar 12 '24 14:03 github-actions[bot]

This issue has gone 7 days without any activity and meets the project’s definition of "stale". This will be auto-closed if there is no new activity over the next 7 days. If the issue is still relevant and active, you can simply comment with a "bump" to keep it open, or add the label "not_stale". Thanks for keeping our repository healthy!

github-actions[bot] avatar Mar 18 '24 00:03 github-actions[bot]

up

andylim0221 avatar Mar 18 '24 01:03 andylim0221

thanks @andylim0221 for opening the issue.

can you confirm that the issue only happens if you update the SG? If the SG is not changed and you apply again I suppose no changes happen and you don't get any error, is that correct?

"It seems like CDKTF does not catch that the PrivatelinkEndpointServiceServerless is already created." -> I think that it is catching it, as a PATCH is being used to update the existing resource (it would be a POST if it were trying to create the private link).

As SG is a dependency, when it is changed, an update is triggered for the private link, and it is failing because it is not in an expected state.

lantoli avatar Mar 22 '24 06:03 lantoli

Hi @lantoli,

No, this issue happens even when I'm not updating the SG. In my case, I have an EKS cluster, connected to MongoDB Atlas Serverless via PrivateLink. For example, when I removed a new node group from the EKS cluster, Terraform tried to patch the PrivateLink Endpoint Service Serverless:

```text
Error: error adding MongoDB Serverless PrivateLink Endpoint Connection(65e78dc712946a729ac815a9): PATCH https://cloud.mongodb.com/api/atlas/v1.0/groups/65e78d0f12946a729ac7e7ca/privateEndpoint/serverless/instance/<ORG_NAME>/endpoint/65e78dc712946a729ac815a9: 400 (request "TENANT_PRIVATE_ENDPOINT_PROVIDER_UPDATE_INVALID") The private endpoint can not be updated in its current state AVAILABLE.
with mongodbatlas_privatelink_endpoint_service_serverless.aihero-studio-dev-ples-serverless
on cdk.tf.json line 315, in resource.mongodbatlas_privatelink_endpoint_service_serverless.<ORG_NAME>-ples-serverless:
      }
```

andylim0221 avatar Mar 22 '24 06:03 andylim0221

So if you run it twice after the PL is created, without any change, will it fail the second time? Or does it fail only when there is some change between the runs?

lantoli avatar Mar 22 '24 08:03 lantoli

On the first run, the PL is created successfully, along with the other resources. Then I make some changes to resources other than the PL and SG and kick off Terraform Apply; now it fails and the error shows. And for each subsequent Terraform Apply, the same error keeps showing.

andylim0221 avatar Mar 22 '24 08:03 andylim0221

could you try to make a first run, and then do a second run without any change? thx

lantoli avatar Mar 22 '24 12:03 lantoli

The first run: [screenshot 2024-03-24 150833]

Second run without making any changes: [screenshot 2024-03-24 151539]

andylim0221 avatar Mar 24 '24 07:03 andylim0221

This issue has gone 7 days without any activity and meets the project’s definition of "stale". This will be auto-closed if there is no new activity over the next 7 days. If the issue is still relevant and active, you can simply comment with a "bump" to keep it open, or add the label "not_stale". Thanks for keeping our repository healthy!

github-actions[bot] avatar Mar 31 '24 00:03 github-actions[bot]

bump

andylim0221 avatar Apr 01 '24 05:04 andylim0221

Thanks @andylim0221 for the information provided. We have found the underlying reason for the issue. We will keep you posted when we have a fix.

oarbusi avatar Apr 05 '24 16:04 oarbusi

@andylim0221 as a workaround while we work on a fix, you can set a value in the comment attribute of your PrivatelinkEndpointServiceServerless configuration. With this, the second tf apply should not have any issues.

oarbusi avatar Apr 08 '24 08:04 oarbusi
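The maintainer's reading of the thread is that Terraform is planning an in-place update (a PATCH) for `mongodbatlas_privatelink_endpoint_service_serverless` even though nothing about it was meant to change, and Atlas refuses that PATCH while the endpoint is AVAILABLE. A practitioner would want to catch that in `plan` rather than halfway through `apply`, and to see which attribute is driving the update. The script below is an added example, not code from the issue, the reporter or the provider: it reads the JSON form of a plan (`terraform show -json plan.tfplan`), flags any update or replacement of the guarded resource type, and prints the before/after attribute diff. The embedded plan is constructed; the resource addresses are assumptions, and the differing attribute in it (`comment`, null to "") is chosen because of the workaround hint above, not because the issue states that as the root cause.

```python
"""Pre-apply gate for the failure discussed in this issue.

Reads the JSON form of a Terraform plan (`terraform show -json plan.tfplan`)
on stdin and reports any planned in-place update or replacement of an Atlas
serverless private endpoint connection, with the attributes that differ, so
the PATCH that Atlas rejects while the endpoint is AVAILABLE is caught in
`plan` instead of halfway through `apply`.
"""
import json
import sys

# Resource type whose PATCH the Atlas API refused in this thread.
GUARDED_TYPES = {"mongodbatlas_privatelink_endpoint_service_serverless"}


def attribute_diff(before, after):
    """Return {attribute: (before, after)} for every attribute that differs.

    `after` omits values unknown until apply (the plan lists those in
    `after_unknown`), so such attributes show up here as (old_value, None).
    """
    before = before or {}
    after = after or {}
    return {
        key: (before.get(key), after.get(key))
        for key in sorted(set(before) | set(after))
        if before.get(key) != after.get(key)
    }


def classify(actions):
    """Map a plan's `actions` list to no-op / create / update / replace / delete."""
    if "create" in actions and "delete" in actions:
        return "replace"
    if actions == ["update"]:
        return "update"
    if actions == ["create"]:
        return "create"
    if actions == ["delete"]:
        return "delete"
    return "no-op"


def find_guarded_changes(plan):
    """List guarded resources whose planned action is an update or a replacement."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in GUARDED_TYPES:
            continue
        change = rc.get("change", {})
        kind = classify(change.get("actions", []))
        if kind not in ("update", "replace"):
            continue
        findings.append({
            "address": rc["address"],
            "kind": kind,
            "diff": attribute_diff(change.get("before"), change.get("after")),
        })
    return findings


# Constructed sample plan, not a real plan from the issue. The intended change
# is the EKS node group; the Atlas connection update is the unintended one.
# The differing attribute (`comment`, None -> "") is an assumption based on the
# maintainer's workaround hint, not a root cause stated in the issue.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "aws_eks_node_group.workers",
            "type": "aws_eks_node_group",
            "change": {"actions": ["create"], "before": None,
                       "after": {"node_group_name": "workers"}},
        },
        {
            "address": "mongodbatlas_privatelink_endpoint_serverless.ple-serverless",
            "type": "mongodbatlas_privatelink_endpoint_serverless",
            "change": {"actions": ["no-op"],
                       "before": {"provider_name": "AWS"},
                       "after": {"provider_name": "AWS"}},
        },
        {
            "address": "mongodbatlas_privatelink_endpoint_service_serverless.serverless",
            "type": "mongodbatlas_privatelink_endpoint_service_serverless",
            "change": {
                "actions": ["update"],
                "before": {"comment": None, "provider_name": "AWS", "status": "AVAILABLE"},
                "after": {"comment": "", "provider_name": "AWS", "status": "AVAILABLE"},
            },
        },
    ],
}


def main():
    # Use the constructed sample when run interactively, else read a real plan.
    plan = SAMPLE_PLAN if sys.stdin.isatty() else json.load(sys.stdin)
    findings = find_guarded_changes(plan)
    for f in findings:
        print(f"{f['kind'].upper()} planned for {f['address']}:")
        for attr, (old, new) in f["diff"].items():
            print(f"  {attr}: {old!r} -> {new!r}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Wire it in as `terraform plan -out=plan.tfplan && terraform show -json plan.tfplan | python check_plan.py` before `apply`; a non-zero exit stops the pipeline, and the printed diff tells you whether the drift is the attribute the workaround targets or something else that needs a closer look.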

Hello everyone! We're currently trying to add a private link and have encountered the same error as well. I suspect it originates from the same source.

up-lander avatar Apr 10 '24 15:04 up-lander