terraform-provider-scaleway icon indicating copy to clipboard operation
terraform-provider-scaleway copied to clipboard
verified publisher icon scaleway

Impossible to add scaleway_instance_placement_group in a project different from default

Open warielon opened this issue 4 years ago • 10 comments

Terraform Version

Terraform v0.14.8

  • provider registry.terraform.io/carlpett/sops v0.5.3
  • provider registry.terraform.io/hashicorp/kubernetes v1.13.3
  • provider registry.terraform.io/scaleway/scaleway v2.0.0

Affected Resource(s)

  • scaleway_instance_placement_group when project_id different from default

Terraform Configuration Files

resource "scaleway_instance_placement_group" "place-fr-par-2" {
  project_id = "xxxxx" // with project_id different from default
  name = "place-fr-par-2"
  zone = "fr-par-2"
}

Expected Behavior

terraform plan
Terraform will perform the following actions:
 # scaleway_instance_placement_group.place-fr-par-2 will be created
  + resource "scaleway_instance_placement_group" "place-fr-par-2" {
      + id               = (known after apply)
      + name             = "place-fr-par-2"
      + organization_id  = (known after apply)
      + policy_mode      = "optional"
      + policy_respected = (known after apply)
      + policy_type      = "max_availability"
      + project_id       = "bb1480d4-dc19-4258-9dec-e3ac994b6483"
      + zone             = "fr-par-2"
    }

Actual Behavior

Error: scaleway-sdk-go: http error 403 Forbidden: authorization required

Important Factoids

I contacted Scaleway assistance and they told me it appears to be a bug directly in the Terraform provider.

It is working in project default.

Thanks :)

warielon avatar Mar 31 '21 13:03 warielon

Hello 👋 do you use different credentials than from the default project?

Sh4d1 avatar Mar 31 '21 13:03 Sh4d1

Hello,

I used a different project_id. I have already been able to create ressources in this other project.

I have 2 providers for my 2 projects defined in my config.

provider "scaleway" {
  alias      = "apollon1"
  access_key = data.sops_file.secrets["scaleway"].data["access_key_project_apollon"]
  secret_key = data.sops_file.secrets["scaleway"].data["secret_key_project_apollon"]
  project_id = "XXX"
  zone            = "fr-par-1"
  region          = "fr-par"
}

# project default
  provider "scaleway" {
  alias      = "default"
  access_key = data.sops_file.secrets["scaleway"].data["access_key_project_default"]
  secret_key = data.sops_file.secrets["scaleway"].data["secret_key_project_default"]
  project_id = "YYY"
  region          = "fr-par"
  zone            = "fr-par-1"
}

Thanks

warielon avatar Mar 31 '21 14:03 warielon

I have already been able to create ressources in this other project.

Via Terraform I suppose?

Weird though 🤔 could you run it with TF_LOG=debug and check to catch the 403 call?

Sh4d1 avatar Mar 31 '21 14:03 Sh4d1

Yes via terraform of course. Here is the debug ! Thanks

bug_placement.txt

Terraform will perform the following actions:

2021/03/31 16:45:54 [DEBUG] command: asking for input: "Do you want to perform these actions?"
  # scaleway_instance_placement_group.place-fr-par-2 will be created
  + resource "scaleway_instance_placement_group" "place-fr-par-2" {
      + id               = (known after apply)
      + name             = "place-fr-par-2"
      + organization_id  = (known after apply)
      + policy_mode      = "optional"
      + policy_respected = (known after apply)
      + policy_type      = "max_availability"
      + project_id       = "bb1480d4-dc19-4258-9dec-e3ac994b6483"
      + zone             = "fr-par-2"
    }
....


2021-03-31T16:45:57.318+0200 [DEBUG] plugin.terraform-provider-kubernetes_v1.13.3_x4: 2021/03/31 16:45:57 [DEBUG] Enabling HTTP requests/responses tracing
2021-03-31T16:45:57.319+0200 [WARN]  plugin.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2021-03-31T16:45:57.321+0200 [DEBUG] plugin: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/kubernetes/1.13.3/darwin_amd64/terraform-provider-kubernetes_v1.13.3_x4 pid=72139
2021-03-31T16:45:57.321+0200 [DEBUG] plugin: plugin exited
2021/03/31 16:45:57 [DEBUG] scaleway_instance_placement_group.place-fr-par-2: apply errored, but we're indicating that via the Error pointer rather than returning it: scaleway-sdk-go: http error 403 Forbidden: authorization required

Error: scaleway-sdk-go: http error 403 Forbidden: authorization required

  on kubernetes.tf line 46, in resource "scaleway_instance_placement_group" "place-fr-par-2":
  46: resource "scaleway_instance_placement_group" "place-fr-par-2" {


Releasing state lock. This may take a few moments...
2021-03-31T16:45:58.040+0200 [WARN]  plugin.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2021-03-31T16:45:58.042+0200 [DEBUG] plugin: plugin process exited: path=.terraform/providers/registry.terraform.io/scaleway/scaleway/2.0.0/darwin_amd64/terraform-provider-scaleway_v2.0.0 pid=72136
2021-03-31T16:45:58.042+0200 [DEBUG] plugin: plugin exited

warielon avatar Mar 31 '21 14:03 warielon

Ah there is an issue with the debug logs, there should be the request body/response 🤔 anyway that's another issue 😓 (cc @remyleone )

Can you create a placement group in this project via the cli and the given credentials? I'll try to reproduce on my end

Sh4d1 avatar Mar 31 '21 15:03 Sh4d1

Hi, I think it is a scaleway issue. I have reproduced the problem using directly the scaleway API (and not through terraform)

I can create a placement-group for default project but I have Authorization required error for my project apollon

➜  deploy git:(dev) ✗ scw instance placement-group create project-id="xxxxxx-9194-40e1-9cb6-d1cedf4f4271" zone="fr-par-2" name="def-place-fr-par-2"
ID               2854c5fa-605c-461a-a283-3e298ca5a05c
Name             def-place-fr-par-2
Organization     17982f5c-9194-40e1-9cb6-d1cedf4f4271
Project          17982f5c-9194-40e1-9cb6-d1cedf4f4271
PolicyMode       optional
PolicyType       max_availability
PolicyRespected  true
Zone             fr-par-2
➜  deploy git:(dev) ✗ scw instance placement-group create project-id="xxxxxxxx-dc19-4258-9dec-e3ac994b6483" zone="fr-par-2" name="ap-place-fr-par-2"
Authorization required

warielon avatar Mar 31 '21 15:03 warielon

In this case you are using the same credentials right? The api keys are bound to a single project

Sh4d1 avatar Mar 31 '21 15:03 Sh4d1

Indeed I have been able to create the placement group with the command line tool given the good project_id ! So it is a terraform pb i guess.

warielon avatar Mar 31 '21 15:03 warielon

Weird I can't seem to reproduce. My guess it it's using the other key. Could you isolate a single provider and try to reproduce? 🤔

Sh4d1 avatar Mar 31 '21 16:03 Sh4d1

We face similar difficulties when creating bucket or instance. It's a more general problem concerning the alias in provider. This is described in the following issue #1337. As a workaround, we did a change that is available in the terraform registry: cryptobioz/scaleway Pointing to the new provider as follow, should solve your problem.

required_providers {
    scaleway = {
      source = "cryptobioz/scaleway"
      version = "2.2.1-profiles"
    }
  }

Xaving avatar Jun 21 '22 12:06 Xaving

Duplicate of #1337

Codelax avatar Aug 29 '22 09:08 Codelax

@Xaving could you open a PR with this change so that we can have a conversation about it?

remyleone avatar Aug 29 '22 09:08 remyleone