From 6dfbadf7bcaed8281d7f8ba2bade1621016a3802 Mon Sep 17 00:00:00 2001
From: John Maguire <john.maguire@hashicorp.com>
Date: Fri, 19 Apr 2024 13:08:22 -0400
Subject: [PATCH] [NET-8412] Fix APIGW policy creation ordering for upgrade
 path (#3918)

* fix policy creation for upgrading

* Added changelog
---
 .changelog/3918.txt                       | 3 +++
 control-plane/api-gateway/cache/consul.go | 8 +++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 .changelog/3918.txt

diff --git a/.changelog/3918.txt b/.changelog/3918.txt
new file mode 100644
index 0000000000..dad22ff2db
--- /dev/null
+++ b/.changelog/3918.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+api-gateway: Fix order of initialization for creating ACL role/policy to avoid error logs in consul when upgrading between versions.
+```
diff --git a/control-plane/api-gateway/cache/consul.go b/control-plane/api-gateway/cache/consul.go
index 0b0d067df7..984f6db7b4 100644
--- a/control-plane/api-gateway/cache/consul.go
+++ b/control-plane/api-gateway/cache/consul.go
@@ -362,6 +362,9 @@ func (c *Cache) ensurePolicy(client *api.Client, gatewayName string) (string, er
 			if err != nil {
 				return "", err
 			}
+
+			// on an upgrade the cache will be empty so we need to write the policy to the cache
+			c.gatewayNameToPolicy[gatewayName] = existing
 			return existing.ID, nil
 		}
 
@@ -389,6 +392,8 @@ func (c *Cache) ensurePolicy(client *api.Client, gatewayName string) (string, er
 		return "", err
 	}
 
+	// update cache with existing policy
+	c.gatewayNameToPolicy[gatewayName] = existing
 	return existing.ID, nil
 }
 
@@ -429,7 +434,8 @@ func (c *Cache) ensureRole(client *api.Client, gatewayName string) (string, erro
 	}
 
 	if aclRole != nil {
-		return cachedRole.Name, nil
+		c.gatewayNameToRole[gatewayName] = aclRole
+		return aclRole.Name, nil
 	}
 
 	return createRole()