Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Race condition when creating kms key alias leads to 'Resource x does not have attribute y for variable' #6560

Closed
AndreuPlata opened this issue Nov 22, 2018 · 4 comments · Fixed by #7907
Closed

Race condition when creating kms key alias leads to 'Resource x does not have attribute y for variable' #6560

AndreuPlata opened this issue Nov 22, 2018 · 4 comments · Fixed by #7907
Labels
bug Addresses a defect in current functionality. service/kms Issues and PRs that pertain to the kms service.
Milestone
v2.2.0

Comments

@AndreuPlata
Copy link

AndreuPlata commented Nov 22, 2018
edited
Loading

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

  • 0.11.3

Aws Provider Version

  • 1.40.0

Affected Resource(s)

  • aws_kms_alias

Debug Output

Expected Behaviour

Terraform should have waited for the kms alias to be created

Actual Behaviour

  • Terraform sent a request to create the alias
  • it immediately after sent a get aliases request to find the created kms alias
  • it did not find it (potential aws delay/eventual consistency)
  • removed the alias from the state file which broke all future references to this resource

Steps to Reproduce

This is hard to reproduce as it is not consistently happening. We believe there is a race condition between terraform requesting the list of aliases and aws confirming alias creation

  • Create a kms key and alias
  • Have an output referencing that alias.name and alias.arn
  • Use that output in a different resource
@bflad bflad added the service/kms Issues and PRs that pertain to the kms service. label Nov 25, 2018
@bflad bflad added the bug Addresses a defect in current functionality. label Mar 13, 2019
bflad added a commit that referenced this issue Mar 13, 2019
@bflad
resource/aws_kms_alias: Prevent state removal of resource immediately…
07f75b2 
… after creation due to eventual consistency

References:
* #7891
* #6560
* #7873
* hashicorp/terraform#17220

The KMS service has eventual consistency considerations and the `aws_kms_alias` resource immediately tries to read the KMS alias after creation, which may not find the KMS alias. When not able to find the KMS alias, the resource logic returns an empty API object instead of an error. Since a `nil` check was already performed on the error, the error will always be `nil`. Invoking `return resource.RetryableError(nil)`  is equivalent to `return nil`. The resource during its Read performs an error check first which will skip because its `nil`, then assumes the resource has been deleted outside Terraform and triggers recreation.

Here when we cannot find a KMS alias after allowing some time for eventual consistency, we return a resource not found error and ensure we handle any timeouts due to automatic AWS Go SDK retries.

Output from acceptance testing:

```
--- PASS: TestAccAWSKmsAlias_no_name (37.63s)
--- PASS: TestAccAWSKmsAlias_name_prefix (37.80s)
--- PASS: TestAccAWSKmsAlias_multiple (38.38s)
--- PASS: TestAccAWSKmsAlias_importBasic (40.13s)
--- PASS: TestAccAWSKmsAlias_ArnDiffSuppress (43.61s)
--- PASS: TestAccAWSKmsAlias_basic (46.76s)
```
@bflad bflad mentioned this issue Mar 13, 2019
Merged
@bflad
Copy link
Contributor

bflad commented Mar 13, 2019

Fix submitted: #7907

nywilken pushed a commit that referenced this issue Mar 14, 2019
@bflad @nywilken
resource/aws_kms_alias: Prevent state removal of resource immediately…
a4bc72d 
… after creation due to eventual consistency (#7907)

References:
* #7891
* #6560
* #7873
* hashicorp/terraform#17220

The KMS service has eventual consistency considerations and the `aws_kms_alias` resource immediately tries to read the KMS alias after creation, which may not find the KMS alias. When not able to find the KMS alias, the resource logic returns an empty API object instead of an error. Since a `nil` check was already performed on the error, the error will always be `nil`. Invoking `return resource.RetryableError(nil)`  is equivalent to `return nil`. The resource during its Read performs an error check first which will skip because its `nil`, then assumes the resource has been deleted outside Terraform and triggers recreation.

Here when we cannot find a KMS alias after allowing some time for eventual consistency, we return a resource not found error and ensure we handle any timeouts due to automatic AWS Go SDK retries.

Output from acceptance testing:

```
--- PASS: TestAccAWSKmsAlias_no_name (37.63s)
--- PASS: TestAccAWSKmsAlias_name_prefix (37.80s)
--- PASS: TestAccAWSKmsAlias_multiple (38.38s)
--- PASS: TestAccAWSKmsAlias_importBasic (40.13s)
--- PASS: TestAccAWSKmsAlias_ArnDiffSuppress (43.61s)
--- PASS: TestAccAWSKmsAlias_basic (46.76s)
```
@nywilken
Copy link
Contributor

The fix has been merged and will release with version 2.2.0 of the Terraform AWS Provider, likely later today.

@bflad bflad added this to the v2.2.0 milestone Mar 15, 2019
@bflad
Copy link
Contributor

bflad commented Mar 15, 2019

This has been released in version 2.2.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@ghost
Copy link

ghost commented Mar 31, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 31, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Addresses a defect in current functionality. service/kms Issues and PRs that pertain to the kms service.
Projects
None yet
Milestone
v2.2.0
3 participants
@bflad @nywilken @AndreuPlata