[Openstack] Terraform generates keystone token for every resource instead of reusing the token

[kamaltherocky]

Terraform Openstack provider generates keystone token for each operation rather than reusing the generated token. This has an effect on the environments where there is a rate limiting applied for the token generation.

[jtopjian]

Hi there,

Can you confirm if setting OS_AUTH_TOKEN resolves this issue? It looks like that environment variable isn't documented, but was added 7fe29ef.

[jtopjian]

hrm, actually, that commit might have been in error -- I'm pretty sure api_key and OS_AUTH_TOKEN are two different things.

I did a quick test and it looks like tokens are being reused, but not for the entire session. For example, here's the list of tokens used to run this test:

2015/12/23 03:23:41 [DEBUG] Network OpenStack Token: 18800d8df8064cf59507dd23fc6823ee
2015/12/23 03:23:41 [DEBUG] Network OpenStack Token: 18800d8df8064cf59507dd23fc6823ee
2015/12/23 03:23:41 [DEBUG] Compute OpenStack Token: 18800d8df8064cf59507dd23fc6823ee
2015/12/23 03:23:43 [DEBUG] Compute OpenStack Token: 18800d8df8064cf59507dd23fc6823ee
2015/12/23 03:23:50 [DEBUG] Network OpenStack Token: 18800d8df8064cf59507dd23fc6823ee
2015/12/23 03:23:50 [DEBUG] Network OpenStack Token: 18800d8df8064cf59507dd23fc6823ee
2015/12/23 03:23:50 [DEBUG] Network OpenStack Token: 18800d8df8064cf59507dd23fc6823ee
2015/12/23 03:23:50 [DEBUG] Compute OpenStack Token: 18800d8df8064cf59507dd23fc6823ee
2015/12/23 03:23:50 [DEBUG] Compute OpenStack Token: 18800d8df8064cf59507dd23fc6823ee
2015/12/23 03:23:59 [DEBUG] Network OpenStack Token: 18800d8df8064cf59507dd23fc6823ee
2015/12/23 03:24:10 [DEBUG] Compute OpenStack Token: 18800d8df8064cf59507dd23fc6823ee
2015/12/23 03:24:10 [DEBUG] Compute OpenStack Token: 18800d8df8064cf59507dd23fc6823ee
2015/12/23 03:24:14 [DEBUG] Network OpenStack Token: 18800d8df8064cf59507dd23fc6823ee
2015/12/23 03:24:23 [DEBUG] Network OpenStack Token: 18800d8df8064cf59507dd23fc6823ee
2015/12/23 03:24:23 [DEBUG] Network OpenStack Token: 18800d8df8064cf59507dd23fc6823ee
2015/12/23 03:24:32 [DEBUG] Network OpenStack Token: 18800d8df8064cf59507dd23fc6823ee
2015/12/23 03:24:32 [DEBUG] Network OpenStack Token: 18800d8df8064cf59507dd23fc6823ee
2015/12/23 03:24:32 [DEBUG] Network OpenStack Token: 18800d8df8064cf59507dd23fc6823ee
2015/12/23 03:24:32 [DEBUG] Compute OpenStack Token: 18800d8df8064cf59507dd23fc6823ee
2015/12/23 03:24:32 [DEBUG] Compute OpenStack Token: 18800d8df8064cf59507dd23fc6823ee
2015/12/23 03:24:33 [DEBUG] Compute OpenStack Token: 18800d8df8064cf59507dd23fc6823ee
2015/12/23 03:24:34 [DEBUG] Network OpenStack Token: 18800d8df8064cf59507dd23fc6823ee
2015/12/23 03:24:34 [DEBUG] Network OpenStack Token: 18800d8df8064cf59507dd23fc6823ee
2015/12/23 03:24:34 [DEBUG] Network OpenStack Token: 18800d8df8064cf59507dd23fc6823ee
2015/12/23 03:24:35 [DEBUG] Network OpenStack Token: aa66887b9b9b4480a5658c26552289ab
2015/12/23 03:24:35 [DEBUG] Network OpenStack Token: aa66887b9b9b4480a5658c26552289ab
2015/12/23 03:24:35 [DEBUG] Compute OpenStack Token: aa66887b9b9b4480a5658c26552289ab
2015/12/23 03:24:35 [DEBUG] Network OpenStack Token: aa66887b9b9b4480a5658c26552289ab
2015/12/23 03:24:35 [DEBUG] Compute OpenStack Token: aa66887b9b9b4480a5658c26552289ab
2015/12/23 03:24:35 [DEBUG] Compute OpenStack Token: aa66887b9b9b4480a5658c26552289ab
2015/12/23 03:24:39 [DEBUG] Network OpenStack Token: aa66887b9b9b4480a5658c26552289ab
2015/12/23 03:24:39 [DEBUG] Network OpenStack Token: aa66887b9b9b4480a5658c26552289ab
2015/12/23 03:24:40 [DEBUG] Network OpenStack Token: 1c8d965063324d36847c103735614979
2015/12/23 03:24:40 [DEBUG] Compute OpenStack Token: 1c8d965063324d36847c103735614979
2015/12/23 03:24:40 [DEBUG] Network OpenStack Token: 1c8d965063324d36847c103735614979
2015/12/23 03:24:41 [DEBUG] Compute OpenStack Token: 1c8d965063324d36847c103735614979
2015/12/23 03:24:41 [DEBUG] Network OpenStack Token: 1c8d965063324d36847c103735614979
2015/12/23 03:24:41 [DEBUG] Compute OpenStack Token: 1c8d965063324d36847c103735614979
2015/12/23 03:24:44 [DEBUG] Network OpenStack Token: 1c8d965063324d36847c103735614979
2015/12/23 03:24:44 [DEBUG] Network OpenStack Token: 1c8d965063324d36847c103735614979
2015/12/23 03:24:44 [DEBUG] Network OpenStack Token: 1e418ac701064100ba69c4a9950dba57
2015/12/23 03:24:56 [DEBUG] Network OpenStack Token: 1e418ac701064100ba69c4a9950dba57
2015/12/23 03:25:08 [DEBUG] Compute OpenStack Token: 1e418ac701064100ba69c4a9950dba57
2015/12/23 03:25:08 [DEBUG] Network OpenStack Token: 1e418ac701064100ba69c4a9950dba57
2015/12/23 03:25:08 [DEBUG] Network OpenStack Token: 1e418ac701064100ba69c4a9950dba57
2015/12/23 03:25:08 [DEBUG] Compute OpenStack Token: 1e418ac701064100ba69c4a9950dba57
2015/12/23 03:25:22 [DEBUG] Network OpenStack Token: 1e418ac701064100ba69c4a9950dba57
2015/12/23 03:25:22 [DEBUG] Compute OpenStack Token: 1e418ac701064100ba69c4a9950dba57
2015/12/23 03:25:35 [DEBUG] Network OpenStack Token: 1e418ac701064100ba69c4a9950dba57

I'll see if I can figure out what is making the determination of reusing a token vs generating a new token.

[jtopjian]

@phinze I've hit my understanding of Terraform on this one.

I tested a simple configuration that creates a security group with no rules, I see that the ConfigureFunc for the OpenStack provider is being called 3 times on creation and 2 times on deletion.

Each time the function is called, Terraform is authenticating against the OpenStack environment. This, in turn, is creating a new token. As @kamaltherocky mentioned, he's running into a token limit issue.

When is ConfigureFunc being called throughout the Terraform workflow? Does it happen during each RPC call to the provider? From above, I was able to see 4 tokens generated. The tokens spanned resources, so there has to be some type of sharing going on.

My second question is if it's possible to persist data throughout the Terraform workflow? If the authentication information is able to be cached after the first call to ConfigureFunc, the returned token could then be re-used throughout the entire session.

(Side note: I've confirmed that Gophercloud is able to authenticate with a token rather than a username/password combination. The problem is that a new token is generated because token creation is the only time when the OpenStack catalog is returned. I can add this functionality into Terraform, but it's not really solving the issue of token limits, so I'll put that on the back burner.)

[jtopjian]

Again, sorry for the late reply.

I've done some more investigation and came up with similar results as before: a token will be created for an entire Terraform phase (such as plan, refresh, apply, destroy). There's no current way to authenticate during one phase and store that information for another phase.

And similarly, authenticating with a token in Gophercloud only generates a new scoped token for the session, so we're back to square one.

If there's a rate limit being applied to token generation, it might be too strict in this case.

Please let me know if something doesn't sound right or if I'm missing any piece of information to this, though.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.