Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

defined tag namespace dependency problem #2264

Open
luckeyca opened this issue Jan 10, 2025 · 1 comment
Open

defined tag namespace dependency problem #2264

luckeyca opened this issue Jan 10, 2025 · 1 comment
Labels
bug

Comments

@luckeyca
Copy link

luckeyca commented Jan 10, 2025
edited
Loading

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version and Provider Version

Terraform v1.8.5
on linux_amd64

  • provider registry.terraform.io/hashicorp/time v0.12.1
  • provider registry.terraform.io/oracle/oci v6.21.0

Affected Resource(s)

oci_identity_tag_namespace

Terraform Configuration Files

locals {
  defined_tag_keys = ["k1", "k2", "k3"]


  defined_tag_defaults = [
    {
      key       = "k1"
      namespace = "NS"
      value     = "v1"
    },
    {
      key       = "k2"
      namespace = "NS"
      value     = "v2"
    },
    {
      key       = "k3"
      namespace = "NS"
      value     = "v3"
    }
  ]
}


data "oci_identity_tenancy" "current" {
  tenancy_id = "ocid1.tenancy.oc1..aaaaaaaawxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}

resource "oci_identity_tag_namespace" "this" {
  compartment_id = data.oci_identity_tenancy.current.id
  description    = "Test Namespace"
  name           = "NS"
  is_retired     = false
}

resource "oci_identity_tag" "these" {
  for_each         = toset(local.defined_tag_keys)
  description      = "Defined Tag Key Definition in NS Tag Namespace"
  name             = each.key
  tag_namespace_id = oci_identity_tag_namespace.this.id
  is_retired       = false
}

resource "oci_identity_tag_default" "these" {
  for_each          = { for tag in local.defined_tag_defaults: tag.key => tag.value }
  compartment_id    = data.oci_identity_tenancy.current.id
  tag_definition_id = oci_identity_tag.these[each.key].id
  value             = each.value
  is_required       = true
}

# resource "time_sleep" "defined_tags" {
  
#   depends_on = [
#     oci_identity_tag_namespace.this,
#     oci_identity_tag.these
#   ]

#   create_duration = "60s"
# }

 resource "oci_identity_compartment" "this" {
   compartment_id = data.oci_identity_tenancy.current.id
   name           = "testcmp"
   description    = "test compartment"
    enable_delete  = true

    defined_tags = { for tag in local.defined_tag_defaults : "${tag.namespace}.${tag.key}" => "${tag.value}" }

  # depends_on = [time_sleep.defined_tags]
    depends_on = [oci_identity_tag_namespace.this]
}

resource "oci_objectstorage_bucket" "this" {
    compartment_id = data.oci_identity_tenancy.current.id
    name = "lctestbucket"
    namespace = "dummynamespace"

    defined_tags = { for tag in local.defined_tag_defaults : "${tag.namespace}.${tag.key}" => "${tag.value}" }

  # depends_on = [time_sleep.defined_tags]
    depends_on = [oci_identity_tag_namespace.this]
}

Debug Output

=====================================================

oci_identity_tag_default.these["k1"]: Creation complete after 20s [id=ocid1.tagdefault.oc1..aaaaaaaaok66fmb2opaeyh23dmnkojfok5skixokl5p565itbqrknh7lpdzq]
oci_identity_tag_default.these["k2"]: Creation complete after 21s [id=ocid1.tagdefault.oc1..aaaaaaaatubbjsipu6edraklbwlytclpcmj43rcogu22ijatue6nlab3zh3q]
oci_identity_tag_default.these["k3"]: Creation complete after 21s [id=ocid1.tagdefault.oc1..aaaaaaaalpcu55tfknyodrulkq4dxjcpnwvi6mcxf4uye7rxg7bdkm6jupaq]
time_sleep.tag_namespace: Still creating... [30s elapsed]
time_sleep.tag_namespace: Still creating... [40s elapsed]
time_sleep.tag_namespace: Still creating... [50s elapsed]
time_sleep.tag_namespace: Creation complete after 1m0s [id=2025-01-09T21:29:47Z]
|
│ Error: 404-NotAuthorizedOrNotFound, Failed to validate tags: TagNamespace ns does not exists
│ Suggestion: Either the resource has been deleted or service Identity Compartment need policy to access this resource. Policy reference: https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/policyreference.htm
│ Documentation: https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/identity_compartment
│ API Reference: https://docs.oracle.com/iaas/api/#/en/identity/20160918/Compartment/CreateCompartment
│ Request Target: POST https://identity.ca-toronto-1.oci.oraclecloud.com/20160918/compartments
│ Provider version: 6.21.0, released on 2024-12-22. This provider is 2 Update(s) behind to current.
│ Service: Identity Compartment
│ Operation Name: CreateCompartment
│ OPC request ID: 18710a84a63e5944bbb2e37daec12bf3/918814DF2FCE2A476AC810DA648A244B/F3B5046303C59EAEC6DFBF30CFCC47D9
│
│
│   with oci_identity_compartment.this,
│   on 1.tf line 63, in resource "oci_identity_compartment" "this":
│   63: resource "oci_identity_compartment" "this" {

Expected Behavior

As the code snippet above, right after creating defined tag namespace, defined tags and tag default values, creating any other resource using the just created defined tags should be fine.

Actual Behavior

As the code snippet above, right after creating the defined tag namespace, defined tags and tag default values, creating compartment and storage bucket failed if referencing the just created defined tags. 3 workaround tested as below.

  1. Immediately re-run the script without any delay. This WORKS.
  2. use time_sleep resource to create time delay(as from workaround 1, I thought it might be some delay). This DOES NOT work even after 60 seconds.
  3. add depends_on argument directly depends on the tag namespace resource. This WORKS as well.

So, the problem doesn't seem to be time delay, instead, it's some dependency check on tag namespace is not working properly. This affects any resource that uses defined tags. Also the workaround only being tested using direct resource, not sure if it works for modules if namespace creation and resource creation are in different modules.

Steps to Reproduce

  1. fill the necessary value, such as compartment ocid, storage namespace etc in the code snippet above.
  2. comment out the "depends_on = [oci_identity_tag_namespace.this]" line
  3. terraform apply

Important Factoids

References
@luckeyca luckeyca added the bug label Jan 10, 2025
@luckeyca
Copy link
Author

to add. it seems that this problem doesn't happen with modules. If I put the tag namespace creation in one module and resource creation(compartment, bucket etc) in another module, there is NO NEED to explicitly specify the dependency using the "depends_on" argument like in the code snippet above which are all pure resource in one script.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@luckeyca