launchdarkly_team_role_mapping Team not found error

[joe-hutchinson-cko]

Appears like the newly implemented launchdarkly_team_role_mapping resource can sometimes error when referencing a team that is being created as part of the same Terraform apply operation.

The provider should handle team not found type errors with retries.

[ldhenry]

Hey @joe-hutchinson-cko, can you share what your config looks like (specifically the team_key)? I ask because it sounds like you may need to take advantage of the depends_on meta-argument. Depending on how your module is structured, Terraform might not be able to identify that the team_role_mapping resource has a dependency on another resource.

In general we try to avoid retrying 404s because they are a good indication that the underlying resource has been deleted. However, if things are still not working after using a depends_on then we may need to consider adding a few retries.

[joe-hutchinson-cko]

Hey Henry, sorry should have added some code to this to start with.

resource "okta_group" "writers" {
  name        = "App.LaunchDarkly.${local.name}.writers"
  description = "LaunchDarkly project team ${local.name}"
}

resource "launchdarkly_custom_role" "writers" {
  key         = "${local.name}-writers-role"
  name        = "${local.name} Writers Role"
  description = "Role for ${local.name} project created by Terraform"

  policy_statements {
    effect    = "allow"
    resources = ["proj/${var.project_key}:env/*:flag/*"]
    actions = [
      "applyApprovalRequest",
      "attachReleasePipeline",
      "cloneFlag",
      "copyFlagConfigFrom",
      "copyFlagConfigTo",
      "createApprovalRequest",
      "createFlag",
      "createFlagLink",
      "createTriggers",
      "deleteApprovalRequest",
      "deleteFlag",
      "deleteFlagLink",
      "deleteTriggers",
      "detachReleasePipeline",
      "manageFlagFollowers",
      "updateApprovalRequest",
      "updateAttachedGoals",
      "updateClientSideFlagAvailability",
      "updateDescription",
      "updateExpiringRules",
      "updateExpiringTargets",
      "updateFallthrough",
      "updateFeatureWorkflows",
      "updateFlagCodeReferences",
      "updateFlagCustomProperties",
      "updateFlagDefaultVariations",
      "updateFlagLink",
      "updateFlagRuleDescription",
      "updateFlagSalt",
      "updateFlagVariations",
      "updateGlobalArchived",
      "updateIncludeInSnippet",
      "updateMaintainer",
      "updateName",
      "updateOffVariation",
      "updateOn",
      "updatePrerequisites",
      "updateReleasePhaseCompleted",
      "updateRules",
      "updateScheduledChanges",
      "updateTags",
      "updateTargets",
      "updateTemporary",
      "updateTriggers"
    ]
  }

  policy_statements {
    effect    = "allow"
    resources = ["proj/*"]
    actions   = ["viewProject"]
  }
}

resource "launchdarkly_team_role_mapping" "writers" {
  team_key         = lower(okta_group.writers.name)
  custom_role_keys = [launchdarkly_custom_role.writers.key]
}

The above is all in all defined in a single module, as I'm referencing outputs of each resource in creation of the next would allow TF in infer the correct order of creation. Happy to try adding depends_on but I'm thinking this is unlikely to resolve this one.

[ldhenry]

Thanks for sharing. Given that you are using the output from the okta_group resource it sounds like the issue is a propagation delay between when the Okta group gets created and when the LaunchDarkly team gets created. I agree that depends_on likely won't solve the issue in this case and I'll work on getting a fix in place.

Just to confirm, are you seeing these only during the creation of a new team or are they also happening when updating an existing team?

[joe-hutchinson-cko]

So far just when creating a new team. It appears to be happening consistently.

[joe-hutchinson-cko]

Hi Henry,
Made any progress?

Bit more detail this is definitely occurring when you Terraform the team at the same time as trying to link it to the role. Error received is:

Unable to create the team/role mapping because the team
 <team name> does not exist.

I can put an arbitrary delay in creating the role mapping but it's a bit of a hack, better solution is for LD API or provider to handle this gracefully.

[ldhenry]

Hey @joe-hutchinson-cko,

We're pretty heads down on new feature work but I'll try to get someone to pick it up next week. Sorry for the the delay on this.

Thanks,
Henry

[ldhenry]

Hey @joe-hutchinson-cko,

We just released v2.15.2 of the Terraform provider. This release includes 404 retries for the launchdarkly_team_role_mapping resource. Currently there is hard coded maximum of 12 retries which should buy you about 20s from when the team is created via Okta and when it appears in LaunchDarkly. If that is not enough we can look into making the max retry count configurable.

Cheers,
Henry