problem destroying created users if they are pending #761

Closed
ninjadude333 opened this issue Jan 10, 2023 · 4 comments

@ninjadude333

Terraform Cloud/Enterprise version

Terraform Cloud Ent 1.3.7

Terraform version

Terraform v1.3.5
on windows_amd64

Terraform Configuration Files

resource "tfe_team" "Maturity_Networking" {
  name         = "Maturity-Networking"
  organization = "my-org"
}

resource "tfe_team_access" "Networking" {
  access       = "write"
  team_id      = tfe_team.Maturity_Networking.id
  workspace_id = tfe_workspace.xyz.id
}

resource "tfe_organization_membership" "Network-member" {
  organization = "my-org"
  email        = "[email protected]"
}

resource "tfe_team_organization_members" "Network-membership" {
  team_id = tfe_team.Maturity_Networking.id
  organization_membership_ids = [
    tfe_organization_membership.Network-member.id
  ]
}

Debug Output

Error: Error removing organization membership [ou-cBPYrENVPk5kdCrg ou-qLK7jAGpXqwat9J2] to team team-7YqSiLKNGc8iBZQy: bad request
│
│ ou-cBPYrENVPk5kdCrg is not a member
│ bad request

Expected Behavior

The destroy run should have completed successfully and deleted the pending users (or at least finished the run without breaking).

Actual Behavior

The destroy run is failing with the above error.

Additional Context

If the pending user was already pending, then the apply run will also fail with the error:

│ Error: Error creating membership [email protected] for organization TeraSky: invalid attribute
│
│ User is already an organization member
│
│   with tfe_organization_membership.App2-members["[email protected]"],
│   on teams.tf line 72, in resource "tfe_organization_membership" "App2-members":
│   72: resource "tfe_organization_membership" "App2-members" {
@Uk1288
Contributor

Uk1288 commented Jan 11, 2023

Hello @ninjadude333, I was able to successfully run terraform apply and destroy on the Terraform configuration above. The debug output above tries to remove 2 organization memberships, but the config depicts adding only 1 membership. Can you confirm that:
(1) this is the complete config producing this error
(2) the two org memberships exist before running terraform destroy

With regard to an apply failing when re-adding a user that was already pending, this is the expected behaviour. For every user added to an org, an organization member is created and associated with that user regardless of the user status. For an existing pending user, the error "User is already an organization member" is the expected error. To re-add a pending user successfully, the existing user instance must first be deleted.

@ninjadude333
Author

Hi,
This is the complete code; you should be able to reproduce the issue:

resource "tfe_team" "Maturity_App1" {
  name         = "Maturity-App1"
  organization = var.tfc_org
}

resource "tfe_team_access" "App1" {
  access       = "write"
  team_id      = tfe_team.Maturity_App1.id
  workspace_id = tfe_workspace.IaC-Maturity-Workshop-Phase4-app1.id
}

locals {
  app1_team_members = toset(["[email protected]", "[email protected]"])
}

resource "tfe_organization_membership" "App1-members" {
  organization = var.tfc_org
  for_each     = local.app1_team_members
  email        = each.key
}

resource "tfe_team_organization_members" "App1-membership" {
  team_id  = tfe_team.Maturity_App1.id
  for_each = local.app1_team_members
  organization_membership_ids = [
    tfe_organization_membership.App1-members[each.key].id
  ]
}

About the re-apply: the message might be correct, but it should just skip the creation and not break the entire apply run.

thanks,
dave.

@Uk1288
Contributor

Uk1288 commented Jan 13, 2023

Hi,

Thanks for sending an updated config. I was able to reproduce the issue; I have added some details and a proposed solution.

When using for_each to configure a resource block, Terraform creates one instance for each member of the set. In the case of the configuration above, one instance of tfe_team_organization_members is created for each member included in the organization_membership_ids collection. This leads to the existence of the 2 instances managing the same set of members.

As a result, during the destroy phase, each instance of the tfe_team_organization_members resource attempts to delete the same organization members. The first delete request succeeds but the subsequent requests fail.

What is needed here is for Terraform to create just 1 instance of the tfe_team_organization_members resource, which will manage all the organization members in the set. The for expression will accomplish this. The proposed configuration is to replace the for_each in tfe_team_organization_members with the following for expression:

resource "tfe_team_organization_members" "App1-membership" {
  team_id  = tfe_team.Maturity_App1.id
  organization_membership_ids = [for member in local.app1_team_members : tfe_organization_membership.App1-members[member].id]
}
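
An added example, not part of the thread or the provider's code: a Python check over `terraform show -json` state output that flags any team managed by more than one tfe_team_organization_members instance, which is the layout diagnosed above. The sample state, team IDs, membership IDs and e-mail addresses are constructed.

```python
import json
import sys
from collections import defaultdict

# Resource type from the thread: with for_each, several instances of it ended
# up on one team and each tried to remove the same members on destroy.
MEMBERS_TYPE = "tfe_team_organization_members"


def iter_resources(module):
    """Yield resources from a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def teams_with_multiple_owners(state):
    """Return {team_id: [addresses]} for teams managed by more than one instance."""
    owners = defaultdict(list)
    root = state.get("values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("mode") == "managed" and res.get("type") == MEMBERS_TYPE:
            team_id = res.get("values", {}).get("team_id")
            if team_id:
                owners[team_id].append(res["address"])
    return {t: sorted(a) for t, a in owners.items() if len(a) > 1}


def _instance(name, key, team_id, member_ids):
    """Build one constructed state entry (IDs and e-mails are made up)."""
    suffix = f'["{key}"]' if key is not None else ""
    return {"address": f"{MEMBERS_TYPE}.{name}{suffix}", "mode": "managed",
            "type": MEMBERS_TYPE, "name": name,
            "values": {"team_id": team_id, "organization_membership_ids": member_ids}}


# Constructed samples: the for_each layout (two instances, one team) and the fixed layout.
SAMPLE_FOR_EACH = {"values": {"root_module": {"resources": [
    _instance("App1-membership", "a@example.test", "team-EXAMPLE1", ["ou-EXAMPLE1"]),
    _instance("App1-membership", "b@example.test", "team-EXAMPLE1", ["ou-EXAMPLE2"]),
]}}}
SAMPLE_FIXED = {"values": {"root_module": {"resources": [
    _instance("App1-membership", None, "team-EXAMPLE1", ["ou-EXAMPLE1", "ou-EXAMPLE2"]),
]}}}

if __name__ == "__main__":
    # With a path argument, check saved `terraform show -json` output; else the sample.
    state = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_FOR_EACH
    for team, addrs in teams_with_multiple_owners(state).items():
        print(f"{team} is managed by {len(addrs)} instances: {', '.join(addrs)}")
```

Running it in CI before a destroy catches the duplicate-owner layout while team access is still intact, rather than after a failed run has removed only part of it.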

@ninjadude333
Author

great, works like a charm :)
thanks.
