Session timeout to 15 minutes and terraform cannot refresh the token #2892

Closed
luiof opened this issue Jul 19, 2021 · 1 comment · Fixed by #2974

luiof commented Jul 19, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

$ terraform -v
Terraform v1.0.2
on darwin_amd64
+ provider registry.terraform.io/hashicorp/helm v2.2.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.3.2
+ provider registry.terraform.io/hashicorp/local v2.1.0
+ provider registry.terraform.io/hashicorp/null v3.1.0
+ provider registry.terraform.io/hashicorp/time v0.7.1
+ provider registry.terraform.io/ibm-cloud/ibm v1.27.1

Affected Resource(s)

  • ibm_container_vpc_worker_pool
  • ibm_container_vpc_cluster

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "ibm_container_vpc_cluster" "cluster" {
  name                            = "test-cluster"
  vpc_id                          = var.vpc_id
  kube_version                    = "4.7"
  flavor                          = local.default_pool.machine_type
  entitlement                     = var.ocp_entitlement
  cos_instance_crn                = var.cos_instance_crn
  worker_count                    = local.default_pool.workers_per_zone
  resource_group_id               = var.resource_group_id
  wait_till                       = "IngressReady"
  force_delete_storage            = true
  disable_public_service_endpoint = false

  dynamic "zones" {
    for_each = [
      for subnet in data.ibm_is_subnets.all_subnets.subnets :
      subnet if length(regexall(".+-${local.default_pool.subnet_prefix}-.+", subnet.name)) > 0 && subnet.vpc == var.vpc_id
    ]
    content {
      subnet_id = zones.value.id
      name      = zones.value.zone
    }
  }
}

resource "ibm_container_vpc_worker_pool" "pool" {
  for_each          = { for pool in local.other_pools : pool.pool_name => pool }
  vpc_id            = var.vpc_id
  resource_group_id = var.resource_group_id
  cluster           = ibm_container_vpc_cluster.cluster.id
  worker_pool_name  = each.value.pool_name
  flavor            = each.value.machine_type
  worker_count      = each.value.workers_per_zone

  dynamic "zones" {
    for_each = [
      for subnet in data.ibm_is_subnets.all_subnets.subnets :
      subnet if length(regexall(".+-${each.value.subnet_prefix}-.+", subnet.name)) > 0 && subnet.vpc == var.vpc_id
    ]
    content {
      subnet_id = zones.value.id
      name      = zones.value.zone
    }
  }
}

The input variables are:

# Resource Group Variables
variable "resource_group_id" {
  type        = string
  description = "The name of the IBM Cloud resource group where the cluster will be created/can be found."
}

variable "region" {
  type        = string
  description = "The IBM Cloud region where the cluster will be installed."
}

# Cluster Variables
variable "cluster_name" {
  type        = string
  description = "The name of the cluster that will be created within the resource group"
}

variable "worker_pools" {
  type = list(object({
    subnet_prefix     = string
    pool_name         = string
    machine_type      = string
    workers_per_zone  = number
    resource_group_id = optional(string)
  }))
  default = [
    {
      subnet_prefix    = "private"
      pool_name        = "default" 
      machine_type     = "bx2.4x16"
      workers_per_zone = 2
    },
    {
      subnet_prefix    = "edge"
      pool_name        = "edge"
      machine_type     = "bx2.4x16"
      workers_per_zone = 2
    },
    {
      subnet_prefix    = "transit"
      pool_name        = "transit"
      machine_type     = "bx2.4x16"
      workers_per_zone = 2
    }
  ]
}

variable "ocp_version" {
  type        = string
  description = "The version of the OpenShift cluster that should be provisioned (format 4.x)"
  default     = "4.6"
}

variable "cluster_ready_when" {
  type        = string
  description = "The cluster is ready when one of the following: MasterNodeReady, OneWorkerNodeReady, IngressReady"
  default     = "IngressReady"
}
variable "disable_public_endpoint" {
  type        = bool
  description = "Flag indicating that the public endpoint should be disabled"
  default     = false
}

variable "ocp_entitlement" {
  type        = string
  description = "Value that is applied to the entitlements for OCP cluster provisioning"
  default     = "cloud_pak"
}

variable "force_delete_storage" {
  type        = bool
  description = "Delete attached storage when destroying the cluster - Default: false"
  default     = false
}

variable "cos_name" {
  type        = string
  description = "Name of the COS instance to provision. New instance only provisioned if `use_existing_cos = false`. Default: `<cluster_name>_cos`"
  default     = null
}

variable "use_existing_cos" {
  type        = bool
  description = "Use an existing cos instance?"
  default     = false
}

variable "existing_cos_id" {
  type        = string
  description = "The COS id of an already existing COS instance. Only required if 'use_existing_cos = true'"
  default     = null
}

# VPC Variables
variable "vpc_id" {
  type        = string
  description = "Id of the VPC instance that will be used"
}

Actual Behavior

When we try to provision some resources that require more than 15 minutes, we get an error about a 400 on the refresh token due to inactivity:
Error: Authentication failed, Unable to refresh auth token: Request failed with status code: 400, BXNIM0439E: Transaction-Id:[aWFtaWQtNi43LTExMTQyLTM4MmZjODItNzc1ZDk0NjVjNy03ZzRuNQ-8e6d40eb7a1342399ff46a1fa8605638] Session 'C-c89bd585-c6b1-47b8-b8a4-ac0b8c9d11c1' is invalidated due to inactivity.. Try again later

This seems to be generated by the session timeout of the account configured to 15 minutes. Indeed if we try using another account with a session timeout configured to 2h, we complete the provision without issue.
So the problem seems to be in the provider that cannot correctly refresh the token without considering the TTL of the token.

Steps to Reproduce

With a session timeout account configured to 15 minutes:

  1. Run export TF_VAR_ibmcloud_api_key="${MY_APIKEY}"
  2. terraform apply
  3. See that the elaboration is not completed with a 400 error code due to inactivity
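
The failure reported above can be reproduced offline with a simulated token service. This is an added example, not code from the issue or from the IBM provider: `fakeIAM`, `tokenFor` and `Provision` are hypothetical names, the 40-minute run is constructed, and falling back to a fresh API-key login is one possible mitigation, not necessarily the change merged in #2974.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrSessionInactive stands in for the 400 / BXNIM0439E response quoted in the issue.
var ErrSessionInactive = errors.New("session invalidated due to inactivity")

// fakeIAM is a constructed stand-in for the token service: the session is
// invalidated when no token call reaches it within the idle window.
type fakeIAM struct {
	idle     time.Duration
	lastSeen time.Time
	logins   int
}

// Login models exchanging the long-lived API key for a new session.
func (f *fakeIAM) Login(now time.Time) string {
	f.logins++
	f.lastSeen = now
	return fmt.Sprintf("session-%d", f.logins)
}

// Refresh models the refresh-token call; it fails once the session has idled out.
func (f *fakeIAM) Refresh(now time.Time) (string, error) {
	if now.Sub(f.lastSeen) > f.idle {
		return "", ErrSessionInactive
	}
	f.lastSeen = now
	return "refreshed", nil
}

// tokenFor tries a refresh first. With fallback=false it surfaces the error as
// the issue reports; with fallback=true it starts a new session instead.
func tokenFor(iam *fakeIAM, now time.Time, fallback bool) (string, error) {
	tok, err := iam.Refresh(now)
	if errors.Is(err, ErrSessionInactive) && fallback {
		return iam.Login(now), nil
	}
	return tok, err
}

// Provision simulates an apply that authenticates once, waits for the given
// duration without touching the token service, then needs a token again.
func Provision(duration time.Duration, fallback bool) error {
	start := time.Date(2021, 7, 19, 9, 0, 0, 0, time.UTC)
	iam := &fakeIAM{idle: 15 * time.Minute} // session timeout from the issue
	iam.Login(start)
	_, err := tokenFor(iam, start.Add(duration), fallback)
	return err
}

func main() {
	fmt.Println("refresh only: ", Provision(40*time.Minute, false))
	fmt.Println("with fallback:", Provision(40*time.Minute, true))
}
```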

@hkantare (Collaborator)

We will plan to take it up in the next sprint
