aws_servicecatalog_portfolio_share concurrency and throttling issues

[sbutler]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v1.1.9
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v4.13.0

Affected Resource(s)

• aws_servicecatalog_portfolio_share

Terraform Configuration Files

terraform {
    required_version = "~> 1.1"
    required_providers {
        aws = {
            source = "hashicorp/aws"
            version = "~> 4.13"
        }
    }
}

variable "ou_names" {
    type    = list(string)
    default = ["example1", "example2", "example3"]
}

data "aws_organizations_organization" "this" {}

resource "aws_organizations_organizational_unit" "example" {
    for_each = toset(var.ou_names)

    name      = each.key
    parent_id = data.aws_organizations_organization.this.roots[0].id
}


resource "aws_servicecatalog_portfolio" "example" {
    name          = "Portfolio Share Bug Report"
    description   = "Example for reporting a bug in portfolio shares."
    provider_name = "Me"
}

resource "aws_servicecatalog_portfolio_share" "example_ou" {
    for_each = toset(var.ou_names)

    portfolio_id = aws_servicecatalog_portfolio.example.id
    principal_id = aws_organizations_organizational_unit.example[each.key].arn
    type         = "ORGANIZATIONAL_UNIT"
}

Debug Output

https://gist.github.com/sbutler/a0c33af877aed4e5c9ac05d6658edeea

Expected Behavior

The portfolio should be shared to all the OU's.

Actual Behavior

One or more might be created, but some will get a ThrottlingException and not be shared.

Steps to Reproduce

1. terraform apply

Important Factoids

Although I could not find documentation, experimentation revealed:

• AWS Service Catalog only supports creating a single portfolio share at a time.
• The CreatePortfolioShare API call can succeed, but the later DescribePortfolioShareStatus call can return an error in the ShareDetail.ShareErrors[*].Error field. After adding some enhanced error logging I could see this was ThrottlingException in my example.

[vaibhawamck]

Please merge this, need it urgently. Thank you!

[sl-miguelmichee]

any news on this PR?

[cacack]

How about now? I believe our team is now getting bitten by this and I'd rather not have to revert our changes to manage Service Catalog Portfolio shares..

[srgoni]

I'm not sure if this is has the same root cause, but I'm getting the following error when doing multiple concurrent deassociations (for example when changing the elements of the for_each):

InvalidStateException: Cannot process more than one portfolio share action at the same time for account ####. Try again later.

Please consider this as well in a possible fix.