
azuread_access_package_assignment_policy: DuplicateKey, concurrency issue #1239

Open
Thacai opened this issue Nov 1, 2023 · 2 comments

Comments

Thacai commented Nov 1, 2023

Hi, whenever multiple azuread_access_package_assignment_policy resources are being created (for_each), it fails with "DuplicateKey: There is already a duplicated entity." (there is no existing policy), but whenever running with -parallelism=1 it works every time.

Seems to me there is a concurrency issue in the client, which is not handling this properly.

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

TF: 1.6.2
Azuread: 2.45.0

Affected Resource(s)

azuread_access_package_assignment_policy

Terraform Configuration Files

```hcl
resource "azuread_access_package_assignment_policy" "aws" {
  for_each          = local.additional_team_groups
  access_package_id = azuread_access_package.team_package[each.key].id
  display_name      = "assignment-policy-${each.value.name}"
  description       = "My assignment policy"
  duration_in_days  = 0
  extension_enabled = true

  requestor_settings {
    requestor {
      object_id    = azuread_group.aws["team"].object_id
      subject_type = "groupMembers"
    }
    requests_accepted = true
    scope_type        = "SpecificDirectorySubjects"
  }

  approval_settings {
    approval_required                = true
    approval_required_for_extension  = true
    requestor_justification_required = true

    approval_stage {
      approval_timeout_in_days        = 14
      approver_justification_required = false

      primary_approver {
        object_id    = azuread_group.aws["owner"].object_id
        subject_type = "groupMembers"
      }
    }
  }

  assignment_review_settings {
    access_recommendation_enabled = false
    enabled                       = true
    review_frequency              = "halfyearly"
    duration_in_days              = 30
    review_type                   = "Reviewers"
    reviewer {
      object_id    = azuread_group.aws["owner"].object_id
      subject_type = "groupMembers"
    }
    access_review_timeout_behavior  = "removeAccess"
    approver_justification_required = false
    starting_on                     = time_offset.access_package_review_start_date.rfc3339
  }
}
```

Debug Output

```
Error: Creating access package assignment policy "assignment-policy-AWS.aws.platform.ReleaseManagers"

with module.aws_platform.azuread_access_package_assignment_policy.aws["release_managers"],
on ../modules/groups/identity_governance.tf line 29, in resource "azuread_access_package_assignment_policy" "aws":
29: resource "azuread_access_package_assignment_policy" "aws" {

AccessPackageAssignmentPolicyClient.BaseClient.Post(): unexpected status 409 with OData error: DuplicateKey: There is already a duplicated entity.
```

Panic Output

Expected Behavior

Multiple assignment policies are created when running terraform apply.

Actual Behavior

Fails when only using terraform apply.
Workaround: terraform apply -parallelism=1

Steps to Reproduce

  • terraform apply containing multiple of
    • azuread_access_package
    • azuread_access_package_resource_catalog_association (aadgroup)
    • azuread_access_package_assignment_policy (for the access packages)

Important Factoids

References

@manicminer (Contributor)

Thanks for reporting this @Thacai. I've done some testing and was able to reproduce this. However, this seems to be an API issue, specifically related to the requestor settings. If I omit the requestor_settings block, it works every time. The provider isn't doing anything noteworthy here, it's passing through whatever is in your configuration, so I'd suggest experimenting with this if you want to narrow it down further.

In the meantime, I'm marking this as an API bug. I'll leave this issue open for now and it'd be great if you could report back if you find any more info on this. Thanks!

@aaron-warner-nzta

I've also hit this issue, similar scenario. When creating multiple assignments in a single session (it doesn't need to be multiple assignments against the same package, just multiple within the same run) it will fail after the first is assigned. Retry and it will be fine creating the second. A single assignment will be fine. Using parallelism set to 1 allows it to complete on the first run.
