terraform-provider-consul: Provider produced inconsistent result after apply

Terraform Version

Run terraform -v to show the version. If you are not running the latest version of Terraform, please upgrade because your issue may have already been fixed.

terraform --version
Terraform v0.12.9
+ provider.consul v2.6.0

Affected Resource(s)

Please list the resources as a list, for example:

consul_acl_policy

If this issue appears to affect multiple resources, it may be an issue with Terraform’s core, so please mention this.

Terraform Configuration Files

provider "consul" {
  address        = "10.10.10.101:8501"
  scheme         = "https"
  datacenter     = "mydc"
  version        = ">= 2.6.0"
  ca_file        = "/Users/myuser/.tls/consul/mydc-consul-agent-ca.pem"
  cert_file      = "/Users/myuser/.tls/consul/mydc-cli-consul-1.pem"
  key_file       = "/Users/myuser/.tls/consul/mydc-cli-consul-1-key.pem"

}

resource "consul_acl_policy" "consul_test" {
  name  = "consul-test"
  rules = <<-RULE
    node "consul-test" {
      policy = "write"
    }
    RULE
}

Debug Output

Please provider a link to a GitHub Gist containing the complete debug output: https://www.terraform.io/docs/internals/debugging.html. Please do NOT paste the debug output in the issue; just paste a link to the Gist.

https://gist.github.com/kpettijohn/81cdd2588f7526b35f74c25d3a127c3d

Panic Output

If Terraform produced a panic, please provide a link to a GitHub Gist containing the output of the crash.log.

Expected Behavior

Successful Terraform apply

Actual Behavior

Terraform throws the following error after creating the new policy in Consul.

Error: Provider produced inconsistent result after apply

After the first error if another Terraform apply is attempted it will fail again but with another error saying that a policy with that name already exists.

Error: error creating ACL policy: Unexpected response code: 500 (rpc error making call: Invalid Policy: A Policy with Name "consul-test" already exists)

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

terraform apply

Important Factoids

Are there anything atypical about your accounts that we should know? For example: Running in EC2 Classic? Custom version of OpenStack? Tight ACLs?

I have ACLs enabled and am currently using the Bootstrap Token (Global Management) token.

References

About this issue

Original URL
State: closed
Created 5 years ago
Comments: 15

Commits related to this issue

Fix error checking in resourceConsulACLPolicyRead() Failing to read a policy from the server does not necessarly mean that the policy has been removed, the network can be down, the correct datacenter... — committed to remilapeyre/terraform-provider-consul by deleted user 5 years ago
Fix error checking in ACL resources (#167) Failing to read a policy from the server does not necessarly mean that the policy has been removed, the network can be down, the correct datacenter may no... — committed to hashicorp/terraform-provider-consul by deleted user 5 years ago

Most upvoted comments

Thanks @kpettijohn, this is indeed an issue. I made some tests and I find Consul’s behavior weird with policies and multiple datacenters.

I’ll keep you updated and hopefully post a fix shortly.

remilapeyre on Nov 15, 2019