terraform-provider-openstack: Error creating openstack_lb_loadbalancer_v2 with use_octavia="true"

Terraform Version

11.0

Affected Resource(s)

  • openstack_lb_loadbalancer_v2

Terraform Configuration Files

provider "openstack" {
  auth_url = "${ var.os_auth_url }"
  region = "${ var.os_region_name }"
  domain_name = "${ var.os_user_domain_name }"
  user_name = "${ var.os_username }"
  tenant_id = "${ var.os_project_id }"
  password = "${ var.os_password }"

  use_octavia = "${ var.use_octavia }"
}

resource "openstack_lb_loadbalancer_v2" "internal_lb" {
  name = "internal_lb"
  vip_subnet_id = "${ openstack_networking_subnet_v2.cncf.id }"
  vip_address = "${ var.internal_lb_ip }"
  security_group_ids = [ "${ var.security_group_id}" ]
}

Debug Output

http://paste.openstack.org/show/627664/

Expected Behavior

A load balancer should have been created at the Octavia endpoint.

Actual Behavior

The computed TenantID was not passed to the Octavia endpoint, resulting in “Validation failure: Missing project ID in request where one is required.”

Steps to Reproduce

  1. obtain credential on Vexxhost
  2. run terraform script that creates a v2 loadbalancer using octavia

Important Factoids

Running in Vexxhost with an octavia specific endpoint. It’s worth noting that the OpenStack LBaaS team strongly discourages using the Neutron LBaaS v2 API with automation tools such as Terraform and K8s. Use of the Neutron API when backed by Octavia (rather than the direct Octavia API) can result in race conditions that will leak ports owned by the Neutron service, resulting in ports, subnets, networks, and security groups that can not be deleted by an unprivileged user.

Changing the variable use_octavia to false results in successful load balancer creation.

About this issue

  • Original URL
  • State: closed
  • Created 7 years ago
  • Comments: 15 (9 by maintainers)

Most upvoted comments

I think I have an idea of what’s going wrong. Given that the resource is created successfully, we know that this code path is completed:

https://github.com/terraform-providers/terraform-provider-openstack/blob/master/openstack/resource_openstack_lb_loadbalancer_v2.go#L126-L137

However, I think what is going wrong is here:

https://github.com/terraform-providers/terraform-provider-openstack/blob/master/openstack/resource_openstack_lb_loadbalancer_v2.go#L139-L147

However, the VIP port is not owned by the tenant when using the Octavia API until recently, which meant that you were trying to update a resource you do not own. This fix was added 3 days ago.

https://review.openstack.org/#/c/524254/

I will sync up our Octavia to the latest stable/pike at VEXXHOST and update everyone. @xgerman mentioned that it fixes things.

+4
mnaser on Dec 4, 2017

@jtopjian Yes, that’s correct.

@hogepodge I have been told that the event_streamer will change PENDING->ERROR if it’s working. Because of the way we set up rabbitMQ that never worked. Though I made a fix ( https://review.openstack.org/#/c/514452/) we decided to go with the Octavia API endpoint. So I can’t report if it’s working or not for sure.

+1
xgerman on Dec 1, 2017
Read more comments on GitHub
← terraform-provider-openstack: authentication worked in 1.3.0 but fails in 1.4.0
terraform-provider-openstack: Error with os-tenant-networks →