oracle-devrel/terraform-oci-ocloud-foundation

Apply fails to create oci_bastion_session

Closed this issue · 4 comments

While plan works OK, apply fails with the following error. Re-running the stack doesn't help.

Error: 400-BadErrorResponse
Provider version: 4.43.0, released on 2021-09-08.
Service: Bastion Session
Error Message: Failed to parse json from response body due to: json: cannot unmarshal number into Go struct field servicefailure.code of type string. With response body {
"code" : 400,
"message" : "To create a Managed SSH session, the Bastion plugin must be in the RUNNING state on the target instance, but the plugin is not running on ocid1.instance.oc1.eu-frankfurt-1.antheljshycylkyc7e2bfbywqgbjxvfzqzvglof3xmc5qxzrdhkqbxai2eaq. Enable the Bastion plugin on the target instance before creating the session."
}.
OPC request ID: f8fecbc11ce788188fd72543a553a08b/5C66EBDC5094376F24EB0DE912EC0628/0004B55AC773A892972F0572F192D30C
Suggestion: Please retry or contact support for help with service: Bastion Session
with module.operator.oci_bastion_session.ssh[0],
on component/application_host/ssh.tf line 4, in resource "oci_bastion_session" "ssh"
4: resource "oci_bastion_session" "ssh" {
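
The error text above shows the service's error body failing to decode because `code` arrived as a number where a string was expected, so the message about the Bastion plugin only surfaces inside a parse error. An added example (not code from this repository or from the OCI provider; all type and function names are hypothetical and the sample body is constructed) of a decoder that accepts both forms:

```go
package main

import (
	"encoding/json"
	"fmt"
)

// flexString decodes a JSON string or a JSON number into text.
type flexString string

func (f *flexString) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err == nil {
		*f = flexString(s)
		return nil
	}
	var n json.Number // only a number is accepted here; booleans and objects still fail
	err := json.Unmarshal(b, &n)
	*f = flexString(n)
	return err
}

// Both structs are hypothetical stand-ins. strictFailure types "code" as a
// string, which is the shape the error text in the report names.
type strictFailure struct {
	Code    string `json:"code"`
	Message string `json:"message"`
}

type tolerantFailure struct {
	Code    flexString `json:"code"` // accepts "400" as well as 400
	Message string     `json:"message"`
}

// sampleBody is constructed: same shape as the body in the report, message shortened.
const sampleBody = `{"code": 400, "message": "the Bastion plugin must be in the RUNNING state"}`

func decodeStrict(body string) error {
	return json.Unmarshal([]byte(body), &strictFailure{})
}

func decodeTolerant(body string) (f tolerantFailure, err error) {
	err = json.Unmarshal([]byte(body), &f)
	return f, err
}

func main() {
	fmt.Println("strict:", decodeStrict(sampleBody))
	fmt.Println(decodeTolerant(sampleBody))
}
```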

Correct - when you enable bastion session you need to run apply twice.

Added to the issue list: "It is recommended to run the first "terraform apply" without bastion session enabled. Enabling the bastion session in the first run will produce an error message. Running "apply" a second time resolves the issue." We will resolve that later.

Can the famous time_sleep resource that waits for e.g. 2 minutes after the target instance has been created (duration to be tested) before the bastion service gets generated, help here? I know, it is not beautiful, but helpful. Having to run "apply" twice is much less beautiful.

Well, unfortunately not. It is actually set already. But this is not a timing issue; it is caused by the fact that the data request does not deliver the session data. Chaining the requests as proposed in Slack cannot be applied without creating an error when the flag is changed from true to false. Looks like a dead-end street to me, and working with a default false flag to prepare a successful second run just appeared as the least intrusive option to me.