[5.x] Defined Tag being applied to Tag Namespace
gotsysdba opened this issue ยท 2 comments
Community Note
- Please vote on this issue by adding a ๐ reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform Version and Provider Version
Terraform v1.5.6 on linux_amd64
- provider registry.terraform.io/hashicorp/cloudinit v2.3.2
- provider registry.terraform.io/hashicorp/helm v2.11.0
- provider registry.terraform.io/hashicorp/http v3.4.0
- provider registry.terraform.io/hashicorp/local v2.4.0
- provider registry.terraform.io/hashicorp/null v3.2.1
- provider registry.terraform.io/hashicorp/random v3.5.1
- provider registry.terraform.io/hashicorp/template v2.2.0
- provider registry.terraform.io/hashicorp/time v0.9.1
- provider registry.terraform.io/hashicorp/tls v4.0.4
- provider registry.terraform.io/oracle/oci v5.19.0
Affected Resource(s)
module.oke.module.iam.oci_identity_tag_namespace.oke[0]
Terraform Configuration Files
Specific Configuration:
create_iam_resources = true
create_iam_tag_namespace = true
use_defined_tags = true
Expected Behavior
Tag Namespace created and defined tag applied to all resources EXCEPT for the tag namespace itself.
Actual Behavior
During the creation of the tag namespace, an attempt to apply defined tags of that namespace to the namespace being created is performed (between ###):
# module.oke.module.iam.oci_identity_tag_namespace.oke[0] will be created
+ resource "oci_identity_tag_namespace" "oke" {
+ compartment_id = "ocid1.compartment.oc1..aaaaaaaaarzn4nsggcohioyrhyaddxccs5q64w5hzo45hzxreuo7qc6vs3ba"
### BEGIN Applying TN to the TN itself
+ defined_tags = {
+ "oke.role" = "iam"
+ "oke.state_id" = "wysiwyg"
}
### END
+ description = "Tag namespace for OKE resources"
+ freeform_tags = (known after apply)
+ id = (known after apply)
+ is_retired = (known after apply)
+ name = "oke"
+ state = (known after apply)
+ time_created = (known after apply)
}
Error:
โ Error: 400-RelatedResourceNotAuthorizedOrNotFound, The following tag namespaces / keys are not authorized or not found: TagNamespace oke does not exists.
โ with module.oke.module.vcn[0].oci_core_vcn.vcn,
โ on .terraform/modules/oke.vcn/vcn.tf line 4, in resource "oci_core_vcn" "vcn":
โ 4: resource "oci_core_vcn" "vcn" {
โ with module.oke.module.iam.oci_identity_tag_namespace.oke[0],
โ on modules/oke/modules/iam/tagging.tf line 60, in resource "oci_identity_tag_namespace" "oke":
โ 60: resource "oci_identity_tag_namespace" "oke" {
Steps to Reproduce
Deploy minimum cluster with these options:
create_iam_resources = true
create_iam_tag_namespace = true
use_defined_tags = true
It looks like a "chicken-and-egg" problem.
Are you trying to use a defined tag to the namespace definition of the same tag?
@robo-cap that is exactly what is happening; from: modules/oke/modules/iam/tagging.tf:
resource "oci_identity_tag_namespace" "oke" {
...
name = var.tag_namespace
defined_tags = local.defined_tags
...
}
Where local.defined_tags (same file) includes var.tag_namespace.
While this appears to be an easy fix (remove defined_tags from the oci_identity_tag_namespace resource), there is another issue. This made me question if I was using the tagging functionality correctly in the first place.
FWIW, the "other issue" (will open another if this one is not a result of me being a muppet):
module.oke.module.vcn[0].oci_core_vcn.vcn: Creating... <- Starts before the tag creation
module.oke.module.iam.oci_identity_tag_namespace.oke[0]: Creating...
module.oke.module.iam.time_sleep.await_iam_resources[0]: Creating..
module.oke.module.iam.oci_identity_tag_namespace.oke[0]: Creation complete after 2s [id=ocid1.tagnamespace.oc1..aaaaaaaatdgtjgg34g27o5iynrz67wzdspr4o3jae5arhvrawh2fr45abgfa]
When use_defined_tags = true, it will attempt to apply the defined tag of to be created namespace tag to the VCN... but the vcn creation has no dependency on that tag existing.