"Root resource was present, but now absent." Error when adding a default role to existing configuration

[BrandonALXEllisSS]

Terraform Version

v1.0.3

Affected Resource(s)

boundary_role

Terraform Configuration Files

Added this block to the boundary-reference-architecture aws deployment:

# Adds a global-level role granting administrative permissions within the core_infra project
resource "boundary_role" "system_admin" {
  name           = "system_admin"
  description    = "System Administrator role for core infra"
  scope_id       = boundary_scope.global.id
  grant_scope_id = boundary_scope.core_infra.id
  grant_strings = [
    "id=*;type=*;actions=*"
  ]
  default_role = true
}

Debug Output

module.boundary.boundary_role.system_admin: Creating...
2021-08-17T11:00:41.262-0400 [TRACE] readResourceInstanceState: no state present for module.boundary.boundary_role.system_admin
2021-08-17T11:00:41.262-0400 [INFO]  Starting apply for module.boundary.boundary_role.system_admin
2021-08-17T11:00:41.262-0400 [DEBUG] module.boundary.boundary_role.system_admin: applying the planned Create change
2021-08-17T11:00:41.262-0400 [TRACE] GRPCProvider: ApplyResourceChange
2021-08-17T11:00:41.473-0400 [TRACE] maybeTainted: module.boundary.boundary_role.system_admin encountered an error during creation, so it is now marked as tainted
2021-08-17T11:00:41.473-0400 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to workingState for module.boundary.boundary_role.system_admin
2021-08-17T11:00:41.473-0400 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: removing state object for module.boundary.boundary_role.system_admin
2021-08-17T11:00:41.473-0400 [TRACE] evalApplyProvisioners: module.boundary.boundary_role.system_admin is tainted, so skipping provisioning
2021-08-17T11:00:41.473-0400 [TRACE] maybeTainted: module.boundary.boundary_role.system_admin was already tainted, so nothing to do
2021-08-17T11:00:41.473-0400 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to workingState for module.boundary.boundary_role.system_admin
2021-08-17T11:00:41.473-0400 [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: removing state object for module.boundary.boundary_role.system_admin
2021-08-17T11:00:41.481-0400 [TRACE] statemgr.Filesystem: creating backup snapshot at terraform.tfstate.backup
2021-08-17T11:00:41.496-0400 [TRACE] statemgr.Filesystem: state has changed since last snapshot, so incrementing serial to 463
2021-08-17T11:00:41.496-0400 [TRACE] statemgr.Filesystem: writing snapshot at terraform.tfstate
2021-08-17T11:00:41.506-0400 [TRACE] vertex "module.boundary.boundary_role.system_admin": visit complete
2021-08-17T11:00:41.506-0400 [TRACE] dag/walk: upstream of "module.boundary.provider[\"registry.terraform.io/hashicorp/boundary\"] (close)" errored, so skipping
2021-08-17T11:00:41.506-0400 [TRACE] dag/walk: upstream of "meta.count-boundary (EachMode fixup)" errored, so skipping
2021-08-17T11:00:41.506-0400 [TRACE] dag/walk: upstream of "root" errored, so skipping
2021-08-17T11:00:41.507-0400 [TRACE] statemgr.Filesystem: have already backed up original terraform.tfstate to terraform.tfstate.backup on a previous write
2021-08-17T11:00:41.517-0400 [TRACE] statemgr.Filesystem: state has changed since last snapshot, so incrementing serial to 464
2021-08-17T11:00:41.517-0400 [TRACE] statemgr.Filesystem: writing snapshot at terraform.tfstate

Expected Behavior

New managed default group is created for the global scope

Actual Behavior

Error: Provider produced inconsistent result after apply

When applying changes to module.boundary.boundary_role.system_admin, provider module.boundary.provider[\"registry.terraform.io/hashicorp/boundary\"]" produced an unexpected new value: Root resource was present, but now absent.

This is a bug in the provider, which should be reported in the provider's own issue tracker.

Steps to Reproduce

Create a new default group in an existing boundary deployment using the reference architecture example

Important Factoids

My deployment is being done with extra workers in separate accounts. However, this should not affect the configuration of Boundary in question here.

I also have added an boundary_auth_method_oidc resource to the global scope.

[BrandonALXEllisSS]

Same error occurred when doing a full destroy on all boundary resources and then doing another apply

[xingluw]

Hi @BrandonALXEllisSS , sorry for the late response, is this still an issue for you? What version of the Terraform provider are you on?

[guitmz]

yes this is still an issue.. suddenly the provider wants to recreate all my resources and it fails with the same error during apply.. things just disappeared from state file suddenly

[louisruch]

@BrandonALXEllisSS @guitmz Sorry for the long turn around on getting eyes on a fix for this issue.

The error you are receiving is due to the specialized behavior around the default role. However, this role does not exist and was just a concept prior to the initial release of Boundary. It just happened to stay behind in the TF provider incorrectly.

I have a PR that removes this schema from the boundary_role resource, which will be part of the next release. But to get around this you just need to drop the default_role = true in your tf file