duplicate fix

Signed-off-by: Mauritz Uphoff <mauritz.uphoff@stackit.cloud>

Author: h3adex

stackit/internal/services/authorization/roleassignments/resource.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"strings"
+	"time"
 
 	"github.com/hashicorp/terraform-plugin-framework/path"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
@@ -154,6 +155,21 @@ func (r *roleAssignmentResource) Create(ctx context.Context, req resource.Create
 	ctx = tflog.SetField(ctx, "role", model.Role.ValueString())
 	ctx = tflog.SetField(ctx, "resource_type", r.apiName)
 
+	lockKey := fmt.Sprintf("%s,%s,%s",
+		model.ResourceId.ValueString(),
+		model.Role.ValueString(),
+		model.Subject.ValueString(),
+	)
+
+	// Terraform executes resources in parallel. If two resources define the same
+	// role assignment, they create a "Check-Then-Act" race condition:
+	// 1. Thread A creates -> Success
+	// 2. Thread B creates -> Duplicate Error
+	// This lock forces Thread B to wait until Thread A completes, allowing
+	// the subsequent duplicate check to correctly find the existing assignment.
+	unlock := authorizationUtils.LockAssignment(lockKey)
+	defer unlock()
+
 	listMemberResp, err := r.authorizationClient.ListMembers(ctx, r.apiName, model.ResourceId.ValueString()).Subject(model.Subject.ValueString()).Execute()
 	if err != nil {
 		core.LogAndAddError(ctx, &resp.Diagnostics, "Error listing current resource members", fmt.Sprintf("Calling API: %v", err))
@@ -188,6 +204,10 @@ func (r *roleAssignmentResource) Create(ctx context.Context, req resource.Create
 
 	err = mapListMembersResponse(listMembersResponse, &model)
 	if err != nil {
+		if errors.Is(err, errRoleAssignmentNotFound) {
+			resp.State.RemoveResource(ctx)
+			return
+		}
 		core.LogAndAddError(ctx, &resp.Diagnostics, fmt.Sprintf("Error creating %s role assignment", r.apiName), fmt.Sprintf("Processing API payload: %v", err))
 		return
 	}
@@ -197,6 +217,10 @@ func (r *roleAssignmentResource) Create(ctx context.Context, req resource.Create
 	if resp.Diagnostics.HasError() {
 		return
 	}
+
+	// safety sleep due to api cache
+	time.Sleep(1 * time.Second)
+
 	tflog.Info(ctx, fmt.Sprintf("%s role assignment created", r.apiName))
 }
 

stackit/internal/services/authorization/utils/util.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"sync"
 
 	"github.com/hashicorp/terraform-plugin-framework/diag"
 	"github.com/stackitcloud/stackit-sdk-go/core/config"
@@ -43,3 +44,29 @@ func TypeConverter[R any](data any) (*R, error) {
 	}
 	return &result, err
 }
+
+// Global map to hold locks for specific assignment IDs
+// This ensures that creating the same assignment in parallel waits for the first one to finish
+var (
+	assignmentLocksMu sync.Mutex
+	assignmentLocks   = make(map[string]*sync.Mutex)
+)
+
+// LockAssignment acquires a lock for a specific assignment identifier.
+// It returns an unlock function that must be deferred.
+func LockAssignment(id string) func() {
+	assignmentLocksMu.Lock()
+	mu, ok := assignmentLocks[id]
+	if !ok {
+		mu = &sync.Mutex{}
+		assignmentLocks[id] = mu
+	}
+	assignmentLocksMu.Unlock()
+
+	mu.Lock()
+
+	// Return the cleanup function
+	return func() {
+		mu.Unlock()
+	}
+}

stackit/internal/services/authorization/utils/util_test.go

@@ -4,7 +4,9 @@ import (
 	"context"
 	"os"
 	"reflect"
+	"sync"
 	"testing"
+	"time"
 
 	"github.com/hashicorp/terraform-plugin-framework/diag"
 	sdkClients "github.com/stackitcloud/stackit-sdk-go/core/clients"
@@ -146,3 +148,82 @@ func TestTypeConverter(t *testing.T) {
 		})
 	}
 }
+
+func TestLockAssignment(t *testing.T) {
+	// Test Case 1: Serialization (Same Key)
+	// Ensures that two processes cannot hold the lock for the same ID simultaneously.
+	t.Run("same key serialization", func(t *testing.T) {
+		key := "uuid,reader,project"
+		var criticalSectionActive bool
+		var wg sync.WaitGroup
+
+		// Goroutine 1
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			unlock := LockAssignment(key)
+			defer unlock()
+
+			// Mark that we are inside the critical section
+			criticalSectionActive = true
+			// Sleep to simulate API work and give G2 a chance to interrupt if the lock is broken
+			time.Sleep(100 * time.Millisecond)
+			criticalSectionActive = false
+		}()
+
+		// Goroutine 2
+		// Wait a tiny bit to ensure G1 has started and acquired the lock
+		time.Sleep(10 * time.Millisecond)
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+
+			// This should block until G1 releases the lock
+			unlock := LockAssignment(key)
+			defer unlock()
+
+			// If the lock works, G1 must have finished (setting criticalSectionActive = false)
+			if criticalSectionActive {
+				t.Error("LockAssignment failed: entered critical section while another goroutine held the lock")
+			}
+		}()
+
+		wg.Wait()
+	})
+
+	// Test Case 2: Different Keys
+	t.Run("different keys parallelism", func(t *testing.T) {
+		key1 := "uuid_a"
+		key2 := "uuid_b"
+
+		start := time.Now()
+		var wg sync.WaitGroup
+
+		wg.Add(2)
+
+		// Worker for Key 1
+		go func() {
+			defer wg.Done()
+			unlock := LockAssignment(key1)
+			defer unlock()
+			time.Sleep(100 * time.Millisecond)
+		}()
+
+		// Worker for Key 2
+		go func() {
+			defer wg.Done()
+			unlock := LockAssignment(key2)
+			defer unlock()
+			time.Sleep(100 * time.Millisecond)
+		}()
+
+		wg.Wait()
+		duration := time.Since(start)
+
+		// If they ran sequentially, it would take >200ms.
+		// If parallel, it should take ~100ms. We use 150ms as a safe threshold.
+		if duration > 150*time.Millisecond {
+			t.Errorf("LockAssignment with different keys blocked execution. Duration: %v", duration)
+		}
+	})
+}