Cannot Upgrade Fleet Integration when agents are using the integration

[markjandejong]

Describe the bug
When attempting to upgrade the Fleet integration to a newer version when in use by Agents, an error occurs.

  # module.fleet_integration["juniper_srx"].elasticstack_fleet_integration.main must be replaced
+/- resource "elasticstack_fleet_integration" "main" {
      ~ id      = "75ecee05ad0cad8ab715f26ab2876aa0f9673f47" -> (known after apply)
        name    = "juniper_srx"
      ~ version = "1.20.0" -> "1.20.1" # forces replacement

╷
│ Error: Unexpected status code from server: got HTTP 400
│ 
│ {"statusCode":400,"error":"Bad Request","message":"unable to remove package
│ with existing package policy(s) in use by agent(s)"}
╵
ERRO[0055] 1 error occurred:
        * exit status 1

Every attempt to mitigate the error have been unsuccessful. Setting either force and/or skip_destroy to true does not resolve the issue. I have attempted to add lifecycle { create_before_destroy: true } on the resource. This does deploy the latest version, but then cannot remove the older version, presenting the same error as above.

To Reproduce
Steps to reproduce the behavior:

1. Deploy Fleet integrations using terraform.
2. Deploy Fleet policies using the Fleet integration.
3. Assign the policy to agents.
4. Attempt to increase the version number of the Fleet integration to upgrade.

Expected behavior
The integration should upgrade as it would by clicking the upgrade button in the Kibana Fleet UI.

Versions (please complete the following information):

• OS: linux
• Terraform Version 4.6
• Provider version 0.11.0
• Elasticsearch Version 8.11.4

[DaneViking7]

Any updates or timelines on this issue? The current work around I have is to remove any integration policies, so that the integration can be uninstalled and reinstalled but that causes downtime and potentially duplicate data in my datasets.

[nick-benoit]

Note that in SDH-9139 there is a second customer also running into this same problem. Just adding context so we have a better idea of how many customers this is impacting.

[mag-mkorn]

We already opened a support case for this issue, as well. In fact, this should impact anyone using the provider.

[davidhtml]

+1 We are facing the same issue in our organisation. Currently steps that were attempted:

1. Upgrade integration version from terraform - FAILS, reason │ {"statusCode":400,"error":"Bad Request","message":"Unable to remove package with existing package policy(s) in use by agent(s)"}

2. Upgrading integration from GUI manually (which works), but fixing terraform is not possible. Tried playing around with all possible combinations in terraform e.g.

  force        = false
  skip_destroy = true

  lifecycle {
    ignore_changes  = [version]
    prevent_destroy = true
  }

Terraform still breaks, because in state version is old, and even force = false, did not help, because resource is still being replaced.

3. Removing resource from terraform state and trying to re-import - FAILS, reason: │ This resource does not support import. Please contact the provider developer for additional information.

Of course deleting integration and deleting integration policy and redeploying from scratch works, this could be acceptable in staging environments, but requires too much of manual effort and nothing we want to practice in production.

[simon-weimann]

+1

Is there any news on this. We also run into this issue and I am wondering how this should work or if there is a workaround.

The first run of terraform works, if there is no integration, but succeeding changes to the integration will fail:

│ {"statusCode":400,"error":"Bad Request","message":"Unable to remove package
│ with existing package policy(s) in use by agent(s)"}

[cuspofaries]

Hi @tobio, I am still having this issue. Can we please reopen it ? Cheers

[tobio]

@cuspofaries it's just been merged into the main branch and will be fixed in the next release which should be out in the next 2 weeks.