Add keyed mutex around tenant variables

Author: mik-ky

octopusdeploy_framework/resource_tenant_common_variable.go

@@ -3,6 +3,7 @@ package octopusdeploy_framework
 import (
 	"context"
 	"fmt"
+	"github.com/OctopusDeploy/terraform-provider-octopusdeploy/internal"
 	"strings"
 
 	"github.com/OctopusDeploy/go-octopusdeploy/v2/pkg/core"
@@ -95,6 +96,9 @@ func (t *tenantCommonVariableResource) Create(ctx context.Context, req resource.
 		return
 	}
 
+	internal.KeyedMutex.Lock(plan.TenantID.ValueString())
+	defer internal.KeyedMutex.Unlock(plan.TenantID.ValueString())
+
 	if len(plan.Scope) > 0 && !t.supportsV2() {
 		resp.Diagnostics.AddError(
 			"Scoped tenant variables are not supported",
@@ -210,7 +214,7 @@ func (t *tenantCommonVariableResource) createV2(ctx context.Context, plan *tenan
 		scope.EnvironmentIds = envIDs
 	}
 
-	var payloads []variables.TenantCommonVariablePayload
+	payloads := []variables.TenantCommonVariablePayload{}
 
 	for _, v := range getResp.Variables {
 		payloads = append(payloads, variables.TenantCommonVariablePayload{
@@ -244,8 +248,35 @@ func (t *tenantCommonVariableResource) createV2(ctx context.Context, plan *tenan
 	var createdID string
 	for _, v := range updateResp.Variables {
 		if v.LibraryVariableSetId == plan.LibraryVariableSetID.ValueString() && v.TemplateID == plan.TemplateID.ValueString() {
-			createdID = v.GetID()
-			break
+			// Also match on scope to handle multiple variables with same template but different scopes
+			if len(plan.Scope) > 0 {
+				if len(v.Scope.EnvironmentIds) > 0 {
+					planEnvs := plan.Scope[0].EnvironmentIDs.Elements()
+					if len(planEnvs) == len(v.Scope.EnvironmentIds) {
+						match := true
+						planEnvSet := make(map[string]bool)
+						for _, e := range planEnvs {
+							planEnvSet[e.String()] = true
+						}
+						for _, serverEnv := range v.Scope.EnvironmentIds {
+							if !planEnvSet["\""+serverEnv+"\""] {
+								match = false
+								break
+							}
+						}
+						if match {
+							createdID = v.GetID()
+							break
+						}
+					}
+				}
+			} else {
+				// No scope in plan, match unscoped variable
+				if len(v.Scope.EnvironmentIds) == 0 {
+					createdID = v.GetID()
+					break
+				}
+			}
 		}
 	}
 
@@ -269,6 +300,9 @@ func (t *tenantCommonVariableResource) Read(ctx context.Context, req resource.Re
 		return
 	}
 
+	internal.KeyedMutex.Lock(state.TenantID.ValueString())
+	defer internal.KeyedMutex.Unlock(state.TenantID.ValueString())
+
 	tenant, err := tenants.GetByID(t.Client, state.SpaceID.ValueString(), state.TenantID.ValueString())
 	if err != nil {
 		resp.Diagnostics.AddError("Error retrieving tenant", err.Error())
@@ -420,6 +454,9 @@ func (t *tenantCommonVariableResource) Update(ctx context.Context, req resource.
 		return
 	}
 
+	internal.KeyedMutex.Lock(plan.TenantID.ValueString())
+	defer internal.KeyedMutex.Unlock(plan.TenantID.ValueString())
+
 	// Validate scope block usage on unsupported servers
 	if len(plan.Scope) > 0 && !t.supportsV2() {
 		resp.Diagnostics.AddError(
@@ -488,7 +525,7 @@ func (t *tenantCommonVariableResource) updateV2(ctx context.Context, plan *tenan
 		scope.EnvironmentIds = envIDs
 	}
 
-	var payloads []variables.TenantCommonVariablePayload
+	payloads := []variables.TenantCommonVariablePayload{}
 
 	for _, v := range getResp.Variables {
 		if v.GetID() == plan.ID.ValueString() {
@@ -585,7 +622,7 @@ func (t *tenantCommonVariableResource) migrateV1ToV2OnUpdate(ctx context.Context
 		scope.EnvironmentIds = envIDs
 	}
 
-	var payloads []variables.TenantCommonVariablePayload
+	payloads := []variables.TenantCommonVariablePayload{}
 
 	for _, v := range getResp.Variables {
 		if v.LibraryVariableSetId == plan.LibraryVariableSetID.ValueString() && v.TemplateID == plan.TemplateID.ValueString() {
@@ -645,6 +682,9 @@ func (t *tenantCommonVariableResource) Delete(ctx context.Context, req resource.
 		return
 	}
 
+	internal.KeyedMutex.Lock(state.TenantID.ValueString())
+	defer internal.KeyedMutex.Unlock(state.TenantID.ValueString())
+
 	tenant, err := tenants.GetByID(t.Client, state.SpaceID.ValueString(), state.TenantID.ValueString())
 	if err != nil {
 		resp.Diagnostics.AddError("Error retrieving tenant", err.Error())
@@ -715,7 +755,7 @@ func (t *tenantCommonVariableResource) deleteV2(ctx context.Context, state *tena
 		return
 	}
 
-	var payloads []variables.TenantCommonVariablePayload
+	payloads := []variables.TenantCommonVariablePayload{}
 
 	for _, v := range getResp.Variables {
 		if v.GetID() == state.ID.ValueString() {

octopusdeploy_framework/resource_tenant_project_variable.go

@@ -92,14 +92,15 @@ func findProjectVariableByID(variables []variables.TenantProjectVariable, id str
 }
 
 func (t *tenantProjectVariableResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
-	internal.Mutex.Lock()
-	defer internal.Mutex.Unlock()
 	var plan tenantProjectVariableResourceModel
 	resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
 	if resp.Diagnostics.HasError() {
 		return
 	}
 
+	internal.KeyedMutex.Lock(plan.TenantID.ValueString())
+	defer internal.KeyedMutex.Unlock(plan.TenantID.ValueString())
+
 	tflog.Debug(ctx, "Creating tenant project variable")
 
 	// Validate that either environment_id or scope is provided, but not both
@@ -149,6 +150,47 @@ func (t *tenantProjectVariableResource) Create(ctx context.Context, req resource
 	resp.Diagnostics.Append(resp.State.Set(ctx, &plan)...)
 }
 
+func (t *tenantProjectVariableResource) createV1(ctx context.Context, plan *tenantProjectVariableResourceModel, tenant *tenants.Tenant, hasEnvironmentID bool, resp *resource.CreateResponse) {
+	tflog.Debug(ctx, "Using V1 API for tenant project variable")
+
+	if !hasEnvironmentID {
+		resp.Diagnostics.AddError("Invalid configuration", "environment_id is required for V1 API")
+		return
+	}
+
+	id := fmt.Sprintf("%s:%s:%s:%s", plan.TenantID.ValueString(), plan.ProjectID.ValueString(), plan.EnvironmentID.ValueString(), plan.TemplateID.ValueString())
+
+	tenantVariables, err := t.Client.Tenants.GetVariables(tenant)
+	if err != nil {
+		resp.Diagnostics.AddError("Error retrieving tenant variables", err.Error())
+		return
+	}
+
+	isSensitive, err := checkIfVariableIsSensitive(tenantVariables, *plan)
+	if err != nil {
+		resp.Diagnostics.AddError("Error checking if variable is sensitive", err.Error())
+		return
+	}
+
+	if err := updateTenantProjectVariable(tenantVariables, *plan, isSensitive); err != nil {
+		resp.Diagnostics.AddError("Error updating tenant project variable", err.Error())
+		return
+	}
+
+	_, err = t.Client.Tenants.UpdateVariables(tenant, tenantVariables)
+	if err != nil {
+		resp.Diagnostics.AddError("Error updating tenant variables", err.Error())
+		return
+	}
+
+	plan.ID = types.StringValue(id)
+	plan.SpaceID = types.StringValue(tenant.SpaceID)
+
+	tflog.Debug(ctx, "Tenant project variable created with V1 API", map[string]interface{}{
+		"id": plan.ID.ValueString(),
+	})
+}
+
 func (t *tenantProjectVariableResource) createV2(ctx context.Context, plan *tenantProjectVariableResourceModel, tenant *tenants.Tenant, spaceID string, hasEnvironmentID bool, resp *resource.CreateResponse) {
 	tflog.Debug(ctx, "Using V2 API for tenant project variable")
 
@@ -193,7 +235,7 @@ func (t *tenantProjectVariableResource) createV2(ctx context.Context, plan *tena
 	}
 
 	// Build payloads for ALL existing variables plus the new one
-	var payloads []variables.TenantProjectVariablePayload
+	payloads := []variables.TenantProjectVariablePayload{}
 
 	// Add all existing variables
 	for _, v := range getResp.Variables {
@@ -229,8 +271,29 @@ func (t *tenantProjectVariableResource) createV2(ctx context.Context, plan *tena
 	var createdID string
 	for _, v := range updateResp.Variables {
 		if v.ProjectID == plan.ProjectID.ValueString() && v.TemplateID == plan.TemplateID.ValueString() {
-			createdID = v.GetID()
-			break
+			// Also match on scope to handle multiple variables with same template but different scopes
+			if len(plan.Scope) > 0 {
+				if len(v.Scope.EnvironmentIds) > 0 {
+					planEnvs := plan.Scope[0].EnvironmentIDs.Elements()
+					if len(planEnvs) == len(v.Scope.EnvironmentIds) {
+						match := true
+						planEnvSet := make(map[string]bool)
+						for _, e := range planEnvs {
+							planEnvSet[e.String()] = true
+						}
+						for _, serverEnv := range v.Scope.EnvironmentIds {
+							if !planEnvSet["\""+serverEnv+"\""] {
+								match = false
+								break
+							}
+						}
+						if match {
+							createdID = v.GetID()
+							break
+						}
+					}
+				}
+			}
 		}
 	}
 
@@ -254,57 +317,16 @@ func (t *tenantProjectVariableResource) createV2(ctx context.Context, plan *tena
 	})
 }
 
-func (t *tenantProjectVariableResource) createV1(ctx context.Context, plan *tenantProjectVariableResourceModel, tenant *tenants.Tenant, hasEnvironmentID bool, resp *resource.CreateResponse) {
-	tflog.Debug(ctx, "Using V1 API for tenant project variable")
-
-	if !hasEnvironmentID {
-		resp.Diagnostics.AddError("Invalid configuration", "environment_id is required for V1 API")
-		return
-	}
-
-	id := fmt.Sprintf("%s:%s:%s:%s", plan.TenantID.ValueString(), plan.ProjectID.ValueString(), plan.EnvironmentID.ValueString(), plan.TemplateID.ValueString())
-
-	tenantVariables, err := t.Client.Tenants.GetVariables(tenant)
-	if err != nil {
-		resp.Diagnostics.AddError("Error retrieving tenant variables", err.Error())
-		return
-	}
-
-	isSensitive, err := checkIfVariableIsSensitive(tenantVariables, *plan)
-	if err != nil {
-		resp.Diagnostics.AddError("Error checking if variable is sensitive", err.Error())
-		return
-	}
-
-	if err := updateTenantProjectVariable(tenantVariables, *plan, isSensitive); err != nil {
-		resp.Diagnostics.AddError("Error updating tenant project variable", err.Error())
-		return
-	}
-
-	_, err = t.Client.Tenants.UpdateVariables(tenant, tenantVariables)
-	if err != nil {
-		resp.Diagnostics.AddError("Error updating tenant variables", err.Error())
-		return
-	}
-
-	plan.ID = types.StringValue(id)
-	plan.SpaceID = types.StringValue(tenant.SpaceID)
-
-	tflog.Debug(ctx, "Tenant project variable created with V1 API", map[string]interface{}{
-		"id": plan.ID.ValueString(),
-	})
-}
-
 func (t *tenantProjectVariableResource) Read(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
-	internal.Mutex.Lock()
-	defer internal.Mutex.Unlock()
-
 	var state tenantProjectVariableResourceModel
 	resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
 	if resp.Diagnostics.HasError() {
 		return
 	}
 
+	internal.KeyedMutex.Lock(state.TenantID.ValueString())
+	defer internal.KeyedMutex.Unlock(state.TenantID.ValueString())
+
 	tenant, err := tenants.GetByID(t.Client, state.SpaceID.ValueString(), state.TenantID.ValueString())
 	if err != nil {
 		resp.Diagnostics.AddError("Error retrieving tenant", err.Error())
@@ -482,15 +504,15 @@ func (t *tenantProjectVariableResource) migrateV1ToV2OnRead(ctx context.Context,
 }
 
 func (t *tenantProjectVariableResource) Update(ctx context.Context, req resource.UpdateRequest, resp *resource.UpdateResponse) {
-	internal.Mutex.Lock()
-	defer internal.Mutex.Unlock()
-
 	var plan tenantProjectVariableResourceModel
 	resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
 	if resp.Diagnostics.HasError() {
 		return
 	}
 
+	internal.KeyedMutex.Lock(plan.TenantID.ValueString())
+	defer internal.KeyedMutex.Unlock(plan.TenantID.ValueString())
+
 	// Validate that either environment_id or scope is provided, but not both
 	hasEnvironmentID := !plan.EnvironmentID.IsNull() && plan.EnvironmentID.ValueString() != ""
 	hasScope := len(plan.Scope) > 0
@@ -575,7 +597,7 @@ func (t *tenantProjectVariableResource) updateV2(ctx context.Context, plan *tena
 		scope.EnvironmentIds = []string{plan.EnvironmentID.ValueString()}
 	}
 
-	var payloads []variables.TenantProjectVariablePayload
+	payloads := []variables.TenantProjectVariablePayload{}
 
 	for _, v := range getResp.Variables {
 		if v.GetID() == plan.ID.ValueString() {
@@ -676,7 +698,7 @@ func (t *tenantProjectVariableResource) migrateV1ToV2OnUpdate(ctx context.Contex
 		scope.EnvironmentIds = []string{plan.EnvironmentID.ValueString()}
 	}
 
-	var payloads []variables.TenantProjectVariablePayload
+	payloads := []variables.TenantProjectVariablePayload{}
 
 	for _, v := range getResp.Variables {
 		if v.ProjectID == plan.ProjectID.ValueString() && v.TemplateID == plan.TemplateID.ValueString() {
@@ -737,15 +759,15 @@ func (t *tenantProjectVariableResource) migrateV1ToV2OnUpdate(ctx context.Contex
 }
 
 func (t *tenantProjectVariableResource) Delete(ctx context.Context, req resource.DeleteRequest, resp *resource.DeleteResponse) {
-	internal.Mutex.Lock()
-	defer internal.Mutex.Unlock()
-
 	var state tenantProjectVariableResourceModel
 	resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
 	if resp.Diagnostics.HasError() {
 		return
 	}
 
+	internal.KeyedMutex.Lock(state.TenantID.ValueString())
+	defer internal.KeyedMutex.Unlock(state.TenantID.ValueString())
+
 	tenant, err := tenants.GetByID(t.Client, state.SpaceID.ValueString(), state.TenantID.ValueString())
 	if err != nil {
 		resp.Diagnostics.AddError("Error retrieving tenant", err.Error())
@@ -757,8 +779,8 @@ func (t *tenantProjectVariableResource) Delete(ctx context.Context, req resource
 		spaceID = tenant.SpaceID
 	}
 
-	useV1API := isCompositeID(state.ID.ValueString())
-	if !useV1API {
+	isV1ID := isCompositeID(state.ID.ValueString())
+	if !isV1ID {
 		t.deleteV2(ctx, &state, spaceID, resp)
 	} else {
 		t.deleteV1(ctx, &state, tenant, resp)
@@ -786,7 +808,7 @@ func (t *tenantProjectVariableResource) deleteV2(ctx context.Context, state *ten
 		return
 	}
 
-	var payloads []variables.TenantProjectVariablePayload
+	payloads := []variables.TenantProjectVariablePayload{}
 
 	for _, v := range getResp.Variables {
 		if v.GetID() == state.ID.ValueString() {