pagerduty_team_membership: cannot delete team membership for user who is a member of another team w/ an unrelated escalation policy

[mdb]

team_membership fails to support the the following team membership deletion scenario:

• user1 is a member of team1 and team2
• team1 is associated to escalation_policy1; team2 is associated to escalation_policy2
• user1's team1 membership is removed from Terraform HCL

As a result, the following error occurs:

pagerduty_team_membership.redacted: Still destroying... [id=REDACTED:REDACTED, 2m0s elapsed]

  | │ Error: PUT API call to https://api.pagerduty.com/teams/team1/escalation_policies/escalation_policy2 failed 400 Bad Request. Code: 2001, Errors: <nil>, Message: Escalation Policy has already been taken; Error while trying to associate back team "team1" to Escalation Policy "escalation_policy2". Resource succesfully deleted, but some team association couldn't be completed, so you need to run "terraform plan -refresh-only" and again "terraform apply/destroy" in order to remediate the drift

In addition to the apply failure, also note...

• user1's team1 membership is not actually successfully deleted in my case (I haven't quite gotten to the bottom of this, yet)
• terraform plan -refresh-only does not resolve the issue, despite the error message suggesting it does (perhaps because user1's team membership is not deleted in my case)
• "successfully" is misspelled in the error message ;)

Why?

IIUC, I believe this is because, at least at the time of writing (HEAD master commit 149d755), in order to delete a team membership...

1. the provider collects all escalation policies associated to user1 (escalation_policy1, escalation_policy2)
2. the provider disassociates escalation_policy1 and escalation_policy2 from team1
3. the provider deletes user1's team1 membership
4. the provider re-associates escalation_policy1 and escalation_policy2 to team1; this fails because escalation_policy2 was never associated with team1; it's associated with team2, where user1 is also a member

Terraform Version

1+

Affected Resource(s)

• team_membership

Terraform Configuration Files

resource "pagerduty_team" "team1" {
  name = "team1"
}

resource "pagerduty_team" "team2" {
  name = "team2"
}

# NOTE: The original TF configuration featured user1 as a member of team1.
# Now, we'd like to remove that membership.
# resource "pagerduty_team_membership" "user1_team1" {
#   user_id = pagerduty_user.user1.id
#   team_id = pagerduty_team.team1.id
# }

resource "pagerduty_team_membership" "user1_team2" {
  user_id = pagerduty_user.user1.id
  team_id = pagerduty_team.team2.id
}

resource "pagerduty_escalation_policy" "team1" {
  name  = pagerduty_team.team1.name
  teams = [pagerduty_team.team1.id]
  ...
}

resource "pagerduty_escalation_policy" "team2" {
  name  = pagerduty_team.team2.name
  teams = [pagerduty_team.team2.id]
  ...
}

Expected Behavior

user1's team1 membership can be deleted.

Actual Behavior

The following error occurs:

pagerduty_team_membership.redacted: Still destroying... [id=REDACTED:REDACTED, 2m0s elapsed]

  | │ Error: PUT API call to https://api.pagerduty.com/teams/REDACTED_TEAM/escalation_policies/REDACTED_EP failed 400 Bad Request. Code: 2001, Errors: <nil>, Message: Escalation Policy has already been taken; Error while trying to associate back team "REDACTED_TEAM" to Escalation Policy "REDACTED_EP". Resource succesfully deleted, but some team association couldn't be completed, so you need to run "terraform plan -refresh-only" and again "terraform apply/destroy" in order to remediate the drift
  | │
  | │

Potential fix implementation?

Ideally ideally, team membership management would not require the out-of-band disassociating/re-associating of escalation policies to teams. However, perhaps a stop gap solution could be for the provider to only disassociate and re-associate the escalation policies associated to the team whose membership is being altered (and not all the escalation policies associated to the user, which may include other teams' escalation policies).