Internal server conflict error when using Service Accounts #108

Closed
volodymyrZotov opened this issue Nov 28, 2023 · 0 comments · Fixed by #118
Labels
bug Something isn't working

@volodymyrZotov
Collaborator

Your environment

Terraform Provider Version: 1.2.2

Connect Server Version: n/a

OP CLI Version: 2.23.0

OS: macOS 14.1.1

Terraform Version: 1.6.4

What happened?

When using the provider with Service Accounts, users may encounter the following error: "op error: (409) Conflict: Internal server conflict" when creating/updating/deleting a bunch of items in the same vault, as the Terraform Provider handles each resource separately and therefore makes a bunch of parallel requests using the CLI for each of the resources.

What did you expect to happen?

No errors occurred.

Steps to reproduce

  1. Create Service Account token with write permissions.
  2. Create main.tf with the following content (see Notes section below)
  3. terraform init
  4. terraform apply
  5. Some items won't be created and you should see "op error: (409) Conflict: Internal server conflict" in the console.

Notes & Logs

main.tf example

terraform {
  required_providers {
    onepassword = {
      source  = "1Password/onepassword"
      version = "~> 1.2.2"
    }
  }
}

provider "onepassword" {
  service_account_token = "your_service_account_token"
}

resource "onepassword_item" "demo_password" {
  vault = "vault_id"

  title    = "Demo Password Recipe"
  category = "password"

  password_recipe {
    length  = 40
    symbols = false
  }

  section {
    label = "API Creds"

    field {
      label = "PORT"
      type  = "CONCEALED"
      value = "8080"
    }

    field {
      label = "HOSTNAME"
      value = "example.com"
    }
  }
}

resource "onepassword_item" "demo_login" {
  vault = "vault_id"

  title    = "Demo Terraform Login changed"
  category = "login"
  username = "test@example.com"
}

resource "onepassword_item" "demo_sections" {
  vault = "vault_id"

  title    = "Demo Terraform Item with Sections"
  category = "login"
  username = "test_changed@example.com"


  section {
    label = "Terraform Section"

    field {
      label = "API_KEY"
      type  = "CONCEALED"
      value = "2Federate2!"
    }

    field {
      label = "HOSTNAME"
      value = "example.com"
    }
  }

  section {
    label = "Terraform Second Section"

    field {
      label = "App Specific Password"
      type  = "CONCEALED"

      password_recipe {
        length  = 30
        symbols = false
      }
    }

    field {
      label = "User"
      value = "dchanged emo"
    }
  }
}

resource "onepassword_item" "another_password" {
  vault = "vault_id"

  title    = "Another Demo Password Recipe"
  category = "password"

  password_recipe {
    length  = 40
    symbols = false
  }
}

resource "onepassword_item" "another_demo_login" {
  vault = "vault_id"

  title    = "Another Demo Terraform Login changed"
  category = "login"
  username = "test@example.com"
}

resource "onepassword_item" "another_demo_sections" {
  vault = "vault_id"

  title    = "Another Demo Terraform Item with Sections"
  category = "login"
  username = "test_changed@example.com"


  section {
    label = "Terraform Section"

    field {
      label = "API_KEY"
      type  = "CONCEALED"
      value = "2Federate2!"
    }

    field {
      label = "HOSTNAME"
      value = "example.com"
    }
  }

  section {
    label = "Another Terraform Second Section"

    field {
      label = "App Specific Password"
      type  = "CONCEALED"

      password_recipe {
        length  = 30
        symbols = false
      }
    }

    field {
      label = "User"
      value = "dchanged emo"
    }
  }
}

Possible solution:

The issue might be solved by adding a retry mechanism when getting a 409 error from the server using op-cli.
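
The retry suggested under "Possible solution", as an added example (not the provider's code and not the fix merged in #118): a Go helper that retries only on the 409 conflict text quoted in this issue, with exponential backoff and jitter. `retryOnConflict`, `isConflict` and `fakeOp` are hypothetical names, and `fakeOp` is a constructed stand-in for an op CLI call.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"math/rand"
	"strings"
	"time"
)

// isConflict matches the error text quoted in the issue. Matching on the
// message is an assumption about how the CLI error reaches the caller.
func isConflict(err error) bool {
	return err != nil && strings.Contains(err.Error(), "(409) Conflict")
}

// retryOnConflict calls fn up to attempts times. Only 409 conflicts are
// retried (exponential backoff plus jitter); any other result returns at once.
// It returns the number of calls made and the last error.
func retryOnConflict(ctx context.Context, attempts int, base time.Duration, fn func() error) (int, error) {
	for try := 1; ; try++ {
		err := fn()
		if !isConflict(err) || try >= attempts {
			return try, err
		}
		backoff := base << (try - 1) // base, 2*base, 4*base, ...
		wait := backoff + time.Duration(rand.Int63n(int64(backoff)+1))
		select {
		case <-time.After(wait):
		case <-ctx.Done(): // stop waiting if the caller cancels
			return try, ctx.Err()
		}
	}
}

// fakeOp is a constructed stand-in for an op CLI call: it fails with the
// issue's 409 error the given number of times, then succeeds.
func fakeOp(failures int) func() error {
	return func() error {
		if failures > 0 {
			failures--
			return errors.New("op error: (409) Conflict: Internal server conflict")
		}
		return nil
	}
}

func main() {
	tries, err := retryOnConflict(context.Background(), 5, 10*time.Millisecond, fakeOp(2))
	fmt.Println("calls:", tries, "err:", err)
}
```

Errors other than the 409 are returned immediately, so authentication or permission failures from the Service Account token are not retried. Independently of any retry, `terraform apply -parallelism=1` serializes resource operations and so avoids the parallel requests the issue describes.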
