"CF-ServicePlanVisibilityAlreadyExists" with new "service-access" approach

[coffee-squirrel]

When trying out the new cf-mgmt service-access (#160; v1.0.31) we ran into the error below at the first occurrence of an Org already having access to a particular service plan.

# build 1 (no debug)
2019/08/14 13:11:52 I0814 13:11:52.304839 13 serviceaccess.go:163] adding plan Existing for service nfs to org system
2019/08/14 13:11:52 I0814 13:11:52.341225 13 serviceaccess.go:163] adding plan Existing for service nfs to org sandbox-org
error: cfclient error (CF-ServicePlanVisibilityAlreadyExists|260002): This combination of ServicePlan and Organization is already taken: organization_id and service_plan_id unique

# build 2 (debug)
2019/08/14 19:45:28 D0814 19:45:28.743539 15 initialize.go:50] Using Version: [1.0.31], Commit: [eb65902ff6615bf2181f921abd132570bc0d3061] of cf-mgmt
2019/08/14 19:45:29 D0814 19:45:29.386794 15 yaml_config.go:26] Processing org file config/sandbox/orgs.yml
2019/08/14 19:45:29 D0814 19:45:29.412409 15 orgs.go:198] Total orgs returned : 3
2019/08/14 19:45:29 D0814 19:45:29.412744 15 orgs.go:198] Total orgs returned : 3
2019/08/14 19:45:29 D0814 19:45:29.412788 15 orgs.go:198] Total orgs returned : 3
2019/08/14 19:45:29 I0814 19:45:29.412828 15 serviceaccess.go:163] adding plan Existing for service nfs-legacy to org system
2019/08/14 19:45:29 D0814 19:45:29.443928 15 orgs.go:198] Total orgs returned : 3
2019/08/14 19:45:29 I0814 19:45:29.443984 15 serviceaccess.go:163] adding plan Existing for service nfs-legacy to org sandbox-org
error: cfclient error (CF-ServicePlanVisibilityAlreadyExists|260002): This combination of ServicePlan and Organization is already taken: organization_id and service_plan_id unique

# build 3 (debug)
2019/08/22 18:03:18 D0822 18:03:18.900196 14 initialize.go:50] Using Version: [1.0.31], Commit: [eb65902ff6615bf2181f921abd132570bc0d3061] of cf-mgmt
2019/08/22 18:03:19 D0822 18:03:19.53541 14 yaml_config.go:26] Processing org file config/sandbox/orgs.yml
2019/08/22 18:03:19 D0822 18:03:19.559992 14 orgs.go:198] Total orgs returned : 3
2019/08/22 18:03:19 D0822 18:03:19.560583 14 orgs.go:198] Total orgs returned : 3
2019/08/22 18:03:19 D0822 18:03:19.560627 14 orgs.go:198] Total orgs returned : 3
2019/08/22 18:03:19 D0822 18:03:19.560718 14 orgs.go:198] Total orgs returned : 3
2019/08/22 18:03:19 I0822 18:03:19.560743 14 serviceaccess.go:163] adding plan Existing for service nfs-legacy to org sandbox-org
error: cfclient error (CF-ServicePlanVisibilityAlreadyExists|260002): This combination of ServicePlan and Organization is already taken: organization_id and service_plan_id unique

Our process was to:

1. cf-mgmt export-service-access-config to update the config (removed service-access: {}, generated service-access, etc.)
2. Set enable-service-access: true (as we hadn't used it prior)
3. Added and ran a job for cf-mgmt service-access

Here's a stripped-down extract from this foundation's cf-mgmt.yml:

enable-service-access: true
ignore-legacy-service-access: true

service-access:
- broker: nfsbroker
  services:
  - service: nfs-legacy
    limited_access_plans:
    - plan: Existing
      orgs:
      - sandbox-org
  - service: nfs
    limited_access_plans:
    - plan: Existing
      orgs:
      - sandbox-org

API version is 2.135.0 (PAS 2.6.4).

[calebwashburn]

Can you provide the output of cf service-access?

[coffee-squirrel]

$ cf service-access
Getting service access as coffee-squirrel...
broker: app-autoscaler
   service          plan       access   orgs
   app-autoscaler   standard   all

broker: identity-service-broker
   service      plan       access   orgs
   p-identity   sso-devl   all
   p-identity   uaa        none

broker: nfsbroker
   service      plan       access    orgs
   nfs-legacy   Existing   limited   sandbox-org,system
   nfs          Existing   limited   sandbox-org,system

broker: redis-odb
   service   plan           access   orgs
   p.redis   cache-large    all
   p.redis   cache-medium   all
   p.redis   cache-small    all

broker: smbbroker
   service   plan       access   orgs
   smb       Existing   all

[calebwashburn]

@coffee-squirrel Wasn't able to exactly reproduce this but added some additional debug logging if you can try with https://github.com/pivotalservices/cf-mgmt/releases/tag/v1.0.32 and provide output if still having issues.

[coffee-squirrel]

@calebwashburn Sure, here's build 4:

2019/08/22 20:49:28 D0822 20:49:28.326746 16 initialize.go:50] Using Version: [1.0.32], Commit: [d82cc13a6b6ea4025d01b5b9abb2c121e78fec9b] of cf-mgmt
2019/08/22 20:49:28 D0822 20:49:28.995221 16 yaml_config.go:26] Processing org file config/sandbox/orgs.yml
2019/08/22 20:49:29 D0822 20:49:29.021455 16 orgs.go:198] Total orgs returned : 3
2019/08/22 20:49:29 I0822 20:49:29.041616 16 serviceaccess.go:215] removing plan sso-devl for service p-identity from org delivery
2019/08/22 20:49:29 D0822 20:49:29.09946 16 serviceaccess.go:111] Current Visiblities [{OrgGUID:1de7a706-fae1-4358-809e-e6d6f2e40c2e ServicePlanGUID:ffc666fb-a150-4cd7-8450-93fdc8d8068f} {OrgGUID:d9150da6-0e23-4cb7-af6a-876b8157f8d9 ServicePlanGUID:ffc666fb-a150-4cd7-8450-93fdc8d8068f}] for plan nfs-legacy
2019/08/22 20:49:29 D0822 20:49:29.09955 16 orgs.go:198] Total orgs returned : 3
2019/08/22 20:49:29 D0822 20:49:29.099659 16 orgs.go:198] Total orgs returned : 3
2019/08/22 20:49:29 D0822 20:49:29.099733 16 orgs.go:198] Total orgs returned : 3
2019/08/22 20:49:29 D0822 20:49:29.099801 16 service_plan.go:45] OrgGUID 1de7a706-fae1-4358-809e-e6d6f2e40c2e is not in []
2019/08/22 20:49:29 I0822 20:49:29.099879 16 serviceaccess.go:164] adding plan Existing for service nfs-legacy to org sandbox-org
error: cfclient error (CF-ServicePlanVisibilityAlreadyExists|260002): This combination of ServicePlan and Organization is already taken: organization_id and service_plan_id unique

There are 3 Orgs: delivery, sandbox-org, and system. Also:

protected_orgs:
- system
- p-spring-cloud-services
- splunk-nozzle-org
- redis-test-ORG*
- appdynamics-org
- org-*

[calebwashburn]

@coffee-squirrel I believe I have this ran into a corner - https://github.com/pivotalservices/cf-mgmt/releases/tag/v1.0.33

[coffee-squirrel]

@calebwashburn Looks like v1.0.33 resulted in a successful build 5 (output below).

I've noticed, however, it's giving system (the only existing Org in protected_orgs) access to the nfsbroker services' plans despite them being limited_access_plans containing only sandbox-org.

2019/08/22 21:50:39 D0822 21:50:39.521329 14 initialize.go:50] Using Version: [1.0.33], Commit: [5e2233f3d5713e99b5122c60ae78a9989653748f] of cf-mgmt
2019/08/22 21:50:40 D0822 21:50:40.218785 14 yaml_config.go:26] Processing org file config/sandbox/orgs.yml
2019/08/22 21:50:40 D0822 21:50:40.24392 14 orgs.go:198] Total orgs returned : 3
2019/08/22 21:50:40 D0822 21:50:40.24434 14 serviceaccess.go:111] Current Visiblities [{OrgGUID:d9150da6-0e23-4cb7-af6a-876b8157f8d9 ServicePlanGUID:ffc666fb-a150-4cd7-8450-93fdc8d8068f} {OrgGUID:1de7a706-fae1-4358-809e-e6d6f2e40c2e ServicePlanGUID:ffc666fb-a150-4cd7-8450-93fdc8d8068f}] for plan nfs-legacy
2019/08/22 21:50:40 D0822 21:50:40.244536 14 serviceaccess.go:134] Duplicate org sandbox-org in [sandbox-org system sandbox-org]
2019/08/22 21:50:40 D0822 21:50:40.244998 14 orgs.go:198] Total orgs returned : 3
2019/08/22 21:50:40 D0822 21:50:40.245022 14 serviceaccess.go:189] plan Existing for service nfs-legacy already visible to org sandbox-org
2019/08/22 21:50:40 D0822 21:50:40.245243 14 orgs.go:198] Total orgs returned : 3
2019/08/22 21:50:40 D0822 21:50:40.245496 14 serviceaccess.go:189] plan Existing for service nfs-legacy already visible to org system
2019/08/22 21:50:40 D0822 21:50:40.245667 14 serviceaccess.go:111] Current Visiblities [{OrgGUID:1de7a706-fae1-4358-809e-e6d6f2e40c2e ServicePlanGUID:9922bed8-82dc-4bf7-a954-9cb90b8a44a0} {OrgGUID:d9150da6-0e23-4cb7-af6a-876b8157f8d9 ServicePlanGUID:9922bed8-82dc-4bf7-a954-9cb90b8a44a0}] for plan nfs
2019/08/22 21:50:40 D0822 21:50:40.245854 14 serviceaccess.go:134] Duplicate org sandbox-org in [sandbox-org system sandbox-org]
2019/08/22 21:50:40 D0822 21:50:40.246017 14 orgs.go:198] Total orgs returned : 3
2019/08/22 21:50:40 D0822 21:50:40.246167 14 serviceaccess.go:189] plan Existing for service nfs already visible to org sandbox-org
2019/08/22 21:50:40 D0822 21:50:40.246358 14 orgs.go:198] Total orgs returned : 3
2019/08/22 21:50:40 D0822 21:50:40.246622 14 serviceaccess.go:189] plan Existing for service nfs already visible to org system

[calebwashburn]

@coffee-squirrel It will only give access to protected orgs that match orgs that exist. It processes this list of patterns to find orgs that match and always grants limited service-access to those orgs due to brokers, etc that get deployed into orgs that you aren't managing with cf-mgmt. Interesting that for some reason your sandbox-org was a duplicate somehow which either is due to it being listed and being a protected-org or there is another bug somewhere that I need to chase down.

Can you share a few more details about your deployment?

1. latest version of what is in your protected orgs list?
2. contents of config/sandbox/orgs.yml
3. output of cf orgs command

Thanks

[coffee-squirrel]

@calebwashburn : Okay, I had assumed system would've had to be explicitly listed in limited_access_plans, so seeing service-access give that Org nfsbroker plan access was a bit unexpected. Not a big deal, though.

latest version of what is in your protected orgs list?
contents of config/sandbox/orgs.yml

# Organizations
orgs:
- sandbox-org
- delivery

# Allow deleting Organizations
enable-delete-orgs: true

# Always ignore these Organizations
protected_orgs:
- system
- p-spring-cloud-services
- splunk-nozzle-org
- redis-test-ORG*
- appdynamics-org
- org-*

output of cf orgs command

$ cf orgs
Getting orgs as coffee-squirrel...

name
delivery
sandbox-org
system

[calebwashburn]

Closing this issue as assume it's fixed now.