Snowflake-Labs / terraform-provider-snowflake

Terraform provider for managing Snowflake accounts
https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest
MIT License

[Bug]: Error: failed to find allowed user domains, err = object does not exist #2927

Closed nicolamarangoni closed 1 day ago

nicolamarangoni commented 1 month ago

Terraform CLI Version

1.9.2

Terraform Provider Version

0.93

Terraform Configuration

Upgraded the provider from 0.92 to 0.93

Category

category:resource

Object type(s)

No response

Expected Behavior

After aligning resources with the new 0.93 standards, the plan should be successful.

Actual Behavior

The resource snowflake_saml2_integration fails with the message below. Reverting to snowflake_saml_integration doesn't help; I get the same error.

│ Error: failed to find allowed user domains, err = object does not exist
│ 
│   with snowflake_saml2_integration.saml_integration,
│   on snowflake_aad_provisioner.tf line 31, in resource "snowflake_saml2_integration" "saml_integration":
│   31: resource "snowflake_saml2_integration" "saml_integration" {

Steps to Reproduce

Upgrade provider to 0.93 with a deployment containing snowflake_saml2_integration.

How much impact is this issue causing?

High

Logs

No response

Additional Information

No response

Would you like to implement a fix?

sfc-gh-asawicki commented 1 month ago

Hey @nicolamarangoni. Thanks for reaching out to us.

Please share the config and the DEBUG logs.

nicolamarangoni commented 1 month ago

This is our config:

resource "snowflake_scim_integration" "aad_provisioning" {
  name        = "AAD_PROVISIONING"
  run_as_role = "AAD_PROVISIONER"
  scim_client = "AZURE"
  enabled     = true
}

resource "snowflake_saml2_integration" "saml_integration" {
  name                      = "AAD_SAML"
  enabled                   = true
  saml2_enable_sp_initiated = true
  saml2_provider            = "ADFS"
  saml2_issuer              = "https://sts.windows.net/3825a6f3-24cb-47d4-8aa2-35d3e5891324/"
  saml2_sso_url             = "https://login.microsoftonline.com/3825a6f3-24cb-47d4-8aa2-35d3e5891324/saml2"
  saml2_x509_cert           = jsondecode(data.aws_secretsmanager_secret_version.azure_app.secret_string)["saml2_x509_cert"]
}
nicolamarangoni commented 1 month ago

terragrunt.log

nicolamarangoni commented 1 month ago

Adding something like allowed_user_domains = ["example.com"] doesn't fix it

sfc-gh-asawicki commented 1 month ago

Thanks! cc: @sfc-gh-jmichalak

sfc-gh-jmichalak commented 1 month ago

Hi @nicolamarangoni 👋 We're assuming that we get user domains from Snowflake describe, but for some reason it's probably missing here. Can you check that ALLOWED_USER_DOMAINS is listed in DESCRIBE INTEGRATION AAD_SAML?

nicolamarangoni commented 1 month ago

Hi @sfc-gh-jmichalak ALLOWED_USER_DOMAINS is not listed.
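The check asked for above, written out as an added example (not from the issue thread or the provider's code). It assumes the integration is named AAD_SAML as in the config posted earlier and that the session runs as a role that can describe it, such as ACCOUNTADMIN; the filter over RESULT_SCAN shows in one step whether Snowflake reports the property at all.

```sql
-- Added example, not the provider's own code. Assumes the integration is
-- named AAD_SAML (as in the Terraform config above) and that the current
-- role is allowed to describe it (e.g. ACCOUNTADMIN).
DESCRIBE INTEGRATION AAD_SAML;

-- Scan the DESCRIBE output of the previous statement in this session.
-- Zero rows means Snowflake does not list ALLOWED_USER_DOMAINS for this
-- integration, which is the condition that made provider 0.93 fail with
-- "failed to find allowed user domains, err = object does not exist".
SELECT "property", "property_value"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "property" = 'ALLOWED_USER_DOMAINS';
```

Run both statements in the same session; RESULT_SCAN(LAST_QUERY_ID()) only reaches the DESCRIBE result if nothing else has executed in between.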

gbatiz commented 1 month ago

Same here. We also cannot downgrade as the database resource has been upgraded and we are getting the error:


╷
│ Error: Resource instance managed by newer provider version
│ 
│ The current state of ....database was created by a newer provider version than is currently selected. Upgrade the snowflake provider to work
│ with this state.
╵
sfc-gh-jmichalak commented 1 month ago

@gbatiz @nicolamarangoni Thanks for your feedback, this is undocumented Snowflake behavior and we're investigating it internally.

sfc-gh-asawicki commented 1 month ago

@gbatiz Until we know if this is a Snowflake issue or intentional undocumented behavior, you can use provider alias for the saml resource (so that only saml resource works on the previous version but you use the newest for the databases and all other objects).

gbatiz commented 1 month ago

> @gbatiz Until we know if this is a Snowflake issue or intentional undocumented behavior, you can use provider alias for the saml resource (so that only saml resource works on the previous version but you use the newest for the databases and all other objects).

@sfc-gh-asawicki Reading the docs, I am not sure how to do this, if possible. Version is not something the providers aliases can differ on. Do you have a working example of this that you are comfortable sharing by any chance?

sfc-gh-asawicki commented 1 month ago

I don't have a working solution to share, but this is a bit of a tricky solution, so after giving it a second thought, maybe we shouldn't have recommended it.

Still, the alternative would be to split into different deployments but this is a more time-consuming solution.

We are investigating internally the encountered behavior; as a last resort, we will provide a workaround in v0.94.0.

gbatiz commented 1 month ago

Thanks! For now we commented out the code for the resource and removed it from the Terraform state. Once the issue is resolved, we will import it back.

sfc-gh-jmichalak commented 1 month ago

@gbatiz @nicolamarangoni This has been fixed in v0.94. Please follow our migration guide.

When this field is missing from the output, instead of failing the whole operation, now it's only logged.

sfc-gh-asawicki commented 1 day ago

Closing as completed. Please open a new one if the error persists in the newest provider version.