Closed nicolamarangoni closed 1 day ago
Hey @nicolamarangoni. Thanks for reaching out to us.
Please share the config and the DEBUG logs.
This is our config:
```hcl
resource "snowflake_scim_integration" "aad_provisioning" {
  name        = "AAD_PROVISIONING"
  run_as_role = "AAD_PROVISIONER"
  scim_client = "AZURE"
  enabled     = true
}

resource "snowflake_saml2_integration" "saml_integration" {
  name                      = "AAD_SAML"
  enabled                   = true
  saml2_enable_sp_initiated = true
  saml2_provider            = "ADFS"
  saml2_issuer              = "https://sts.windows.net/3825a6f3-24cb-47d4-8aa2-35d3e5891324/"
  saml2_sso_url             = "https://login.microsoftonline.com/3825a6f3-24cb-47d4-8aa2-35d3e5891324/saml2"
  saml2_x509_cert           = jsondecode(data.aws_secretsmanager_secret_version.azure_app.secret_string)["saml2_x509_cert"]
}
```
Adding something like allowed_user_domains = ["example.com"]
doesn't fix it
Thanks! cc: @sfc-gh-jmichalak
Hi @nicolamarangoni 👋 We're assuming that we get user domains from Snowflake describe, but for some reason it's probably missing here. Can you check that ALLOWED_USER_DOMAINS is listed in DESCRIBE INTEGRATION AAD_SAML?
Hi @sfc-gh-jmichalak ALLOWED_USER_DOMAINS is not listed.
Same here. We also cannot downgrade as the database resource has been upgraded and we are getting the error:
```
╷
│ Error: Resource instance managed by newer provider version
│
│ The current state of ....database was created by a newer provider version than is currently selected. Upgrade the snowflake provider to work
│ with this state.
╵
```
@gbatiz @nicolamarangoni Thanks for your feedback, this is undocumented Snowflake behavior and we're investigating it internally.
@gbatiz Until we know if this is a Snowflake issue or intentional undocumented behavior, you can use provider alias for the saml resource (so that only saml resource works on the previous version but you use the newest for the databases and all other objects).
@sfc-gh-asawicki Reading the docs, I am not sure how to do this, if possible. Version is not something the providers aliases can differ on. Do you have a working example of this that you are comfortable sharing by any chance?
I don't have a working solution to share, but this is a bit of a tricky solution, so after giving it a second thought, maybe we shouldn't have recommended it.
Still, the alternative would be to split into different deployments but this is a more time-consuming solution.
We are investigating internally the encountered behavior; as a last resort, we will provide a workaround in v0.94.0.
Thanks! For now we commented out the code for the resource and removed it from terraform state. Once the issue is resolved, we import it back.
@gbatiz @nicolamarangoni This has been fixed in v0.94. Please follow our migration guide.
When this field is missing from the output, instead of failing the whole operation, now it's only logged.
Closing as completed. Please open a new one if the error persists in the newest provider version.
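The v0.94 behaviour described above (a missing ALLOWED_USER_DOMAINS row is logged rather than failing the read), shown as an added Go example; this is not the provider's own code. The DescribeRow column names follow Snowflake's DESCRIBE output, the required-property list, the warn callback and every sample row value are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"log"
	"strings"
)

// DescribeRow is one row of DESCRIBE INTEGRATION output in the shape a provider
// would scan it from the SQL driver. Column names follow the Snowflake DESCRIBE
// output (property, property_type, property_value, property_default); every row
// value used below is constructed for this example.
type DescribeRow struct {
	Property string
	Type     string
	Value    string
	Default  string
}

// Saml2Integration holds the subset of properties relevant to this thread.
type Saml2Integration struct {
	Name               string
	Issuer             string
	SsoURL             string
	Provider           string
	AllowedUserDomains []string // nil when Snowflake omits ALLOWED_USER_DOMAINS
}

// requiredProps must be present; anything else is optional. ALLOWED_USER_DOMAINS
// is deliberately not in this list (assumed set, mirroring the v0.94 change).
var requiredProps = []string{"SAML2_ISSUER", "SAML2_SSO_URL", "SAML2_PROVIDER"}

// parseDescribe builds the struct from describe rows. A missing required
// property is an error; a missing ALLOWED_USER_DOMAINS is reported through warn
// and treated as unset instead of failing the whole read.
func parseDescribe(name string, rows []DescribeRow, warn func(string)) (*Saml2Integration, error) {
	props := make(map[string]string, len(rows))
	for _, r := range rows {
		props[r.Property] = r.Value
	}
	for _, p := range requiredProps {
		if _, ok := props[p]; !ok {
			return nil, fmt.Errorf("describe integration %s: required property %s missing", name, p)
		}
	}
	out := &Saml2Integration{
		Name:     name,
		Issuer:   props["SAML2_ISSUER"],
		SsoURL:   props["SAML2_SSO_URL"],
		Provider: props["SAML2_PROVIDER"],
	}
	if v, ok := props["ALLOWED_USER_DOMAINS"]; ok {
		out.AllowedUserDomains = parseList(v)
	} else {
		warn(fmt.Sprintf("describe integration %s: ALLOWED_USER_DOMAINS not returned; treating as unset", name))
	}
	return out, nil
}

// parseList splits a Snowflake list value such as "[example.com, example.org]"
// into its trimmed elements; "[]" yields nil.
func parseList(v string) []string {
	v = strings.TrimSuffix(strings.TrimPrefix(strings.TrimSpace(v), "["), "]")
	var out []string
	for _, p := range strings.Split(v, ",") {
		if p = strings.TrimSpace(p); p != "" {
			out = append(out, p)
		}
	}
	return out
}

// sampleRows is constructed describe output for an integration whose
// ALLOWED_USER_DOMAINS row is absent, the situation reported in this issue.
var sampleRows = []DescribeRow{
	{Property: "SAML2_ISSUER", Type: "String", Value: "https://idp.example.test/"},
	{Property: "SAML2_SSO_URL", Type: "String", Value: "https://idp.example.test/saml2"},
	{Property: "SAML2_PROVIDER", Type: "String", Value: "ADFS"},
	{Property: "ENABLED", Type: "Boolean", Value: "true", Default: "false"},
}

func main() {
	integ, err := parseDescribe("AAD_SAML", sampleRows, func(msg string) { log.Println("[WARN]", msg) })
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%+v\n", *integ)
}
```

The split between required and optional properties is the point: the SAML issuer, SSO URL and provider are needed to reconcile state, while an allow-list the backend may or may not report is safer to surface as a warning and leave unset than to turn into a plan failure that blocks every other resource in the deployment.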
Terraform CLI Version
1.9.2
Terraform Provider Version
0.93
Terraform Configuration
Category
category:resource
Object type(s)
No response
Expected Behavior
After aligning resources with the new 0.93 standards, the plan should be successful.
Actual Behavior
The resource snowflake_saml2_integration fails with the below message. Reverting to snowflake_saml_integration doesn't help. I get the same error.
Steps to Reproduce
Upgrade provider to 0.93 with a deployment containing snowflake_saml2_integration.
How much impact is this issue causing?
High
Logs
No response
Additional Information
No response
Would you like to implement a fix?