Snowflake-Labs / terraform-provider-snowflake

Terraform provider for managing Snowflake accounts
https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest
MIT License

[Bug]: snowflake_external_oauth_integration always running a modify/update #3006

Open wpl-sf-nbirch opened 3 weeks ago

wpl-sf-nbirch commented 3 weeks ago

Terraform CLI Version

0.87.0

Terraform Provider Version

1.9.4

Terraform Configuration

resource "snowflake_external_oauth_integration" "azure" {
  name                             = "AZURE_CLIENT"
  type                             = "AZURE"
  enabled                          = true
  issuer                           = "https://sts.windows.net/a...8/"
  snowflake_user_mapping_attribute = "LOGIN_NAME"
  jws_keys_urls                    = ["https://login.microsoftonline.com/a...8/discovery/v2.0/keys","https://login.windows.net/common/discovery/keys","https://login.microsoftonline.com/a...8/discovery/v2.0/keys?appid=2...373"]
  audience_urls                    = ["https://analysis.windows.net/powerbi/connector/Snowflake", "https://<org-account>.snowflakecomputing.com"]
  token_user_mapping_claims        = ["upn","sub"]
  any_role_mode                    = "ENABLE"
}

Category

category:resource

Object type(s)

resource:external_oauth_integration

Expected Behavior

There are no changes to the OAuth provider being specified once deployed; however, subsequent runs of the plan are showing that an update/modify is needed.

Actual Behavior

It doesn't seem to be handling the multiple values within the URL sets provided between the brackets, so it detects it as a change, even when no entries are changing.

Steps to Reproduce

  1. Create and deploy a snowflake_external_oauth_integration
  2. Re-run a plan and see updates being picked up without changing the resource

How much impact is this issue causing?

Medium

Logs

No response

Additional Information

No response

Would you like to implement a fix?

sfc-gh-asawicki commented 3 weeks ago

Hey @wpl-sf-nbirch. snowflake_external_oauth_integration resource was reworked in v0.93.0. Please first migrate to this version and check if the problem persists there.

wimo-velux commented 3 weeks ago

@sfc-gh-asawicki I can confirm that the problem persists in 0.94.1

sfc-gh-asawicki commented 3 weeks ago

Thanks for confirmation, @wimo-velux; we will try to reproduce it, and we will get back to you.

sfc-gh-jmichalak commented 3 weeks ago

@wimo-velux @wpl-sf-nbirch, could you please provide the resource config with the steps you take here? I tried to reproduce it manually, but it's working correctly on my side.

marius-sb1 commented 2 weeks ago

I have a similar problem to the bug description, but it's manifesting slightly differently: it wants to apply removal of the attributes under "show_output" which doesn't make much sense to me:

# snowflake_external_oauth_integration.powerbi_sso will be updated in-place
  ~ resource "snowflake_external_oauth_integration" "powerbi_sso" {
        id                                              = "powerbi_sso"
        name                                            = "powerbi_sso"
      ~ show_output                                     = [
          - {
              - category         = "SECURITY"
              - comment          = "Security integration for Power BI, allowing AD users/service accounts authenticated with Power BI (AD SSO) to log on to Snowflake from Power BI with their respective users"
              - created_on       = "2024-08-08 12:10:48.756 +0200 CEST"
              - enabled          = true
              - integration_type = "EXTERNAL_OAUTH - AZURE"
              - name             = "powerbi_sso"
            },
        ] -> (known after apply)
        # (11 unchanged attributes hidden)
    }

Running Terraform v1.8.2, provider registry.terraform.io/snowflake-labs/snowflake v0.94.1

sfc-gh-jcieslak commented 2 weeks ago

Hey @marius-sb1 👋 It's rather showing you the show_output field will be recomputed. That's a known bug and we'll fix it for snowflake_external_oauth_integration and every resource we already refactored in the essential objects list. The fix will also be applied to other _output fields. This bug is not harmful other than annoying plans showing up. If you don't care about show_output, you can try to use this: https://developer.hashicorp.com/terraform/language/meta-arguments/lifecycle#ignore_changes but I'm not sure how it works on computed fields.

mch-sb commented 1 week ago

Hey @sfc-gh-jcieslak Great to hear that you are looking into the _output-fields bug. Is there an issue/pr to subscribe to, to track it?

sfc-gh-jcieslak commented 1 week ago

Hey 👋 Yesterday, we released a new version of the provider (v0.95.0) where this issue should not occur. Please upgrade and let us know if the issue still persists. Thank you.