Open mariusmitrofanbostontr opened 1 year ago
Hi @mariusmitrofanbostontr,
Don't think this error is directly related to the module as it's not using aws_identitystore_group data source. I believe you bumped the AWS provider version which has a deprecated filter argument in aws_identitystore_group. https://github.com/hashicorp/terraform-provider-aws/releases/tag/v4.40.0 Try changing that to the filtering syntax: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group
Hi @aurimasmick,
The version I tried with is the following:
aws = {
  source  = "hashicorp/aws"
  version = "~> 4.54.0"
}
The module was "copied" locally and has the following definition, instead of importing directly due to "security" constraints, but it is a 1-to-1 match to yours:
data "aws_identitystore_group" "this" {
  for_each          = toset(local.groups)
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = each.value
    }
  }
}
After I switched back to using a filter (while maintaining the same AWS provider version of 4.54.0), it started working again but with the obvious deprecation notice:
Using filter =
data "aws_identitystore_group" "this" {
  for_each          = toset(local.groups)
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  filter {
    attribute_path  = "DisplayName"
    attribute_value = each.value
  }
}
Deprecation notice received during PLAN phase =
Plan: 4 to add, 0 to change, 4 to destroy.
╷
│ Warning: Argument is deprecated
│
│ with module.sso.data.aws_identitystore_group.this["group-from-microsoft-directory"],
│ on ../../../modules/sso/data.tf line 4, in data "aws_identitystore_group" "this":
│ 4: data "aws_identitystore_group" "this" {
│
│ Use the alternate_identifier attribute instead.
│
│ (and 4 more similar warnings elsewhere)
╵
Yes, your config should work as expected. I think you are right in thinking that it's related to https://github.com/hashicorp/terraform-provider-aws/issues/28139
We are experiencing the same issue. Any progress on a possible resolution? Filter works fine, but alternate_identifier failed.
It appears this works now. I just tested with provider 5.50.0 and I no longer get an error on groups that exist. Groups that don't exist, say as such. Also #33312 is the issue around removing filter again.
Full error is (with sensitive data obfuscated):
This issue has been encountered after switching to latest release.
Is it something related to this maybe -> https://github.com/hashicorp/terraform-provider-aws/issues/28139 ?
Or maybe because the group name format is group_name@domain.com instead of group_name?