avlcloudtechnologies / terraform-aws-sso

Terraform module to manage AWS Single Sign-On (SSO) resources.
Apache License 2.0
37 stars, 33 forks

Error reading AWS SSO Identity Store Group Data Source #14

Open mariusmitrofanbostontr opened 1 year ago

mariusmitrofanbostontr commented 1 year ago

Full error is (with obfuscation of sensitive data):

```text
│ Error: reading AWS SSO Identity Store Group Data Source (<<microsoft-directory-id-here>>): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: 0b04d135-07e8-4216-a577-01e4586badaa, api error UnknownOperationException: UnknownError
│ 
│   with module.sso.data.aws_identitystore_group.this["group-from-microsoft-directory"],
│   on ../../../modules/sso/data.tf line 4, in data "aws_identitystore_group" "this":
│    4: data "aws_identitystore_group" "this" {
```

This issue has been encountered after switching to the latest release.

Is it something related to this maybe -> https://github.com/hashicorp/terraform-provider-aws/issues/28139 ?

Or maybe because the group name format is group_name@domain.com instead of group_name?

aurimasmick commented 1 year ago

Hi @mariusmitrofanbostontr,

I don't think this error is directly related to the module, as it's not using the aws_identitystore_group data source. I believe you bumped the AWS provider version, which has a deprecated filter argument in aws_identitystore_group: https://github.com/hashicorp/terraform-provider-aws/releases/tag/v4.40.0. Try changing that to the filtering syntax: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group

mariusmitrofanbostontr commented 1 year ago

Hi @aurimasmick,

The version I tried with is the following:

```hcl
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.54.0"
    }
```

The module was "copied" locally and has the following definition, instead of importing it directly due to "security" constraints, but it is a 1-to-1 match to yours:

```hcl
data "aws_identitystore_group" "this" {
  for_each          = toset(local.groups)
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = each.value
    }
  }
}
```

After I switched back to using a filter (while maintaining the same AWS provider version of 4.54.0), it started working again but with the obvious deprecation notice:

Using filter =

```hcl
data "aws_identitystore_group" "this" {
  for_each          = toset(local.groups)
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
  filter {
    attribute_path  = "DisplayName"
    attribute_value = each.value
  }
}
```

Deprecation notice received during PLAN phase =

```text
Plan: 4 to add, 0 to change, 4 to destroy.

╷
│ Warning: Argument is deprecated
│ 
│   with module.sso.data.aws_identitystore_group.this["group-from-microsoft-directory"],
│   on ../../../modules/sso/data.tf line 4, in data "aws_identitystore_group" "this":
│    4: data "aws_identitystore_group" "this" {
│ 
│ Use the alternate_identifier attribute instead.
│ 
│ (and 4 more similar warnings elsewhere)
╵
```

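
The two configurations above map onto two different Identity Store API calls: the `alternate_identifier` form resolves the group through `GetGroupId` with a `UniqueAttribute` (which is the operation named in the error at the top of this issue), while the deprecated `filter` form uses `ListGroups` with `Filters`. The following pre-flight script is an added example written for this thread, not code from the terraform-aws-sso module or from the AWS provider. It tries the `GetGroupId` path first, falls back to the `ListGroups` filter path only on `UnknownOperationException`, and when neither path matches exactly it lists the store and reports near misses, which is a quick way to test the `group_name@domain.com` vs `group_name` hypothesis raised above. The `call` argument is an injected function so the logic runs offline against a constructed fake; `boto3_caller()` is an assumed adapter for running it against a real Identity Store with boto3.

```python
"""Pre-flight check for an AWS Identity Store group lookup by DisplayName.

Added example for this issue thread; not part of terraform-aws-sso or the
AWS provider. `call(operation_name, params) -> dict` is injected so the
lookup can be exercised offline with FakeIdentityStore (constructed data).
"""
import re
from typing import Any, Callable, Dict, List, Optional

Caller = Callable[[str, Dict[str, Any]], Dict[str, Any]]


class IdentityStoreError(Exception):
    """API error surfaced by the caller; .code holds the AWS error code."""
    def __init__(self, code: str, message: str = ""):
        super().__init__(f"{code}: {message}")
        self.code = code


def _list_groups(store_id: str, call: Caller, filters: Optional[list] = None) -> List[dict]:
    """ListGroups with NextToken pagination (the deprecated `filter` path when filters given)."""
    params: Dict[str, Any] = {"IdentityStoreId": store_id}
    if filters:
        params["Filters"] = filters
    groups: List[dict] = []
    while True:
        resp = call("ListGroups", params)
        groups.extend(resp.get("Groups", []))
        token = resp.get("NextToken")
        if not token:
            return groups
        params["NextToken"] = token


def _near_misses(wanted: str, names: List[str]) -> List[str]:
    """Names whose local part (before '@') matches the requested name's local part."""
    local = wanted.split("@")[0].lower()
    return sorted(n for n in names if n != wanted and n.split("@")[0].lower() == local)


def lookup_group(store_id: str, display_name: str, call: Caller) -> Dict[str, Any]:
    """Resolve a group the way the data source does; report which path worked."""
    result: Dict[str, Any] = {"display_name": display_name, "path": None,
                              "group_id": None, "near_misses": []}
    try:  # alternate_identifier form -> GetGroupId
        resp = call("GetGroupId", {
            "IdentityStoreId": store_id,
            "AlternateIdentifier": {"UniqueAttribute": {
                "AttributePath": "DisplayName", "AttributeValue": display_name}},
        })
        return {**result, "path": "alternate_identifier", "group_id": resp["GroupId"]}
    except IdentityStoreError as err:
        if err.code == "UnknownOperationException":
            # The failure from this issue: GetGroupId unusable, try the deprecated filter form.
            hits = _list_groups(store_id, call, filters=[
                {"AttributePath": "DisplayName", "AttributeValue": display_name}])
            if hits:
                return {**result, "path": "filter", "group_id": hits[0]["GroupId"]}
        elif err.code != "ResourceNotFoundException":
            raise
    # No exact match on either path: list everything and surface near misses.
    names = [g["DisplayName"] for g in _list_groups(store_id, call)]
    return {**result, "near_misses": _near_misses(display_name, names)}


def boto3_caller(region_name: Optional[str] = None) -> Caller:
    """Assumed adapter: wrap a boto3 identitystore client as a Caller (needs credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    client = boto3.client("identitystore", region_name=region_name)

    def call(op: str, params: Dict[str, Any]) -> Dict[str, Any]:
        method = getattr(client, re.sub(r"(?<!^)(?=[A-Z])", "_", op).lower())
        try:
            return method(**params)
        except ClientError as e:
            raise IdentityStoreError(e.response["Error"]["Code"],
                                     e.response["Error"].get("Message", "")) from e
    return call


class FakeIdentityStore:
    """Constructed stand-in for the API (sample data, not a real store)."""
    def __init__(self, names: List[str], get_group_id_broken: bool = False):
        self.groups = [{"GroupId": f"g-{i:04d}", "DisplayName": n} for i, n in enumerate(names)]
        self.broken = get_group_id_broken  # simulate the 400 from this issue

    def __call__(self, op: str, params: Dict[str, Any]) -> Dict[str, Any]:
        if op == "GetGroupId":
            if self.broken:
                raise IdentityStoreError("UnknownOperationException", "UnknownError")
            attr = params["AlternateIdentifier"]["UniqueAttribute"]
            for g in self.groups:
                if g[attr["AttributePath"]] == attr["AttributeValue"]:
                    return {"GroupId": g["GroupId"], "IdentityStoreId": params["IdentityStoreId"]}
            raise IdentityStoreError("ResourceNotFoundException", "GROUP not found")
        if op == "ListGroups":
            groups = self.groups
            for f in params.get("Filters", []):
                groups = [g for g in groups if g[f["AttributePath"]] == f["AttributeValue"]]
            return {"Groups": groups}
        raise IdentityStoreError("UnknownOperationException", f"unsupported {op}")


if __name__ == "__main__":
    store = FakeIdentityStore(["Admins@example.com", "Developers"], get_group_id_broken=True)
    for name in ("Admins@example.com", "Admins", "Nobody"):
        print(lookup_group("d-0000000000", name, store))
```

Run against a real store by passing `boto3_caller()` as `call` and your `identity_store_id`; a result with `path == "filter"` reproduces the state described in this issue (only the deprecated path works), while `group_id is None` with a non-empty `near_misses` list points at a DisplayName mismatch such as the missing `@domain.com` suffix.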
aurimasmick commented 1 year ago

Yes, your config should work as expected. I think you are right in thinking that it's related to https://github.com/hashicorp/terraform-provider-aws/issues/28139

sergikpas commented 8 months ago

We are experiencing the same issue. Any progress on a possible resolution? Filter works fine, but alternate_identifier fails.

bengaywins commented 1 month ago

It appears this works now. I just tested with provider 5.50.0 and I no longer get an error on groups that exist. Groups that don't exist, say as such. Also #33312 is the issue around removing filter again.