
[Bug]: Error: failed to find allowed user domains, err = object does not exist #2927

Closed
1 task
nicolamarangoni opened this issue Jul 11, 2024 · 15 comments
Labels
bug Used to mark issues with provider's incorrect behavior

Comments

@nicolamarangoni

Terraform CLI Version

1.9.2

Terraform Provider Version

0.93

Terraform Configuration

Upgraded the provider from 0.92 to 0.93

Category

category:resource

Object type(s)

No response

Expected Behavior

After aligning resources with the new 0.93 standards, the plan should be successful.

Actual Behavior

The resource snowflake_saml2_integration fails with the message below.
Reverting to snowflake_saml_integration doesn't help. I get the same error.

│ Error: failed to find allowed user domains, err = object does not exist
│ 
│   with snowflake_saml2_integration.saml_integration,
│   on snowflake_aad_provisioner.tf line 31, in resource "snowflake_saml2_integration" "saml_integration":
│   31: resource "snowflake_saml2_integration" "saml_integration" {

Steps to Reproduce

Upgrade provider to 0.93 with a deployment containing snowflake_saml2_integration.

How much impact is this issue causing?

High

Logs

No response

Additional Information

No response

Would you like to implement a fix?

  • Yeah, I'll take it 😎
@nicolamarangoni nicolamarangoni added the bug Used to mark issues with provider's incorrect behavior label Jul 11, 2024
@sfc-gh-asawicki
Collaborator

Hey @nicolamarangoni. Thanks for reaching out to us.

Please share the config and the DEBUG logs.

@nicolamarangoni
Author

This is our config:

```hcl
resource "snowflake_scim_integration" "aad_provisioning" {
  name        = "AAD_PROVISIONING"
  run_as_role = "AAD_PROVISIONER"
  scim_client = "AZURE"
  enabled     = true
}

resource "snowflake_saml2_integration" "saml_integration" {
  name                      = "AAD_SAML"
  enabled                   = true
  saml2_enable_sp_initiated = true
  saml2_provider            = "ADFS"
  saml2_issuer              = "https://sts.windows.net/3825a6f3-24cb-47d4-8aa2-35d3e5891324/"
  saml2_sso_url             = "https://login.microsoftonline.com/3825a6f3-24cb-47d4-8aa2-35d3e5891324/saml2"
  saml2_x509_cert           = jsondecode(data.aws_secretsmanager_secret_version.azure_app.secret_string)["saml2_x509_cert"]
}
```

@nicolamarangoni
Author

terragrunt.log

@nicolamarangoni
Author

Adding something like `allowed_user_domains = ["example.com"]` doesn't fix it.

@sfc-gh-asawicki
Collaborator

Thanks! cc: @sfc-gh-jmichalak

@sfc-gh-jmichalak
Collaborator

Hi @nicolamarangoni 👋 We're assuming that we get user domains from Snowflake describe, but for some reason it's probably missing here. Can you check that ALLOWED_USER_DOMAINS is listed in DESCRIBE INTEGRATION AAD_SAML?

@nicolamarangoni
Author

Hi @sfc-gh-jmichalak, ALLOWED_USER_DOMAINS is not listed.

@gbatiz

gbatiz commented Jul 15, 2024

Same here. We also cannot downgrade as the database resource has been upgraded and we are getting the error:

╷
│ Error: Resource instance managed by newer provider version
│ 
│ The current state of ....database was created by a newer provider version than is currently selected. Upgrade the snowflake provider to work
│ with this state.
╵

@sfc-gh-jmichalak
Collaborator

@gbatiz @nicolamarangoni Thanks for your feedback, this is undocumented Snowflake behavior and we're investigating it internally.

@sfc-gh-asawicki
Collaborator

sfc-gh-asawicki commented Jul 16, 2024

@gbatiz Until we know if this is a Snowflake issue or intentional undocumented behavior, you can use a provider alias for the saml resource (so that only the saml resource works on the previous version, but you use the newest for the databases and all other objects).

@gbatiz

gbatiz commented Jul 17, 2024

> @gbatiz Until we know if this is a Snowflake issue or intentional undocumented behavior, you can use a provider alias for the saml resource (so that only the saml resource works on the previous version, but you use the newest for the databases and all other objects).

@sfc-gh-asawicki Reading the docs, I am not sure how to do this, if it is possible at all. Version is not something provider aliases can differ on. Do you have a working example of this that you are comfortable sharing, by any chance?

@sfc-gh-asawicki
Collaborator

I don't have a working solution to share, and this is a bit of a tricky solution, so after giving it a second thought, maybe we shouldn't have recommended it.

Still, the alternative would be to split into different deployments but this is a more time-consuming solution.

We are investigating internally the encountered behavior; as a last resort, we will provide a workaround in v0.94.0.

@gbatiz

gbatiz commented Jul 17, 2024

Thanks! For now we commented out the code for the resource and removed it from terraform state. Once the issue is resolved, we import it back.

sfc-gh-jmichalak added a commit that referenced this issue Jul 25, 2024

- add a state upgrader to set `default` for affected resources
- add an entry in the migration guide with explanation of the issue (also add a warning for v0.93)
- add sdk validation for setting conflicting values
- add resource validation for setting conflicting values in create/update (can't do it as ValidateFunc because it has scope of only one field)
- add acceptance tests to cover flow with this issue
- improve docs for other security integrations

## Test Plan
* [x] acceptance tests
* [x] unit tests

## References
#2946,
#2927.
@sfc-gh-jmichalak
Collaborator

sfc-gh-jmichalak commented Jul 29, 2024

@gbatiz @nicolamarangoni This has been fixed in v0.94. Please follow our migration guide.

When this field is missing from the output, instead of failing the whole operation, now it's only logged.
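To make the v0.94 change concrete, here is an added Go sketch (not the provider's own code) of the two read behaviours over a constructed DESCRIBE INTEGRATION result: the v0.93 path returns the exact error from this issue when the ALLOWED_USER_DOMAINS row is absent, while the v0.94 path logs the absence and continues with an empty list. The row type, function names and list format are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"strings"
)
// One row of DESCRIBE INTEGRATION output (constructed; not the provider's own SDK type).
type describeRow struct{ Property, Value string }
var errObjectNotExist = errors.New("object does not exist")

// findProperty returns a property's value, or errObjectNotExist when Snowflake omitted the row.
func findProperty(rows []describeRow, name string) (string, error) {
	for _, r := range rows {
		if r.Property == name {
			return r.Value, nil
		}
	}
	return "", errObjectNotExist
}

// splitList parses a Snowflake list value such as "[a.com, b.com]" into its items.
func splitList(v string) []string {
	return strings.Fields(strings.NewReplacer("[", " ", "]", " ", ",", " ").Replace(v))
}
// v0.93 behaviour from the issue: a missing ALLOWED_USER_DOMAINS row fails the whole read.
func readAllowedUserDomainsStrict(rows []describeRow) ([]string, error) {
	v, err := findProperty(rows, "ALLOWED_USER_DOMAINS")
	if err != nil {
		return nil, fmt.Errorf("failed to find allowed user domains, err = %w", err)
	}
	return splitList(v), nil
}
// v0.94 behaviour: the absence is only logged and the read continues with an empty list.
func readAllowedUserDomainsLenient(rows []describeRow) ([]string, error) {
	v, err := findProperty(rows, "ALLOWED_USER_DOMAINS")
	if err != nil {
		log.Printf("[DEBUG] ALLOWED_USER_DOMAINS missing from DESCRIBE output, skipping: %v", err)
		return nil, nil
	}
	return splitList(v), nil
}
func main() {
	// Constructed sample: the row is absent, as reported in the issue.
	rows := []describeRow{{"SAML2_PROVIDER", "ADFS"}, {"ENABLED", "true"}}
	_, err := readAllowedUserDomainsStrict(rows)
	d, _ := readAllowedUserDomainsLenient(rows)
	fmt.Println("v0.93:", err, "| v0.94:", d)
}
```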

@sfc-gh-asawicki
Collaborator

Closing as completed. Please open a new one if the error persists in the newest provider version.
