terraform-provider-snowflake icon indicating copy to clipboard operation
terraform-provider-snowflake copied to clipboard
verified publisher icon Snowflake-Labs

Crash when MFA used on 2 providers

Open Oracen opened this issue 1 year ago • 8 comments

Terraform CLI and Provider Versions

Terraform v1.7.5
on linux_amd64
+ provider registry.terraform.io/hashicorp/null v3.2.2
+ provider registry.terraform.io/snowflake-labs/snowflake v0.87.3-pre

Terraform Configuration

terraform {
  required_providers {
    snowflake = {
      source  = "Snowflake-Labs/snowflake"
      version = "0.87.3-pre"
    }
  }
}

provider "snowflake" {
  alias         = "security"
  account       = "account"
  user          = var.snowflake_username
  password      = var.snowflake_password
  role          = "SECURITYADMIN"
  authenticator = "UsernamePasswordMFA"

  client_request_mfa_token = true
}


provider "snowflake" {
  alias         = "system"
  account       = "account"
  user          = var.snowflake_username
  password      = var.snowflake_password
  role          = "SYSADMIN"
  authenticator = "UsernamePasswordMFA"

  client_request_mfa_token = true
}

Also requires a whole application's definition. You need a non-trivial number of resources to trigger this race condition. The key is having both client_request_mfa_token = true

Expected Behavior

Provider should cache MFA response to prevent hundreds of Duo messages. Each provider should independently store the provider.

Actual Behavior

Plan operation crashes, stack trace attached. I assume this is providers in child modules not namespacing credentials properly, or some kind of operation that needs a Mutex guard.

Steps to Reproduce

  1. terraform plan

How much impact is this issue causing?

Medium

Logs

https://gist.github.com/Oracen/2b818c2d25dabe7bffbd366176b39fea

Additional Information

Workaround for now is to use accounts without 2FA for deployment of our core Snowflake architecture. This will work short term but is obviously undesirable.

Oracen avatar Apr 08 '24 02:04 Oracen

Having dug into this a bit deeper, I don't know if this is an issue with the provider or the underlying Go Snowflake library. In Python they handle multiple reads/writes to the temp credential cache using semaphores. The Go stacktrace code appears to be hitting the same file, but I don't know if the issue is in how the TF provider accesses the secret or how Go handles access to the filesystem.

Oracen avatar Apr 08 '24 05:04 Oracen

Hey @Oracen. Thanks for reaching out to us.

From the logs provided it seems more like a bug in the underlying gosnowflake driver library. Please file a ticket in https://github.com/snowflakedb/gosnowflake.

sfc-gh-asawicki avatar Apr 08 '24 08:04 sfc-gh-asawicki

hi folks - so the issue is handled over there in gosnowflake so please head to the linked issue for progress tracking; I'll update that one with the progress.

For any viable workaround, I'm not sure if we have any, if your operations on the (tons of) resources cannot complete due to the race condition on the temporal credential cache file. Until the underlying issue is fixed, could implementing a (little) sleep every now and then between resources help maybe, to reduce the contention on the same credential cache?

sfc-gh-dszmolka avatar Apr 17 '24 04:04 sfc-gh-dszmolka

A possible workaround would be also to split the current configuration into two separate workspaces so that only a single provider is used in the given run. It may require some work, though.

sfc-gh-asawicki avatar Apr 17 '24 09:04 sfc-gh-asawicki

short update regarding the timeline and progress: gosnowflake fix merged, and the new version of the driver is expected to be released towards end of April 2024

afterwards, the TF provider also needs to bump the gosnowflake dependency + a new version released which carries the fixed gosnowflake

sfc-gh-dszmolka avatar Apr 18 '24 10:04 sfc-gh-dszmolka

Thanks, @sfc-gh-dszmolka, for the update and for the fast fix. I will schedule a bump of the version on the provider side.

sfc-gh-asawicki avatar Apr 18 '24 11:04 sfc-gh-asawicki

I'll confirm that splitting into separate TF configs with single providers does work, but may require modifications to your RBAC strategy. If you have a nice divide between resources + policies it works well, with only the additional CICD time + mental overhead as a cost.

If you're blocked, probably worth doing, but the easier way is to be nice to your DBAs and get them to set MINS_TO_BYPASS_MFA= X for a suitable value of X

Oracen avatar Apr 25 '24 02:04 Oracen

fix in gosnowflake released with 1.10.0

sfc-gh-dszmolka avatar May 08 '24 12:05 sfc-gh-dszmolka

Hey @Oracen @sfc-gh-dszmolka. We have bumped the driver to v1.10.0, we should do the release tomorrow.

sfc-gh-asawicki avatar May 15 '24 11:05 sfc-gh-asawicki

Hey @Oracen, we released v0.91.0 yesterday. Please upgrade to the newest version and let us know if this fixes your issues.

sfc-gh-asawicki avatar May 17 '24 06:05 sfc-gh-asawicki

Will do so monday

Oracen avatar May 17 '24 07:05 Oracen

would be really curious to hear about how it went; did the fix really help ?

sfc-gh-dszmolka avatar May 28 '24 09:05 sfc-gh-dszmolka

Hey @Oracen. Was your problem fixed with the version bump? :)

sfc-gh-asawicki avatar Jun 22 '24 07:06 sfc-gh-asawicki

Yes, it was. Worked like a charm. Appreciate it!

Oracen avatar Jun 22 '24 09:06 Oracen

Great to hear that! I am closing the ticket then. Thanks for the help @sfc-gh-dszmolka.

sfc-gh-asawicki avatar Jun 24 '24 08:06 sfc-gh-asawicki