terraform-provider-snowflake
Error when running `terraform apply` - Snowflake region Australia East
Provider Version
terraform providers: 0.22.0
Terraform Version
0.15.0
Describe the bug
When I run `terraform apply` I get the following error:
│ Error: error creating database: Post "https://xxxxx.AZURE_AUSTRALIAEAST.snowflakecomputing.com:443/session/v1/login-request?requestId=xxxxx&request_guid=xxxxx&roleName=SYSADMIN": x509: certificate is valid for *.us-west-2.snowflakecomputing.com, *.snowflakecomputing.com, *.global.snowflakecomputing.com, *.prod1.us-west-2.aws.snowflakecomputing.com, *.prod2.us-west-2.aws.snowflakecomputing.com, *.us-west-2.aws.snowflakecomputing.com, not xxxxx.AZURE_AUSTRALIAEAST.snowflakecomputing.com
│
│ on main.tf line 14, in resource "snowflake_database" "db":
│ 14: resource "snowflake_database" "db" {
Expected behavior
This should create a database in my Snowflake instance.
There is an issue with your certificate, not a bug in this Terraform plugin.
I got the same issue as well by following this guide: https://guides.snowflake.com/guide/terraforming_snowflake/index.html?index=..%2F..index#4
I followed the steps here exactly. Any help?
I ran into the same issue and was able to temporarily work around it by defining the region like this:
provider "snowflake" {
  username = "..."
  account  = "..."
  region   = "ca-central-1.aws"
  role     = "..."
}
Seems the format of the POST request doesn't match what snowflake is actually expecting:
x509: certificate is valid for *.us-west-2.snowflakecomputing.com, *.snowflakecomputing.com, *.global.snowflakecomputing.com, *.prod1.us-west-2.aws.snowflakecomputing.com, *.prod2.us-west-2.aws.snowflakecomputing.com, *.us-west-2.aws.snowflakecomputing.com, not xxxxxxx.AWS_CA_CENTRAL_1.snowflakecomputing.com
For me, the region had to be set to "us-west-2". Then it started working. The tutorial says to use the output of "SELECT current_region();" which is "AWS_US_WEST_2"... but that does not work.
I added the following as line 12
region = "us-east-1"
and everything worked like a champ
Obviously you'll need to add your own AWS region for that line
Same here... I try to connect to us-east-2, but it is not accepted. I've even tried @JimMcKenzieSmith's tip of trying "SELECT current_region();":
-request?requestId=19d312c7-3576-4b27-aaff-eb1d25f1cb6a&request_guid=8fe73dcd-0fc1-409f-b0fc-d1f11800a88c&roleName=SYSADMIN": x509: certificate is valid for *.us-west-2.snowflakecomputing.com, *.us-west-2.aws.snowflakecomputing.com, *.global.snowflakecomputing.com, *.snowflakecomputing.com, *.prod1.us-west-2.aws.snowflakecomputing.com, *.prod2.us-west-2.aws.snowflakecomputing.com, not XXXXXX.AWS_US_EAST_2.snowflakecomputing.com
Changing region from "us-east-2" to "us-east-2.aws" also worked for me :D
I also ran into this issue and I had to change my region from "us-east-2" to "us-east-2.aws".
thanks to everyone who contributed on this thread
I also ran into this issue. However, changing my region from "us-east-2" to "us-east-2.aws" doesn't address the problem. Instead of getting the x509 error, I get Error: error creating database: 390100 (08004): Incorrect username or password was specified.
I'm pretty certain the credentials I'm using are correct as they work via the browser.
Terraform version: 0.14.7 Snowflake provider version: 0.25.33
I ran into this issue today also. I finally realized that there is a link to a reference table in the guide. Solved my issue.
Using an Account Name as an Identifier
The account identifier for an account in your organization takes one of the following forms, depending on where and how the identifier is used:
<orgname>-account_name (for most URLs and other general purpose usage)
To resolve this issue, remove the Terraform environment variable SNOWFLAKE_REGION since it is optional and replace the environment value SNOWFLAKE_ACCOUNT using the taxonomy above instead of the generic account identifier.
This will generate a URL in the format MY_ORG-MY_ACCOUNT.snowflakecomputing.com which will be covered by the pattern *.snowflakecomputing.com
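Why some host names in this thread fail against the certificate quoted in the errors while the ORG-ACCOUNT form passes, as an added example (not code from the provider or from any commenter): it puts the SAN list from the error into a throwaway self-signed certificate and runs Go's own `VerifyHostname`, the check that produced the `x509:` message. `hostFor` and `Covered` are hypothetical names, and the host shape is taken from the URLs shown in the errors.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// SAN list copied from the x509 error quoted in this thread.
var sans = []string{
	"*.us-west-2.snowflakecomputing.com", "*.snowflakecomputing.com",
	"*.global.snowflakecomputing.com", "*.prod1.us-west-2.aws.snowflakecomputing.com",
	"*.prod2.us-west-2.aws.snowflakecomputing.com", "*.us-west-2.aws.snowflakecomputing.com",
}

// hostFor (hypothetical helper) mirrors the host shape seen in the error URLs.
func hostFor(account, region string) string {
	if region == "" {
		return account + ".snowflakecomputing.com"
	}
	return account + "." + region + ".snowflakecomputing.com"
}

// Covered builds a throwaway self-signed certificate carrying the SANs above
// and asks Go's hostname verification whether it accepts host.
func Covered(host string) bool {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: sans,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert.VerifyHostname(host) == nil
}

func main() {
	fmt.Println(Covered(hostFor("xxxxx", "AZURE_AUSTRALIAEAST")), Covered(hostFor("MY_ORG-MY_ACCOUNT", "")))
}
```

A certificate wildcard stands for exactly one leading label, so `xxxxx.AZURE_AUSTRALIAEAST.snowflakecomputing.com` has one label too many for `*.snowflakecomputing.com`, while `xxxxx.us-west-2.snowflakecomputing.com` and `MY_ORG-MY_ACCOUNT.snowflakecomputing.com` each line up with an entry in the list.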
It has worked for me in both, your way and also specifying the region with the format "region.cloud" (in my case "west-europe.azure"). I have been able to see the organization name and account on the new UI at the left bottom of the website, just in case someone else struggles a bit searching that info while not being admin 😂
This has tripped us up as well. Just submitted a PR (#1398) that attempts to shed light on the different Snowflake account identifier formats in hope that it may help future adopters when configuring this provider.
I did the following to get things to work for me:
- unset SNOWFLAKE_REGION
- export SNOWFLAKE_ACCOUNT="ORG_ID-ACCOUNT_ID"
The SNOWFLAKE_ACCOUNT should match the characters on your login URL.
Ran into this problem doing the tutorial, would be great if that pointed to the reference guide so you can get it right manually rather than a query that produces a string that fails with an unhelpful message. This issue also seems to be the same thing: https://github.com/Snowflake-Labs/sfquickstarts/issues/799
We are closing this issue as part of a cleanup described in announcement. If you believe that the issue is still valid in v0.89.0, please open a new ticket.