terraform-provider-grafana

[Bug]: wake up on stack URL with SAML SSO

Open skwasjer opened this issue 1 year ago • 2 comments

Terraform Version

1.9.7

Terraform Grafana Provider Version

>= 3.7

Grafana Version

11.3.0-77046

Affected Resource(s)

  • grafana_cloud_stack_service_account

Terraform Configuration Files

We did not change any TF files, only bumped the Grafana terraform provider from 3.6 to 3.7.

But specifically, the error reported below trips on line 41 which is:

resource "grafana_cloud_stack_service_account" "cloud_sa" {
  stack_slug  = grafana_cloud_stack.stack.slug
  name        = "${var.environment}_tf_provider"
  role        = "Admin"
  is_disabled = false
}

Expected Behavior

Planning succeeds and reports no stack difference/drift.

Actual Behavior

Works fine with the 3.6 Grafana Terraform provider, but as soon as I upgrade to version >= 3.7, planning takes a long time and eventually always fails.

grafana_cloud_stack.stack: Refreshing state... [id=xxx]
grafana_cloud_stack_service_account.cloud_sa: Refreshing state... [id=xxx:4]
grafana_cloud_access_policy.otlp: Refreshing state... [id=eu:xxx]
grafana_cloud_access_policy_token.otlp: Refreshing state... [id=eu:xxx]

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: error waiting for stack (URL: https://xxx.grafana.net/api/health) to be ready: Get "/login/saml": stopped after 10 redirects
│
│   with grafana_cloud_stack_service_account.cloud_sa,
│   on stack.tf line 41, in resource "grafana_cloud_stack_service_account" "cloud_sa":
│   41: resource "grafana_cloud_stack_service_account" "cloud_sa" {
│
╵

Note: redacted with xxx

Steps to Reproduce

  1. change version to 3.7
    terraform {
      required_providers {
        grafana = {
          source  = "grafana/grafana"
          version = "3.7"
        }
      }
    }
    
  2. terraform init -upgrade
  3. terraform validate
  4. terraform plan -out="./plan.zip" <- fails

Important Factoids

  1. We have a SAML SSO configuration in Grafana where Auth0 is our IdP. Under normal circumstances, when hitting the stack URL, the client is redirected to our IdP to authenticate. This configuration is not new, we've been using this for over a year.
  2. The stack is already warmed up and running, since we use it daily.
  3. When I test the health endpoint (Chrome incognito mode), it succeeds:
    {
      "database": "ok",
      "version": "11.3.0-77046",
      "commit": "27c7e33217024abcda54bbd33b9943bba87f17d7",
      "enterpriseCommit": "f4f09f59e3de7916711ab271b1275be27f9aaa5a"
    }
    

Basically, I believe this to be a regression of #1727, perhaps related to the status code 200 check and the fact that the stack URL causes a redirect.

References

No response

skwasjer avatar Oct 09 '24 18:10 skwasjer
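
The "stopped after 10 redirects" text in the error above is what Go's default HTTP client returns when a redirect chain never ends. The following is an added example, not code from the provider or from the issue author: it contrasts a readiness probe that follows redirects with one that inspects only the first response. `newLoopingStack`, `naiveProbe` and `probe` are hypothetical names, and the test server is constructed to model only the symptom in the error message (every path redirects to `/login/saml`), not the real stack's behaviour.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// newLoopingStack is a constructed stand-in: every path, including
// /login/saml itself, answers 302 -> /login/saml (assumption, models the symptom only).
func newLoopingStack() *httptest.Server {
	return httptest.NewServer(http.RedirectHandler("/login/saml", http.StatusFound))
}

// naiveProbe uses the default client, which follows redirects and fails
// with "stopped after 10 redirects" when the chain does not terminate.
func naiveProbe(url string) error {
	resp, err := http.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// probe looks at the first response only and reports a login redirect
// as its own state instead of chasing the SSO flow.
func probe(url string) (string, error) {
	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse // hand back the 3xx response unchanged
	}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusOK {
		return "ready", nil
	}
	if resp.StatusCode/100 == 3 && strings.Contains(resp.Header.Get("Location"), "/login") {
		return "auth-redirect", nil
	}
	return fmt.Sprintf("not-ready:%d", resp.StatusCode), nil
}

func main() {
	srv := newLoopingStack()
	defer srv.Close()
	fmt.Println(naiveProbe(srv.URL + "/api/health"))
	fmt.Println(probe(srv.URL + "/api/health"))
}
```

Whether an "auth-redirect" answer should count as ready is a policy decision for the caller; the point is that the probe can tell it apart from a stack that is still starting.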