
`aws_grafana_role_association` fails to associate AWS SSO user/group IDs

Open bryantbiggs opened this issue 2 years ago • 17 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v1.1.4
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v4.9.0

Your version of Terraform is out of date! The latest version
is 1.1.8. You can update by downloading from https://www.terraform.io/downloads.html

Affected Resource(s)

  • aws_grafana_role_association

Terraform Configuration Files

resource "aws_grafana_role_association" "example" {
  role         = "ADMIN"
  group_ids    = ["<AWS SSO group ID>"]
  workspace_id = aws_grafana_workspace.example.id
}

resource "aws_grafana_workspace" "example" {
  account_access_type      = "CURRENT_ACCOUNT"
  authentication_providers = ["AWS_SSO"]
  permission_type          = "SERVICE_MANAGED"
  role_arn                 = aws_iam_role.assume.arn
}

resource "aws_iam_role" "assume" {
  name = "grafana-assume"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "grafana.amazonaws.com"
        }
      },
    ]
  })
}

Debug Output

N/A

Panic Output

N/A

Expected Behavior

  • AWS SSO group ID that is specified in role association is associated with the workspace

Actual Behavior

  • After a successful apply, with no additional diffs in a plan, there are no groups associated with the workspace in the console and group members cannot access the workspace. Manually adding the group through the console does work, however; no diff is shown in state after adding it manually, though.

Steps to Reproduce

  1. terraform apply
  2. Navigate to Grafana workspace in console
  3. Check the authentication tab and you will see an error message that no AWS SSO users/groups are associated

Important Factoids

  • No, pretty vanilla AWS organization with AWS SSO

References

  • #23791
  • #23665

bryantbiggs avatar Apr 09 '22 18:04 bryantbiggs

Seeing the same behavior, but will add that after manually associating the target SSO groups via the AWS console the desired role association magics itself into existence (at least as far as the console is concerned). Confirmed that that same information is viewable from the list_permissions boto3 method even when not showing in the console. Curious if the console is sneaking in a call to the UpdateWorkspaceAuthentication api endpoint?

userhas404d avatar Apr 22 '22 18:04 userhas404d
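The original report describes a silent failure: `terraform apply` succeeds and `terraform plan` shows no diff, yet the workspace has no SSO association. The comment above notes that `list_permissions` reflects the real state. The following is an added example, not code from this thread or from the provider, that compares the associations you expect (mirroring the issue's config) against what `ListPermissions` actually returns; the workspace id and SSO ids are placeholders, and `SAMPLE_PERMISSIONS` is a constructed response so the comparison can be exercised offline.

```python
"""Detect the drift described in this issue: Terraform reports a clean apply,
but the Grafana workspace holds no matching SSO role association.

The comparison is a pure function so it runs offline against a captured
ListPermissions response; fetch_permissions() is the only part that calls AWS.
"""
from typing import Iterable

# Expected associations, mirroring the aws_grafana_role_association block in the
# issue. The id is a placeholder, not a real identifier.
EXPECTED = [
    {"role": "ADMIN", "id": "<AWS SSO group ID>", "type": "SSO_GROUP"},
]

# Constructed sample in the shape of a boto3 grafana.list_permissions() response:
# only a console-added user is present, the Terraform-managed group is absent.
SAMPLE_PERMISSIONS = [
    {"role": "ADMIN", "user": {"id": "<console-added user ID>", "type": "SSO_USER"}},
]


def permission_key(p: dict) -> tuple:
    """Normalise one ListPermissions entry to a comparable (role, id, type) tuple."""
    return (p["role"], p["user"]["id"], p["user"]["type"])


def missing_associations(expected: Iterable[dict], actual: Iterable[dict]) -> list:
    """Return the expected associations the workspace does not actually have."""
    present = {permission_key(p) for p in actual}
    return [e for e in expected if (e["role"], e["id"], e["type"]) not in present]


def fetch_permissions(workspace_id: str) -> list:
    """Page through grafana:ListPermissions for one workspace (needs AWS credentials)."""
    import boto3  # imported lazily so the pure helpers above need no AWS access

    client = boto3.client("grafana")
    permissions, kwargs = [], {"workspaceId": workspace_id}
    while True:
        resp = client.list_permissions(**kwargs)
        permissions.extend(resp.get("permissions", []))
        if not resp.get("nextToken"):
            return permissions
        kwargs["nextToken"] = resp["nextToken"]


if __name__ == "__main__":
    import sys  # usage: python check_grafana_perms.py g-xxxxxxxxxx (placeholder id)
    gaps = missing_associations(EXPECTED, fetch_permissions(sys.argv[1]))
    for g in gaps:
        print(f"DRIFT: {g['type']} {g['id']} is not associated as {g['role']}")
    sys.exit(1 if gaps else 0)
```

Running this after a clean apply exits non-zero whenever the association Terraform believes it created is not actually present on the workspace.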

Yes...see the same behaviour with user_id as well. I cannot associate the ADMIN or VIEWER role to an individual user. I have to assign it in the console

bmacauley avatar May 24 '22 14:05 bmacauley

I am also seeing this behavior. Can confirm that if I manually add a user from the AWS Console after setting permissions from Terraform, they will default to the correct permission. But I do have to add them manually from the console before I am able to log in via SSO.

sollie avatar Jun 14 '22 12:06 sollie

we faced the same issue in crossplane provider-jet-aws

Spec:
  Deletion Policy:  Delete
  For Provider:
    Group Ids:
      99672eabab-cbf5abfe-260c-469a-b708-144f60904000
    Region:        eu-central-1
    Role:          ADMIN
    Workspace Id:  g-aa57ea1300
    Workspace Id Ref:
      Name:  sample-workspace
  Provider Config Ref:
    Name:  default
Status:
  At Provider:
    Id:  g-aa57ea1300/ADMIN
  Conditions:
    Last Transition Time:  2022-07-15T19:44:41Z
    Reason:                Available
    Status:                True
    Type:                  Ready
    Last Transition Time:  2022-07-15T19:44:35Z
    Reason:                ReconcileSuccess
    Status:                True
    Type:                  Synced
Events:
  Type    Reason                   Age   From                                                                  Message
  ----    ------                   ----  ----                                                                  -------
  Normal  CreatedExternalResource  21s   managed/grafana.aws.jet.crossplane.io/v1alpha2, kind=roleassociation  Successfully requested creation of external resource

but the roles are not associated https://github.com/crossplane-contrib/provider-jet-aws/pull/214

haarchri avatar Jul 15 '22 19:07 haarchri

From my communication with AWS support: it is not possible to create access for some SSO user/group from the API, only to modify the permission (READER/EDITOR/ADMIN) of one created from the console. So I think it is better to describe this in the terraform docs.

tanshihaj avatar Jul 21 '22 09:07 tanshihaj

That's unfortunate - I prefer to control all aspects of my AWS environment through terraform, considering console use a last resort. I've commented out all of my grafana terraform config until this is possible.

Is there a feature request to enable sso user/group admin from the API? Will gladly upvote it

chrisxaustin avatar Jul 21 '22 16:07 chrisxaustin

@mhausenblas do you have a feeling that we can bring it in? We really need this feature from the API perspective to assign SSO Groups to Roles

haarchri avatar Jul 21 '22 21:07 haarchri

@haarchri we'd need to engage the right team, I don't have enough context to confirm, I'm afraid. Let me share internally and see where it goes.

mhausenblas avatar Jul 22 '22 09:07 mhausenblas

Are there any updates? Thanks,

SukruHan avatar Oct 03 '22 10:10 SukruHan

I am experiencing the same issue :bow:

EricBizet avatar Oct 14 '22 08:10 EricBizet

Same issue for us, we have to do the association manually to make it work.

nikoul avatar Nov 01 '22 09:11 nikoul

AMG is currently working on a fix for this. Will update when fix is live.

carvjust avatar Nov 10 '22 23:11 carvjust

> I am also seeing this behavior. Can confirm that if I manually add a user from the AWS Console after setting permissions from Terraform, they will default to the correct permission. But I do have to add them manually from the console before I am able to log in via SSO.

User ID seems to be resolved. I was able to provision the workspace and associate the user with ADMIN role using the aws_grafana_role_association resource. If someone is interested, I have the code and a step by step process doc ready.

kunduso avatar Nov 22 '22 12:11 kunduso

~~I can confirm this has been fixed. Thanks :bow:~~

EricBizet avatar Dec 13 '22 05:12 EricBizet

edit: not working anymore, probably still in progress :thinking:

EricBizet avatar Dec 14 '22 06:12 EricBizet

@mhausenblas any update you might be able to share?

bryantbiggs avatar Feb 02 '23 18:02 bryantbiggs

Hello, I'm facing the same problem, i.e. SSO users don't work. I'm getting `creating Grafana Workspace Role Association: BadRequestException:` when trying to create the role association from Terraform.

But it works fine when I do this from the AWS console (UI).

dnaprawa-capgemini avatar Feb 23 '23 11:02 dnaprawa-capgemini

any progress here?

haarchri avatar Mar 29 '23 12:03 haarchri

Hello, the issue is fixed from Managed Grafana's end. Please check out the updated user doc, and IAM policy required to manage permissions from CLI/SDK.

mengdic avatar Mar 30 '23 00:03 mengdic

Can confirm I can add a SSO group now through the terraform provider 👍

tmszk avatar Mar 30 '23 10:03 tmszk

which version of the terraform provider are you running? - we get the same issue as before

    Message:               apply failed: creating Grafana Workspace Role Association: BadRequestException: 
                           status code: 400, request id: 0ea64ed0-33ac-4678-9113-8cab4f0d4575: 

haarchri avatar Mar 30 '23 10:03 haarchri

> which version of the terraform provider are you running? - we get the same issue as before
>
>     Message:               apply failed: creating Grafana Workspace Role Association: BadRequestException: 
>                            status code: 400, request id: 0ea64ed0-33ac-4678-9113-8cab4f0d4575: 

I'm using hashicorp/aws v4.51.0

tmszk avatar Mar 30 '23 12:03 tmszk

we are running 4.56.0

haarchri avatar Mar 30 '23 12:03 haarchri

@mengdic were there user facing API changes made to correct this?

bryantbiggs avatar Mar 30 '23 12:03 bryantbiggs

I'm using 4.59.0 and I'm constantly getting 400 code "BadRequestException".

dnaprawa-capgemini avatar Mar 30 '23 13:03 dnaprawa-capgemini

There were no user facing changes made to the UpdatePermissions API. As @mengdic pointed out, AWS managed policy for workspace permission management was updated. From @tmszk comment above, changes to terraform provider might be the cause of BadRequestException to be generated.

anuragarora avatar Mar 30 '23 18:03 anuragarora

@anuragarora do you have any recommendation what to do to avoid the BadRequestException in the newest provider versions?

dnaprawa-capgemini avatar Mar 31 '23 09:03 dnaprawa-capgemini

@anuragarora kind reminder :)

dnaprawa-capgemini avatar Apr 17 '23 11:04 dnaprawa-capgemini

Hi @dnaprawa-capgemini , we checked on our end and the update-permissions API is working correctly since the fix applied 3 weeks ago. If you are still seeing the error, then we will need Terraform/HashiCorp team to check on this.

mengdic avatar Apr 18 '23 20:04 mengdic

@mengdic what do you mean by the fix? Is it included in latest version of AWS provider?

dnaprawa-capgemini avatar Apr 24 '23 06:04 dnaprawa-capgemini