terraform-provider-aws: `aws_grafana_role_association` fails to associate AWS SSO user/group IDs
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave “+1” or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform CLI and Terraform AWS Provider Version
Terraform v1.1.4
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v4.9.0
Your version of Terraform is out of date! The latest version
is 1.1.8. You can update by downloading from https://www.terraform.io/downloads.html
Affected Resource(s)
aws_grafana_role_association
Terraform Configuration Files
resource "aws_grafana_role_association" "example" {
  role         = "ADMIN"
  group_ids    = ["<AWS SSO group ID>"]
  workspace_id = aws_grafana_workspace.example.id
}

resource "aws_grafana_workspace" "example" {
  account_access_type      = "CURRENT_ACCOUNT"
  authentication_providers = ["AWS_SSO"]
  permission_type          = "SERVICE_MANAGED"
  role_arn                 = aws_iam_role.assume.arn
}

resource "aws_iam_role" "assume" {
  name = "grafana-assume"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "grafana.amazonaws.com"
        }
      },
    ]
  })
}
Debug Output
N/A
Panic Output
N/A
Expected Behavior
- AWS SSO group ID that is specified in role association is associated with the workspace
Actual Behavior
- After a successful apply, no additional diffs in a plan, there are no groups associated with the workspace in the console and group members cannot access the workspace. Manually adding the group through the console does work however; no diff shown in state after adding manually though.
Steps to Reproduce
- terraform apply
- Navigate to Grafana workspace in console
- Check authentication tab and you will see this error message that no AWS SSO users/groups are associated
Important Factoids
- No, pretty vanilla AWS organization with AWS SSO
References
About this issue
- Original URL
- State: open
- Created 2 years ago
- Reactions: 45
- Comments: 34 (9 by maintainers)
AMG is currently working on a fix for this. Will update when fix is live.
looks like Grafana 9.4 is working for aws_grafana_role_association, we see this issue only with Grafana 8.x
Can confirm I can add a SSO group now through the terraform provider 👍
any progress here ?
User ID seems to be resolved. I was able to provision the workspace and associate the user with ADMIN role using the aws_grafana_role_association resource. If someone is interested, I have the code and a step by step process doc ready.
@mhausenblas did you have a feeling that we can bring it in? We really need this feature from API perspective to assign SSO Groups to Roles
I am also seeing this behavior. Can confirm that if I manually add a user from the AWS Console after setting permissions from Terraform, they will default to the correct permission. But I do have to add them manually from the console before I am able to log in via SSO.
Seeing the same behavior, but will add that after manually associating the target SSO groups via the AWS console the desired role association magics itself into existence (at least as far as the console is concerned). Confirmed that that same information is viewable from the list_permissions boto3 method even when not showing in the console. Curious if the console is sneaking in a call to the UpdateWorkspaceAuthentication api endpoint?
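The thread's practical takeaway is that a clean `terraform plan` is not proof that an SSO group or user can actually reach the workspace; the ListPermissions API (the `list_permissions` call mentioned above) is the place to confirm what Managed Grafana really holds. The following is an added example, not code from the issue or from the provider: a small Python check that compares the permissions the API reports against the associations the Terraform config intended and lists whatever is missing. It assumes the boto3 `grafana` client's `list_permissions(workspaceId=..., nextToken=...)` response shape (`permissions` entries with `role` and `user: {id, type}`); the workspace and principal IDs are constructed placeholders.

```python
"""Check that the role associations Terraform reports as applied are visible
through the Managed Grafana ListPermissions API.

Added example, not code from the issue or the terraform-provider-aws project.
Assumed API shape (boto3 'grafana' client, list_permissions):
  {"permissions": [{"role": "ADMIN"|"EDITOR"|"VIEWER",
                    "user": {"id": "...", "type": "SSO_USER"|"SSO_GROUP"}}],
   "nextToken": "..."}
"""
from collections import defaultdict


def roles_by_principal(permissions):
    """Index permission entries as {(principal_type, principal_id): {roles}}."""
    index = defaultdict(set)
    for entry in permissions:
        user = entry.get("user", {})
        index[(user.get("type"), user.get("id"))].add(entry.get("role"))
    return index


def missing_associations(permissions, expected):
    """Return sorted (type, id, role) triples from `expected` that the API does
    not show. `expected` mirrors an aws_grafana_role_association block, e.g.
    {("SSO_GROUP", "<group id>"): "ADMIN"}."""
    index = roles_by_principal(permissions)
    return sorted(
        (ptype, pid, role)
        for (ptype, pid), role in expected.items()
        if role not in index.get((ptype, pid), set())
    )


def fetch_permissions(client, workspace_id):
    """Page through list_permissions for one workspace using a boto3 client
    (or anything exposing the same method; pagination via nextToken assumed)."""
    permissions = []
    kwargs = {"workspaceId": workspace_id}
    while True:
        page = client.list_permissions(**kwargs)
        permissions.extend(page.get("permissions", []))
        token = page.get("nextToken")
        if not token:
            return permissions
        kwargs["nextToken"] = token


# Constructed sample response: the SSO user is ADMIN as intended, but the SSO
# group only shows up as VIEWER, which is the kind of gap the issue describes.
SAMPLE_PERMISSIONS = [
    {"role": "ADMIN", "user": {"id": "user-0000-example", "type": "SSO_USER"}},
    {"role": "VIEWER", "user": {"id": "group-1111-example", "type": "SSO_GROUP"}},
]

# What the Terraform config intended (placeholder IDs, not real principals).
EXPECTED = {
    ("SSO_GROUP", "group-1111-example"): "ADMIN",
    ("SSO_USER", "user-0000-example"): "ADMIN",
}

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        import boto3  # only needed for a live check against a real workspace

        perms = fetch_permissions(boto3.client("grafana"), sys.argv[1])
    else:
        perms = SAMPLE_PERMISSIONS
    gaps = missing_associations(perms, EXPECTED)
    for ptype, pid, role in gaps:
        print(f"MISSING: {ptype} {pid} should have role {role}")
    print("all expected associations present" if not gaps else f"{len(gaps)} missing")
```

Run it with no arguments to see the check against the constructed sample, or pass a workspace ID (with AWS credentials configured) to compare a live workspace against the `EXPECTED` mapping you fill in from your own configuration. Because the check reads the API rather than Terraform state, it catches exactly the situation in the issue: state says the association exists while the service does not.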