[Bug]: snowflake_external_oauth_integration always running a modify/update #3006

Closed
wpl-sf-nbirch opened this issue Aug 20, 2024 · 15 comments
@wpl-sf-nbirch

Terraform CLI Version

0.87.0

Terraform Provider Version

1.9.4

Terraform Configuration

resource "snowflake_external_oauth_integration" "azure" {
  name                             = "AZURE_CLIENT"
  type                             = "AZURE"
  enabled                          = true
  issuer                           = "https://sts.windows.net/a...8/"
  snowflake_user_mapping_attribute = "LOGIN_NAME"
  jws_keys_urls                    = ["https://login.microsoftonline.com/a...8/discovery/v2.0/keys","https://login.windows.net/common/discovery/keys","https://login.microsoftonline.com/a...8/discovery/v2.0/keys?appid=2...373"]
  audience_urls                    = ["https://analysis.windows.net/powerbi/connector/Snowflake", "https://<org-account>.snowflakecomputing.com"]
  token_user_mapping_claims        = ["upn","sub"]
  any_role_mode                    = "ENABLE"
}

Category

category:resource

Object type(s)

resource:external_oauth_integration

Expected Behavior

There are no changes to the OAuth provider being specified once deployed; however, subsequent runs of the plan are showing that an update/modify is needed.

Actual Behavior

It doesn't seem to be handling the multiple values within the URL sets provided between the brackets, so it detects it as a change, even when no entries are changing.


Steps to Reproduce

  1. Create and deploy a snowflake_external_oauth_integration
  2. Re-run a plan and see updates being picked up without changing the resource

How much impact is this issue causing?

Medium

Logs

No response

Additional Information

No response

Would you like to implement a fix?

  • Yeah, I'll take it 😎
@wpl-sf-nbirch wpl-sf-nbirch added the bug Used to mark issues with provider's incorrect behavior label Aug 20, 2024
@wpl-sf-nbirch wpl-sf-nbirch changed the title [Bug]: snowflake_external_oauth_integration.azure always running a modify but not changing [Bug]: snowflake_external_oauth_integration always running a modify but not changing Aug 20, 2024
@wpl-sf-nbirch wpl-sf-nbirch changed the title [Bug]: snowflake_external_oauth_integration always running a modify but not changing [Bug]: snowflake_external_oauth_integration always running a modify/update Aug 20, 2024
@sfc-gh-asawicki
Collaborator

Hey @wpl-sf-nbirch. snowflake_external_oauth_integration resource was reworked in v0.93.0. Please first migrate to this version and check if the problem persists there.

@wimo-velux

@sfc-gh-asawicki I can confirm that the problem persists in 0.94.1

@sfc-gh-asawicki
Collaborator

Thanks for confirmation, @wimo-velux; we will try to reproduce it, and we will get back to you.

@sfc-gh-jmichalak
Collaborator

sfc-gh-jmichalak commented Aug 21, 2024

@wimo-velux @wpl-sf-nbirch, could you please provide the resource config with the steps you take here? I tried to reproduce it manually, but it's working correctly on my side.

@marius-sb1

marius-sb1 commented Aug 29, 2024

I have a similar problem to the bug description, but it's manifesting slightly differently: it wants to apply removal of the attributes under "show_output" which doesn't make much sense to me:

# snowflake_external_oauth_integration.powerbi_sso will be updated in-place
  ~ resource "snowflake_external_oauth_integration" "powerbi_sso" {
        id                                              = "powerbi_sso"
        name                                            = "powerbi_sso"
      ~ show_output                                     = [
          - {
              - category         = "SECURITY"
              - comment          = "Security integration for Power BI, allowing AD users/service accounts authenticated with Power BI (AD SSO) to log on to Snowflake from Power BI with their respective users"
              - created_on       = "2024-08-08 12:10:48.756 +0200 CEST"
              - enabled          = true
              - integration_type = "EXTERNAL_OAUTH - AZURE"
              - name             = "powerbi_sso"
            },
        ] -> (known after apply)
        # (11 unchanged attributes hidden)
    }

Running Terraform v1.8.2, provider registry.terraform.io/snowflake-labs/snowflake v0.94.1

@sfc-gh-jcieslak
Collaborator

sfc-gh-jcieslak commented Aug 29, 2024

Hey @marius-sb1 👋
It's rather showing you the show_output field will be recomputed. That's a known bug and we'll fix it for snowflake_external_oauth_integration and every resource we already refactored in the essential objects list. The fix will also be applied to other _output fields. This bug is not harmful, other than annoying plans showing up. If you don't care about show_output, you can try to use this: https://developer.hashicorp.com/terraform/language/meta-arguments/lifecycle#ignore_changes but I'm not sure how it works on computed fields.

@mch-sb

mch-sb commented Sep 5, 2024

Hey @sfc-gh-jcieslak
Great to hear that you are looking into the _output-fields bug. Is there an issue/pr to subscribe to, to track it?

@sfc-gh-jcieslak
Collaborator

Hey 👋
Yesterday, we released a new version of the provider (v0.95.0) where this issue should not occur. Please upgrade and let us know if the issue still persists. Thank you.

@mch-sb

mch-sb commented Oct 11, 2024

Hey again @sfc-gh-jcieslak !
We tried using ignore_changes on show_output, but got:

│ Warning: Redundant ignore_changes element
│ 
│   on modules/snowflake/dp_role.tf line 2, in resource "snowflake_warehouse" "warehouse":
│    2: resource "snowflake_warehouse" "warehouse" {
│ 
│ Adding an attribute name to ignore_changes tells Terraform to ignore future changes to the argument in configuration after the object has been created, retaining the value originally configured.
│ 
│ The attribute show_output is decided by the provider alone and therefore there can be no configured value to compare with. Including this attribute in ignore_changes has no effect. Remove the attribute from ignore_changes to quiet this warning.

We are using 0.96.0, and getting quite a bit of noise from the show_output in our tf-projects. Any suggestion on how to reduce the noise?

@sfc-gh-jcieslak
Collaborator

sfc-gh-jcieslak commented Oct 11, 2024

Hey @mch-sb
Here's an explanation for the error: https://discuss.hashicorp.com/t/ignore-changes-warning/44572. It seems ignore_changes won't work for computed fields (show_output is a computed field). But that's good, because I didn't elaborate on the topic of show_output, and I was wrong to propose ignore_changes on snowflake_external_oauth_integration. If it worked it could lead to issues with detecting resource changes and working properly. Here's a more detailed answer on that topic: #3118 (comment), but basically, the show_output is needed and it should be up-to-date. As this resource was recently refactored, we'll get back to it and make sure the infinite plan on show_output won't be appearing. Thank you for confirming.

@mch-sb

mch-sb commented Oct 11, 2024

Ah, I see, thanks!

@sfc-gh-jmichalak
Collaborator

Hi @mch-sb 👋

Please provide the resource configuration and logs with TF_LOG=DEBUG. I couldn't reproduce the issue and I don't know why show_output would be marked as changed without changes in any other fields.

@mch-sb

mch-sb commented Oct 14, 2024

Hey @sfc-gh-jmichalak
Thanks for showing interest in my problem.

I have found a solution for my case, and the problem was also probably created by me.

We are creating the warehouse in a tf-module, and outputting the whole resource-output from the terraform-project, to be used in other terraform-projects.

Slimmed down example to reproduce my issue:

# top-level content
terraform {
  required_providers {
    snowflake = {
      source  = "snowflake-labs/snowflake"
      version = "0.95.0"
    }
  }
}

module "wh" {
  source = "./wh"
}

output "wh" { # this output is used by other terraform-projects
  value = module.wh.wh
}

# module-content
terraform {
  required_providers {
    snowflake = {
      source  = "Snowflake-labs/snowflake"
      version = ">= 0.95.0"
    }
  }
}

resource "snowflake_warehouse" "warehouse" {
  name                         = "MCH_TEST_WH"
  warehouse_size               = "XSMALL"
  auto_suspend                 = 300
  statement_timeout_in_seconds = 14400
  lifecycle {
    # Ignore all changes except name-change
    # unfortunately not possible with all except
    # https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/warehouse
    ignore_changes = [
      auto_resume,
      auto_suspend,
      comment,
      enable_query_acceleration,
      initially_suspended,
      max_cluster_count,
      max_concurrency_level,
      min_cluster_count,
      query_acceleration_max_scale_factor,
      resource_monitor,
      scaling_policy,
      statement_queued_timeout_in_seconds,
      statement_timeout_in_seconds,
      warehouse_size,
      warehouse_type,
    ]
  }
}

output "wh" { # outputting the whole output from the wh-resource
  value = snowflake_warehouse.warehouse
}

Output from the root-output is sourced into other terraform-projects with terraform_remote_state.

When having the module as is, we get something like:

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan:

  # module.wh.snowflake_warehouse.warehouse has changed
  ~ resource "snowflake_warehouse" "warehouse" {
        id                                  = "MCH_TEST_WH"
        name                                = "MCH_TEST_WH"
      ~ show_output                         = [
          ~ {
                name                                = "MCH_TEST_WH"
              ~ resumed_on                          = "2024-10-14 10:30:50.435 +0000 UTC" -> "2024-10-14 10:32:09.946 +0000 UTC"
              ~ started_clusters                    = 0 -> 1
              ~ state                               = "SUSPENDED" -> "STARTED"
              ~ updated_on                          = "2024-10-14 10:30:50.435 +0000 UTC" -> "2024-10-14 10:32:09.946 +0000 UTC"
                # (22 unchanged attributes hidden)
            },
        ]
        # (11 unchanged attributes hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Changes to Outputs:
  ~ wh = {
        id                                  = "MCH_TEST_WH"
        name                                = "MCH_TEST_WH"
      ~ show_output                         = [
          ~ {
                name                                = "MCH_TEST_WH"
              ~ resumed_on                          = "2024-10-14 10:30:50.435 +0000 UTC" -> "2024-10-14 10:32:09.946 +0000 UTC"
              ~ started_clusters                    = 0 -> 1
              ~ state                               = "SUSPENDED" -> "STARTED"
              ~ updated_on                          = "2024-10-14 10:30:50.435 +0000 UTC" -> "2024-10-14 10:32:09.946 +0000 UTC"
                # (22 unchanged attributes hidden)
            },
        ]
        # (17 unchanged attributes hidden)
    }

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.

────────────────

But we have no need for the whole output later down the pipeline. And when only outputting what we actually need from the root level, Terraform is not reporting the changes from show_output.

So summa summārum, it seems both the snowflake-provider and terraform are behaving as expected, and it was my bad that we got the changes-output, as there are actual changes to the output we were outputting.

@sfc-gh-jmichalak
Collaborator

Thanks for the detailed description. These changed fields in show_output are simply read from Snowflake and represent the warehouse state, and it looks like these values changed between terraform runs.
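
One way to triage the plans quoted in this thread, as an added example that is not part of the original discussion or the provider's code: it reads the JSON form of a plan (`terraform show -json <planfile>`) and reports, per resource and output, whether every changed attribute sits under show_output or whether a configured attribute moved as well. The sample plan, the function names and the warehouse_size change are constructed for illustration.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>`, abbreviated from
# the plans quoted in this thread; the warehouse_size change is a made-up contrast.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "snowflake_external_oauth_integration.powerbi_sso", "change": {
     "before": {"name": "powerbi_sso", "show_output": [{"category": "SECURITY"}]},
     "after": {"name": "powerbi_sso"}, "after_unknown": {"show_output": true}}},
  {"address": "module.wh.snowflake_warehouse.warehouse", "change": {
     "before": {"name": "MCH_TEST_WH", "warehouse_size": "XSMALL"},
     "after": {"name": "MCH_TEST_WH", "warehouse_size": "SMALL"}, "after_unknown": {}}}],
 "output_changes": {"wh": {
     "before": {"show_output": [{"state": "SUSPENDED", "started_clusters": 0}]},
     "after": {"show_output": [{"state": "STARTED", "started_clusters": 1}]},
     "after_unknown": false}}}
""")

def changed_paths(before, after, unknown=None, path=""):
    """List attribute paths that differ or are '(known after apply)'."""
    if unknown is True:  # provider will recompute this value during apply
        return [path]
    if isinstance(before, dict) and isinstance(after, dict):
        unk = unknown if isinstance(unknown, dict) else {}
        return [p for k in sorted(set(before) | set(after) | set(unk))
                for p in changed_paths(before.get(k), after.get(k), unk.get(k),
                                       f"{path}.{k}" if path else k)]
    if isinstance(before, list) and isinstance(after, list) and len(before) == len(after):
        unk = unknown if isinstance(unknown, list) else []
        return [p for i, (b, a) in enumerate(zip(before, after))
                for p in changed_paths(b, a, unk[i] if i < len(unk) else None, f"{path}[{i}]")]
    return [] if before == after else [path]

def triage(plan, computed_root="show_output"):
    """Map each planned change to (verdict, changed attribute paths)."""
    items = [(rc["address"], rc["change"]) for rc in plan.get("resource_changes", [])]
    items += [(f"output.{n}", c) for n, c in plan.get("output_changes", {}).items()]
    report = {}
    for name, ch in items:
        paths = changed_paths(ch.get("before"), ch.get("after"), ch.get("after_unknown"))
        if paths:  # verdict is "computed-only" when every change sits under show_output
            roots = {p.split("[")[0].split(".")[0] for p in paths}
            report[name] = ("computed-only" if roots == {computed_root} else "review", paths)
    return report

if __name__ == "__main__":
    for name, (verdict, paths) in triage(SAMPLE_PLAN).items():
        print(f"{verdict:13} {name}: {', '.join(paths)}")
```
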

@sfc-gh-jmichalak sfc-gh-jmichalak self-assigned this Oct 23, 2024
@sfc-gh-jmichalak sfc-gh-jmichalak added general-usage General help/usage questions and removed bug Used to mark issues with provider's incorrect behavior labels Nov 12, 2024
@sfc-gh-jmichalak
Collaborator

Closing, as the provider is behaving correctly. If you have any further issues, please open a new issue.
