grafana_sso_settings azuread / Entra ID - new required field (client_authentication) #1990

Open
Sizzl opened this issue Jan 20, 2025 · 5 comments

Comments

@Sizzl

Sizzl commented Jan 20, 2025

Terraform Version

1.10.4

Terraform Grafana Provider Version

3.16.0

Grafana Version

Cloud

Affected Resource(s)

grafana_sso_settings

Terraform Configuration Files

terraform {
  required_providers {
    grafana = {
      source  = "grafana/grafana"
      version = "3.16.0"
    }
  }
}

locals {
  # For testing only -- credentials would naturally be handled elsewhere
  sso_app = {
    tenantid = "<insert tid>"
    application_id = "<insert clientid>"
    secret_value = "<insert secret>"
  }
}

## Generated stack
provider "grafana" {
  alias = "cloud_stack_eu"
  url   = "<insert existing cloud stack url>"
  auth  = "<insert existing auth token>"
}

## Hooks up SSO for Entra ID
###- https://registry.terraform.io/providers/grafana/grafana/latest/docs/resources/sso_settings
resource "grafana_sso_settings" "entra_id_sso_settings" {
  provider      = grafana.cloud_stack_eu
  provider_name = "azuread"
  oauth2_settings {
    name                  = "Microsoft Entra ID"
    auth_url              = "https://login.microsoftonline.com/${local.sso_app.tenantid}/oauth2/v2.0/authorize"
    token_url             = "https://login.microsoftonline.com/${local.sso_app.tenantid}/oauth2/v2.0/token"
    client_id             = local.sso_app.application_id
    client_secret         = local.sso_app.secret_value
    allow_sign_up         = true
    auto_login            = true
    scopes                = "openid profile email offline_access"
    use_pkce              = true
    use_refresh_token     = true
    role_attribute_path   = "contains(info.Roles[*], 'admin') && 'Admin' || contains(info.Roles[*], 'editor') && 'Editor' || contains(info.Roles[*], 'viewer') && 'Viewer'"
    role_attribute_strict = true  # require app registration member association!
    skip_org_role_sync    = false # require app registration member association!
  }
}

Expected Behavior

grafana_sso_settings.entra_id_sso_settings: Modifying... [id=azuread]
grafana_sso_settings.entra_id_sso_settings: Modifications complete after 0s [id=azuread]

Actual Behavior

API failure returned:

2025-01-20T15:44:09.573Z [ERROR] provider.terraform-provider-grafana_v3.16.0.exe: Response contains error diagnostic: @module=sdk.proto diagnostic_summary="failed to create the SSO settings for provider azuread: [PUT /v1/sso-settings/{key}][400] updateProviderSettingsBadRequest {\"message\":\"Invalid client authentication method.\"}" tf_req_id=e402d802-f01b-d036-d62d-bb5b999d9b79 tf_resource_type=grafana_sso_settings tf_rpc=ApplyResourceChange @caller=github.com/hashicorp/terraform-plugin-go@v0.25.0/tfprotov5/internal/diag/diagnostics.go:58 diagnostic_detail="" diagnostic_severity=ERROR tf_proto_version=5.7 tf_provider_addr=registry.terraform.io/grafana/grafana timestamp=2025-01-20T15:44:09.569Z
2025-01-20T15:44:10.742Z [ERROR] vertex "grafana_sso_settings.entra_id_sso_settings" error: failed to create the SSO settings for provider azuread: [PUT /v1/sso-settings/{key}][400] updateProviderSettingsBadRequest {"message":"Invalid client authentication method."}

Steps to Reproduce

  1. terraform apply
  2. If it didn't fail the first time, adjust the oauth2_settings.name field (or force any other change for the resource - I spotted this initially when the secret was rotated).
  3. terraform apply

Important Factoids

Looks like an API change at source (i.e., in this case Grafana Cloud); the following custom setting can be added to the terraform resource oauth2_settings (based on scraping the network PUT in the Cloud UI):

oauth2_settings {
  ...
  custom = {
    client_authentication = "client_secret_post"
  }
}

Does this need to be handled better in the provider resource, or documentation to be updated to show as "required"?

References

No response

@spinillos
Member

@grafana/identity-access-team could you check this?

Looks like there are a lot of fields used here that aren't in TF or documented.

@kalleep

kalleep commented Jan 23, 2025

Thanks for the ping @spinillos, I think we should fix this on the grafana side first while the feature is hashed out fully cc @mgyongyosi

We should update https://github.com/grafana/grafana/blob/main/pkg/login/social/connectors/azuread_oauth.go#L385-L387 to perform the same check as we do when client_secret_post is set

@kalleep

kalleep commented Jan 23, 2025

Merged fix into grafana.

Let's keep this one open because we need to add support for other client authentication methods here

@boettluSICKAG

boettluSICKAG commented Feb 12, 2025

I just tested this with the latest grafana image and I am still getting the "Invalid client authentication method." error. The workaround with the oauth2_settings.custom.client_authentication field works fine though!

@Sizzl
Author

Sizzl commented Feb 17, 2025

Guessing there's been another downstream change as a slightly different error has started appearing for this resource, whether using the above workaround or not 🤕

It's now complaining that the auth_url isn't present, even though it is.

The only fix I've found is to forcefully update any older providers to >=3.16.0
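A small preflight check for the oauth2_settings block, covering both failures reported in this thread (the 400 "Invalid client authentication method." when custom.client_authentication is absent, and the later complaint that auth_url is not present). This is an added example, not code from the Grafana provider or from Grafana itself; the set of required keys and the rule that client_secret_post needs a client_secret are assumptions drawn from the config and errors posted above, and the sample values are constructed placeholders.

```python
"""Preflight for a grafana_sso_settings azuread oauth2_settings map.

Added example (not provider or Grafana code). It mirrors the two errors in
this issue: a missing client authentication method and a missing auth_url.
"""

# Assumption: keys the posted config relies on before the PUT can succeed.
REQUIRED = ("auth_url", "token_url", "client_id")


def preflight(oauth2_settings: dict) -> list[str]:
    """Return the problems found; an empty list means the block looks applyable."""
    problems = []
    for key in REQUIRED:
        if not str(oauth2_settings.get(key, "")).strip():
            problems.append(f"{key} is missing or empty")

    # The workaround from the thread: the method travels in the `custom` map.
    custom = oauth2_settings.get("custom") or {}
    method = str(custom.get("client_authentication", "")).strip()
    if not method:
        problems.append("custom.client_authentication is unset; Grafana Cloud "
                        "answers 400 'Invalid client authentication method.'")
    elif method == "client_secret_post" and not oauth2_settings.get("client_secret"):
        # Assumption: posting a secret requires one to be configured.
        problems.append("client_secret_post requires a non-empty client_secret")
    return problems


def with_workaround(oauth2_settings: dict) -> dict:
    """Return a copy with the thread's workaround merged into the custom map."""
    fixed = dict(oauth2_settings)
    fixed["custom"] = {**(oauth2_settings.get("custom") or {}),
                       "client_authentication": "client_secret_post"}
    return fixed


# Constructed sample mirroring the posted config (placeholders, not real values).
TENANT = "<insert tid>"
SAMPLE = {
    "name": "Microsoft Entra ID",
    "auth_url": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_url": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "client_id": "<insert clientid>",
    "client_secret": "<insert secret>",
    "use_pkce": True,
}

if __name__ == "__main__":
    print("before:", preflight(SAMPLE))
    print("after workaround:", preflight(with_workaround(SAMPLE)))
```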
