
Error reading AWS SSO Identity Store Group Data Source #14

Open
mariusmitrofanbostontr opened this issue Feb 14, 2023 · 5 comments

mariusmitrofanbostontr commented Feb 14, 2023

Full error is (with obfuscation of sensitive data):

│ Error: reading AWS SSO Identity Store Group Data Source (<<microsoft-directory-id-here>>): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: 0b04d135-07e8-4216-a577-01e4586badaa, api error UnknownOperationException: UnknownError
│ 
│   with module.sso.data.aws_identitystore_group.this["group-from-microsoft-directory"],
│   on ../../../modules/sso/data.tf line 4, in data "aws_identitystore_group" "this":
│    4: data "aws_identitystore_group" "this" {

This issue has been encountered after switching to the latest release.

Is it something related to this maybe -> hashicorp/terraform-provider-aws#28139 ?

Or maybe because the group name format is group_name@domain.com instead of group_name ?

@aurimasmick aurimasmick self-assigned this Feb 26, 2023
@aurimasmick (Contributor) commented:

Hi @mariusmitrofanbostontr,

Don't think this error is directly related to the module, as it's not using the aws_identitystore_group data source. I believe you bumped the AWS provider version, which has a deprecated filter argument in aws_identitystore_group.
https://github.com/hashicorp/terraform-provider-aws/releases/tag/v4.40.0
Try changing that to the filtering syntax:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group

@mariusmitrofanbostontr (Author) commented:

Hi @aurimasmick ,

The version I tried with is the following:

    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.54.0"
    }

The module was "copied" locally and has the following definition, instead of being imported directly, due to "security" constraints, but it is a 1-to-1 match to yours:

data "aws_identitystore_group" "this" {
  for_each          = toset(local.groups)
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = each.value
    }
  }
}

After I switched back to using a filter (while maintaining the same AWS provider version of 4.54.0), it started working again but with the obvious deprecation notice:

Using filter =

data "aws_identitystore_group" "this" {
  for_each          = toset(local.groups)
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
  filter {
    attribute_path  = "DisplayName"
    attribute_value = each.value
  }
}

Deprecation notice received during PLAN phase =

Plan: 4 to add, 0 to change, 4 to destroy.

╷
│ Warning: Argument is deprecated
│ 
│   with module.sso.data.aws_identitystore_group.this["group-from-microsoft-directory"],
│   on ../../../modules/sso/data.tf line 4, in data "aws_identitystore_group" "this":
│    4: data "aws_identitystore_group" "this" {
│ 
│ Use the alternate_identifier attribute instead.
│ 
│ (and 4 more similar warnings elsewhere)
╵
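An added diagnostic, not code from this issue or from the module, covering both the contributor's suggestion to switch to the alternate_identifier syntax and the two configurations shown above: it issues the same Identity Store GetGroupId call (DisplayName UniqueAttribute) that the alternate_identifier block maps to, and if the store answers UnknownOperationException it retries with the ListGroups Filters call that the deprecated filter block corresponds to, so you can tell a provider bug from a store that simply does not support the operation. The identity store id and group display name are command-line arguments (constructed usage); botocore's ClientError is stubbed only when the library is not installed.

```python
"""Reproduce the aws_identitystore_group lookup outside Terraform.

Calls the same Identity Store operation the provider's alternate_identifier
block uses (GetGroupId with a DisplayName UniqueAttribute). If the store
answers UnknownOperationException, as in this issue, it retries with the
legacy ListGroups + Filters call that the deprecated filter block maps to.
"""
import sys

try:
    from botocore.exceptions import ClientError
except ImportError:  # botocore absent: stand-in with the same .response shape
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(error_response, operation_name)
            self.response = error_response
            self.operation_name = operation_name


def resolve_group_id(client, identity_store_id, display_name):
    """Return (group_id, api_used); raise LookupError if no single match."""
    try:
        resp = client.get_group_id(
            IdentityStoreId=identity_store_id,
            AlternateIdentifier={"UniqueAttribute": {
                "AttributePath": "DisplayName",
                "AttributeValue": display_name,
            }},
        )
        return resp["GroupId"], "GetGroupId"
    except ClientError as exc:
        code = exc.response.get("Error", {}).get("Code")
        if code == "ResourceNotFoundException":
            raise LookupError(f"no group named {display_name!r}") from exc
        if code != "UnknownOperationException":
            raise  # anything else is a real failure, not the symptom here
    # Store rejected GetGroupId: fall back to the legacy filtered list.
    resp = client.list_groups(
        IdentityStoreId=identity_store_id,
        Filters=[{"AttributePath": "DisplayName", "AttributeValue": display_name}],
    )
    groups = resp.get("Groups", [])
    if len(groups) != 1:
        raise LookupError(f"{len(groups)} groups named {display_name!r}")
    return groups[0]["GroupId"], "ListGroups"


if __name__ == "__main__":  # live run: python script.py <identity_store_id> <display_name>
    import boto3  # constructed usage; needs AWS credentials for the target account
    print(resolve_group_id(boto3.client("identitystore"), sys.argv[1], sys.argv[2]))
```

If the script also gets UnknownOperationException from GetGroupId while the ListGroups fallback succeeds, the behaviour comes from the Identity Store API rather than from the Terraform provider or this module.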


@aurimasmick (Contributor) commented:

Yes, your config should work as expected. I think you are right in thinking that it's related to hashicorp/terraform-provider-aws#28139.

@sergikpas commented:

We are experiencing the same issue. Any progress on a possible resolution?
Filter works fine, but alternate_identifier failed.


bengaywins commented May 21, 2024

It appears this works now. I just tested with provider 5.50.0 and I no longer get an error on groups that exist. Groups that don't exist, say as such. Also #33312 is the issue around removing filter again.
