Setting session_duration in aws_ssoadmin_permission_set seems to clear relay_state #17411

Closed
mccanney opened this issue Feb 2, 2021 · 3 comments · Fixed by #17423
Labels
bug Addresses a defect in current functionality. service/ssoadmin Issues and PRs that pertain to the ssoadmin service.
mccanney commented Feb 2, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

PS C:\> terraform -v
Terraform v0.14.5
+ provider registry.terraform.io/hashicorp/aws v3.26.0

Affected Resource(s)

  • aws_ssoadmin_permission_set

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

variable "session_duration" {
  type = string
  default = "PT1H"
}

data "aws_ssoadmin_instances" "this" {}

data "aws_region" "this" {}

resource "aws_ssoadmin_permission_set" "this" {
  description = "Permission Set for Admin access"
  name = "Admin-Full"
  instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  relay_state = "https://${data.aws_region.this.name}.console.aws.amazon.com/console/home?region=${data.aws_region.this.name}#"
  session_duration = var.session_duration
}

Expected Behavior

If I apply the above, it will apply correctly with the session_duration set to its default of PT1H. The issue arises when I want to alter the default session duration.

Actual Behavior

Changing session_duration to a value longer than 2 hours - for example, PT3H - results in the silent removal of the relay_state attribute from the Permission Set. A subsequent terraform apply then shows the relay_state attribute as missing and will add it but also set session_duration back to PT1H. Whereupon you loop around forever.

Steps to Reproduce

  1. terraform apply using the above code.
  2. Alter session_duration to PT3H or higher.
  3. terraform apply
  4. terraform plan shows relay_state missing.
  5. terraform apply to re-add relay_state.
  6. terraform plan shows session_duration set to PT1H.
  7. And so on.
anGie44 commented Feb 2, 2021

Thank you for raising this issue @mccanney. I'm able to reproduce and can see we'll need to modify the UpdatePermissionSet call to pass in the existing relay_state value, as we're not doing so by default. Interesting, though, that the "description" field does not go missing, as we're also not passing that value on updates 🤔
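
Added example, not part of the issue thread and not the provider's code: a small Go model of the apply loop described above, comparing an update that sends only changed attributes with one that re-sends relay_state and session_duration every time. The type and function names, the sample URL, and the modelled API behaviour (taken from the report and the comment above, not from AWS documentation) are assumptions.

```go
package main

import "fmt"

// PermissionSet is a constructed stand-in for the remote object; a nil UpdateInput field means "not sent".
type PermissionSet struct{ Description, RelayState, SessionDuration string }
type UpdateInput struct{ Description, RelayState, SessionDuration *string }

func pick(p *string, fallback string) string {
	if p != nil {
		return *p
	}
	return fallback
}

// update models the behaviour reported in the issue (assumed from the thread): an omitted
// RelayState is cleared, an omitted SessionDuration reverts to PT1H, an omitted Description is kept.
func update(ps PermissionSet, in UpdateInput) PermissionSet {
	return PermissionSet{pick(in.Description, ps.Description), pick(in.RelayState, ""), pick(in.SessionDuration, "PT1H")}
}

func diff(have, want string) *string {
	if have != want {
		return &want
	}
	return nil
}

// changedOnly sends only attributes that differ; fullState also re-sends relay_state and session_duration.
func changedOnly(r, w PermissionSet) UpdateInput {
	return UpdateInput{diff(r.Description, w.Description), diff(r.RelayState, w.RelayState), diff(r.SessionDuration, w.SessionDuration)}
}
func fullState(r, w PermissionSet) UpdateInput {
	return UpdateInput{diff(r.Description, w.Description), &w.RelayState, &w.SessionDuration}
}

// AppliesToConverge counts applies until remote == want; a result above limit means a perpetual diff.
func AppliesToConverge(build func(r, w PermissionSet) UpdateInput, remote, want PermissionSet, limit int) (n int) {
	for ; remote != want && n <= limit; n++ {
		remote = update(remote, build(remote, want))
	}
	return n
}

func main() {
	start := PermissionSet{"Admin", "https://console.example/home#", "PT1H"} // constructed sample
	want := PermissionSet{"Admin", start.RelayState, "PT3H"}
	fmt.Println(AppliesToConverge(changedOnly, start, want, 10), AppliesToConverge(fullState, start, want, 10))
}
```

In this model the changed-only update alternates between a missing relay_state and a PT1H session_duration and never settles, while the full-state update converges in a single apply.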

ghost commented Feb 5, 2021

This has been released in version 3.27.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

ghost commented Mar 7, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
