
[Bug]: data "aws_identitystore_user" not working as intended #27830

Closed
ghost opened this issue Nov 15, 2022 · 10 comments · Fixed by #28937
Labels
bug Addresses a defect in current functionality. regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. service/identitystore Issues and PRs that pertain to the identitystore service.

Comments

@ghost

ghost commented Nov 15, 2022

Terraform Core Version

1.3.4

AWS Provider Version

4.39.0

Affected Resource(s)

According to the docs for data aws_identitystore_user, I should be able to retrieve a user from the identity store provider using code that looks like this:

# retrieve user from directory service
data "aws_identitystore_user" "lee_user" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.main.identity_store_ids)[0]
  alternate_identifier {
    unique_attribute {
      attribute_path  = "UserName"
      attribute_value = "lee@example.com"
    }
  }
}

Expected Behavior

data.aws_identitystore_user.lee_user.id should be assigned the value of the user with the UserName "lee@example.com".

If an error occurs, it should appropriately identify that error.

Actual Behavior

api error UnknownOperationException: UnknownError was raised

Relevant Error/Panic Output Snippet

│ Error: reading AWS SSO Identity Store User Data Source (d-XXXXXXXXXX): operation error identitystore: GetUserId, https response error StatusCode: 400, RequestID: e2fa4632-1bca-4a9e-842b-b4a83b28ed42, api error UnknownOperationException: UnknownError
│ 
│   with data.aws_identitystore_user.lee_user,
│   on main.tf line 56, in data "aws_identitystore_user" "lee_user":
│   56: data "aws_identitystore_user" "lee_user" {
│

Terraform Configuration Files

see above

Steps to Reproduce

see above

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No response

@ghost ghost added bug Addresses a defect in current functionality. needs-triage Waiting for first response or review from a maintainer. labels Nov 15, 2022
@github-actions github-actions bot added the service/identitystore Issues and PRs that pertain to the identitystore service. label Nov 15, 2022
@appian-ashugarts

We have just had this happen on provider version 4.38.0 and 4.34.0 also, but not 4.33.0 and 4.32.0 (we didn't try the intermediary versions between 4.34 and 4.38 FWIW). Terraform version was 1.2.8, but it seems clear to me that it's a provider issue.

@rob-orr

rob-orr commented Nov 17, 2022

I did try 4.34.0 and 4.37.0 (as well as 4.38.0 and 4.39.0) and got the same error. 4.33.0 was the last version that did not have this issue. For now, we've worked around this by pinning the provider but we obviously won't be able to use updates until this is fixed.

@rob-orr

rob-orr commented Nov 17, 2022

For a little more context, here's our data source that is triggering the exception (similar to OP but not exactly the same):

data "aws_identitystore_user" "user_identity" {
  for_each          = toset(local.user_list)
  identity_store_id = tolist(data.aws_ssoadmin_instances.corp_org_sso.identity_store_ids)[0]
  filter {
    attribute_path  = "UserName"
    attribute_value = "${each.key}@example.com"
  }
}

@breathingdust breathingdust added regression Pertains to a degraded workflow resulting from an upstream patch or internal enhancement. and removed needs-triage Waiting for first response or review from a maintainer. labels Nov 24, 2022
@gdavison gdavison self-assigned this Nov 29, 2022
@gdavison
Contributor

Hi, @chris-at-covariance. I'm going to look into this. Unfortunately, the

operation error identitystore: GetUserId, https response error StatusCode: 400, RequestID: e2fa4632-1bca-4a9e-842b-b4a83b28ed42, api error UnknownOperationException: UnknownError

part of the error message is what's returned by the AWS API, so we don't have any control over that.

@gdavison
Contributor

gdavison commented Dec 5, 2022

Hi @chris-at-covariance, are you still seeing this error? I was able to recreate it last week, but not today.

For some additional information:

  1. What region are you using?

  2. Which type of Identity Source are you using to back your Identity Store: Identity Center directory, Active Directory, or an External Identity Provider?

@gdavison gdavison added the waiting-response Maintainers are waiting on response from community or contributor. label Dec 5, 2022
@ghost
Author

ghost commented Dec 5, 2022 via email

@Phylu

Phylu commented Dec 23, 2022

I did some digging around after encountering the same issue, but for aws_identitystore_group, which had the very same change in its behaviour. Posting here, as the underlying issue is the same. I did my debugging with the groups data object, but this should not differ from the user one.

AWS Region: eu-central-1
Identity source: AD Connector
Authentication method: Active Directory
Provisioning method: AD Sync

Everything works with the terraform-provider-aws in version <= 3.40 with the following configuration:

data "aws_identitystore_group" "group" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  filter {
    attribute_path  = "DisplayName"
    attribute_value = "group@example.org"
  }
}

After upgrading the provider and adjusting the deprecated filtering as follows, it does not work anymore:

data "aws_identitystore_group" "group" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "group@example.org"
    }
  }
}

Looking at the requests in debug mode, one can see that the request using the new GetGroupId method as described in #27762 does not work, whereas the ListGroups method works.

Previous Versions:

data.aws_identitystore_group.group: Reading...
[DEBUG] [aws-sdk-go-v2] Request
POST / HTTP/1.1
Host: identitystore.eu-central-1.amazonaws.com
User-Agent: APN/1.0 HashiCorp/1.0 Terraform/1.3.6 (+https://www.terraform.io) terraform-provider-aws/dev (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.17.1 os/macos lang/go/1.18.4 md/GOOS/darwin md/GOARCH/amd64 api/identitystore/1.15.7
Content-Length: 125
Amz-Sdk-Invocation-Id: [REDACTED]
Amz-Sdk-Request: attempt=1; max=25
Authorization: [REDACTED]
Content-Type: application/x-amz-json-1.1
X-Amz-Date: [REDACTED]
X-Amz-Security-Token: [REDACTED]
X-Amz-Target: AWSIdentityStore.ListGroups
Accept-Encoding: gzip

{"Filters":[{"AttributePath":"DisplayName","AttributeValue":"group@example.org"}],"IdentityStoreId":"d-9967361e99"}
[DEBUG] [aws-sdk-go-v2] Response
HTTP/2.0 200 OK
Content-Length: 118
Content-Type: application/x-amz-json-1.1
Date: Fri, 23 Dec 2022 09:39:48 GMT
X-Amzn-Requestid: [REDACTED]

{"Groups":[{"DisplayName":"group@example.org","GroupId":"[REDACTED]"}]}
data.aws_identitystore_group.group: Read complete after 0s [id=[REDACTED]]
data.aws_identitystore_group.group: Reading...
[DEBUG] [aws-sdk-go-v2] Request
POST / HTTP/1.1
Host: identitystore.eu-central-1.amazonaws.com
User-Agent: APN/1.0 HashiCorp/1.0 Terraform/1.3.6 (+https://www.terraform.io) terraform-provider-aws/4.48.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.17.3 os/macos lang/go/1.19.3 md/GOOS/darwin md/GOARCH/amd64 api/identitystore/1.15.9
Content-Length: 155
Amz-Sdk-Invocation-Id: [REDACTED]
Amz-Sdk-Request: attempt=1; max=25
Authorization: [REDACTED]
Content-Type: application/x-amz-json-1.1
X-Amz-Date: [REDACTED]
X-Amz-Security-Token: [REDACTED]
X-Amz-Target: AWSIdentityStore.GetGroupId
Accept-Encoding: gzip

{"AlternateIdentifier":{"UniqueAttribute":{"AttributePath":"DisplayName","AttributeValue":"group@example.org"}},"IdentityStoreId":"[REDACTED]"}

[DEBUG] [aws-sdk-go-v2] Response
HTTP/2.0 400 Bad Request
Content-Length: 38
Content-Type: application/x-amz-json-1.1
Date: Fri, 23 Dec 2022 09:44:07 GMT
X-Amzn-Requestid: [REDACTED]

{"__type":"UnknownOperationException"}
[DEBUG] [aws-sdk-go-v2] request failed with unretryable error https response error StatusCode: 400, RequestID: [REDACTED], api error UnknownOperationException: UnknownError
Response contains error diagnostic: tf_req_id=[REDACTED] tf_rpc=ReadDataSource @caller=github.com/hashicorp/terraform-plugin-go@v0.14.2/tfprotov5/internal/diag/diagnostics.go:55 @module=sdk.proto tf_proto_version=5.3 diagnostic_summary="reading AWS SSO Identity Store Group Data Source ([REDACTED]): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: [REDACTED], api error UnknownOperationException: UnknownError" tf_data_source_type=aws_identitystore_group tf_provider_addr=registry.terraform.io/hashicorp/aws diagnostic_detail= diagnostic_severity=ERROR timestamp=2022-12-23T10:44:07.767+0100
[ERROR] vertex "data.aws_identitystore_group.group" error: reading AWS SSO Identity Store Group Data Source ([REDACTED]): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: [REDACTED], api error UnknownOperationException: UnknownError
[ERROR] vertex "data.aws_identitystore_group.group (expand)" error: reading AWS SSO Identity Store Group Data Source ([REDACTED]): operation error identitystore: GetGroupId, https response error StatusCode: 400, RequestID: , api error UnknownOperationException: UnknownError
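The debug log above is the quickest way to confirm which Identity Store operation the provider is calling and how the API answers. The following Python script is an added example, not from the issue or from the provider: it parses the aws-sdk-go-v2 request/response blocks in a TF_LOG=debug transcript, pairs each X-Amz-Target with the HTTP status and any `__type` error in the JSON response body, and lists the operations that failed. The embedded log excerpt is constructed after the one posted here, with placeholder identifiers.

```python
"""Summarise aws-sdk-go-v2 request/response pairs from a Terraform debug log.

Added example (not the provider's code). The log below is a constructed
excerpt modelled on the TF_LOG=debug output posted in the thread; the
identity store id and group id are placeholders.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_LOG = """\
data.aws_identitystore_group.group: Reading...
[DEBUG] [aws-sdk-go-v2] Request
POST / HTTP/1.1
Host: identitystore.eu-central-1.amazonaws.com
Content-Type: application/x-amz-json-1.1
X-Amz-Target: AWSIdentityStore.ListGroups
Accept-Encoding: gzip

{"Filters":[{"AttributePath":"DisplayName","AttributeValue":"group@example.org"}],"IdentityStoreId":"d-0000000000"}
[DEBUG] [aws-sdk-go-v2] Response
HTTP/2.0 200 OK
Content-Type: application/x-amz-json-1.1

{"Groups":[{"DisplayName":"group@example.org","GroupId":"PLACEHOLDER"}]}
[DEBUG] [aws-sdk-go-v2] Request
POST / HTTP/1.1
Host: identitystore.eu-central-1.amazonaws.com
X-Amz-Target: AWSIdentityStore.GetGroupId
Accept-Encoding: gzip

{"AlternateIdentifier":{"UniqueAttribute":{"AttributePath":"DisplayName","AttributeValue":"group@example.org"}},"IdentityStoreId":"d-0000000000"}

[DEBUG] [aws-sdk-go-v2] Response
HTTP/2.0 400 Bad Request
Content-Type: application/x-amz-json-1.1

{"__type":"UnknownOperationException"}
[DEBUG] [aws-sdk-go-v2] request failed with unretryable error ...
"""

REQUEST_MARK = "[DEBUG] [aws-sdk-go-v2] Request"
RESPONSE_MARK = "[DEBUG] [aws-sdk-go-v2] Response"
STATUS_RE = re.compile(r"^HTTP/\S+ (\d{3})\b")


@dataclass
class Exchange:
    """One API call: the operation requested and what the service answered."""
    target: str
    host: str
    status: Optional[int] = None
    error_type: Optional[str] = None


def parse_exchanges(log: str) -> List[Exchange]:
    """Walk the log line by line, collecting request headers until the
    matching Response marker, then the status line and any JSON error body."""
    exchanges: List[Exchange] = []
    current: Optional[Exchange] = None
    in_response = False
    for line in log.splitlines():
        if line == REQUEST_MARK:
            current = Exchange(target="", host="")
            exchanges.append(current)
            in_response = False
            continue
        if line == RESPONSE_MARK:
            in_response = True
            continue
        if current is None:
            continue  # lines before the first request are Terraform chatter
        if not in_response:
            if line.startswith("X-Amz-Target:"):
                current.target = line.split(":", 1)[1].strip()
            elif line.startswith("Host:"):
                current.host = line.split(":", 1)[1].strip()
        else:
            m = STATUS_RE.match(line)
            if m:
                current.status = int(m.group(1))
            elif line.startswith("{"):
                try:
                    body = json.loads(line)
                except json.JSONDecodeError:
                    continue  # truncated or redacted body: ignore
                if isinstance(body, dict) and "__type" in body:
                    current.error_type = body["__type"]
    return exchanges


def failed_operations(log: str) -> List[Tuple[str, Optional[int], Optional[str]]]:
    """Return (operation, status, error type) for every 4xx/5xx response."""
    return [
        (e.target, e.status, e.error_type)
        for e in parse_exchanges(log)
        if e.status is not None and e.status >= 400
    ]


if __name__ == "__main__":
    for target, status, err in failed_operations(SAMPLE_LOG):
        print(f"{target}: HTTP {status} {err or ''}")
```

Run it against a real transcript by reading the file into `failed_operations` instead of `SAMPLE_LOG`; on the output posted in this thread it reports only the GetGroupId call, which makes the regression visible without wading through the redacted headers.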

@ewbankkit
Contributor

ewbankkit commented Jan 17, 2023

@chris-at-covariance We were unable to reproduce this in our acceptance tests, so I went ahead and restored the old filter functionality (using the ListUsers API) in #28937.
If this does not fix the problem, please open a new issue.
Thanks.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 17, 2023