Terraform deployments - misconfiguration?

[Jarvvski]

Hi there

I'm trying to do a deployment via terraform, and this works for the first pass. But any subsequent plan throws a spanner in the works

For example, on a second plan after a successful apply and deployment (i see in the logs things are working fine)

  # aws_serverlessapplicationrepository_cloudformation_stack.sso_sync will be updated in-place
  ~ resource "aws_serverlessapplicationrepository_cloudformation_stack" "sso_sync" {
        id               = "arn:aws:cloudformation:eu-west-2:765624835580:stack/serverlessrepo-ssosync-application/72dbff00-a38a-11f0-81e3-0a87db22ea11"
        name             = "ssosync-application"
      ~ parameters       = {
          + "DryRun"                  = "live"
          + "FunctionName"            = null
          + "GoogleGroupMatch"        = "*"
          + "GoogleUserMatch"         = null
          + "IgnoreGroups"            = null
          + "IgnoreUsers"             = null
          + "IncludeGroups"           = null
          + "LogFormat"               = "json"
          + "LogLevel"                = "warn"
          + "MemorySize"              = "128"
          + "ScheduleExpression"      = "rate(15 minutes)"
          + "SyncMethod"              = "groups"
          + "SyncSuspended"           = "ignore"
          + "TimeOut"                 = "300"
            # (7 unchanged elements hidden)
        }
        tags             = {}
      ~ tags_all         = {
          + "project"   = "services/admin"
            # (2 unchanged elements hidden)
        }
        # (5 unchanged attributes hidden)
    }

With the following terraform:

# other secret resources managed above this fold...


# Fetch SSOSync application metadata from AWS Serverless Application Repository
data "aws_serverlessapplicationrepository_application" "sso_sync" {
  application_id   = "arn:aws:serverlessrepo:us-east-2:004480582608:applications/SSOSync"
  semantic_version = local.ssosync_version
}

resource "aws_serverlessapplicationrepository_cloudformation_stack" "sso_sync" {
  name             = local.stack_name
  application_id   = data.aws_serverlessapplicationrepository_application.sso_sync.application_id
  semantic_version = data.aws_serverlessapplicationrepository_application.sso_sync.semantic_version
  capabilities     = data.aws_serverlessapplicationrepository_application.sso_sync.required_capabilities

  parameters = {
    DeployPattern = "App only"

    # Index 0 → GOOGLE_CREDENTIALS
    # Index 1 → GOOGLE_ADMIN
    # Index 2 → SCIM_ENDPOINT
    # Index 3 → SCIM_ACCESS_TOKEN
    # Index 4 → REGION
    # Index 5 → IDENTITY_STORE_ID
    CrossStackConfig = join(",", [
      aws_secretsmanager_secret.google_credentials.arn,
      aws_secretsmanager_secret.google_admin_email.arn,
      aws_secretsmanager_secret.scim_endpoint_url.arn,
      aws_secretsmanager_secret.scim_access_token.arn,
      aws_secretsmanager_secret.region.arn,
      aws_secretsmanager_secret.identity_store_id.arn
    ])

    # Configuration parameters
    SyncMethod         = local.sync_method
    GoogleGroupMatch   = local.google_group_match
    GoogleUserMatch    = local.google_user_match
    IncludeGroups      = local.include_groups
    IgnoreGroups       = ""
    IgnoreUsers        = ""
    DryRun             = local.dry_run
    PrecacheOrgUnits   = local.precache_org_units
    SyncSuspended      = "ignore"
    ScheduleExpression = local.schedule_expression
    TimeOut            = tostring(local.timeout)
    MemorySize         = tostring(local.memory_size)
    LogLevel           = "warn"
    LogFormat          = "json"
    FunctionName       = ""
  }

  depends_on = [
    aws_secretsmanager_secret.google_credentials,
    aws_secretsmanager_secret.google_admin_email,
    aws_secretsmanager_secret.scim_endpoint_url,
    aws_secretsmanager_secret.scim_access_token,
    aws_secretsmanager_secret.identity_store_id,
  ]
}

[ChrisPates]

Are there error messages or similar you can share?

I notice that some of the environment variables are being set to null when I would expect them to be empty strings.

SAR is using Cloudformation and a parameter can't be null, but instead is an empty string "".

Also, whilst in the template it shows the semantic version I don't see it in the plan out? Is that expected?

[Jarvvski]

I've added a lifecycle ignore wrapper around the parameters, which handles things for now. But isn't great of course

The plan output (without the lifecycle rule) is

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_serverlessapplicationrepository_cloudformation_stack.sso_sync will be updated in-place
  ~ resource "aws_serverlessapplicationrepository_cloudformation_stack" "sso_sync" {
        id               = "arn:aws:cloudformation:eu-west-2:765624835580:stack/serverlessrepo-ssosync-application/b88dd160-a392-11f0-9eea-0251406fc4bd"
        name             = "ssosync-application"
      ~ parameters       = {
          + "DryRun"                  = "live"
          - "GoogleAdminEmail"        = "****" -> null
          - "GoogleCredentials"       = "****" -> null
          + "GoogleGroupMatch"        = "*"
          + "GoogleUserMatch"         = null
          + "IgnoreGroups"            = null
          + "IgnoreUsers"             = null
          + "IncludeGroups"           = null
          + "LogFormat"               = "json"
          + "LogLevel"                = "warn"
          + "MemorySize"              = "128"
          - "SCIMEndpointAccessToken" = "****" -> null
          + "ScheduleExpression"      = "rate(15 minutes)"
          + "SyncMethod"              = "groups"
          + "SyncSuspended"           = "ignore"
          + "TimeOut"                 = "300"
            # (4 unchanged elements hidden)
        }
        tags             = {}
        # (6 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

The resources i'm provisioning is this (as a note, why are some items secrets like the region?):

locals {
  ssosync_version = "2.3.3" # get this via github

  # Google config
  google_admin_email = "<fake>"
  scim_endpoint_url  = "<fake>"
  identity_store_id  = "<fake>"
  aws_sso_region     = "eu-west-2"

  # Sync configuration
  google_group_match  = "*"                # Examples: "name:AWS*", "email:aws-*@company.com", "name=Admins", "*" for all
  google_user_match   = ""                 # Examples: "name:John*", "email:admin*", "*" for all. Leave empty for no filtering
  sync_method         = "groups"           # Options: "groups" or "users_groups"
  include_groups      = ""                 # Comma-separated group emails (e.g., "aws-admins@company.com,devs@company.com"). Only works with sync_method = "users_groups"
  dry_run             = "live"             # Options: "live" or "dry-run"
  precache_org_units  = "//"               # Examples: "/", "/Engineering,/Sales", "" to disable. Default "/" for all
  schedule_expression = "rate(15 minutes)" # Examples: "rate(15 minutes)", "rate(1 hour)", "cron(0 12 * * ? *)" for daily at noon UTC
  timeout             = 300                # Seconds (1-900)
  memory_size         = 128                # MB (128-10240)

  stack_name     = "ssosync-application"
  deploy_pattern = "App only" # "Bring our own secrets"

}

resource "aws_secretsmanager_secret" "google_credentials" {
  name                    = "SSOSync/GoogleCredentials"
  description             = "Google Cloud service account credentials JSON for SSOSync"
  recovery_window_in_days = 30
  kms_key_id              = "alias/aws/secretsmanager"

  tags = {
    Application = "SSOSync"
    ManagedBy   = "Terraform"
  }
}

resource "aws_secretsmanager_secret" "google_admin_email" {
  name                    = "SSOSync/GoogleAdminEmail"
  description             = "Google Workspace admin email for SSOSync"
  recovery_window_in_days = 30
  kms_key_id              = "alias/aws/secretsmanager"

  tags = {
    Application = "SSOSync"
    ManagedBy   = "Terraform"
  }
}

resource "aws_secretsmanager_secret_version" "google_admin_email" {
  secret_id     = aws_secretsmanager_secret.google_admin_email.id
  secret_string = local.google_admin_email
}

resource "aws_secretsmanager_secret" "scim_endpoint_url" {
  name                    = "SSOSync/SCIMEndpointUrl"
  description             = "AWS IAM Identity Center SCIM endpoint URL"
  recovery_window_in_days = 30
  kms_key_id              = "alias/aws/secretsmanager"

  tags = {
    Application = "SSOSync"
    ManagedBy   = "Terraform"
  }
}

resource "aws_secretsmanager_secret_version" "scim_endpoint_url" {
  secret_id     = aws_secretsmanager_secret.scim_endpoint_url.id
  secret_string = local.scim_endpoint_url
}

resource "aws_secretsmanager_secret" "scim_access_token" {
  name                    = "SSOSync/SCIMAccessToken"
  description             = "AWS IAM Identity Center SCIM access token"
  recovery_window_in_days = 30
  kms_key_id              = "alias/aws/secretsmanager"

  tags = {
    Application = "SSOSync"
    ManagedBy   = "Terraform"
  }
}

resource "aws_secretsmanager_secret" "identity_store_id" {
  name                    = "SSOSync/IdentityStoreID"
  description             = "AWS Identity Store ID"
  recovery_window_in_days = 30
  kms_key_id              = "alias/aws/secretsmanager"

  tags = {
    Application = "SSOSync"
    ManagedBy   = "Terraform"
  }
}

resource "aws_secretsmanager_secret_version" "identity_store_id" {
  secret_id     = aws_secretsmanager_secret.identity_store_id.id
  secret_string = local.identity_store_id
}

resource "aws_secretsmanager_secret" "region" {
  name                    = "SSOSync/Region"
  description             = "AWS region for IAM Identity Center"
  recovery_window_in_days = 30
  kms_key_id              = "alias/aws/secretsmanager"

  tags = {
    Application = "SSOSync"
    ManagedBy   = "Terraform"
  }
}

resource "aws_secretsmanager_secret_version" "region" {
  secret_id     = aws_secretsmanager_secret.region.id
  secret_string = local.aws_sso_region
}

# Fetch SSOSync application metadata from AWS Serverless Application Repository
data "aws_serverlessapplicationrepository_application" "sso_sync" {
  application_id   = "arn:aws:serverlessrepo:us-east-2:004480582608:applications/SSOSync"
  semantic_version = local.ssosync_version
}

# Deploy SSOSync application from AWS Serverless Application Repository
resource "aws_serverlessapplicationrepository_cloudformation_stack" "sso_sync" {
  name             = local.stack_name
  application_id   = data.aws_serverlessapplicationrepository_application.sso_sync.application_id
  semantic_version = data.aws_serverlessapplicationrepository_application.sso_sync.semantic_version
  capabilities     = data.aws_serverlessapplicationrepository_application.sso_sync.required_capabilities

  parameters = {
    # Deployment pattern - using "App Only" mode where Terraform manages separate secrets
    # and the SAR app will reference these existing ARNs
    DeployPattern = local.deploy_pattern

    # Index 0 → GOOGLE_CREDENTIALS
    # Index 1 → GOOGLE_ADMIN
    # Index 2 → SCIM_ENDPOINT
    # Index 3 → SCIM_ACCESS_TOKEN
    # Index 4 → REGION
    # Index 5 → IDENTITY_STORE_ID
    CrossStackConfig = join(",", [
      aws_secretsmanager_secret.google_credentials.arn,
      aws_secretsmanager_secret.google_admin_email.arn,
      aws_secretsmanager_secret.scim_endpoint_url.arn,
      aws_secretsmanager_secret.scim_access_token.arn,
      aws_secretsmanager_secret.region.arn,
      aws_secretsmanager_secret.identity_store_id.arn
    ])

    # Configuration parameters
    SyncMethod         = local.sync_method
    GoogleGroupMatch   = local.google_group_match
    GoogleUserMatch    = local.google_user_match
    IncludeGroups      = local.include_groups
    IgnoreGroups       = ""
    IgnoreUsers        = ""
    DryRun             = local.dry_run
    PrecacheOrgUnits   = local.precache_org_units
    SyncSuspended      = "ignore"
    ScheduleExpression = local.schedule_expression
    TimeOut            = tostring(local.timeout)
    MemorySize         = tostring(local.memory_size)
    LogLevel           = "warn"
    LogFormat          = "json"
    FunctionName       = "GoogleSSOSync"
  }

  depends_on = [
    aws_secretsmanager_secret.google_credentials,
    aws_secretsmanager_secret.google_admin_email,
    aws_secretsmanager_secret.scim_endpoint_url,
    aws_secretsmanager_secret.scim_access_token,
    aws_secretsmanager_secret.identity_store_id,
  ]

  # for now, just ignore all parameter changes..
  # https://github.com/awslabs/ssosync/issues/273
  lifecycle {
    ignore_changes = [
      parameters
    ]
  }
}

[ChrisPates]

So this point, you are very correct.

The resources i'm provisioning is this (as a note, why are some items secrets like the region?):
See Expand the Options for storing the sensitive parameters to include binary secrets and SSM Parameter Store

The Region secrets doesn't need to exist, it can be extracted from the SCIM api endpoint, so it will be going in v3.x.x

[Jarvvski]

Using SSM Parameter Store would be great for this use case, so the linked issue is great to see

Any thoughts on the parameters though? I wouldn't have thought it was expected that I'd add them to the lifecycle ignore rule

[tiany4]

For the parameters, you need to add the secrets as parameters too. Otherwise they don't exist to Terraform, hence the nulls

# secrets
GoogleAdminEmail        = data.aws_secretsmanager_secret_version.google_admin_email.secret_string
GoogleCredentials       = data.aws_secretsmanager_secret_version.google_credentials.secret_string
IdentityStoreID         = data.aws_secretsmanager_secret_version.identity_store_id.secret_string
Region                  = data.aws_secretsmanager_secret_version.region.secret_string # not really a secret; it will be removed in 3.x.x
SCIMEndpointAccessToken = data.aws_secretsmanager_secret_version.scim_endpoint_access_token.secret_string
SCIMEndpointUrl         = data.aws_secretsmanager_secret_version.scim_endpoint.secret_string