Snowflake-Labs / terraform-provider-snowflake

Terraform provider for managing Snowflake accounts
https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest
MIT License

Unable to grant alert privileges #1796

Closed markgandy closed 6 months ago

markgandy commented 1 year ago

Provider Version

0.64.0

Terraform Version

1.3.0

Describe the bug

Snowflake alert resources were added recently, which is great. But I'm unable to create a role with the required privileges to create/execute alerts. I get errors in the plan for CREATE ALERT and EXECUTE ALERT:

╷
│ Error: expected privilege to be one of [CREATE EXTERNAL TABLE CREATE MATERIALIZED VIEW MODIFY CREATE FILE FORMAT CREATE MASKING POLICY CREATE SESSION POLICY CREATE STREAM CREATE TAG CREATE VIEW MONITOR CREATE ROW ACCESS POLICY CREATE SEQUENCE CREATE STAGE USAGE OWNERSHIP ADD SEARCH OPTIMIZATION CREATE FUNCTION CREATE PIPE CREATE PROCEDURE CREATE TABLE CREATE TASK CREATE TEMPORARY TABLE], got CREATE ALERT
│
│   with module.alert_role.snowflake_schema_grant.this["DATALAKE/STRUCTURED/CREATE ALERT"],
│   on modules/roles/main.tf line 39, in resource "snowflake_schema_grant" "this":
│   39:   privilege              = each.value.privilege
│
╵
╷
│ Error: expected privilege to be one of [APPLY PASSWORD POLICY AUDIT EXECUTE MANAGED TASK APPLY ROW ACCESS POLICY CREATE CREDENTIAL CREATE SHARE EXECUTE TASK MONITOR MONITOR EXECUTION MONITOR SECURITY MANAGE ACCOUNT SUPPORT CASES APPLY SESSION POLICY ATTACH POLICY CREATE DATABASE CREATE DATA EXCHANGE LISTING CREATE USER CREATE ACCOUNT OVERRIDE SHARE RESTRICTIONS MANAGE USER SUPPORT CASES MANAGE GRANTS PURCHASE DATA EXCHANGE LISTING APPLY TAG IMPORT SHARE PROVISION APPLICATION CREATE FAILOVER GROUP CREATE INTEGRATION CREATE WAREHOUSE MANAGE ORGANIZATION SUPPORT CASES APPLY MASKING POLICY CREATE NETWORK POLICY CREATE ROLE MONITOR USAGE], got EXECUTE ALERT
│
│   with module.alert_role.snowflake_account_grant.this["EXECUTE ALERT"],
│   on modules/roles/main.tf line 68, in resource "snowflake_account_grant" "this":
│   68:   privilege              = each.value
│
╵

Expected behavior

We should be able to add grant alert privileges

Code samples and commands

resource "snowflake_schema_grant" "grant" {
  database_name = "database"
  schema_name   = "schema"

  privilege = "CREATE ALERT"
  roles     = ["role1", "role2"]
  shares    = ["share1", "share2"]

  on_future         = false
  with_grant_option = false
}

Additional context

I guess including the alert privileges was missed when the alert resources were added.

mlorek commented 1 year ago

@markgandy where do you see CREATE ALERT permission? they are not listed here: https://docs.snowflake.com/en/user-guide/security-access-control-privileges#alert-privileges

markgandy commented 1 year ago

> @markgandy where do you see CREATE ALERT permission? they are not listed here: https://docs.snowflake.com/en/user-guide/security-access-control-privileges#alert-privileges

@mlorek CREATE ALERT is under the schema privileges (and EXECUTE ALERT is under global privileges)

This guide documents how they should be granted - https://docs.snowflake.com/en/user-guide/alerts

culpgrant commented 1 year ago

I would like to add to this issue: you cannot grant the EXECUTE ALERT privilege on the resource snowflake_alert; you get the same error as above.

Code Sample:

resource "snowflake_account_grant" "grant" {
  roles             = ["role1", "role2"]
  privilege         = "EXECUTE ALERT"
  with_grant_option = false
}

sfc-gh-jcieslak commented 6 months ago

Hey 👋 Closing the issue as it's referring to the deprecated resource and we're not supporting them. Please, try to use the latest provider version with the non-deprecated resources (e.g. snowflake_grant_privileges_to_account_role). If the issue persists on the non-deprecated resource, please create a new GitHub issue. The migration guide may help during migration to the latest resources. Here's a list of the latest, non-deprecated, grant resources:

Resources
- snowflake_grant_privileges_to_database_role
- snowflake_grant_privileges_to_account_role
- snowflake_grant_account_role
- snowflake_grant_database_role
- snowflake_grant_application_role (coming soon)
- snowflake_grant_privileges_to_share
- snowflake_grant_ownership (coming soon)

Data sources
- snowflake_grants
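
The two grants from this thread written against the non-deprecated snowflake_grant_privileges_to_account_role resource, as an added example that is not part of the original thread or the provider's own documentation. The role name ALERT_ROLE is a placeholder, the database and schema names are taken from the error output above, and whether a given provider version accepts these privilege names is an assumption to confirm with `terraform plan`.

```hcl
# Added example: alert privileges on the non-deprecated grant resource.
# ALERT_ROLE is a placeholder role name; DATALAKE/STRUCTURED come from the
# error output quoted in the issue.

# Schema-level privilege: lets the role create alerts in one schema only.
resource "snowflake_grant_privileges_to_account_role" "create_alert" {
  account_role_name = "ALERT_ROLE"
  privileges        = ["CREATE ALERT"]

  on_schema {
    # The new resource expects a fully qualified, quoted schema identifier.
    schema_name = "\"DATALAKE\".\"STRUCTURED\""
  }

  # Keep the grantee from re-granting the privilege to other roles.
  with_grant_option = false
}

# Account-level (global) privilege: lets the role run alerts it owns.
resource "snowflake_grant_privileges_to_account_role" "execute_alert" {
  account_role_name = "ALERT_ROLE"
  privileges        = ["EXECUTE ALERT"]
  on_account        = true

  with_grant_option = false
}
```

Each resource targets a single role and a single scope, so the account-wide EXECUTE ALERT grant stays separate from the schema-scoped CREATE ALERT grant and can be reviewed or revoked on its own.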