Snowflake-Labs / terraform-provider-snowflake

Terraform provider for managing Snowflake accounts
https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest
MIT License

Conditional masking policy with multiple columns always forces replacement #2054

Closed fredriv closed 7 months ago

fredriv commented 1 year ago

Provider Version

0.70.1

Terraform Version

1.5.4

Describe the bug

We are creating a conditional masking policy with multiple columns in the signature. The masking policy is created correctly in Snowflake, but when running terraform plan afterwards, it always claims that the signature has changed, which forces replacement.

Expected behavior

The masking policy should not change.

Code samples and commands

Example masking policy that fails:

resource "snowflake_masking_policy" "example_conditional_masking_policy" {
  name = "EXAMPLE_CONDITIONAL_MASKING_POLICY"

  database           = "EXAMPLE_DB"
  schema             = "EXAMPLE_SCHEMA"
  return_data_type   = "NUMBER"
  masking_expression = <<-EOF
  case
    when current_role() in ('ADMIN') then val
    when customer_id <= 0 then 0
    else val
  end
EOF
  signature {
    column {
      name = "VAL"
      type = "NUMBER"
    }
    column {
      name = "CUSTOMER_ID"
      type = "NUMBER"
    }
  }
}

Output from terraform plan:

 # snowflake_masking_policy.example_conditional_masking_policy must be replaced
-/+ resource "snowflake_masking_policy" "example_conditional_masking_policy" {
      ~ id                    = "EXAMPLE_DB|EXAMPLE_SCHEMA|EXAMPLE_CONDITIONAL_MASKING_POLICY" -> (known after apply)
      ~ masking_expression    = <<-EOT
            case
              when current_role() in ('ADMIN') then val
              when customer_id <= 0 then 0
              else val
            end
        EOT
        name                  = "EXAMPLE_CONDITIONAL_MASKING_POLICY"
      ~ qualified_name        = "\"EXAMPLE_DB\".\"EXAMPLE_SCHEMA\".\"EXAMPLE_CONDITIONAL_MASKING_POLICY\"" -> (known after apply)
        # (4 unchanged attributes hidden)

      ~ signature {
          + column {
              + name = "CUSTOMER_ID"
              + type = "NUMBER" # forces replacement
            }

            # (1 unchanged block hidden)
        }
      - signature {
          - column {
              - name = "CUSTOMER_ID" -> null
              - type = "NUMBER" -> null # forces replacement
            }
        }
    }

Additional context

It looks like it also marks the masking expression as changed - could be related to issues with heredocs in https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/2053?

fredriv commented 1 year ago

It looks like it thinks the old signature only contains one column instead of two, thus forcing replacement?
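
A CI guard for the symptom reported in this issue, as an added example that is not part of the thread or the provider's code: it reads the JSON form of a plan (the output of `terraform show -json` on a saved plan file) and lists masking policies that the plan would destroy and recreate, with the attribute paths that force it. The sample plan document is constructed for illustration, and the function name `forced_replacements` is hypothetical.

```python
import json

# Constructed sample: a trimmed plan in `terraform show -json` form, shaped
# like the plan output in this issue (values are illustrative, not captured).
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "snowflake_masking_policy.example_conditional_masking_policy",
            "type": "snowflake_masking_policy",
            "change": {
                "actions": ["delete", "create"],
                "replace_paths": [["signature", 0, "column", 1, "type"]],
            },
        },
        {
            "address": "snowflake_database.example_db",
            "type": "snowflake_database",
            "change": {"actions": ["no-op"]},
        },
    ],
})


def forced_replacements(plan_json, resource_type="snowflake_masking_policy"):
    """Return (address, [attribute paths]) for every resource of the given
    type that the plan would destroy and recreate."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != resource_type:
            continue
        change = rc.get("change", {})
        actions = change.get("actions", [])
        # A replacement appears as ["delete", "create"] or ["create", "delete"].
        if "delete" in actions and "create" in actions:
            paths = [".".join(str(step) for step in path)
                     for path in change.get("replace_paths", [])]
            findings.append((rc["address"], paths))
    return findings


if __name__ == "__main__":
    for address, paths in forced_replacements(SAMPLE_PLAN):
        print(f"REPLACE {address}: forced by {paths or 'unknown attribute'}")
```

Failing the pipeline when this list is non-empty makes an unexpected masking policy replacement visible before `terraform apply` runs.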