Snowflake-Labs / terraform-provider-snowflake

Terraform provider for managing Snowflake accounts
https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest
MIT License

Plugin encountered an error #2253

Closed adrian-montero-hkkd closed 10 months ago

adrian-montero-hkkd commented 10 months ago

Terraform CLI and Provider Versions

I'm using TF Cloud version 1.6.3

Terraform Configuration

resource "snowflake_grant_privileges_to_role" "db_grants_to_fivetran_role" {
  provider = snowflake.securityadmin
  privileges = ["USAGE","MONITOR","CREATE SCHEMA"] 
  role_name = snowflake_role.fivetran_role.name
  on_account_object {
    object_name = snowflake_database.fivetran_database.name
    object_type = "DATABASE"
  }
  with_grant_option = false
}

Expected Behavior

I expected TF / the Snowflake provider to create a db_grants_to_fivetran_role resource and apply the grants in the SF instance.

Actual Behavior

Error: Plugin did not respond

The plugin encountered an error, and failed to respond to the plugin6.(*GRPCProvider).ApplyResourceChange call. The plugin logs may contain more details.

Steps to Reproduce

  1. terraform apply

How much impact is this issue causing?

High

Logs

No response

Additional Information

Error Log from provider:

Stack trace from the terraform-provider-snowflake_v0.79.0 plugin:

panic: runtime error: index out of range [1] with length 1

goroutine 101 [running]:
github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk.NewDatabaseObjectIdentifierFromFullyQualifiedName({0xc0010d6090?, 0x1df9b46?})
    github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk/identifier_helpers.go:159 +0xcc
github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/resources.configureAccountRoleGrantPrivilegeOptions(0xc001296de0?, {0xc0012d3c10, 0x1, 0x1}, 0x0?, 0xc000afacf0)
    github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/resources/grant_privileges_to_role.go:748 +0x8f1
github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/resources.CreateGrantPrivilegesToRole(0x0?, {0x1d3ff80?, 0xc0005b36c0?})
    github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/resources/grant_privileges_to_role.go:460 +0x226
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0x20b4e60?, {0x20b4e60?, 0xc0012c4810?}, 0xd?, {0x1d3ff80?, 0xc0005b36c0?})
    github.com/hashicorp/terraform-plugin-sdk/v2@v2.29.0/helper/schema/resource.go:766 +0x178
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0xc00002a540, {0x20b4e60, 0xc0012c4810}, 0xc0012ccc30, 0xc0012bc300, {0x1d3ff80, 0xc0005b36c0})
    github.com/hashicorp/terraform-plugin-sdk/v2@v2.29.0/helper/schema/resource.go:909 +0xa7e
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0xc00091cc18, {0x20b4e60?, 0xc0012c44b0?}, 0xc0012d6050)
    github.com/hashicorp/terraform-plugin-sdk/v2@v2.29.0/helper/schema/grpc_provider.go:1060 +0xe8d
github.com/hashicorp/terraform-plugin-mux/tf5to6server.v5tov6Server.ApplyResourceChange({{0x20d4480?, 0xc00091cc18?}}, {0x20b4e60, 0xc0012c44b0}, 0x0?)
    github.com/hashicorp/terraform-plugin-mux@v0.12.0/tf5to6server/tf5to6server.go:37 +0x5a
github.com/hashicorp/terraform-plugin-mux/tf6muxserver.(*muxServer).ApplyResourceChange(0x20b4db8?, {0x20b4e60?, 0xc00095f050?}, 0xc0013045f0)
    github.com/hashicorp/terraform-plugin-mux@v0.12.0/tf6muxserver/mux_server_ApplyResourceChange.go:36 +0x1b5
github.com/hashicorp/terraform-plugin-go/tfprotov6/tf6server.(*server).ApplyResourceChange(0xc000927e00, {0x20b4e60?, 0xc00095e840?}, 0xc0009621c0)
    github.com/hashicorp/terraform-plugin-go@v0.19.0/tfprotov6/tf6server/server.go:857 +0x574
github.com/hashicorp/terraform-plugin-go/tfprotov6/internal/tfplugin6._Provider_ApplyResourceChange_Handler({0x1ce79a0?, 0xc000927e00}, {0x20b4e60, 0xc00095e840}, 0xc000962150, 0x0)
    github.com/hashicorp/terraform-plugin-go@v0.19.0/tfprotov6/internal/tfplugin6/tfplugin6_grpc.pb.go:467 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0002634a0, {0x20c4d00, 0xc000590680}, 0xc0011b4b40, 0xc000ac63f0, 0x2e01958, 0x0)
    google.golang.org/grpc@v1.58.2/server.go:1376 +0xdd2
google.golang.org/grpc.(*Server).handleStream(0xc0002634a0, {0x20c4d00, 0xc000590680}, 0xc0011b4b40, 0x0)
    google.golang.org/grpc@v1.58.2/server.go:1753 +0xa36
google.golang.org/grpc.(*Server).serveStreams.func1.1()
    google.golang.org/grpc@v1.58.2/server.go:998 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
    google.golang.org/grpc@v1.58.2/server.go:996 +0x18c

Error: The terraform-provider-snowflake_v0.79.0 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely helpful if you could report the crash with the plugin's maintainers so that it can be fixed. The output above should help diagnose the issue.

sfc-gh-jcieslak commented 10 months ago

@adrian-montero-hkkd Hey, from the error message, it seems that the error occurred in the resource that wanted to grant privileges on_schema, not on_account_object, and to resolve the error you have to pass the fully qualified schema name (probably somewhere in your config on_schema.schema_name = "<schema_name>", but should be on_schema.schema_name = "\"<database_name>\".\"<schema_name>\""). It's similar to this issue. Please see and let me know if that resolves your issue.

adrian-montero-hkkd commented 10 months ago

I'm actually trying to do the grant at the db level. So that wouldn't work. Right now I'm using the previous snowflake_database_grant but I get the deprecated warning (but it does work, the permissions are granted successfully):

resource "snowflake_database_grant" "db_grant_usage_to_fivetran_role" {
  provider = snowflake.securityadmin
  database_name = snowflake_database.fivetran_database.name
  privilege = "USAGE"
  roles = [ snowflake_role.fivetran_role.name ]
  enable_multiple_grants = true
}

I was expecting it to work since it is an example just like the one in the provider docs:

##################################
### account object privileges
##################################

# list of privileges
resource "snowflake_grant_privileges_to_role" "g3" {
  privileges = ["CREATE", "MONITOR"]
  role_name  = snowflake_role.r.name
  on_account_object {
    object_type = "DATABASE"
    object_name = snowflake_database.d.name
  }
}

Ref: https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_privileges_to_role

I would expect to have to provide a fully qualified name if I were granting the create table permission, not the create schema, which wouldn't make much sense to grant at a schema level, since well, I want the user to be able to create new schemas.

Thanks for the help.

sfc-gh-jcieslak commented 10 months ago

@adrian-montero-hkkd Hey, so maybe what I wrote is unclear, but the example and the code you provided look correct and they should work. What I was saying is that it looks like the error is pointing to another resource, not to the one you provided. The error looks to reference a "snowflake_grant_privileges_to_role" resource that uses on_schema instead of on_account_object like in your example.

adrian-montero-hkkd commented 10 months ago

Thanks. You are right, that was not the problematic block. Changed it for the fully qualified schema name and it worked.
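
The failure mode resolved in this thread, as an added example that is not the provider's code and not part of any comment above: a parser that indexes the parts of a dotted name without checking their count panics with the same message as the stack trace when given a bare schema name, while a validating parser returns an error the user can act on. `SchemaID`, `unsafeParse` and `ParseSchemaID` are hypothetical names, and the input strings are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// SchemaID is a hypothetical type for this example, not the provider's SDK type.
type SchemaID struct{ Database, Schema string }

// unsafeParse indexes the split result unchecked: a bare schema name yields
// one part, so parts[1] panics with "index out of range [1] with length 1".
func unsafeParse(fqn string) SchemaID {
	parts := strings.Split(fqn, ".")
	return SchemaID{strings.Trim(parts[0], `"`), strings.Trim(parts[1], `"`)}
}

// ParseSchemaID splits on dots outside double quotes ("" is an escaped quote)
// and returns an error instead of panicking unless exactly two parts result.
func ParseSchemaID(fqn string) (SchemaID, error) {
	var parts []string
	var cur strings.Builder
	inQuotes, rs := false, []rune(fqn)
	for i := 0; i < len(rs); i++ {
		switch r := rs[i]; {
		case r == '"' && inQuotes && i+1 < len(rs) && rs[i+1] == '"':
			cur.WriteRune('"') // doubled quote inside a quoted identifier
			i++
		case r == '"':
			inQuotes = !inQuotes
		case r == '.' && !inQuotes:
			parts = append(parts, cur.String())
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	parts = append(parts, cur.String())
	if inQuotes || len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return SchemaID{}, fmt.Errorf("schema name %q must be \"<database_name>\".\"<schema_name>\"", fqn)
	}
	return SchemaID{parts[0], parts[1]}, nil
}

func main() {
	for _, in := range []string{`"FIVETRAN_DB"."RAW"`, `RAW`} { // constructed inputs
		fmt.Println(ParseSchemaID(in))
	}
}
```
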