Snowflake-Labs / terraform-provider-snowflake

Terraform provider for managing Snowflake accounts
https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest
MIT License

[Bug]: snowflake_network_rule are not deleted #2858

Open daniepett opened 2 months ago

daniepett commented 2 months ago

Terraform CLI Version

1.5.6

Terraform Provider Version

0.92.0

Terraform Configuration

resource "snowflake_network_rule" "this" {
  for_each   = var.rules
  name       = upper(each.key)
  database   = var.database
  schema     = var.schema
  comment    = "Network rule to allow access from ${each.key}"
  type       = var.type
  mode       = var.mode
  value_list = each.value
}

resource "snowflake_network_policy" "all" {
  name    = "IP_VPCEID_ALLOW_ALL_KNOWN"
  comment = "Network policy to allow all known IPs"

  # for_each yields a map of instances, so splat over values() rather than the map itself
  allowed_network_rule_list = values(snowflake_network_rule.this)[*].qualified_name
}

Category

category:resource

Object type(s)

No response

Expected Behavior

Either error being raised or rule being dropped

Actual Behavior

Terraform apply succeeds on destroy, but rule isn't dropped

snowflake_network_rule.this["xxxx"]: Destruction complete after 0s

The query history shows this query failing with the following error: Cannot drop Network rule xxxx as it is associated with some network policies.

Steps to Reproduce

  1. Create network rule
  2. Associate with a network policy
  3. Drop the network rule

How much impact is this issue causing?

Low

Logs

No response

Additional Information

No response

Would you like to implement a fix?

sfc-gh-jcieslak commented 2 months ago

Hey @daniepett 👋 Thanks for reporting this issue. Would it be possible for you to include exact logs with the TF_LOG=DEBUG environment variable enabled, so I would be able to possibly spot the root cause?

sfc-gh-jcieslak commented 2 months ago

Hey @daniepett After reading the steps to reproduce and your config, I noticed an issue with the usage of Terraform (and Snowflake in some sense). The error most likely happens because firstly you are supposed to remove the association between the objects (remove the association between network rule and network policy) and then remove the unlinked object from the configuration. It should be done in two steps (terraform applies), because Terraform does not provide any guarantees of execution order. Because in your case it's done in one step, for some of the objects (or all) it may result in an error from Snowflake indicating you cannot drop the network rule when it's still associated with some network policy. I tested it in Snowflake and indeed when I wanted to drop the network rule (with association with some network policy) I got: Cannot drop Network rule TEST_NETWORK_RULE as it is associated with some network policies. For now, the only option would be to remove network rules in two steps:

  1. Remove the association with any network policy.
  2. Remove the network rule itself.
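One way to encode the two-step removal in the configuration itself, as an added example that is not part of the original issue or the provider's own code: a `detached_rules` variable (an assumption introduced here) takes a rule out of the policy's list on the first apply, and only then is the rule removed from `rules` on the second apply. Attribute names (`qualified_name`, `allowed_network_rule_list`, `type`, `mode`, `value_list`) are those used in the issue's config.

```hcl
# Assumed variables: "rules" holds every network rule that must still exist,
# "detached_rules" lists the keys that have been unlinked from the policy.
variable "rules" {
  type = map(list(string))
  # constructed sample values, not real addresses from the issue
  default = {
    office = ["203.0.113.0/24"]
    vpn    = ["198.51.100.0/24"]
  }
}

variable "detached_rules" {
  type    = set(string)
  default = []
}

resource "snowflake_network_rule" "this" {
  for_each   = var.rules
  name       = upper(each.key)
  database   = var.database
  schema     = var.schema
  comment    = "Network rule to allow access from ${each.key}"
  type       = var.type
  mode       = var.mode
  value_list = each.value
}

resource "snowflake_network_policy" "all" {
  name    = "IP_VPCEID_ALLOW_ALL_KNOWN"
  comment = "Network policy to allow all known IPs"

  # Rules listed in detached_rules are dropped from the policy first,
  # while the rule objects themselves still exist.
  allowed_network_rule_list = [
    for key, rule in snowflake_network_rule.this : rule.qualified_name
    if !contains(var.detached_rules, key)
  ]
}

# Removal of rule "vpn":
#   apply 1: detached_rules = ["vpn"]            -> policy no longer references it
#   apply 2: remove "vpn" from rules (and from detached_rules) -> DROP succeeds
```

Because the policy update and the rule drop now happen in different applies, the "Cannot drop Network rule ... as it is associated with some network policies" error is never triggered, and a failed DROP in query history would indicate a genuine problem rather than ordering.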