Snowflake-Labs / terraform-provider-snowflake

Terraform provider for managing Snowflake accounts
https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest
MIT License

[Bug]: snowflake_grant_account_role with role name PUBLIC fails on apply #3001

Open AaronCoquet-Easypark opened 3 months ago

AaronCoquet-Easypark commented 3 months ago

Terraform CLI Version

1.9.4

Terraform Provider Version

0.94.1

Terraform Configuration

provider "snowflake" {
  account       = local.tf_snowflake_account
  role          = "SECURITYADMIN"
  warehouse     = local.tf_snowflake_warehouse
  authenticator = local.tf_snowflake_authenticator
}

resource "snowflake_account_role" "any_role" {
  name = "ANY_ROLE"
}

resource "snowflake_grant_account_role" "this_is_a_bug" {
  parent_role_name = snowflake_account_role.any_role.name
  role_name        = "PUBLIC"
}

Category

category:grants

Object type(s)

resource:grant_account_role

Expected Behavior

This should be a no-op, since "Granting role PUBLIC has no effect. Every user and role has role PUBLIC implicitly granted."

Actual Behavior

╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to snowflake_grant_account_role.this_is_a_bug, provider "provider[\"registry.terraform.io/snowflake-labs/snowflake\"]" produced an
│ unexpected new value: Root object was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵

Steps to Reproduce

  1. Configure a Terraform project with access to a Snowflake account, with privileges high enough to create a role and grant it another role.
  2. Create a role, and grant it access to the role "PUBLIC" (as above, in the Terraform Configuration section)
  3. Apply the change

How much impact is this issue causing?

Low

Logs

https://gist.github.com/AaronCoquet-Easypark/37704cc31601bcb095a144a7d14f8602

Additional Information

No response

Would you like to implement a fix?

sfc-gh-jmichalak commented 3 months ago

Hi @AaronCoquet-Easypark, I think this is a duplicate of https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/2848. Please read our answer here.

AaronCoquet-Easypark commented 2 months ago

It's definitely related. The workaround I found is to use a local that explicitly removes "PUBLIC" from any list of roles that is set to be assigned. I feel like this could be resolved by having the provider ignore the "PUBLIC" role, but I'm not sure if that can be done.

sfc-gh-jmichalak commented 2 months ago

As stated in the docs, the PUBLIC role is automatically granted to every user and there's no need to grant it through Terraform. Probably we will handle this case to return a better error message before V1. We will consider ignoring the PUBLIC role after V1. For now, please use the workaround you provided.
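
The workaround discussed in this thread, sketched as an added example (not code posted by the reporter or taken from the provider): a local strips "PUBLIC" from the list of roles before any snowflake_grant_account_role resource is planned. The variable name granted_roles, its sample values, the local names and the output are assumptions made for illustration; the resource types and arguments are the ones from the configuration in the issue.

```hcl
# Hypothetical input: roles to grant to ANY_ROLE (constructed sample values).
variable "granted_roles" {
  description = "Account roles to grant to ANY_ROLE."
  type        = list(string)
  default     = ["PUBLIC", "ANALYST", "LOADER"]
}

locals {
  # PUBLIC is implicitly granted to every user and role. Planning a grant for
  # it is what produces "Root object was present, but now absent" on apply,
  # so it is filtered out here. The match is on the literal name "PUBLIC",
  # as written in the issue's configuration.
  implicit_roles  = ["PUBLIC"]
  grantable_roles = toset([
    for r in var.granted_roles : r if !contains(local.implicit_roles, r)
  ])

  # Kept only for visibility: which requested roles were dropped.
  skipped_roles = [
    for r in var.granted_roles : r if contains(local.implicit_roles, r)
  ]
}

resource "snowflake_account_role" "any_role" {
  name = "ANY_ROLE"
}

# One grant per remaining role; no resource is created for PUBLIC, so the
# provider never reads back a grant that Snowflake does not record.
resource "snowflake_grant_account_role" "filtered" {
  for_each         = local.grantable_roles
  role_name        = each.value
  parent_role_name = snowflake_account_role.any_role.name
}

# Surfaces the filtering in plan/apply output instead of dropping silently.
output "skipped_implicit_roles" {
  value = local.skipped_roles
}
```

With the sample default, the plan contains grants for ANALYST and LOADER only, and the output lists PUBLIC as skipped.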