Snowflake-Labs / terraform-provider-snowflake

Terraform provider for managing Snowflake accounts
https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest
MIT License
552 stars 420 forks

[Bug]: MODEL grants producing repeated plan after apply #3050

Closed halcarrigan-carvana closed 17 hours ago

halcarrigan-carvana commented 2 months ago

Terraform CLI Version

1.9.2

Terraform Provider Version

0.95.0

Terraform Configuration

resource "snowflake_role" "role_test_models" {
  name     = "ROLE_TEST_MODELS"
  provider = snowflake.useradmin
}

resource "snowflake_grant_account_role" "role_grant" {
  role_name        = snowflake_role.role_test_models.name
  parent_role_name = "SYSADMIN"
  provider         = snowflake.securityadmin
}

resource "snowflake_grant_privileges_to_account_role" "grant_schema" {
  account_role_name = snowflake_role.role_test_models.name
  privileges        = ["USAGE"]
  with_grant_option = false

  on_schema_object {
    future {
      object_type_plural = "MODELS"
      in_database        = "DB_TEST_MODELS"
    }
  }
  provider = snowflake.securityadmin
}

Category

category:grants

Object type(s)

resource:grant_privileges_to_account_role

Expected Behavior

The above configuration creates a role, grants the role to SYSADMIN, and grants USAGE on FUTURE MODELS to that role. After applying USAGE on MODELS to the role, subsequent plans should recommend no changes.

Actual Behavior

Plan does not converge. Each run suggests adding the usage privilege again.

Terraform will perform the following actions:

  # snowflake_grant_privileges_to_account_role.grant_schema will be updated in-place
  ~ resource "snowflake_grant_privileges_to_account_role" "grant_schema" {
        id                = "\"_ROLE_TEST_MODELS\"|false|false|USAGE|OnSchemaObject|OnFuture|MODELS|InDatabase|\"SHARED\""
      ~ privileges        = [
          + "USAGE",
        ]
        # (5 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

This may be due to snowflake reporting "grant_on" as 'MODULE' in SHOW FUTURE GRANTS IN DATABASE.

Steps to Reproduce

  1. Copy configuration
  2. Run Terraform apply
  3. Confirm in snowflake future grant was applied. SHOW FUTURE GRANTS TO ROLE ROLE_TEST_MODELS;
  4. Repeat Terraform apply

How much impact is this issue causing?

Low

Logs

No response

Additional Information

No response

Would you like to implement a fix?

sfc-gh-asawicki commented 2 months ago

Hey @halcarrigan-carvana. Thanks for reaching out to us.

It seems like an undocumented Snowflake behavior. We will reproduce the behavior, contact the team responsible for grants, and decide what we will do with it. Ideally, it should be changed on the Snowflake side, but we will probably implement a workaround for the time being.

If we decide to implement the workaround, it will land in one of the next minor versions.

cc: @sfc-gh-jcieslak

jdoldis commented 2 months ago

@sfc-gh-asawicki on version 0.94 we are also having this issue, and when trying to remove these resources we're getting the error -

Error: [grants_validations.go:173] exactly one of AccountRoleGrantPrivileges fields [AllPrivileges GlobalPrivileges AccountObjectPrivileges SchemaPrivileges SchemaObjectPrivileges] must be set

We haven't seen that for any other type of future grant.

Do you think that's related to this issue, or should I open a separate issue to track that?

sfc-gh-asawicki commented 2 months ago

cc: @sfc-gh-jcieslak

sfc-gh-jcieslak commented 2 months ago

Hey @jdoldis. As far as I remember, this particular error may be connected to this exact issue. Could you also post what your snowflake_grant_privileges_to_account_role config looks like?

jdoldis commented 2 months ago

Hey, yeah, sure -

resource "snowflake_grant_privileges_to_account_role" "usage_on_future_models" {
  privileges        = ["USAGE"]
  account_role_name = <role_name>
  lifecycle {
    ignore_changes = [privileges]
  }
  on_schema_object {
    future {
      object_type_plural = "MODELS"
      in_schema          = <schema_name>
    }
  }
}

We have ignore_changes set to avoid the repeated changes showing up in the plan as discussed in this issue.

sfc-gh-jcieslak commented 2 months ago

OK, nothing fancy, so most likely the issues are connected to object_type_plural being different in SHOW GRANTS. I'll fix it as soon as I have some time (it should most likely be fixed in the next version of the provider).
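To make the failure mode described in the report (grant_on coming back as MODULE) and the diagnosis above (object_type_plural not matching what SHOW GRANTS reports) concrete, here is an added illustration of the read-and-compare step that produces a non-converging plan. It is written for this thread and is not the provider's code; the row struct, the MODULE -> MODEL alias table, and the SHOW FUTURE GRANTS rows are constructed assumptions. With `normalize=false` the reader trusts grant_on literally, never finds the USAGE grant, and the diff reports "+ USAGE" on every run; with `normalize=true` the alias is mapped and the plan converges.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// FutureGrantRow holds the SHOW FUTURE GRANTS columns this comparison needs.
// Illustrative type for this example, not the provider's row struct.
type FutureGrantRow struct {
	Privilege   string // e.g. "USAGE"
	GrantOn     string // object type exactly as Snowflake reports it
	GrantTo     string // "ROLE"
	GranteeName string // unquoted role name
}

// grantOnAliases maps a reported grant_on value to the singular of the
// object_type_plural configured in the resource. MODULE -> MODEL is the alias
// the reporter observed; that it is the only such alias is an assumption.
var grantOnAliases = map[string]string{"MODULE": "MODEL"}

// singular derives the singular object type from object_type_plural (-IES and -S only).
func singular(plural string) string {
	p := strings.ToUpper(plural)
	if strings.HasSuffix(p, "IES") {
		return strings.TrimSuffix(p, "IES") + "Y"
	}
	return strings.TrimSuffix(p, "S")
}

// canonicalGrantOn applies the alias table when normalize is true; otherwise
// it returns the reported value unchanged (the literal, non-converging read).
func canonicalGrantOn(grantOn string, normalize bool) string {
	g := strings.ToUpper(grantOn)
	if c, ok := grantOnAliases[g]; ok && normalize {
		return c
	}
	return g
}

// RemotePrivileges returns the privileges role holds on future objects of
// objectTypePlural, as read from SHOW FUTURE GRANTS rows.
func RemotePrivileges(rows []FutureGrantRow, role, objectTypePlural string, normalize bool) []string {
	want := singular(objectTypePlural)
	var out []string
	for _, r := range rows {
		if r.GrantTo != "ROLE" || r.GranteeName != role {
			continue
		}
		if canonicalGrantOn(r.GrantOn, normalize) != want {
			continue
		}
		out = append(out, strings.ToUpper(r.Privilege))
	}
	sort.Strings(out)
	return out
}

// PlanDiff is the set comparison behind the "~ privileges" plan output:
// toAdd is configured but not remote, toRemove is remote but not configured.
func PlanDiff(configured, remote []string) (toAdd, toRemove []string) {
	have, want := map[string]bool{}, map[string]bool{}
	for _, p := range remote {
		have[p] = true
	}
	for _, p := range configured {
		want[p] = true
		if !have[p] {
			toAdd = append(toAdd, p)
		}
	}
	for _, p := range remote {
		if !want[p] {
			toRemove = append(toRemove, p)
		}
	}
	sort.Strings(toAdd)
	sort.Strings(toRemove)
	return toAdd, toRemove
}

// SampleRows is constructed SHOW FUTURE GRANTS output for the reporter's setup
// (USAGE ON FUTURE MODELS to ROLE_TEST_MODELS, reported as MODULE) plus an
// unrelated future TABLE grant that the read must ignore.
var SampleRows = []FutureGrantRow{
	{Privilege: "USAGE", GrantOn: "MODULE", GrantTo: "ROLE", GranteeName: "ROLE_TEST_MODELS"},
	{Privilege: "SELECT", GrantOn: "TABLE", GrantTo: "ROLE", GranteeName: "ROLE_TEST_MODELS"},
}

func main() {
	for _, normalize := range []bool{false, true} {
		remote := RemotePrivileges(SampleRows, "ROLE_TEST_MODELS", "MODELS", normalize)
		add, rm := PlanDiff([]string{"USAGE"}, remote)
		fmt.Printf("normalize=%-5v remote=%v add=%v remove=%v\n", normalize, remote, add, rm)
	}
}
```

Mapping the reported object type at read time is preferable to the `lifecycle { ignore_changes = [privileges] }` workaround mentioned earlier in the thread: `ignore_changes` on `privileges` also hides privileges that were added or removed outside Terraform, so the resource stops reporting real grant drift on those objects, not just the spurious "+ USAGE".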

jdoldis commented 2 months ago

Awesome, thanks @sfc-gh-jcieslak !

sfc-gh-jcieslak commented 2 months ago

Hey, the fix was merged, and it will be available in the next provider version. We're planning to do a release this week.

halcarrigan-carvana commented 2 months ago

Thank you all for the quick response on this.

sfc-gh-jcieslak commented 1 week ago

Hey @halcarrigan-carvana. Sorry for the late response, but the fix was already released as part of the 0.96.0 version. Could you validate that the grants on the model are working properly in your case? Thank you.

sfc-gh-jcieslak commented 17 hours ago

I'm closing due to long inactivity. The fix was provided as requested. Please create another issue if the problem persists. Thanks.

halcarrigan-carvana commented 12 hours ago

Hey @sfc-gh-jcieslak,

Sorry for the late response. We got our provider upgraded, and I successfully tested the changes. Everything is working on our end now. Thank you for all the help.