search

Snowflake-Labs / terraform-provider-snowflake

Terraform provider for managing Snowflake accounts
https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest
MIT License
552 stars 420 forks source link

[Bug]: Tag masking policy associations not properly registered in the state after import #3060

Closed dlouseiro closed 1 month ago

dlouseiro commented 2 months ago

Terraform CLI Version

1.5.7

Terraform Provider Version

0.92.0

Terraform Configuration

resource "snowflake_tag_masking_policy_association" "authorized_role_mask_date" {
  for_each          = snowflake_tag.authorized_role
  tag_id            = "\"${each.value.database}\".\"${each.value.schema}\".\"${each.value.name}\""
  masking_policy_id = "\"${snowflake_masking_policy.mask_date[each.key].database}\".\"${snowflake_masking_policy.mask_date[each.key].schema}\".\"${snowflake_masking_policy.mask_date[each.key].name}\""
}

Category

category:import

Object type(s)

No response

Expected Behavior

For a recently imported tag masking policy association to be stored as it is in the database.

Example state representation of one instance:

    {
      "mode": "managed",
      "type": "snowflake_tag_masking_policy_association",
      "name": "authorized_role_mask_date",
      "provider": "provider[\"registry.terraform.io/snowflake-labs/snowflake\"]",
      "instances": [
        {
          "index_key": "de-dev",
          "schema_version": 0,
          "attributes": {
            "id": "PICNIC_DE_DEV|PUBLIC|AUTHORIZED_ROLE|PICNIC_DE_DEV|PUBLIC|MASK_DATE",
            "masking_policy_id": "\"PICNIC_DE_DEV\".\"PUBLIC\".\"MASK_DATE\"",
            "tag_id": "\"PICNIC_DE_DEV\".\"PUBLIC\".\"AUTHORIZED_ROLE\""
          },
          "sensitive_attributes": [],
          "private": "bnVsbA==",
          "dependencies": [
            "snowflake_database.market",
            "snowflake_masking_policy.mask_date",
            "snowflake_tag.authorized_role"
          ]
        }
      }

Actual Behavior

Tag masking policy association is stored in the state without a tag_id and masking_policy_id.

Example state representation:

    {
      "mode": "managed",
      "type": "snowflake_tag_masking_policy_association",
      "name": "authorized_role_mask_date",
      "provider": "provider[\"registry.terraform.io/snowflake-labs/snowflake\"]",
      "instances": [
        {
          "index_key": "de-dev",
          "schema_version": 0,
          "attributes": {
            "id": "PICNIC_DE_DEV|PUBLIC|AUTHORIZED_ROLE|PICNIC_DE_DEV|PUBLIC|MASK_DATE",
            "masking_policy_id": null,
            "tag_id": null
          },
          "sensitive_attributes": [],
          "private": "eyJzY2hlbWFfdmVyc2lvbiI6IjAifQ=="
        }
      }

Steps to Reproduce

Assuming that the masking policy was already created via terraform:

  1. terraform state rm 'snowflake_tag_masking_policy_association.authorized_role_mask_date["de-dev"]'
  2. terraform import 'snowflake_tag_masking_policy_association.authorized_role_mask_date["de-dev"]' 'PICNIC_DE_DEV|PUBLIC|AUTHORIZED_ROLE|PICNIC_DE_DEV|PUBLIC|MASK_DATE'
  3. terraform apply

Result:

  # snowflake_tag_masking_policy_association.authorized_role_mask_date["de-dev"] must be replaced
-/+ resource "snowflake_tag_masking_policy_association" "authorized_role_mask_date" {
      ~ id                = "PICNIC_DE_DEV|PUBLIC|AUTHORIZED_ROLE|PICNIC_DE_DEV|PUBLIC|MASK_DATE" -> (known after apply)
      + masking_policy_id = "\"PICNIC_DE_DEV\".\"PUBLIC\".\"MASK_DATE\"" # forces replacement
      + tag_id            = "\"PICNIC_DE_DEV\".\"PUBLIC\".\"AUTHORIZED_ROLE\"" # forces replacement
    }

How much impact is this issue causing?

Medium

Logs

No response

Additional Information

This was quite problematic for me when migrating from version 0.66 to version 0.92 of the provider as the definition of this resource changed so I had to remove the old version from the state and reimport all masking policy tag associations.

Although, the fact that this resource is not properly registered in the state demands replacement, which is not an ideal scenario as I wouldn't want to change this association.

Would you like to implement a fix?

sfc-gh-asawicki commented 2 months ago

Hey @dlouseiro. Thanks for reaching out to us.

These values are stored in the state file but as part of the |- separated id: PICNIC_DE_DEV|PUBLIC|AUTHORIZED_ROLE|PICNIC_DE_DEV|PUBLIC|MASK_DATE (tag database, tag schema, tag name, policy database, policy schema, policy name).

sfc-gh-asawicki commented 1 month ago

Closing the issue due to inactivity. Please create a new one if the issue persists in the newest version of the provider.