Open cdnedlik opened 1 week ago
Looking at query history in our Snowflake account, we can see that for just one of the affected grant resources, the GRANT was executed before the REVOKE, resulting in a net loss of the privileges.
Hey @cdnedlik. Thanks for reaching out to us.
The one-step change that you described will result in such non-deterministic ordering. Please follow our migration guidelines: https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/resource_migration.md#resource-migration.
More references:
Terraform CLI Version
1.9.8
Terraform Provider Version
0.87.2
Company Name
No response
Terraform Configuration
Category
category:grants
Object type(s)
resource:grant_privileges_to_account_role
Expected Behavior
When migrating from the use of the deprecated snowflake_grant_privileges_to_role resource to the newer snowflake_grant_privileges_to_account_role across many grants simultaneously, we expected to see Terraform execute all of the REVOKE queries in Snowflake corresponding to the old resources, followed by all of the GRANT queries corresponding to the new resource, which together would result in no net change to the privileges in our Snowflake account.
Actual Behavior
When migrating from the use of the deprecated snowflake_grant_privileges_to_role resource to the newer snowflake_grant_privileges_to_account_role, we saw Terraform execute one set of REVOKE and GRANT queries in the wrong order. Specifically, the GRANT for the new resource was executed before the REVOKE for the old resource in one case, so the net outcome was that previously existing granted privileges no longer existed in our Snowflake account following the resource update.
Steps to Reproduce
How much impact is this issue causing?
Low
Logs
No response
Additional Information
No response
Would you like to implement a fix?
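The inverted ordering reported in this issue can be checked for after an apply by replaying query history. The following is an added example, not code from the issue or from the provider: it walks GRANT/REVOKE statements in time order and reports each privilege whose REVOKE ran after the matching GRANT. The row shape, statement text, timestamps and object and role names are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed rows (start_time, query_text); real statement text may differ.
SAMPLE_HISTORY = [
    ("2024-11-20T10:00:01", 'REVOKE USAGE ON DATABASE "DB_A" FROM ROLE "ANALYST"'),
    ("2024-11-20T10:00:02", 'GRANT USAGE ON DATABASE "DB_A" TO ROLE "ANALYST"'),
    ("2024-11-20T10:00:03", 'GRANT SELECT ON ALL TABLES IN SCHEMA "DB_B"."S" TO ROLE "ANALYST"'),
    ("2024-11-20T10:00:04", 'REVOKE SELECT ON ALL TABLES IN SCHEMA "DB_B"."S" FROM ROLE "ANALYST"'),
]

# Matches "<GRANT|REVOKE> <privileges> ON <object> <TO|FROM> [ACCOUNT] ROLE <role>".
# "REVOKE GRANT OPTION FOR ..." is skipped: it does not remove the privilege itself.
STMT = re.compile(
    r"^\s*(GRANT|REVOKE)\s+(?!GRANT\s+OPTION)(.+?)\s+ON\s+(.+?)\s+"
    r"(?:TO|FROM)\s+(?:ACCOUNT\s+)?ROLE\s+(\S+)",
    re.IGNORECASE | re.DOTALL,
)


def find_lost_privileges(history):
    """Return sorted (privilege, object, role) keys whose most recent statement
    is a REVOKE that ran after a GRANT of the same key (the inverted order)."""
    last_op = {}
    lost = set()
    for _, text in sorted(history, key=lambda r: datetime.fromisoformat(r[0])):
        m = STMT.match(text)
        if not m:
            continue  # not a privilege grant/revoke on an object
        op = m.group(1).upper()
        obj = " ".join(m.group(3).split())   # collapse whitespace, keep identifier case
        role = m.group(4).rstrip(";")
        for priv in m.group(2).split(","):   # "SELECT, INSERT" -> one key per privilege
            key = (priv.strip().upper(), obj, role)
            if op == "REVOKE" and last_op.get(key) == "GRANT":
                lost.add(key)                # GRANT then REVOKE: net loss
            elif op == "GRANT":
                lost.discard(key)            # a later GRANT restores the privilege
            last_op[key] = op
    return sorted(lost)


if __name__ == "__main__":
    for priv, obj, role in find_lost_privileges(SAMPLE_HISTORY):
        print(f"net loss: {priv} ON {obj} for role {role}")
```

Restrict the input to the time window of the apply, since an intentional REVOKE issued later would otherwise be reported as well.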