[Bug]: REVOKE and GRANT executed out of order during migration from `snowflake_grant_privileges_to_role` to `snowflake_grant_privileges_to_account_role` #3187
Expected Behavior
When migrating from the use of the deprecated `snowflake_grant_privileges_to_role` resource to the newer `snowflake_grant_privileges_to_account_role` across many grants simultaneously, we expected to see Terraform execute all of the `REVOKE` queries in Snowflake corresponding to the old resources, followed by all of the `GRANT` queries corresponding to the new resource, which together would result in no net change to the privileges in our Snowflake account.
Actual Behavior
When migrating from the use of the deprecated `snowflake_grant_privileges_to_role` resource to the newer `snowflake_grant_privileges_to_account_role`, we saw Terraform execute one set of `REVOKE` and `GRANT` queries in the wrong order. Specifically, the `GRANT` for the new resource was executed before the `REVOKE` for the old resource in one case, so the net outcome was that a previously existing granted privilege no longer existed in our Snowflake account following the resource update.
Steps to Reproduce
1. Define many grants using the resource: "snowflake_grant_privileges_to_role"
2. Terraform apply
3. Replace the existing grants with equivalent grants using the "snowflake_grant_privileges_to_account_role" resource
Looking at query history in our Snowflake account, we can see that for just one of the affected grant resources, the GRANT was executed before the REVOKE, resulting in a net loss of the privileges.
Terraform CLI Version
1.9.8
Terraform Provider Version
0.87.2
Company Name
No response
Terraform Configuration
Category
category:grants
Object type(s)
resource:grant_privileges_to_account_role
How much impact is this issue causing?
Low
Logs
No response
Additional Information
No response
Would you like to implement a fix?
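
A check for the ordering described in this report, as an added example that is not part of the original issue or the provider's code: it replays `GRANT`/`REVOKE` statements in execution order, as copied from query history, and reports any privilege whose `REVOKE` ran after its `GRANT`. The sample statements, object names and role names are constructed, and the regex covers only the simple `GRANT ... ON ... TO ROLE` and `REVOKE ... ON ... FROM ROLE` forms.

```python
import re

# Simplified matcher for the two statement shapes involved (not Snowflake's full grammar):
#   GRANT  <privileges> ON <object> TO   ROLE <role>
#   REVOKE <privileges> ON <object> FROM ROLE <role>
STMT = re.compile(
    r"^\s*(GRANT|REVOKE)\s+(.+?)\s+ON\s+(.+?)\s+(?:TO|FROM)\s+ROLE\s+(\S+?)\s*;?\s*$",
    re.IGNORECASE,
)

def parse(sql):
    """Return (action, set of (privilege, object, role)) or None for other SQL."""
    m = STMT.match(sql)
    if m is None:
        return None
    action, privs, obj, role = m.groups()
    # Assumption: folding quoted identifiers to upper case is good enough here.
    obj = " ".join(obj.upper().replace('"', "").split())
    role = role.upper().replace('"', "")
    return action.upper(), {(p.strip().upper(), obj, role) for p in privs.split(",")}

def revoked_after_grant(statements):
    """Replay statements in execution order and return the privileges that were
    granted in this window but whose final statement was a REVOKE (net loss)."""
    history = {}
    for sql in statements:
        parsed = parse(sql)
        if parsed is None:
            continue  # not a privilege GRANT/REVOKE in the supported form
        action, keys = parsed
        for key in keys:
            history.setdefault(key, []).append(action)
    return sorted(k for k, acts in history.items()
                  if "GRANT" in acts and acts[-1] == "REVOKE")

# Constructed sample, ordered as the statements would appear in query history.
SAMPLE = [
    'REVOKE USAGE ON DATABASE "ANALYTICS" FROM ROLE "REPORTING"',
    'GRANT USAGE ON DATABASE "ANALYTICS" TO ROLE "REPORTING"',
    'SELECT CURRENT_ROLE()',
    'GRANT SELECT ON TABLE "ANALYTICS"."PUBLIC"."ORDERS" TO ROLE "REPORTING"',
    'REVOKE SELECT ON TABLE "ANALYTICS"."PUBLIC"."ORDERS" FROM ROLE "REPORTING"',
]

if __name__ == "__main__":
    for priv, obj, role in revoked_after_grant(SAMPLE):
        print(f"net loss: {priv} ON {obj} for role {role}")
```

Running it over the statements issued during a migration apply gives a list of grants to re-apply or investigate; an empty list means every re-granted privilege ended in the granted state.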