Snowflake-Labs / terraform-provider-snowflake

Terraform provider for managing Snowflake accounts
https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest
MIT License

[Feature]: ignore_snowflake_user when using snowflake_users data source #3191

Open yuukiyamanaka opened 1 week ago

yuukiyamanaka commented 1 week ago

Company Name

No response

Use Cases or Problem Statement

I encountered the following error when attempting to fetch all users using the snowflake_users data source:

data "snowflake_users" "all_users" {
  with_describe   = true
  with_parameters = false
}

Error message:

Insufficient privileges to operate on user 'SNOWFLAKE'

This error persists even when using the ACCOUNTADMIN role. The issue occurs because ACCOUNTADMIN does not have privileges to execute DESC USER SNOWFLAKE.

Impact

This limitation is inconvenient for several use cases:

  1. Validating the total number of users with a specific property, like default role
  2. Verifying that all users are properly secured with user-level network policies

Example Use Case

Here's a sample validation check that's affected:

check "no_user_set_accountadmin_as_default_role" {
  data "snowflake_users" "all_users" {
    with_describe   = true
    with_parameters = false
  }
  assert {
    condition = length([
      for user in data.snowflake_users.all_users.users :
      user
      if user.describe_output[0].default_role == var.default_roles.accountadmin.name
    ]) == 0
    error_message = format(
      "Found users with ACCOUNTADMIN as default_role: %s",
      join(", ", [
        for user in data.snowflake_users.all_users.users :
        user.describe_output[0].name
        if user.describe_output[0].default_role == var.default_roles.accountadmin.name
      ])
    )
  }
}

Environment Details

Is there any workaround or solution for this limitation?

Category

category:data_source

Object type(s)

data_source:users

Proposal

Add an ignore_snowflake_user option for the snowflake_user data source.

How much impact is this issue causing?

Low

Additional Information

No response

Would you like to implement a fix?

sfc-gh-asawicki commented 1 week ago

Hey @yuukiyamanaka. Thanks for reaching out to us.

That's an interesting error. We also have a SNOWFLAKE user and it did not fail for us on ACCOUNTADMIN. I will run a few manual tests and get back to you.

yuukiyamanaka commented 1 week ago

Thank you for the response! I will provide my account information if you need it.

I also encountered the same error in Snowsight:

use role accountadmin;
desc user snowflake;