search

Snowflake-Labs / terraform-provider-snowflake

Terraform provider for managing Snowflake accounts
https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest
MIT License
552 stars 420 forks source link

[Bug]: provider organization_name and account_name when you only have an account locator #3198

Open jrobison-sb opened 1 week ago

jrobison-sb commented 1 week ago

Terraform CLI Version

v1.9.1

Terraform Provider Version

v0.98.0

Company Name

No response

Terraform Configuration

provider "snowflake" {
  account       = "XYZ12345.us-east-1"
  ...
}

Category

category:resource

Object type(s)

Provider connection config, no specific resource.

Expected Behavior

With the account attribute of the provider config now deprecated, and with account locators continuing to be supported, it should be clear how to migrate to the new configuration when the old configuration only uses an account locator and doesn't use the ORGNAME-ACCOUNTNAME convention.

Actual Behavior

With the account attribute of the provider config now deprecated, and with account locators continuing to be supported, it is not clear how to migrate to the new configuration when the old configuration only uses an account locator and doesn't use the ORGNAME-ACCOUNTNAME convention.

Steps to Reproduce

Try to migrate the above HCL to the new provider configuration which requires an organization_name and an account_name, but with an account that only has an account locator.

For us, this happens with reader accounts (which aren't managed as properly named snowflake_account resources). And also with our ORGADMIN account, which, since it's only job is to manage other accounts, it never got a name itself.

How much impact is this issue causing?

Low

Logs

No response

Additional Information

https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#behavior-change-deprecated-fields https://github.com/Snowflake-Labs/terraform-provider-snowflake/pull/3166

Would you like to implement a fix?

sfc-gh-jmichalak commented 1 week ago

Hi @jrobison-sb πŸ‘‹

We'll add the link to the docs in our migration guide. I just want to confirm: are you able to use the new fields with reader and orgadmin accounts? I can't see that they have any limitations with the account name format.

jrobison-sb commented 1 week ago

@sfc-gh-jmichalak thanks for taking a look.

We'll add the link to the docs in our migration guide.

There's already a link here (where it says "Read more in the docs").

are you able to use the new fields with reader and orgadmin accounts?

I have not been able to do so, though I'm not entirely sure if it's user error on my part or something else. I tried it like this:

# The old way before the deprecation
provider "snowflake" {
  account       = "XYZ12345.us-east-1"
  ...
}

# My failed attempt at fixing the deprecation
provider "snowflake" {
    organization_name = "MY_ORG_NAME"
    account_name    = "XYZ12345"
}

My failed attempt at fixing the deprecation crashed a terraform plan like this:

Error: open snowflake connection: 261004 (08004): failed to auth for unknown reason. HTTP: 404, URL: https://MY_ORG_NAME-XYZ12345.snowflakecomputing.com:443/...

If this is a case of user error and I need to try some other format or something, I'm happy to try whatever...

Thanks.

sfc-gh-jmichalak commented 1 week ago

Yup, we have a link, but I think we should be more explicit here and at least mention the other account format.

I think your config is slightly incorrect. In our environments, the account name (in Format 1) does not match the account locator (in Format 2). Please make sure you use values from https://docs.snowflake.com/en/user-guide/admin-account-identifier#finding-the-organization-and-account-name-for-an-account or check them with 

SELECT CURRENT_ORGANIZATION_NAME(), CURRENT_ACCOUNT_NAME();

These values should match organization_name and account_name in the config, respectively.

jrobison-sb commented 1 week ago

Thanks @sfc-gh-jmichalak, that unblocked me and I'm all good now. Thanks for taking the time to set me straight on this.

I'll leave this issue open in case there's a desire to use this issue to update the docs. Or if not, feel free to close this, I have no further questions.

Thanks.

maxnsdia commented 1 day ago

I'm also facing an issue with this, even when using the proper org and account name as derived from above mentioned queries.

Old config (working in 0.97):

provider "snowflake" {
  user                   = "myuser"
  account                = "${myaccount}.${myregion}"
  role                   = "myrole"
  authenticator          = "JWT"
  ...
}

New config:

provider "snowflake" {
  user                   = "myuser"
  organization_name      = "myorg"
  account_name           = "myaccount"
  role                   = "myrole"
  authenticator          = "SNOWFLAKE_JWT"
  ...
}

I also tried to revert back to JWT with the new config but this did not work.

The error I get, after a few minutes, is:

Error: open snowflake connection: Post "https://MYORG-MYACCOUNT.snowflakecomputing.com:443/session/v1/login-request?requestId=[guid]&request_guid=[guid]&roleName=myrole": EOF