Snowflake-Labs / terraform-provider-snowflake

Terraform provider for managing Snowflake accounts
https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest
MIT License

2 resources of snowflake_table_grant with same privileges deletes each other. #564

Closed avifreege closed 5 months ago

avifreege commented 3 years ago

Provider Version 0.25.4

Terraform Version

0.15.4 and 0.13.0

Describe the bug

At first I worked with sets of permissions to grant different privileges to different roles, but some will obviously be the same, so I narrowed it down to this problem: in case of granting a privilege, i.e. SELECT, to 2 roles in different snowflake_table_grant resources, they will be created, but in the second apply they will get deleted.

Expected behavior

Nothing should be changed.

Code samples and commands

snowflake_table_grant.bigbrain_dev_raw_grant_full will be updated in-place
  ~ resource "snowflake_table_grant" "bigbrain_dev_raw_grant_full" {
        database_name     = "bigbrain_dev"
        id                = "bigbrain_dev|raw||SELECT|false"
        on_future         = true
        privilege         = "SELECT"
      ~ roles             = [
          + "SFULL_BIGBRAIN_DEV",
        ]
        schema_name       = "raw"
        with_grant_option = false
    }

  snowflake_table_grant.bigbrain_dev_raw_grant_read_only will be updated in-place
  ~ resource "snowflake_table_grant" "bigbrain_dev_raw_grant_read_only" {
        database_name     = "bigbrain_dev"
        id                = "bigbrain_dev|raw||SELECT|false"
        on_future         = true
        privilege         = "SELECT"
      ~ roles             = [
          + "SR_BIGBRAIN_DEV",
        ]
        schema_name       = "raw"
        with_grant_option = false
    }

Plan: 0 to add, 2 to change, 0 to destroy.

After the second apply:

snowflake_table_grant.bigbrain_dev_raw_grant_full will be updated in-place
  ~ resource "snowflake_table_grant" "bigbrain_dev_raw_grant_full" {
        database_name     = "bigbrain_dev"
        id                = "bigbrain_dev|raw||SELECT|false"
        on_future         = true
        privilege         = "SELECT"
      ~ roles             = [
            "SFULL_BIGBRAIN_DEV",
          - "SR_BIGBRAIN_DEV",
        ]
        schema_name       = "raw"
        with_grant_option = false
    }

  snowflake_table_grant.bigbrain_dev_raw_grant_read_only will be updated in-place
  ~ resource "snowflake_table_grant" "bigbrain_dev_raw_grant_read_only" {
        database_name     = "bigbrain_dev"
        id                = "bigbrain_dev|raw||SELECT|false"
        on_future         = true
        privilege         = "SELECT"
      ~ roles             = [
          - "SFULL_BIGBRAIN_DEV",
            "SR_BIGBRAIN_DEV",
        ]
        schema_name       = "raw"
        with_grant_option = false
    }

Plan: 0 to add, 2 to change, 0 to destroy.

Could be related to the fact that the ID is the same?

Additional context

The use case here is to create, for example, 1 role with read privileges (SELECT) and another role with read write (SELECT and UPDATE).

alldoami commented 3 years ago

The way you use grants is to define one privilege per resource (table/database/schema/etc) and grant it to a list of roles. If you want to create a role with read privileges and another role with read write privileges you would do:

resource snowflake_table_grant read_grant {
  database_name = "database"
  schema_name   = "schema"
  table_name    = "table"

  privilege = "SELECT"
  roles     = ["read_priv_role", "read_write_priv_role" ]
}

resource snowflake_table_grant write_grant {
  database_name = "database"
  schema_name   = "schema"
  table_name    = "table"

  privilege = "UPDATE"
  roles     = ["read_write_priv_role"]
}
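
Added example, not part of the original thread and not the provider's own code: a pre-apply check that reads `terraform show -json` plan output and flags `snowflake_table_grant` resources that resolve to the same grant ID, which is the condition that makes the two resources in this issue revoke each other's roles. The ID layout (database|schema|table|privilege|with_grant_option) is inferred from the plan output above, and the sample plan is constructed.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `terraform show -json <planfile>` output,
# trimmed to the fields this check reads. Resource names mirror the issue.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {"resources": [
  {"address": "snowflake_table_grant.bigbrain_dev_raw_grant_full", "type": "snowflake_table_grant",
   "values": {"database_name": "bigbrain_dev", "schema_name": "raw", "table_name": null,
              "privilege": "SELECT", "with_grant_option": false, "roles": ["SFULL_BIGBRAIN_DEV"]}},
  {"address": "snowflake_table_grant.bigbrain_dev_raw_grant_read_only", "type": "snowflake_table_grant",
   "values": {"database_name": "bigbrain_dev", "schema_name": "raw", "table_name": null,
              "privilege": "SELECT", "with_grant_option": false, "roles": ["SR_BIGBRAIN_DEV"]}},
  {"address": "snowflake_table_grant.bigbrain_dev_raw_grant_write", "type": "snowflake_table_grant",
   "values": {"database_name": "bigbrain_dev", "schema_name": "raw", "table_name": null,
              "privilege": "UPDATE", "with_grant_option": false, "roles": ["SFULL_BIGBRAIN_DEV"]}}
]}}}
""")

def iter_resources(module):
    """Yield resources from a module and all nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def grant_id(values):
    """Rebuild the ID seen in the plan; field order is an assumption taken from the issue."""
    fields = [values.get(k) or "" for k in ("database_name", "schema_name", "table_name", "privilege")]
    return "|".join(fields + [str(bool(values.get("with_grant_option"))).lower()])

def find_conflicting_grants(plan):
    """Map each grant ID claimed by more than one resource to its addresses and merged roles."""
    by_id = defaultdict(list)
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") == "snowflake_table_grant":
            by_id[grant_id(res.get("values", {}))].append(res)
    conflicts = {}
    for gid, group in by_id.items():
        if len(group) > 1:
            roles = {role for r in group for role in (r["values"].get("roles") or [])}
            conflicts[gid] = {"addresses": sorted(r["address"] for r in group),
                              "merged_roles": sorted(roles)}
    return conflicts

if __name__ == "__main__":
    for gid, info in find_conflicting_grants(SAMPLE_PLAN).items():
        print(f"{gid}: {info['addresses']} -> one resource with roles {info['merged_roles']}")
```

Each reported ID should be collapsed into a single resource carrying the merged role list, as in the answer above.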

ajwootto commented 3 years ago

Related to #210

sfc-gh-asawicki commented 5 months ago

We are closing this issue as part of a cleanup described in announcement. If you believe that the issue is still valid in v0.89.0, please open a new ticket.