pulumi / pulumi-snowflake

Apache License 2.0

pulumi preview not providing correct output for privilege revokes on schema #640

Closed anitalySuper closed 6 days ago

anitalySuper commented 3 months ago

Describe what happened

Revoking privileges on a schema while keeping 1 privilege that is currently granted: when running pulumi preview after the code change, the output states that all privileges will be revoked.

Sample program

I have a pulumi.yaml file with the following resource:

```yaml
name: snowflake-schema-grants
runtime: yaml
description: A Snowflake YAML Pulumi stack for schema object to role grants.
config: {'pulumi:tags': {value: {'pulumi:template': yaml}}}
options:
  refresh: always

resources:
  snowflake-analyst--false--onschema--onschema--db-staging-accounts-public--without-grant-option--schema-to-role--grant:
    type: snowflake:GrantPrivilegesToAccountRole
    properties:
      accountRoleName: '"SNOWFLAKE_ANALYST"'
      onSchema:
        schemaName: '"DB_STAGING"."ACCOUNTS_PUBLIC"'
      privileges:
        - CREATE EXTERNAL TABLE
        - CREATE TABLE
        - CREATE VIEW
        - CREATE TEMPORARY TABLE
        - USAGE
        - CREATE MATERIALIZED VIEW
```

I then remove 5 of the privileges (CREATE EXTERNAL TABLE, CREATE TABLE, CREATE VIEW, CREATE TEMPORARY TABLE, CREATE MATERIALIZED VIEW):

```yaml
name: snowflake-schema-grants
runtime: yaml
description: A Snowflake YAML Pulumi stack for schema object to role grants.
config: {'pulumi:tags': {value: {'pulumi:template': yaml}}}
options:
  refresh: always

resources:
  snowflake-analyst--false--onschema--onschema--db-staging-accounts-public--without-grant-option--schema-to-role--grant:
    type: snowflake:GrantPrivilegesToAccountRole
    properties:
      accountRoleName: '"SNOWFLAKE_ANALYST"'
      onSchema:
        schemaName: '"DB_STAGING"."ACCOUNTS_PUBLIC"'
      privileges:
        - USAGE
```

Then I run `pulumi preview --stack prod --diff --refresh=false`.

Preview says all privileges will be revoked.

Log output

```text
Previewing update (prod):
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:prod::snowflake-schema-grants::pulumi:pulumi:Stack::snowflake-schema-grants-prod]
warning: provider config warning: Use `user` instead of `username`
    ~ snowflake:index/grantPrivilegesToAccountRole:GrantPrivilegesToAccountRole: (update)
        [id=SNOWFLAKE_ANALYST|false|false|CREATE TABLE,CREATE VIEW,CREATE EXTERNAL TABLE,CREATE TEMPORARY TABLE,USAGE,CREATE MATERIALIZED VIEW|OnSchema|OnSchema|"DB_STAGING"."ACCOUNTS_PUBLIC"]
        [urn=urn:pulumi:prod::snowflake-schema-grants::snowflake:index/grantPrivilegesToAccountRole:GrantPrivilegesToAccountRole::snowflake-analyst--false--onschema--onschema--db-staging-accounts-public--without-grant-option--schema-to-role--grant]
      ~ privileges: [
          - [0]: "CREATE EXTERNAL TABLE"
          - [1]: "CREATE TABLE"
          - [2]: "CREATE VIEW"
          - [3]: "CREATE TEMPORARY TABLE"
          - [4]: "USAGE"
          - [5]: "CREATE MATERIALIZED VIEW"
        ]
```

Affected Resource(s)

snowflake:GrantPrivilegesToAccountRole

Output of pulumi about

```text
CLI
Version      3.119.0
Go Version   go1.22.3
Go Compiler  gc

Plugins
KIND      NAME       VERSION
resource  snowflake  unknown
language  yaml       unknown

Host
OS       ubuntu
Version  22.04
Arch     x86_64

This project is written in yaml

Backend
Name           coder-anitaly-coder-dev
URL            file:///workspace/snowflake-infra/infrastructure
User           coder
Organizations
Token type     personal

No dependencies found

Pulumi locates its logs in /tmp by default
warning: Failed to get information about the current stack: No current stack
```

Additional context

No response


VenelinMartinov commented 3 months ago

Hey @anitalySuper, thanks for reporting the issue here and sorry you had trouble with this.

We'll have a look as soon as possible.

As a workaround, is the issue fixed by refresh / running pulumi up again?

anitalySuper commented 3 months ago

Hi @VenelinMartinov, running with refresh produces the same issue. I haven't attempted to run pulumi up, given that pulumi preview is suggesting it is going to revoke a privilege I need to retain.

VenelinMartinov commented 3 months ago

Confirmed this repros with the following program:

Program

```yaml
name: privilege_revoke
runtime: yaml
description: ""
resources:
  myDatabase:
    type: snowflake:Database
    properties:
      name: my_database
      comment: This is my Snowflake database
  mySchema:
    type: snowflake:Schema
    properties:
      name: my_custom_schema
      comment: This is a custom schema in Snowflake
      database: ${myDatabase.name}
  myRole:
    type: snowflake:Role
    properties:
      name: SNOWFLAKE_ANALYST
      comment: This is a custom role in Snowflake
  snowflake-privileges:
    type: snowflake:GrantPrivilegesToAccountRole
    properties:
      accountRoleName: ${myRole.name}
      onSchema:
        schemaName: "${myDatabase.name}.${mySchema.name}"
      privileges:
        # - CREATE EXTERNAL TABLE
        # - CREATE TABLE
        # - CREATE VIEW
        # - CREATE TEMPORARY TABLE
        - USAGE
```

This does not repro in TF, so it seems like a bridge bug related to sets.

TF program

```terraform
terraform {
  required_providers {
    snowflake = {
      source  = "Snowflake-Labs/snowflake"
      version = "0.92.0"
    }
  }
}

resource "snowflake_database" "myDatabase" {
  name    = "my_database1"
  comment = "This is my Snowflake database"
}

resource "snowflake_schema" "mySchema" {
  name     = "my_custom_schema1"
  comment  = "This is a custom schema in Snowflake"
  database = snowflake_database.myDatabase.name
}

resource "snowflake_role" "myRole" {
  name    = "SNOWFLAKE_ANALYST1"
  comment = "This is a custom role in Snowflake"
}

resource "snowflake_grant_privileges_to_account_role" "snowflake_privileges" {
  privileges = [
    # "CREATE EXTERNAL TABLE",
    # "CREATE TABLE",
    # "CREATE VIEW",
    # "CREATE TEMPORARY TABLE",
    "USAGE",
  ]
  account_role_name = snowflake_role.myRole.name
  on_schema {
    schema_name = "my_database1.my_custom_schema1"
  }
}
```

~~I just went to apply the change and it seems the bug only affects preview:~~

~~preview:~~

```text
      ~ privileges: [
          - [0]: "CREATE EXTERNAL TABLE"
          - [1]: "CREATE TABLE"
          - [2]: "CREATE VIEW"
          - [3]: "CREATE TEMPORARY TABLE"
          - [4]: "USAGE"
        ]
```

~~but running pulumi up produces:~~

```text
      ~ privileges: [
          ~ [0]: "CREATE EXTERNAL TABLE" => "USAGE"
          - [1]: "CREATE TABLE"
          - [2]: "CREATE VIEW"
          - [3]: "CREATE TEMPORARY TABLE"
          - [4]: "USAGE"
        ]
```

I can no longer repro the correct diff above but I certainly got that once.

VenelinMartinov commented 3 months ago

Ok, this seems to be an issue with the way we present diffs in the CLI.

For any user experiencing this, it should be safe to ignore the diff here while we get it fixed. I've verified that the state after running pulumi up is correct and the privilege is retained as expected.


For maintainers, here is the GRPC call:

GRPC Diff

```json
{
  "method": "/pulumirpc.ResourceProvider/Diff",
  "request": {
    "id": "\"SNOWFLAKE_ANALYST\"|false|false|CREATE EXTERNAL TABLE,CREATE TABLE,CREATE VIEW,CREATE TEMPORARY TABLE,USAGE|OnSchema|OnSchema|\"my_database\".\"my_custom_schema\"",
    "urn": "urn:pulumi:dev::privilege_revoke::snowflake:index/grantPrivilegesToAccountRole:GrantPrivilegesToAccountRole::snowflake-privileges",
    "olds": {
      "accountRoleName": "SNOWFLAKE_ANALYST",
      "allPrivileges": false,
      "alwaysApply": false,
      "id": "\"SNOWFLAKE_ANALYST\"|false|false|CREATE EXTERNAL TABLE,CREATE TABLE,CREATE VIEW,CREATE TEMPORARY TABLE,USAGE|OnSchema|OnSchema|\"my_database\".\"my_custom_schema\"",
      "onAccount": false,
      "onSchema": {
        "allSchemasInDatabase": "",
        "futureSchemasInDatabase": "",
        "schemaName": "my_database.my_custom_schema"
      },
      "privileges": [
        "CREATE EXTERNAL TABLE",
        "CREATE TABLE",
        "CREATE VIEW",
        "CREATE TEMPORARY TABLE",
        "USAGE"
      ],
      "withGrantOption": false
    },
    "news": {
      "__defaults": ["alwaysApply", "alwaysApplyTrigger", "withGrantOption"],
      "accountRoleName": "SNOWFLAKE_ANALYST",
      "alwaysApply": false,
      "alwaysApplyTrigger": "",
      "onSchema": {
        "__defaults": [],
        "schemaName": "my_database.my_custom_schema"
      },
      "privileges": ["USAGE"],
      "withGrantOption": false
    },
    "oldInputs": {
      "__defaults": ["alwaysApply", "alwaysApplyTrigger", "withGrantOption"],
      "accountRoleName": "SNOWFLAKE_ANALYST",
      "alwaysApply": false,
      "alwaysApplyTrigger": "",
      "onSchema": {
        "__defaults": [],
        "schemaName": "my_database.my_custom_schema"
      },
      "privileges": [
        "CREATE EXTERNAL TABLE",
        "CREATE TABLE",
        "CREATE VIEW",
        "CREATE TEMPORARY TABLE",
        "USAGE"
      ],
      "withGrantOption": false
    }
  },
  "response": {
    "stables": [
      "accountRoleName",
      "onAccount",
      "onAccountObject",
      "onSchema",
      "onSchemaObject",
      "withGrantOption"
    ],
    "changes": "DIFF_SOME",
    "diffs": ["privileges", "privileges", "privileges", "privileges", "privileges"],
    "detailedDiff": {
      "privileges": { "kind": "UPDATE" },
      "privileges[0]": { "kind": "DELETE" },
      "privileges[1]": { "kind": "DELETE" },
      "privileges[2]": { "kind": "DELETE" },
      "privileges[3]": { "kind": "DELETE" }
    },
    "hasDetailedDiff": true
  },
  "metadata": {
    "kind": "resource",
    "mode": "client",
    "name": "snowflake"
  }
}
```

@iwahbe noticed the repeated entry in `diffs` and it does indeed seem to be the culprit here - I've manually hacked the code to verify that having a single entry there yields the correct result.

This seems to both be an issue in the bridge (we return multiple entries there) and in the engine, which seems to misinterpret the repeated entries in some way.
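For anyone who wants to confirm from a gRPC Diff log what the provider actually reported, rather than trusting the rendered preview either way, the following added script (not pulumi's or the bridge's code) re-derives the intended change under set semantics from the request's `olds` and `news`, resolves the positional `detailedDiff` DELETE entries back to privilege names, and flags the repeated `diffs` entries noted above. SAMPLE_DIFF is constructed from the log quoted in this comment, trimmed to the relevant fields.

```python
# Added example for this issue, not pulumi's own code. SAMPLE_DIFF is
# constructed from the gRPC Diff quoted above, trimmed to the relevant fields.
import json
from collections import Counter

SAMPLE_DIFF = json.loads("""{
  "request": {
    "olds": {"privileges": ["CREATE EXTERNAL TABLE", "CREATE TABLE",
                            "CREATE VIEW", "CREATE TEMPORARY TABLE", "USAGE"]},
    "news": {"privileges": ["USAGE"]}
  },
  "response": {
    "diffs": ["privileges", "privileges", "privileges", "privileges", "privileges"],
    "detailedDiff": {
      "privileges": {"kind": "UPDATE"},
      "privileges[0]": {"kind": "DELETE"}, "privileges[1]": {"kind": "DELETE"},
      "privileges[2]": {"kind": "DELETE"}, "privileges[3]": {"kind": "DELETE"}
    }
  }
}""")

def set_diff(olds, news, prop):
    """What should change under set semantics (element order is irrelevant)."""
    old, new = set(olds[prop]), set(news[prop])
    return {"revoked": sorted(old - new), "granted": sorted(new - old),
            "retained": sorted(old & new)}

def duplicate_diffs(response):
    """Property names repeated in `diffs`: the symptom noted in this issue."""
    return {k: n for k, n in Counter(response["diffs"]).items() if n > 1}

def reported_deletes(request, response, prop):
    """Resolve detailedDiff DELETE entries (indexes into the old list) to values."""
    prefix = prop + "["
    idx = [int(k[len(prefix):-1]) for k, v in response["detailedDiff"].items()
           if k.startswith(prefix) and v["kind"] == "DELETE"]
    return sorted(request["olds"][prop][i] for i in idx)

def audit(msg, prop="privileges"):
    """Compare the provider's reported deletes with the intended set difference."""
    req, resp = msg["request"], msg["response"]
    expected = set_diff(req["olds"], req["news"], prop)
    deleted = reported_deletes(req, resp, prop)
    return {"expected": expected, "reported_deleted": deleted,
            "duplicate_diffs": duplicate_diffs(resp),
            "consistent": deleted == expected["revoked"]}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_DIFF), indent=2))
```

On the quoted log the four DELETE entries resolve to exactly the four removed privileges and USAGE stays in `retained`, while `diffs` lists `privileges` five times, which matches the diagnosis that the provider's answer is right and only the CLI rendering of it is wrong.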

VenelinMartinov commented 3 months ago

Raised https://github.com/pulumi/pulumi-terraform-bridge/issues/2103 for the bridge bug

VenelinMartinov commented 3 months ago

Raised https://github.com/pulumi/pulumi/issues/16466 for the pu/pu bug