Changing snowflake_grant_privileges_to_role resource involving ownership fails due to dependent grants #1942
Comments
|
I'm seeing related problems on clean applies as well when the ownership grant comes later in the DAG sort: |
|
I'm having issues as well, but the plugin doesn't respond. VersionsTerraformlocals {
consolidated_schema_grants = {
"ownership" = {
privileges = ["OWNERSHIP"]
role = "SYSADMIN"
}
"read_only" = {
privileges = ["USAGE", "MONITOR"]
role = local.access_roles.read_only.name
}
}
resource "snowflake_grant_privileges_to_role" "consolidated_cdc__schema_grants" {
for_each = local.consolidated_schema_grants
privileges = each.value.privileges
role_name = each.value.role
on_schema {
schema_name = snowflake_schema.consolidated_cdc.name
}
depends_on = [ snowflake_role.access_role ]
}OutputStack trace |
|
@emancu I'm not pronouncing it a solution yet but initial results have been promising -- I've split up the The specific problem you're having though is because the |
|
@dmfay Thanks for your hint! |
the exact same thing happened to me earlier this week after I upgraded to 0.68 and missed updating in a couple of places 😄 |
|
I ran into the same issue, but it seems to have been caused by a mistake of mine: I applied grants to a database without first removing all grants granted by the old Ownership and usage grant were already separate resources and adding the |
|
Splitting the schema grants works well for setup, but teardown fails to unroll them during execution: resource "snowflake_grant_privileges_to_role" "admin_schema_ownership" {
for_each = toset(["PUBLIC", snowflake_schema.raw.name, snowflake_schema.security.name, snowflake_schema.mart.name])
role_name = local.role_admin
privileges = ["OWNERSHIP"]
with_grant_option = false
on_schema { schema_name = "${snowflake_database.db.name}.${each.value}" }
lifecycle { ignore_changes = [ privileges ] }
}
resource "snowflake_grant_privileges_to_role" "admin_schema" {
for_each = toset(["PUBLIC", snowflake_schema.raw.name, snowflake_schema.security.name]) # no mart here!
role_name = local.role_admin
privileges = ["CREATE TABLE", "USAGE"]
with_grant_option = false
depends_on = [snowflake_grant_privileges_to_role.admin_schema_ownership]
on_schema { schema_name = "${snowflake_database.db.name}.${each.value}" }
lifecycle { ignore_changes = [ privileges ] }
}terraform planned things in the correct order -- wind down the usage and create-table grants in the Other grants are removed correctly: all-tables-in-schema, future-tables-in-schema, database usage. Most of those do have explicit The last thing I see in the query log is I did upgrade to 0.68.2 on seeing #1953, but while that should fix the |
|
This |
|
Is there a workaround here I'm not seeing? I'm not setting @sfc-gh-swinkler you comment seems to imply that using what @dmfay mentioned would fix the ownership issue but @dmfay mentioned in the last paragraph the
|
|
I'm getting the same teardown error and am only using |
|
I'm so confused by these errors on "destroy" and wish this Snowflake Terraform provider was easier to use 😰 |
|
Hey @dmfay @emancu @ceik @jasonicarter @trabianmatt @chrisweis |
The first part of the implementation of the `snowflake_grant_ownership` resource. This is a "basic" version of this resource providing baseline functionalities needed to transfer ownership in Terraform. In the next pull request, I'll add all of the edge cases we have to cover (most of them are described [here](https://docs.snowflake.com/en/sql-reference/sql/grant-ownership#usage-notes)). Changes made: - Created a new `snowflake_grant_ownership` resource with CRUD operations implemented (still there are TODOs left for discussion) - Added examples and documentation needed for the resource and its identifier Things to do before the merge: - remove `snowflake_grant_ownership` from the provider.go TODO in the next pr(s): - Add deprecation messages to old grant resources specifically made for granting ownership - Add edge cases and test them (and if needed describe them in the documentation and add examples) - Add `setId("")` in read and forcefully grant ownership in Create operation - Referring to [comment](#2604 (comment)), test different cases where the Delete operation may struggle with - Test outside of Terraform interactions to see how it behaves in different situations ## Test Plan * [x] acceptance tests * [x] unit tests for the resource identifier conversions from/to String representation * [x] unit tests for the helper functions needed by resource CRUD operations ## References * [GRANT OWNERSHIP](https://docs.snowflake.com/en/sql-reference/sql/grant-ownership) ## Mentioned in A list of issues requesting this resource (a big probability there's more); notify after part 2 will be done. - #2549 - #2199 - #2084 - #1942 - #1875
🤖 I have created a release *beep* *boop* --- ## [0.87.3-pre](v0.87.2...v0.87.3-pre) (2024-03-18) ### 🎉 **What's new:** * Add snowflake grant ownership resource ([#2604](#2604)) ([bfadd24](bfadd24)), closes [#2549](#2549) [#2199](#2199) [#2084](#2084) [#1942](#1942) [#1875](#1875) ### 🔧 **Misc** * Fix env variables for tests ([#2603](#2603)) ([8bc2437](8bc2437)) * release 0.87.3-pre ([a2be7b9](a2be7b9)) ### 🐛 **Bug fixes:** * alter table column data type ([#2607](#2607)) ([538b6dc](538b6dc)) * cgo goreleaser alt solution ([#2613](#2613)) ([5d31856](5d31856)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: snowflake-release-please[bot] <105954990+snowflake-release-please[bot]@users.noreply.github.com>
A follow-up for #2604. Done in this pr: - Add setId("") in Read (when ownership is not found on the target object) and forcefully grant ownership in Create (this was already present, but added test cases for it). - Edge cases - Granting `ON PIPE` and `ON ALL PIPES` is handled (pipes are paused before and resumed after ownership transfer) Full list of things that still need to be done: - Deprecation messages - More documentation (explain how grant_ownership resource handles edge cases) and examples that would show simple usage, edge cases, cases where the resource may cause trouble - Referring to #2604 (comment), test different cases where the Delete operation may struggle with - Test outside of Terraform interactions to see how it behaves in different situations - A test where used role is not privileged enough to transfer ownership - Also cases within Terraform to see how grant_ownership will act with other grant resources within certain configurations - Edge cases - Granting `ON TASK` - Use `VIEW` when granting on `MATERIALIZED VIEW` - Granting `ON EXTERNAL TABLES` ## References [GRANT OWNERSHIP](https://docs.snowflake.com/en/sql-reference/sql/grant-ownership) ## Mentioned in A list of issues requesting this resource: #2549 #2199 #2084 #1942 #1875
A follow-up for #2604. Done in this pr: - All of the edge cases handled and tested (except of tasks that are done in the separate pr): - Materialized views (already handled by Snowflake no changes needed) - RBAC hierarchy (test case added) - Delete dependent resource (role or granted object) and remove grant resource from the state (test case added) Won't do: - External tables (cannot handle this edge case, because we have to know the auto_refresh state of the external table; it's not retrievable by SHOW or DESC commands. It will be still possible to grant ownership of the external table, but there may be additional manual work to do afterward. Everything is documented.) ## Test Plan <!-- detail ways in which this PR has been tested or needs to be tested --> * [x] acceptance tests that show how the resource is handling certain edge cases + RBAC use case ## References [GRANT OWNERSHIP](https://docs.snowflake.com/en/sql-reference/sql/grant-ownership) ## Mentioned in A list of issues requesting this resource: #2549 #2199 #2084 #1942 #1875
|
Hey 👋 |
Provider 0.68.1
Here's my
snowflake_grant_privileges_to_roleresource:This applied successfully once, but then I needed to modify the schema list in the
for_each(specifically, I hardcodedPUBLICas you see here instead of defining it as a resource). The plan shows all additions even though each grant already exists and is already managed by terraform. For example, here's one of the three schemata referenced in the resource declaration:Application then fails due to dependent grant errors even though ownership has not actually been changed:
(note a different role
READER_PRODUCTIONis affected in the second error!)The text was updated successfully, but these errors were encountered: