Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to amend FUTURE TASK OWNERSHIP GRANT ROLEs #1954

Closed
WobblyRobbly opened this issue Jul 15, 2023 · 2 comments · Fixed by #1955
Closed

Unable to amend FUTURE TASK OWNERSHIP GRANT ROLEs #1954

WobblyRobbly opened this issue Jul 15, 2023 · 2 comments · Fixed by #1955
Labels
bug Used to mark issues with provider's incorrect behavior

Comments

@WobblyRobbly
Copy link
Contributor

Provider Version

0.67

Terraform Version

1.4.4

Description

When trying to amend the ROLE for a FUTURE GRANT on a TASK within a schema the plan, on first run, correctly identifies that an update is required

  # snowflake_task_grant.full_future_task_ownership_grant will be updated in-place
  ~ resource "snowflake_task_grant" "full_future_task_ownership_grant" {
        id                     = "BUGFIX|FUTUREGRANTS||OWNERSHIP|false|true|false|SERVICEROLE"
      ~ roles                  = [
          - "SERVICEROLE",
          + "SERVICEROLE2",
        ]
        # (7 unchanged attributes hidden)
    }

The apply then fails with

snowflake_task_grant.full_future_task_ownership_grant: Modifying... [id=BUGFIX|FUTUREGRANTS||OWNERSHIP|false|true|false|SERVICEROLE]
╷
│ Error: 003504 (01000): A future grant with privilege OWNERSHIP on object type TASK already exists in the schema.
│ 
│   with snowflake_task_grant.full_future_task_ownership_grant,
│   on my_schema.tf line 43, in resource "snowflake_task_grant" "full_future_task_ownership_grant":
│   43: resource "snowflake_task_grant" "full_future_task_ownership_grant" {
│ 
╵

Looking at the query history in Snowflake we can see that a REVOKE is being executed

REVOKE OWNERSHIP ON ALL TASKS IN SCHEMA "BUGFIX"."FUTUREGRANTS" FROM ROLE "SERVICEROLE"

followed by

GRANT OWNERSHIP ON FUTURE TASKS IN SCHEMA "BUGFIX"."FUTUREGRANTS" TO ROLE "SERVICEROLE2"

which fails.

On subsequent plan / apply the REVOKE is not executed suggesting it is now not in the state file

Expected Behavior

The previous FUTURE OWNERSHIP GRANT (not current TASK OWNERSHIP) should be removed, any existing TASKS should have their current ownership left as is. I would expect

REVOKE FUTURE OWNERSHIP ON TASKS IN SCHEMA "BUGFIX"."FUTUREGRANTS" FROM ROLE "SERVICEROLE"

Code samples and commands

drop database if exists bugfix;
create database bugfix;
drop role if exists servicerole;
drop role if exists servicerole2;

create role servicerole;
create role servicerole2;

grant role servicerole to role sysadmin;
grant role servicerole2 to role sysadmin;

terraform code

terraform {
  required_providers {
    snowflake = {
      source  = "snowflake-labs/snowflake"
      version = "0.67.0"
    }
  }
}

provider "snowflake" {
  username = var.username
  account  = var.account
  region   = var.region
  password = var.snowflake_password
  role     = var.role
}

# Create Schema
resource "snowflake_schema" "schema" {
  database            = "BUGFIX"
  name                = "FUTUREGRANTS"
  comment             = "Terraform-managed Schema"
  is_transient        = false
  is_managed          = true
  data_retention_days = 5
}

resource "snowflake_schema_grant" "full_schema_grant" {
  database_name     = var.database_name
  schema_name       = snowflake_schema.schema.name
  privilege         = "OWNERSHIP"
  roles             = ["ACCOUNTADMIN"]
  with_grant_option = false
}


resource "snowflake_task_grant" "full_future_task_ownership_grant" {
  database_name     = var.database_name
  schema_name       = snowflake_schema.schema.name
  privilege         = "OWNERSHIP"
  roles             = [ "SERVICEROLE" ]
  on_future         = true
  with_grant_option = false
  depends_on        = [
    snowflake_schema_grant.full_schema_grant
  ]
}

Run

  1. terraform plan -out tfplan.plan
  2. terraform apply tfplan.plan
  3. Amend SERVICEROLE to SERVICEROLE2
  4. terraform plan -out tfplan.plan
  5. terraform apply tfplan.plan

Additional context

This probably affects other FUTURE GRANTS
@WobblyRobbly WobblyRobbly added the bug Used to mark issues with provider's incorrect behavior label Jul 15, 2023
@WobblyRobbly WobblyRobbly mentioned this issue Jul 16, 2023
Merged
@WobblyRobbly WobblyRobbly changed the title Unable to amend FUTURE GRANT ROLEs Unable to amend FUTURE TASK OWNERSHIP GRANT ROLEs Jul 18, 2023
sfc-gh-swinkler pushed a commit that referenced this issue Jul 25, 2023
@WobblyRobbly
fix: future ownership task grant (#1954) (#1955)
81ac1a3
@snowflake-release-please snowflake-release-please bot mentioned this issue Jul 24, 2023
Merged
@sfc-gh-swinkler
Copy link
Collaborator

@WobblyRobbly thank you for reporting this issue and for creating a PR to follow up. It will be available in the next release.

I would suggest caution against using this resource as you have been doing to manage ownership. We intend to create a new resource called snowflake_grant_ownership, which will specifically handle grant ownership to roles. Also if you have not already seen, there is a snowflake_grant_privileges_to_role resource which may be helpful to you.

@WobblyRobbly
Copy link
Contributor Author

Thanks for the feedback and approving the PR @sfc-gh-swinkler .
We have some refactoring to do on our terraform modules so will bear these in mind once available...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Used to mark issues with provider's incorrect behavior
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: future ownership task grant (#1954)
2 participants
@WobblyRobbly @sfc-gh-swinkler