When trying to amend the ROLE for a FUTURE GRANT on a TASK within a schema, the plan, on first run, correctly identifies that an update is required:
```
  # snowflake_task_grant.full_future_task_ownership_grant will be updated in-place
  ~ resource "snowflake_task_grant" "full_future_task_ownership_grant" {
        id = "BUGFIX|FUTUREGRANTS||OWNERSHIP|false|true|false|SERVICEROLE"
      ~ roles = [
          - "SERVICEROLE",
          + "SERVICEROLE2",
        ]
        # (7 unchanged attributes hidden)
    }
```
The apply then fails with
```
snowflake_task_grant.full_future_task_ownership_grant: Modifying... [id=BUGFIX|FUTUREGRANTS||OWNERSHIP|false|true|false|SERVICEROLE]
╷
│ Error: 003504 (01000): A future grant with privilege OWNERSHIP on object type TASK already exists in the schema.
│
│   with snowflake_task_grant.full_future_task_ownership_grant,
│   on my_schema.tf line 43, in resource "snowflake_task_grant" "full_future_task_ownership_grant":
│   43: resource "snowflake_task_grant" "full_future_task_ownership_grant" {
│
╵
```
Looking at the query history in Snowflake we can see that a REVOKE is being executed
```sql
REVOKE OWNERSHIP ON ALL TASKS IN SCHEMA "BUGFIX"."FUTUREGRANTS" FROM ROLE "SERVICEROLE"
```
followed by
```sql
GRANT OWNERSHIP ON FUTURE TASKS IN SCHEMA "BUGFIX"."FUTUREGRANTS" TO ROLE "SERVICEROLE2"
```
which fails.
On subsequent plan / apply the REVOKE is not executed suggesting it is now not in the state file
Expected Behavior
The previous FUTURE OWNERSHIP GRANT (not current TASK OWNERSHIP) should be removed; any existing TASKS should have their current ownership left as is. I would expect
```sql
REVOKE FUTURE OWNERSHIP ON TASKS IN SCHEMA "BUGFIX"."FUTUREGRANTS" FROM ROLE "SERVICEROLE"
```
Code samples and commands
```sql
drop database if exists bugfix;
create database bugfix;
drop role if exists servicerole;
drop role if exists servicerole2;
create role servicerole;
create role servicerole2;
grant role servicerole to role sysadmin;
grant role servicerole2 to role sysadmin;
```
@WobblyRobbly thank you for reporting this issue and for creating a PR to follow up. It will be available in the next release.
I would suggest caution against using this resource as you have been doing to manage ownership. We intend to create a new resource called snowflake_grant_ownership, which will specifically handle grant ownership to roles. Also, if you have not already seen it, there is a snowflake_grant_privileges_to_role resource which may be helpful to you.
Thanks for the feedback and approving the PR @sfc-gh-swinkler.
We have some refactoring to do on our terraform modules so will bear these in mind once available...
Provider Version
0.67
Terraform Version
1.4.4
Code samples and commands
terraform
codeRun
```
terraform plan -out tfplan.plan
terraform apply tfplan.plan
terraform plan -out tfplan.plan
terraform apply tfplan.plan
```
Additional context
This probably affects other FUTURE GRANTS
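To check whether other schemas hit the same statement mismatch, the sketch below scans exported query-history text for a REVOKE on existing objects immediately paired with a GRANT on future objects. It is an added example, not the provider's code or anything posted in this issue; `find_mismatched_revokes` and `SAMPLE_HISTORY` are hypothetical names, the input is assumed to be a list of SQL strings in execution order, and the suggested REVOKE simply mirrors the `GRANT ... ON FUTURE` form quoted above.

```python
import re

# Statement shapes quoted in the issue; one-word privileges/object types only.
STMT = re.compile(
    r'^\s*(GRANT|REVOKE)\s+(\w+)\s+ON\s+(ALL|FUTURE)\s+(\w+)\s+IN\s+SCHEMA\s+'
    r'("[^"]+"\."[^"]+")\s+(?:TO|FROM)\s+ROLE\s+"([^"]+)"\s*;?\s*$',
    re.IGNORECASE,
)

def parse(sql):
    m = STMT.match(sql)
    if not m:
        return None
    verb, priv, scope, objs, schema, role = m.groups()
    return verb.upper(), priv.upper(), scope.upper(), objs.upper(), schema, role

def find_mismatched_revokes(history):
    """Flag REVOKE ... ON ALL followed by GRANT ... ON FUTURE of the same
    privilege and object type in the same schema to a different role, with no
    REVOKE ... ON FUTURE in between: the old future grant was never removed."""
    pending = {}  # (priv, objs, schema) -> role named in the REVOKE ... ON ALL
    findings = []
    for sql in history:
        parsed = parse(sql)
        if parsed is None:
            continue
        verb, priv, scope, objs, schema, role = parsed
        key = (priv, objs, schema)
        if verb == "REVOKE" and scope == "ALL":
            pending[key] = role
        elif verb == "REVOKE" and scope == "FUTURE":
            pending.pop(key, None)  # the future grant itself was revoked
        elif verb == "GRANT" and scope == "FUTURE" and key in pending:
            old_role = pending.pop(key)
            if old_role != role:
                findings.append({
                    "schema": schema, "old_role": old_role, "new_role": role,
                    # Assumed fix: the REVOKE mirroring the GRANT ... ON FUTURE form.
                    "missing_revoke": f'REVOKE {priv} ON FUTURE {objs} IN SCHEMA '
                                      f'{schema} FROM ROLE "{old_role}"',
                })
    return findings

# Constructed sample: the two statements from the issue plus an unrelated query.
SAMPLE_HISTORY = [
    'SHOW FUTURE GRANTS IN SCHEMA "BUGFIX"."FUTUREGRANTS"',
    'REVOKE OWNERSHIP ON ALL TASKS IN SCHEMA "BUGFIX"."FUTUREGRANTS" FROM ROLE "SERVICEROLE"',
    'GRANT OWNERSHIP ON FUTURE TASKS IN SCHEMA "BUGFIX"."FUTUREGRANTS" TO ROLE "SERVICEROLE2"',
]
```

Each finding names the schema and the role whose future grant is still in place, so it can be reviewed before the next apply.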