New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Imported privileges on SNOWFLAKE database not registered in state #1998
Comments
I'm seeing this in provider version 0.68.0 as well with database grants:
|
So happy to see this issue raised again, it's been driving me nuts. I've needed to manually comment/uncomment this line in my snowflake_database_grant resource to work around it:
Related: #1573 |
Do you know if anyone is looking into this? I got the same error :(. After |
We had been facing the same issue, wherein snowflake.account_usage grant would show up on each terraform plan. We would ignore it and apply the changes and nothing would change. But from past few days apply has been failing for this resource with insufficient privileges error. Can you please help to check this? |
We are facing the same issue with a
It will still yield the following changes when using plan:
|
Any update on this issue. Our terraform apply keep getting failed because of this issue. |
I am also observing this bug and documented it in #1981 |
We are having this error with the new
The grant is in the state, visible with |
I am also getting this error. Any updates on a fix? |
I am seeing this behavior as well. Is anyone looking into this? |
This issue is still present on 0.75.0 |
I'm still observing this in 0.79.1. It occurs with both the |
Hi all,
We will be working soon on a workaround that will work for now. It won't be a final fix and we will come back to it sooner or later, but it should fix the infinite plan issue everyone is mentioning. |
…ting resources (#2471) IMPORTED PRIVILEGES privilege is a special case where returned (IMPORTED PRIVILEGES) privilege from SHOW GRANTS shows up as a USAGE privilege. Thus, I had to create a logic that would swap those two in the Read operation. As IMPORTED PRIVILEGES is a privilege that can only be applied to the database created from share, I had to create a test with share and the database created on the second account. References - #1890 (comment) - #1998
Hi again 👋 |
@sfc-gh-jcieslak, I upgrded the provider to v0.87.0, but still have the same issue. And I tried both ways snowflake_grant_privileges_to_role and snowflake_database_grant
And got change on plan after apply.
Did I miss something? |
Fix for: #1998 and #2366 Changes - Because it's the default database it fulfills our `if` checks for futures, so added a check for `name != SNOWFLAKE` - The second check was added to make it possible to grant privileges on applications by setting object_type to DATABASE - Those cases were added to the documentation for the `snowflake_grant_privilege_to_account_role` resource - Added acceptance test that would check if SNOWFLAKE database could be made with `object_type = DATABASE` - I also added a follow-up ticket to add additional tests for applications when they are available.
Hi again @dlouseiro @dstuck @attrivivekFF @jacobcbeaudin @merlixo @ryan-pip @georgeb-accelins @LukasSandm @qbatten @chrisweis @Tideorz 👋 |
@sfc-gh-jcieslak, I still got the same error. |
@Tideorz Interesting, could you share more details? Terraform CLI version, Snowflake provider version, configuration that's causing the issue? The latest resource to grant privileges to account role is |
@sfc-gh-jcieslak, thanks for your information. I didn't use the And I tried on the v0.87.2
But I got the error:
Do you know how I could fix this? |
@Tideorz Since it's an error from "revoking" privileges, I'm guessing that's the error from the old resource you just removed and not the one you're trying to add. Because old resources didn't support IMPORTED PRIVILEGES it may be hard to remove it properly. Please, follow the guide and remove the old privilege granting resource from the state and "replace" it with the new one. The whole process of removing old resource and adding a new one is described in the guide. After resolving the issue with the old resource, the new one should be working just fine. |
@sfc-gh-jcieslak, thanks a lot. And I've another question, the terraform-provider-snowflake has changed a lot recently. And I found my Terraform code has a lot of deprecated resources. Do you know whether we'll remove these deprecated resources from the provider someday? I want to know how urgent I should take care of this resource migration work if you can give me some information. Thanks |
We won't be removing resources any time soon, but it's always recommended to use the latest TF provider versions/resources because they're the most complete (like in this example the newer grant resource has more edge cases covered). The deprecated resources will be probably removed with the v1.0.0 version, but it will still take some time until we get there (cannot say when) because there's still a lot to do. |
Closing, as the fix was confirmed in other threads and gh issues. If the issue persists, please create another gh issue. Remember, we're not supporting the deprecated resources and before creating an issue, please check the latest provider version with non-deprecated resources to see if the issue is still present. |
Provider Version
0.69.0
Terraform Version
1.5.4
Describe the bug
The
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE X
is not properly registered in the state file, which causes everyterraform plan
to consider these privileges as non-existent privileges every time.Expected behavior
For these privileges to be registered in the state file.
Code samples and commands
The text was updated successfully, but these errors were encountered: