
External Volume - Terraform not reading privileges properly #2533

Closed
caseywhoop opened this issue Feb 20, 2024 · 5 comments · Fixed by #2538
Labels
bug Used to mark issues with provider's incorrect behavior

Comments

@caseywhoop

caseywhoop commented Feb 20, 2024

Terraform CLI and Provider Versions

Terraform v1.7.3
on darwin_arm64
+ provider registry.terraform.io/snowflake-labs/snowflake v0.85.0

Terraform Configuration

resource "snowflake_grant_privileges_to_account_role" "grant_external_volume_iceberg_prod_external_volume" {
  privileges = ["USAGE"]
  account_role_name  = "ACCOUNTING_ROLE"

  on_account_object {
    object_type = "EXTERNAL VOLUME"
    object_name = "ICEBERG_PROD_EXTERNAL_VOLUME"
  }
}

Expected Behavior

1 - We expect there to be no diff after applying changes, confirming resource is properly configured in state file, and running a terraform plan.

2 - We expect terraform to delete the resource after removing the code from the repo and re-applying.

Actual Behavior

Running terraform plan still shows:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.roles.module.roles.module.accounting_role.snowflake_grant_privileges_to_account_role.grant_external_volume_iceberg_prod_external_volume will be updated in-place
  ~ resource "snowflake_grant_privileges_to_account_role" "grant_external_volume_iceberg_prod_external_volume" {
        id                = "\"ACCOUNTING_ROLE\"|false|false|USAGE|OnAccountObject|EXTERNAL VOLUME|\"ICEBERG_PROD_EXTERNAL_VOLUME\""
      ~ privileges        = [
          + "USAGE",
        ]
        # (5 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Re-applying this will not resolve the diff; it will always try to re-add "USAGE".

Removing the resource from the repo shows the incorrect changes to be applied (note: the USAGE privilege is missing):

Terraform will perform the following actions:

  # module.roles.module.roles.module.accounting_role.snowflake_grant_privileges_to_account_role.grant_external_volume_iceberg_prod_external_volume will be destroyed
  # (because snowflake_grant_privileges_to_account_role.grant_external_volume_iceberg_prod_external_volume is not in configuration)
  - resource "snowflake_grant_privileges_to_account_role" "grant_external_volume_iceberg_prod_external_volume" {
      - account_role_name = "ACCOUNTING_ROLE" -> null
      - all_privileges    = false -> null
      - always_apply      = false -> null
      - id                = "\"ACCOUNTING_ROLE\"|false|false|USAGE|OnAccountObject|EXTERNAL VOLUME|\"ICEBERG_PROD_EXTERNAL_VOLUME\"" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - with_grant_option = false -> null

      - on_account_object {
          - object_name = "ICEBERG_PROD_EXTERNAL_VOLUME" -> null
          - object_type = "EXTERNAL VOLUME" -> null
        }
    }

If you try to apply these changes, you get an error:

│ Error: An error occurred when revoking privileges from account role
│ 
│ Id: "ACCOUNTING_ROLE"|false|false|USAGE|OnAccountObject|EXTERNAL VOLUME|"ICEBERG_PROD_EXTERNAL_VOLUME"
│ Account role name: "ACCOUNTING_ROLE"
│ Error: [grants_validations.go:44] exactly one of AccountRoleGrantPrivileges fields [AllPrivileges GlobalPrivileges AccountObjectPrivileges SchemaPrivileges SchemaObjectPrivileges] must be set

Steps to Reproduce

To replicate the first bug:

  1. terraform apply
  2. yes apply changes
  3. terraform plan
  4. We will see that terraform still wants to add the USAGE privilege

To replicate the second bug:

  1. terraform apply
  2. yes apply changes
  3. remove resource config from code
  4. terraform apply
  5. yes apply changes
  6. We will see that terraform throws an error requesting that privileges be set

How much impact is this issue causing?

High

Logs

No response

Additional Information

This is a huge blocker as we have external volume grants as part of a permissions module, and it means we cannot ever remove any permissions once granted to users.

It also means we cannot have any CI/CD or developer PR checks, as there will always be a diff in the Terraform plan.

@caseywhoop caseywhoop added the bug Used to mark issues with provider's incorrect behavior label Feb 20, 2024
@bjornm82

@caseywhoop, I experienced the same issue (see comment in my part); however, for our use-case we don't have a need to limit privileges on EXTERNAL VOLUMES yet and therefore never bothered to look into it.

# TODO: With only PRIVILEGE on USAGE won't infer the change in state and as well can't be deleted.
resource "snowflake_grant_privileges_to_account_role" "all_privileges_to_volume" {
  all_privileges = true
  account_role_name = snowflake_role.service_full.name
  always_apply = false
  on_account_object {
    object_name = "${upper(local.project_name)}_${upper(local.environment)}_${upper(local.domain_short)}_${upper(local.bounded_context_short)}_VOLUME"
    object_type = "EXTERNAL VOLUME"
  }
  
  depends_on = [snowflake_unsafe_execute.external_volume]
}

@sfc-gh-jcieslak created the part on grants due to issue 2248 created by @danu165.

@sfc-gh-jcieslak sfc-gh-jcieslak self-assigned this Feb 21, 2024
@sfc-gh-jcieslak (Collaborator)

Hey @caseywhoop 👋
Thanks for filing an issue. This seems like an issue with the fact we're expecting a grant on EXTERNAL VOLUME and Snowflake returns VOLUME in this case for the SHOW GRANTS command, which leads to the reported issue. I'll work on it and let you know when the fix will be available.

sfc-gh-jcieslak added a commit that referenced this issue Feb 28, 2024
Fixes:
#2533
Terraform couldn't read privileges for External volumes, because
Snowflake returns a shorter `VOLUME` name where we expect `EXTERNAL
VOLUME` to be returned. The proposed fix relies on replacing `EXTERNAL
VOLUME` with `VOLUME` in the prepare read request function so that the
Read operation will be untouched and will work for external volumes.

## Test Plan
* [x] acceptance tests to show the fix works (didn't pass without the
fix)

## Other
Wrote to the docs team to add this case to the SHOW GRANTS page.

**Update**: added missing privileges (CREATE MODEL needed for
#2563)
@sfc-gh-jcieslak (Collaborator)

Hey @caseywhoop. We have released the fix as part of v0.87.0 release. Please follow the migration guide during the update. Please confirm that the issue is resolved in the newest version. Thanks!

@caseywhoop (Author)

caseywhoop commented Feb 28, 2024

> Hey @caseywhoop. We have released the fix as part of v0.87.0 release. Please follow the migration guide during the update. Please confirm that the issue is resolved in the newest version. Thanks!

External Volume stuff looks great now, thank you! Now that my diff isn't as cluttered, I can see that I am having a similar issue with the "apply tag" permission. No matter how many times I apply these changes, they keep popping up in the diff. Please let me know if I should open a new ticket. Thank you!

Terraform will perform the following actions:

  # module.permissions.module.roles.module.service_roles.module.transformer_role.snowflake_account_grant.grant will be updated in-place
  ~ resource "snowflake_account_grant" "grant" {
        id                     = "apply tag|false|TRANSFORMER_ROLE"
      ~ roles                  = [
          + "TRANSFORMER_ROLE",
        ]
        # (3 unchanged attributes hidden)
    }

@sfc-gh-jcieslak (Collaborator)

Great to hear EXTERNAL VOLUMES are working for you! Yes, please open another ticket, but before that please try to use the latest grant resource (this one is deprecated and we're not planning on supporting deprecated resources). For this kind of grant, it should be snowflake_grant_privileges_to_account_role. Try to use that one and if the error persists, create a ticket.
