Importing resources does not honor the role used in that resource's provider #149

Closed
davehowell opened this issue Mar 12, 2020 · 3 comments

davehowell commented Mar 12, 2020

When importing a resource, for example by running $ terraform import snowflake_user.<username> <USERNAME>, it does not appear to honor the role used in the resource's provider.

Steps to Reproduce

  1. Create a user in Snowflake:
USE ROLE "SECURITYADMIN";
CREATE USER CANNOTIMPORTME PASSWORD = '<password goes here>';
  2. Create a terraform file with a provider alias using the appropriate role
# main.tf
provider "snowflake" {
  version = "~> 0.10"
  account = "<account name here>"
  role    = "SYSADMIN"
}

provider "snowflake" {
  alias   = "securityadmin"
  version = "~> 0.10"
  account = "<account name here>"
  role    = "SECURITYADMIN"
}


resource "snowflake_user" "cannot_import_me" {
  provider          = "snowflake.securityadmin"
  name              = "CANNOTIMPORTME"
  default_role      = "${snowflake_role.<role resource>.name}"
  default_warehouse = "${snowflake_warehouse.<warehouse resource>.name}"
  default_namespace = "${snowflake_database.<database resource>.name}"
  comment           = "something something"
}

(do the usual terraform setup, install the provider plugin, terraform init, etc.)

  3. Import the user
$ terraform import snowflake_user.cannot_import_me CANNOTIMPORTME
snowflake_user.cannot_import_me: Importing from ID "CANNOTIMPORTME"...
snowflake_user.cannot_import_me: Import complete!
  Imported snowflake_user (ID: CANNOTIMPORTME)
snowflake_user.cannot_import_me: Refreshing state... (ID: CANNOTIMPORTME)

Error: snowflake_user.cannot_import_me (import id: CANNOTIMPORTME): 1 error occurred:
	* import snowflake_user.cannot_import_me result: CANNOTIMPORTME: snowflake_user.cannot_import_me: 003001 (42501): SQL access control error:
Insufficient privileges to operate on account '<account name goes here>'

Attempts to Resolve

  • The error Insufficient privileges to operate on account occurs because the user is owned by SECURITYADMIN, and terraform import is using the main snowflake provider, not the aliased provider snowflake.securityadmin

  • I tried setting the environment variable export SNOWFLAKE_ROLE=SECURITYADMIN but it made no difference

  • I tried changing my snowsql config role to SECURITYADMIN and it made no difference

  • I tried changing the role of the main provider, and it imported successfully:

provider "snowflake" {
  version = "~> 0.10"
  account = "<account name here>"
  role    = "SECURITYADMIN"
}

Next Steps

Given the way the Snowflake provider encapsulates the role used to connect, it is something unique to the Snowflake provider and not Terraform generally.

What Role do you recommend using in the main provider? It feels like ACCOUNTADMIN is too privileged for Terraform use.

@ryanking
Contributor

@davehowell As far as I can tell, this is a limitation of Terraform itself. This issue seems to indicate this is true and that you should supply the -provider argument to terraform import to work around it.

@thenaturalist
Contributor

Hi @ryanking this is still an issue, just by now, the solution you proposed does not work anymore.

The provider flag has been deprecated, see https://www.terraform.io/cli/commands/import

@thenaturalist
Contributor

@davehowell did you ever get around this? If so, what's your current approach to this given the deprecation of the provider flag?
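
Added example (not part of the thread and not the provider project's code): a pre-import check for the situation reported above. It lists, for each resource, the role of the provider configuration it is bound to and the role of the default (unaliased) provider, so a resource whose import would need a different role is visible before `terraform import` is run. The sample configuration is constructed from the report's main.tf, `import_role_report` and `attr` are hypothetical helper names, and the regex parsing assumes flat blocks with simple `key = "value"` attributes.

```python
import re

# Constructed sample, reduced from the main.tf in the report (placeholders kept).
SAMPLE_TF = '''
provider "snowflake" {
  account = "<account name here>"
  role    = "SYSADMIN"
}
provider "snowflake" {
  alias   = "securityadmin"
  account = "<account name here>"
  role    = "SECURITYADMIN"
}
resource "snowflake_user" "cannot_import_me" {
  provider = "snowflake.securityadmin"
  name     = "CANNOTIMPORTME"
}
resource "snowflake_warehouse" "example_wh" {
  name = "EXAMPLE_WH"
}
'''

# Matches flat top-level provider/resource blocks (no nested blocks: an assumption).
BLOCK = re.compile(r'^(provider|resource)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{(.*?)^\}', re.M | re.S)

def attr(body, key):
    """Return the value of a simple `key = "value"` attribute, or None."""
    m = re.search(rf'^[ \t]*{key}[ \t]*=[ \t]*"?([^"\n]+?)"?[ \t]*$', body, re.M)
    return m.group(1) if m else None

def import_role_report(tf_text):
    """Map each resource address to its provider's role and the default provider's role."""
    roles, resources = {}, []
    for kind, first, second, body in BLOCK.findall(tf_text):
        if kind == "provider":
            alias = attr(body, "alias")
            roles[f"{first}.{alias}" if alias else first] = attr(body, "role")
        else:
            # With no explicit provider, the resource type prefix names the default one.
            ref = attr(body, "provider") or first.split("_")[0]
            resources.append((f"{first}.{second}", ref))
    report = {}
    for address, ref in resources:
        own, default = roles.get(ref), roles.get(ref.split(".")[0])
        report[address] = {"provider": ref, "role": own, "default_role": default, "mismatch": own != default}
    return report

if __name__ == "__main__":
    for address, row in import_role_report(SAMPLE_TF).items():
        print(address, row)
```

Rows with `mismatch` set to true are the resources to review before importing; the rest are bound to the default provider's role.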
