[Bug]:

[santhoshreddych]

Terraform CLI Version

1.8.5

Terraform Provider Version

1.0.0

Company Name

No response

Terraform Configuration

snowflake_grant_privileges_to_account_role

Category

category:resource

Object type(s)

resource:grant_privileges_to_account_role

Expected Behavior

Terraform should be able to delete/destroy the resources without any issue

Actual Behavior

Terraform apply is failing to delete/destroy the resources with below error for below privileges.

• CREATE STREAMLIT
• CREATE SNOWFLAKE.ML.ANOMALY_DETECTION
• CREATE SNOWFLAKE.ML.FORECAST

An error occurred when revoking privileges from account role�[0m
�[31m│�[0m �[0m
�[31m│�[0m �[0m�[0mId: "_COMP_OPS_DEV_DB_APP_ADMIN_PRIV"|false|false|CREATE
�[31m│�[0m �[0mSTREAMLIT|OnSchema|OnSchema|"COMP_OPS_DEV_DB"."APP"
�[31m│�[0m �[0mAccount role name: "_COMP_OPS_DEV_DB_APP_ADMIN_PRIV"
�[31m│�[0m �[0mError: [grants_validations.go:174] exactly one of
�[31m│�[0m �[0mAccountRoleGrantPrivileges fields [AllPrivileges GlobalPrivileges
�[31m│�[0m �[0mAccountObjectPrivileges SchemaPrivileges SchemaObjectPrivileges] must be
�[31m│�[0m �[0mset

Steps to Reproduce

We are migrating our terraform provider from 0.92 to 1.0.0 . As part of this we are re-structuring our code. We are passing the schema privs and role name as vars.

Since we are are consolidating the privs to single resource instead of for_each, Terraform is trying to destroy the old resources but failing with the error

List of privs

• CREATE STREAMLIT
• CREATE SNOWFLAKE.ML.ANOMALY_DETECTION
• CREATE SNOWFLAKE.ML.FORECAST

FROM

resource "snowflake_grant_privileges_to_account_role" "SCHEMA_GRANTS_NEW" {
  for_each          = toset(var.schema_privs_new)
  privileges        = toset([each.key])
  account_role_name = var.role
  on_schema {
    schema_name = "\"${var.database_name}\".\"${var.schema_name}\""
  }
  depends_on = [
    snowflake_role_grants.SYSADMIN_GRANTS,
    snowflake_schema_grant.SCHEMA_GRANTS,
  ]
}

To

resource "snowflake_grant_privileges_to_account_role" "SCHEMA_GRANTS_NEW" {
  count = length(var.schema_privs_new ) > 0 ? 1 : 0
  privileges      = var.schema_privs_new  
  account_role_name = var.role
  on_schema {
    schema_name = var.schema_fully_qualified_name # note this is a fully qualified name!
  } 
  depends_on = [
    snowflake_grant_ownership.SCHEMA_GRANTS,
    snowflake_grant_privileges_to_account_role.SCHEMA_GRANTS,
  ]

How much impact is this issue causing?

Medium

Logs

�[31m│�[0m �[0m�[1m�[31mError: �[0m�[0m�[1mAn error occurred when revoking privileges from account role�[0m �[31m│�[0m �[0m �[31m│�[0m �[0m�[0mId: "_G1001_ANA_DEV_DB_SIGMA_ADMIN_PRIV"|false|false|CREATE �[31m│�[0m �[0mMODEL|OnSchema|OnSchema|"G1001_ANA_DEV_DB"."SIGMA" �[31m│�[0m �[0mAccount role name: "_G1001_ANA_DEV_DB_SIGMA_ADMIN_PRIV" �[31m│�[0m �[0mError: [grants_validations.go:174] exactly one of �[31m│�[0m �[0mAccountRoleGrantPrivileges fields [AllPrivileges GlobalPrivileges �[31m│�[0m �[0mAccountObjectPrivileges SchemaPrivileges SchemaObjectPrivileges] must be �[31m│�[0m �[0mset �[31m╵�[0m�[0m �[31m╷�[0m�[0m �[31m│�[0m �[0m�[1m�[31mError: �[0m�[0m�[1mAn error occurred when revoking privileges from account role�[0m �[31m│�[0m �[0m �[31m│�[0m �[0m�[0mId: "_G1001_ANA_PROD_DB_DISTRIBUTION_STAGING_RW_PRIV"|false|false|CREATE �[31m│�[0m �[0mSNOWFLAKE.ML.ANOMALY_DETECTION|OnSchema|OnSchema|"G1001_ANA_PROD_DB"."DISTRIBUTION_STAGING" �[31m│�[0m �[0mAccount role name: "_G1001_ANA_PROD_DB_DISTRIBUTION_STAGING_RW_PRIV" �[31m│�[0m �[0mError: [grants_validations.go:174] exactly one of �[31m│�[0m �[0mAccountRoleGrantPrivileges fields [AllPrivileges GlobalPrivileges �[31m│�[0m �[0mAccountObjectPrivileges SchemaPrivileges SchemaObjectPrivileges] must be

Additional Information

No response

Would you like to implement a fix?

• Yeah, I'll take it 😎

[sfc-gh-jmichalak]

Hi @santhoshreddych 👋

The privileges field seems to be empty during the grant revoking. Please send the plan with terraform plan, and the values of the variables you're using (var.schema_privs_new).

[santhoshreddych]

Thank you @sfc-gh-jmichalak. Please find the attached plan and apply logs. FYI, Plan is successful. The process fails during apply.

schema_privs_new variable values - In the apply logs error, I see that these privilege values are being sent

  "schema_privs" = [],
      "schema_privs_new"= [
        "CREATE SNOWFLAKE.ML.FORECAST",
        "CREATE SNOWFLAKE.ML.ANOMALY_DETECTION",
        "CREATE MODEL",
        "CREATE STREAMLIT",
      ],

plan-dev.log
apply-dev.log

[sfc-gh-jmichalak]

I found something like this in plan-dev.log

^[[1m  # module.DATABASES["WIZ_DB"].module.SCHEMA["AUDIT"].module.PRIVILEGES["RW"].snowflake_grant_privileges_to_account_role.SCHEMA_GRANTS_NEW[0]^[[0m will be created
^[[0m  ^[[32m+^[[0m^[[0m resource "snowflake_grant_privileges_to_account_role" "SCHEMA_GRANTS_NEW" {
      ^[[32m+^[[0m^[[0m account_role_name = "_WIZ_DB_AUDIT_RW_PRIV"
      ^[[32m+^[[0m^[[0m all_privileges    = false
      ^[[32m+^[[0m^[[0m always_apply      = false
      ^[[32m+^[[0m^[[0m id                = (known after apply)
      ^[[32m+^[[0m^[[0m on_account        = false
      ^[[32m+^[[0m^[[0m privileges        = [
          ^[[32m+^[[0m^[[0m "CREATE MODEL",
          ^[[32m+^[[0m^[[0m "CREATE SNOWFLAKE.ML.ANOMALY_DETECTION",
          ^[[32m+^[[0m^[[0m "CREATE SNOWFLAKE.ML.FORECAST",
        ]
      ^[[32m+^[[0m^[[0m with_grant_option = false

      ^[[32m+^[[0m^[[0m on_schema {
          ^[[32m+^[[0m^[[0m schema_name = "\"WIZ_DB\".\"AUDIT\""
        }
    }
^[[1m  # module.DATABASES["WIZ_DB"].module.SCHEMA["AUDIT"].module.PRIVILEGES["RW"].snowflake_grant_privileges_to_account_role.SCHEMA_GRANTS_NEW["CREATE MODEL"]^[[0m will be ^[[1m^[[31mdestroyed^[[0m
  # (because resource does not use for_each)
^[[0m  ^[[31m-^[[0m^[[0m resource "snowflake_grant_privileges_to_account_role" "SCHEMA_GRANTS_NEW" {
      ^[[31m-^[[0m^[[0m account_role_name = "_WIZ_DB_AUDIT_RW_PRIV" ^[[90m-> null^[[0m^[[0m
      ^[[31m-^[[0m^[[0m all_privileges    = false ^[[90m-> null^[[0m^[[0m
      ^[[31m-^[[0m^[[0m always_apply      = false ^[[90m-> null^[[0m^[[0m
      ^[[31m-^[[0m^[[0m id                = "\"_WIZ_DB_AUDIT_RW_PRIV\"|false|false|CREATE MODEL|OnSchema|OnSchema|\"WIZ_DB\".\"AUDIT\"" ^[[90m-> null^[[0m^[[0m
      ^[[31m-^[[0m^[[0m on_account        = false ^[[90m-> null^[[0m^[[0m
      ^[[31m-^[[0m^[[0m privileges        = [] ^[[90m-> null^[[0m^[[0m
      ^[[31m-^[[0m^[[0m with_grant_option = false ^[[90m-> null^[[0m^[[0m

      ^[[31m-^[[0m^[[0m on_schema {
          ^[[31m-^[[0m^[[0m schema_name                = "\"WIZ_DB\".\"AUDIT\"" ^[[90m-> null^[[0m^[[0m
            ^[[90m# (2 unchanged attributes hidden)^[[0m^[[0m
        }
    }

This shows that the resource is being destroyed (meaning the grants are being revoked) with empty privileges. The reason is that the key/index is now different (module.DATABASES["WIZ_DB"].module.SCHEMA["AUDIT"].module.PRIVILEGES["RW"].snowflake_grant_privileges_to_account_role.SCHEMA_GRANTS_NEW["CREATE MODEL"] -> module.DATABASES["WIZ_DB"].module.SCHEMA["AUDIT"].module.PRIVILEGES["RW"].snowflake_grant_privileges_to_account_role.SCHEMA_GRANTS_NEW[0]).

This results from the change from for_each to count. Please either continue using for_each, or migrate to the new resources according to our Resource migration guide.