Imported privileges on SNOWFLAKE database not registered in state
Provider Version
0.69.0
Terraform Version
1.5.4
Describe the bug
The GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE X is not properly registered in the state file, which causes every terraform plan to treat these privileges as non-existent.
Expected behavior
For these privileges to be registered in the state file.
Code samples and commands
resource "snowflake_grant_privileges_to_role" "snowflake_imported_privileges_usage_monitoring" {
  privileges = ["IMPORTED PRIVILEGES"]
  role_name  = snowflake_role.usage_monitoring.name
  on_account_object {
    object_type = "DATABASE"
    object_name = "SNOWFLAKE"
  }
}
I'm seeing this in provider version 0.68.0 as well with database grants:
resource "snowflake_database_grant" "import_privileges_account_info" {
  database_name          = "SNOWFLAKE"
  privilege              = "IMPORTED PRIVILEGES"
  roles                  = [snowflake_role.account_info_admin.name]
  with_grant_option      = false
  enable_multiple_grants = true
}
So happy to see this issue raised again, it's been driving me nuts. I've needed to manually comment/uncomment this line in my snowflake_database_grant resource to work around it:
  lifecycle {
    ignore_changes = all
  }
Related: https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/1573
Do you know if anyone is looking into this? I got the same error :(. After terraform apply, running terraform plan again still shows the same changes that need to be applied.
We had been facing the same issue, wherein the snowflake.account_usage grant would show up on each terraform plan. We would ignore it and apply the changes, and nothing would change. But for the past few days apply has been failing for this resource with an insufficient privileges error. Can you please help to check this?
We are facing the same issue with a USAGE grant on version 0.70.0 of the provider. It is not properly recorded in the state. For example, applying the following resource:
resource "snowflake_grant_privileges_to_role" "<some_grant_name>" {
  for_each   = var.schemas
  privileges = ["USAGE"]
  role_name  = snowflake_role.<some-role>.name
  on_schema {
    schema_name = "${snowflake_database.<some-db>.name}.${snowflake_schema.<some-schema>[each.key].name}"
  }
}
It will still yield the following changes when using plan:
  # snowflake_grant_privileges_to_role.<some_grant_name>["<some-key>"] will be updated in-place
  ~ resource "snowflake_grant_privileges_to_role" "<some_grant_name>" {
        id         = "<generated-id>"
      ~ privileges = [
          + "USAGE",
        ]
        # (4 unchanged attributes hidden)
        # (1 unchanged block hidden)
    }
Any update on this issue? Our terraform apply keeps failing because of it.
I am also observing this bug and documented it in #1981
We are having this error with the new snowflake_grant_privileges_to_role grant resource in v0.70.1:
resource "snowflake_grant_privileges_to_role" "role1" {
  provider   = snowflake.accountadmin
  privileges = ["IMPORTED PRIVILEGES"]
  role_name  = "ROLE1"
  on_account_object {
    object_type = "DATABASE"
    object_name = "SNOWFLAKE"
  }
}
The grant is in the state, visible with terraform state show, but terraform still detects changes in the Terraform plan.
I am also getting this error. Any updates on a fix?
I am seeing this behavior as well. Is anyone looking into this?
This issue is still present on 0.75.0
I'm still observing this in 0.79.1. It occurs with both the snowflake_database_grant resource and the snowflake_grant_privileges_to_role resource. Anything we can do to get some eyes on this from the Snowflake team?
Hi all,
IMPORTED PRIVILEGES is one of the problematic privileges to handle in Terraform, mainly because it's more of an "abstract" privilege. It cannot be queried, and that's the main reason behind the infinite plan.
We will be working soon on a workaround that will work for now. It won't be a final fix and we will come back to it sooner or later, but it should fix the infinite plan issue everyone is mentioning.
Hi again 👋 Yesterday we released a new version (v0.86.0) containing the fix for this issue. @dlouseiro Could you and others confirm the issue has been resolved and the ticket can be closed? Thanks :)
@sfc-gh-jcieslak, I upgraded the provider to v0.87.0, but still have the same issue. And I tried both ways, snowflake_grant_privileges_to_role and snowflake_database_grant:
resource "snowflake_grant_privileges_to_role" "database_grant_usage" {
  provider   = snowflake.security
  privileges = ["IMPORTED PRIVILEGES"]
  role_name  = module.read_role.name
  on_account_object {
    object_type = "DATABASE"
    object_name = local.name
  }
}
And got a change on plan after apply:
Terraform will perform the following actions:

  # module.snowflake_database.snowflake_grant_privileges_to_role.database_grant_usage will be updated in-place
  ~ resource "snowflake_grant_privileges_to_role" "database_grant_usage" {
        id         = "SNOWFLAKE_READ|IMPORTED PRIVILEGES|false|false|false|true|false|false|false|false|DATABASE|SNOWFLAKE||false||false|"
      ~ privileges = [
          + "IMPORTED PRIVILEGES",
        ]
        # (4 unchanged attributes hidden)
        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
resource "snowflake_database_grant" "database_grant_usage" {
  provider      = snowflake.security
  database_name = local.name
  privilege     = "IMPORTED PRIVILEGES"
  roles         = [module.read_role.name]
}
Terraform will perform the following actions:

  # module.snowflake_database.snowflake_database_grant.database_grant_usage will be updated in-place
  ~ resource "snowflake_database_grant" "database_grant_usage" {
        id    = "SNOWFLAKE|IMPORTED PRIVILEGES|false|SNOWFLAKE_READ|"
      ~ roles = [
          + "SNOWFLAKE_READ",
        ]
        # (5 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
Did I miss something?
@Tideorz Please see this thread - https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/2459 We need to take additional steps to make it work, but I'm working on it right now.
Hi again @dlouseiro @dstuck @attrivivekFF @jacobcbeaudin @merlixo @ryan-pip @georgeb-accelins @LukasSandm @qbatten @chrisweis @Tideorz 👋
Today we released a bugfix version 0.87.1. Please give it a go and see if the issue persists with the snowflake_grant_privileges_to_account_role resource.
@sfc-gh-jcieslak, I still got the same error.
@Tideorz Interesting, could you share more details? Terraform CLI version, Snowflake provider version, configuration that's causing the issue? The latest resource to grant privileges to account role is snowflake_grant_privileges_to_account_role and that's the most updated version. Other deprecated resources are not supported, so if you are still using deprecated resources, please migrate to the newest ones. Here's a list of currently deprecated resources and here's a guide on migrating resources with no downtime with grants as an example.
@sfc-gh-jcieslak, thanks for the information. I hadn't used snowflake_grant_privileges_to_account_role before.
And I tried it on v0.87.2:
resource "snowflake_grant_privileges_to_account_role" "database_grant_usage" {
  provider          = snowflake.admin
  privileges        = ["IMPORTED PRIVILEGES"]
  account_role_name = module.read_role.name
  on_account_object {
    object_type = "DATABASE"
    object_name = local.name
  }
}
But I got the error:
╷
│ Error: error revoking privileges from account role: [grants_validations.go:44] exactly one of AccountRoleGrantPrivileges fields [AllPrivileges GlobalPrivileges AccountObjectPrivileges SchemaPrivileges SchemaObjectPrivileges] must be set
│
Do you know how I could fix this?
@Tideorz Since it's an error from "revoking" privileges, I'm guessing that's the error from the old resource you just removed and not the one you're trying to add. Because the old resources didn't support IMPORTED PRIVILEGES, it may be hard to remove it properly. Please follow the guide and remove the old privilege-granting resource from the state and "replace" it with the new one. The whole process of removing the old resource and adding a new one is described in the guide. After resolving the issue with the old resource, the new one should work just fine.
@sfc-gh-jcieslak, thanks a lot.
And I have another question: the terraform-provider-snowflake has changed a lot recently, and I found my Terraform code has a lot of deprecated resources. Do you know whether these deprecated resources will be removed from the provider someday? I'd like to know how urgently I should take care of this resource migration work, if you can give me some information.
Thanks
We won't be removing resources any time soon, but it's always recommended to use the latest TF provider versions/resources because they're the most complete (like in this example, the newer grant resource has more edge cases covered). The deprecated resources will probably be removed with the v1.0.0 version, but it will still take some time until we get there (cannot say when) because there's still a lot to do.
Closing, as the fix was confirmed in other threads and gh issues. If the issue persists, please create another gh issue. Remember, we're not supporting the deprecated resources, so before creating an issue, please check the latest provider version with non-deprecated resources to see if the issue is still present.