terraform-provider-snowflake
terraform-provider-snowflake copied to clipboard
Snowflake-Labs
COPY GRANTS option fails on new views
Terraform CLI and Provider Versions
TF v1.5.2 Snowflake TF 0.80.0
Terraform Configuration
resource "snowflake_view" "CustomerView" {
provider = snowflake.READER_ACCOUNTADMIN
for_each = local.customer_views
database = snowflake_database.CustomerDatabase[split(".", each.key)[0]].name
schema = snowflake_schema.CustomerSchema[join(".", [split(".", each.key)[0], split(".", each.key)[1]])].name
name = split(".", each.key)[2]
statement = <<-SQL
-- Force a change to the view so that it is recompiled ${timestamp()}
SELECT * FROM DB_SHARE.${split(".", each.key)[1]}.${split(".", each.key)[2]}
SQL
is_secure = true
copy_grants = true
}
Expected Behavior
View is created successfully
Actual Behavior
verbose TF_LOG shows that the CREATE VIEW statement includes the COPY GRANTS clause since copy_grants = true above. However, since this is a brand new view and NOT a CREATE OR REPLACE, COPY GRANTS is invalid and you get a SQL error of: "Invalid operation COPY GRANTS without specifying source object". Therefore, if the Snowflake provider knows this is a brand new view, then it should omit COPY GRANTS even if copy_grants = true so that valid SQL is produced.
Steps to Reproduce
terraform apply
How much impact is this issue causing?
Medium
Logs
No response
Additional Information
No response
Hey @scastria. Thanks for reaching out to us.
We will visit the topic of COPY GRANTS in general as a part of the upcoming resources redesign. I am not yet convinced which route we should take on this one. Also, the current behavior of the resource is different: when you change the statement, orReplace and copyGrants are added automatically. I think we may even remove these parameters completely from the resource. I will adjust the documentation.
For now, just don't set the copy_grants or set it together with or_replace.
Also, I see you are using "." splitting in your configurations. Snowflake identifiers are a bit more complex; it's possible to have the dot character as part of the identifier if you have a fully qualified part (wrapped in double quotes). We have the identifiers rework incoming. We want to address the issues our users have with identifiers.
This is just a FYI because these identifiers can really hurt sometimes.
Hey @scastria . We have released the fix as part of v0.87.0 release. Please follow the migration guide during the update. Please confirm that the issue is resolved in the newest version. Thanks!
Closing due to inactivity. Please create a new ticket with the newest provider version if the problem is still encountered.