terraform-provider-snowflake
snowflake_grant_privileges_to_account_role to support OWNERSHIP role
Terraform CLI and Provider Versions
v1.5.4
Use Cases or Problem Statement
Usage of snowflake_<resource>_grant is being deprecated in favour of snowflake_grant_privileges_to_account_role as per the deprecation warning.
Warning: Deprecated Resource
│
│ with snowflake_database_grant.grant_db_dev_data_lake,
│ on database.tf line 15, in resource "snowflake_database_grant" "grant_db_dev_data_lake":
│ 15: resource "snowflake_database_grant" "grant_db_dev_data_lake" {
│
│ This resource is deprecated and will be removed in a future major version release. Please use snowflake_grant_privileges_to_account_role instead.
Example snowflake_database_grant accepts the privilege OWNERSHIP however trying to move to the proposed new function throws the error:
Error: Unsupported privilege 'OWNERSHIP'
|
|
|
Granting ownership is only allowed in dedicated resources (snowflake_user_ownership_grant, snowflake_role_ownership_grant)
Proposal
Either the function snowflake_grant_privileges_to_account_role supports the 'OWNERSHIP' role or examples are given of how to port from the deprecated snowflake_<resource>_grant function to the new function
How much impact is this issue causing?
Medium
Additional Information
No response
The same thing is happening with the snowflake_grant_privileges_to_database_role on attempted OWNERSHIP grants, could we add similar modification of that role as well?
@sfc-gh-jcieslak to be clear there are a number of functions that are being deprecated and all have the same behaviour, I've just listed one of them in the example and @lachniej has called out another. Would be amazing to support all deprecated functions
Hey @AndrewKlimovski @lachniej 👋
We wanted to create another resource that will be specialized in granting ownership, as already mentioned snowflake_grant_privileges_to_database_role and snowflake_grant_privileges_to_account_role are already complex resources. Additionally granting ownership comes with its features and many edge cases that would add to the complexity and maintainability of those resources. That said, we'll add a new resource that will be used only for ownership transfer operations. I should start the work on the implementation this week.
Thanks for the update @sfc-gh-jcieslak
Not sure what you mean by "as already mentioned" can you please clarify?
Would love to avoid double handling my SQL translations if possible.
Thanks
Sure, you mentioned snowflake_grant_privileges_to_account_role and @lachniej snowflake_grant_privileges_to_database_role. I just wanted to clarify that in those resources OWNERSHIP won't be an accepted privilege (like right now, we'll error out, but will point you with the message to the new grant ownership resource once it's available). Granting OWNERSHIP will be handled by the newly introduced resource.
@sfc-gh-jcieslak Thanks for clarifying and confirming the approach. The talk about creating a separate resource for handling the specialized ownership grant has been around for about 6 months in various threads I have been on and read. Is there a rough ETA of when we could expect to see a resource like this? More curious than anything because we have some jenky workarounds in place right now for this.
@Bryan-Meier it looks like they are actively working on it https://github.com/Snowflake-Labs/terraform-provider-snowflake/pull/2604
YAY!!! I missed #2604. Thanks for pointing that out @lachniej. I can't tell you how much complexity and maintenance this is going to relieve for us!
Reopening, because it auto-closed :/
Hey 👋 Closing, as the issue was about the deprecated/not allowed functionality. Recently, we released a new grant resource which is capable of granting ownership. Please, give it a try. If there will be any issues with it, create another GitHub issue. Also, please check our technical documentation section where you can find a migration guide that can help you with upgrading to the latest grant resources and our newly added design decision doc (regarding new grant resources).