Snowflake-Labs
[Bug]: grant_ownership does not work on procedure
Terraform CLI Version
1.8.3
Terraform Provider Version
0.89.0
Terraform Configuration
resource "snowflake_database" "test" {
name = "DB"
}
resource "snowflake_schema" "test" {
name = "SCHEMA"
database = snowflake_database.test.name
}
resource "snowflake_role" "test" {
name = "TEST"
}
resource "snowflake_grant_account_role" "test" {
role_name = snowflake_role.test.name
parent_role_name = "SYSADMIN"
}
resource "snowflake_procedure" "test" {
name = "PROCEDURE"
database = snowflake_database.test.name
schema = snowflake_schema.test.name
language = "JAVASCRIPT"
return_type = "VARCHAR"
statement = "return 'Hi'"
}
resource "snowflake_grant_ownership" "test" {
account_role_name = snowflake_role.test.name
on {
object_type = "PROCEDURE"
object_name = "${snowflake_database.test.name}.${snowflake_schema.test.name}.${snowflake_procedure.test.name}()"
}
}
Category
category:identifiers
Object type(s)
resource:grant_ownership
Expected Behavior
expected fully qualified name is "DB"."SCHEMA"."PROCEDURE"()
Actual Behavior
but actual is "DB"."SCHEMA"."PROCEDURE()"
│ Id: ToAccountRole|"TEST"||OnObject|PROCEDURE|"DB"."SCHEMA"."PROCEDURE()"
│ Error: 090208 (42601): Argument types of function 'PROCEDURE()' must be specified.
Steps to Reproduce
- copy the following configuration
- terraform apply
How much impact is this issue causing?
Medium
Logs
No response
Additional Information
The workaround for grant_privileges_to_account_role does not work because of the different parse logic of IDs.
- grant_ownership - https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/57ee66bf76590da389b3343b5b6a0fd7d0e4836e/pkg/resources/grant_ownership.go#L403
- grant_privileges_to_account_role - https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/57ee66bf76590da389b3343b5b6a0fd7d0e4836e/pkg/resources/grant_privileges_to_account_role_identifier.go#L145
Even if parse logic is the same, it does not work in a empty arguments because the () is removed.
The following error should occur
Error: 090208 (42601): Argument types of function 'SOME_PROCEDURE' must be specified.
Would you like to implement a fix?
- [ ] Yeah, I'll take it 😎
Hey 👋 Thanks for creating an issue for this. The identifiers rework will happen this quarter, but we haven't started it yet. We have to analyze all the cases where we feel the identifiers are lacking and provide a proposal we can all agree on. Without the proposal, we cannot give any instructions, but I will link this issue to do it as part of the identifiers rework.
Hi @sfc-gh-jcieslak :)
Thank you for releasing version 0.93.0!
I am eager to use this version, but unfortunately, I cannot upgrade until the issue with the identifiers rework is resolved. Depending on when this will be addressed, we are considering excluding non-functioning grant resources from Terraform management.
Could you please provide an update on the current status of the identifiers rework?
Thank you for your assistance!
Hey @YAhiru. @sfc-gh-jcieslak is on a short vacation. He will come back on Monday and the identifiers rework will be his first focus. I will let him know about your request, so he can provide you with a better timeline.
Hey @YAhiru, I'm back 😎 and I'll be working on identifiers this week, but the identifiers for functions/procedures can only be done after some other work that will be a base for other identifier improvements. That being said this issue should be resolved in this or next week (I'll notify you here when it will be waiting for the release).
Thank you!
I appreciate the quick response and am looking forward to the release :)
We are also stuck on version 0.92 now, because the deprecated resource "snowflake_procedure_grant" has been removed in version 0.93. The new resource "snowflake_grant_privileges_to_account_role" does not work with procedures that do not have arguments. The old resource worked with it. Maybe you could leave the old resource available until the new resource is able to cover this case?
Thanks and kind regards Susanne
Hey @susanneauxmoney, we are currently fixing the identifiers, including this case. It should be a part of the next release (Wednesday/Thursday next week).
@sfc-gh-asawicki great news and thanks a lot for your quick reply 👍 .
Hey @susanneauxmoney, we are currently fixing the identifiers, including this case. It should be a part of the next release (Wednesday/Thursday next week).
Any update when the fix will be released?
Hey @rahulgoyal01 👋 (cc: @YAhiru @susanneauxmoney) This will be my next task after introducing a new identifier representation for functions/procedures/external functions in our SDK. Hopefully, the fix for this (and other privilege-granting resources) will land in the next release (and if not the next one, it should certainly be fixed in the one after).
Hi @YAhiru @susanneauxmoney @rahulgoyal01 👋 The fix was released in a new provider version (v0.95.0). Please upgrade using the migration guide.
@sfc-gh-jmichalak Thank you!
In my environment, I was able to migrate without any problems!