terraform-provider-snowflake
terraform-provider-snowflake copied to clipboard
Snowflake-Labs
Unable to manage a privilege with and without `with_grant_option`
Provider Version
terraform {
required_providers {
snowflake = {
source = "chanzuckerberg/snowflake"
version = "0.18.0"
}
}
}
Terraform Version
terraform --version
Terraform v0.13.5
Describe the bug
Unable to manage a privilege on a database to give grant option to some roles but not others. If I try to specify two different snowflake_database_grant resources, one with with_grant_option set to true, and the other without it being set, there is a permanent difference when running terraform plan.
Expected behavior
I would expect to be able to manage the same privilege on a database with and without with_grant_option. This would result in the MY_ADMIN role being granted the CREATE SCHEMA privilege with grant option and the MY_SCHEMA role being granted the privilege without grant option.
Code samples and commands
resource "snowflake_database_grant" "create_schema" {
database_name = "MY_DB"
privilege = "CREATE SCHEMA"
roles = ["MY_SCHEMA"]
}
resource "snowflake_database_grant" "create_schema_with_grant_option" {
database_name = "MY_DB"
privilege = "CREATE SCHEMA"
roles = ["MY_ADMIN"]
with_grant_option = true
}
Additional context
Add any other context about the problem here.
Seems like we can workaround this a bit if you use different roles to manage the "with_grant_option = true". For example, here is what I have for grants on a WH_ADMIN role:
| row | created_on | privilege | granted_on | name | granted_to | grantee_name | grant_option | granted_by |
|---|---|---|---|---|---|---|---|---|
| 1 | 2020-11-20 08:38:13.000 -0800 | CREATE WAREHOUSE | ACCOUNT | XXXX | ROLE | WH_ADMIN | true | SYSADMIN |
| 2 | 2020-11-20 10:03:18.000 -0800 | CREATE WAREHOUSE | ACCOUNT | XXXX | ROLE | WH_ADMIN | false | WH_ADMIN |
Using this terraform
resource "snowflake_account_grant" "create_warehouse_no_grant" {
privilege = "CREATE WAREHOUSE"
roles = ["WH_ADMIN", "Some other role"]
with_grant_option = false
}
Row 2 gets added, so the role still maintains its grant_option, and terraform does not constantly show changes. No ideal, but will work until we can get a proper fix in.
Why have two separate grants here, isn't the second one a superset of the first?
Why have two separate grants here, isn't the second one a superset of the first?
What do you mean? In my example I showed that the module only cares about grants that the currently assumed role can see/manage. So yes, I essentially granted the permission twice to WH_ADMIN, but we see that WH_ADMIN grant option is not affected, allowing us to easily manage other roles we want to grant the create warehouse permission to.
This is important to note because you would expect the module to try and remove the grant option that the WH_ADMIN has, but it does not, allowing you to work around the limitation described in the original bug.
Also run in to this issue - appears as if the with_grant_option was not taken into snowflake_account_grant key (however plans says it is). Each time Terraform runs it tries to exchange roles assign to account grant with ones from account grant with grant option, and other way around. Using version 0.22.0 of the provider and terraform 13.5.
terraform {
required_providers {
snowflake = {
source = "chanzuckerberg/snowflake"
version = "0.29.0"
}
}
}
I have 2 roles granted with USAGE on a database, one is with grant options, the other is not. So I would assume that the following resource would only detect the role with grant option, but it detects both roles, which means it wants to remove second role that's not specified.
resource snowflake_database_grant sandbox_usage {
provider = snowflake.securityadmin
database_name = "SANDBOX"
privilege = "USAGE"
roles = ["SANDBOX_ADMIN"]
with_grant_option = true
}
I don't want to keep track of roles that were given usage without grant option, but I do want to control the roles that have grant option.
resource snowflake_database_grant sandbox_usage_without_grant {
provider = snowflake.securityadmin
database_name = "SANDBOX"
privilege = "USAGE"
roles = []
with_grant_option = false
lifecycle {
ignore_changes = [
roles
]
}
}
We are closing this issue as part of a cleanup described in announcement. If you believe that the issue is still valid in v0.89.0, please open a new ticket.
