
Sharing is not allowed from an account on BUSINESS CRITICAL edition to an account on a lower edition.

Open BoAustin opened this issue 4 years ago • 3 comments

When creating a share resource, for example:

resource snowflake_share share {
  name     = "share"
  accounts = "ABC12345"
}

This will end up issuing the following statement:

ALTER SHARE "SHARE" SET ACCOUNTS=ABC12345;

If the account running the command is on BUSINESS CRITICAL edition and ABC12345 is a lower edition you'll get the following error:

SQL execution error: Sharing is not allowed from an account on BUSINESS CRITICAL edition to an account on a lower edition. The following account(s) are on editions lower than BUSINESS CRITICAL: ABC12345. You can override this check for this share by using the OVERRIDE SHARE RESTRICTIONS privilege and the SHARE_RESTRICTIONS flag. Before overriding this check, confirm that the target account has appropriate security controls and is compliant for the data being shared. For example, editions lower than BUSINESS CRITICAL are not PCI-DSS certified.

Here's Snowflake's documentation for reference.

The solution is to issue this statement as ACCOUNTADMIN (or with a role that has been granted the OVERRIDE SHARE RESTRICTIONS privilege):

ALTER SHARE "SHARE" SET ACCOUNTS=ABC12345 SHARE_RESTRICTIONS=FALSE;

Ideally we would be able to specify the resource like so:

resource snowflake_share share {
  name     = "share"
  accounts = "ABC12345"
  share_restrictions = false
}

or perhaps to support a mix of account types and still wanting to keep the restriction for some:

resource snowflake_share share {
  name     = "share"
  accounts = {
    locator = "ABC12345"
    share_restrictions = false
  }
}

BoAustin, Aug 02 '21 23:08
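The per-account variant proposed in the issue above, sketched in Go as an added example (not code from the provider or from the issue's author): accounts that keep the restriction and accounts that opt out go into separate statements, so the override applies only where it was explicitly requested. `Consumer`, `ShareStatements` and the locator `XYZ67890` are hypothetical, and the sketch uses `ADD ACCOUNTS` rather than the `SET ACCOUNTS` form quoted above so that the second statement does not replace the first list.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Consumer is a hypothetical per-account setting modelled on the proposed accounts block.
type Consumer struct {
	Locator           string
	ShareRestrictions bool // false => emit SHARE_RESTRICTIONS=FALSE for this account
}

// Account identifiers are emitted unquoted, so accept only a locator or an
// org.account pair made of letters, digits and underscores.
var accountRe = regexp.MustCompile(`^[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)?$`)

// ShareStatements builds the ALTER SHARE statements for one share. Only accounts
// that opt out get the override; the edition check still covers the rest.
func ShareStatements(share string, consumers []Consumer) ([]string, error) {
	var restricted, overridden []string
	for _, c := range consumers {
		if !accountRe.MatchString(c.Locator) {
			return nil, fmt.Errorf("invalid account identifier %q", c.Locator)
		}
		if c.ShareRestrictions {
			restricted = append(restricted, c.Locator)
		} else {
			overridden = append(overridden, c.Locator)
		}
	}
	// Quote the share name and double any embedded quote characters.
	name := `"` + strings.ReplaceAll(share, `"`, `""`) + `"`
	var stmts []string
	if len(restricted) > 0 {
		stmts = append(stmts, fmt.Sprintf("ALTER SHARE %s ADD ACCOUNTS=%s;", name, strings.Join(restricted, ",")))
	}
	if len(overridden) > 0 {
		stmts = append(stmts, fmt.Sprintf("ALTER SHARE %s ADD ACCOUNTS=%s SHARE_RESTRICTIONS=FALSE;", name, strings.Join(overridden, ",")))
	}
	return stmts, nil
}

func main() {
	// Constructed sample input: ABC12345 is the issue's account, XYZ67890 is made up.
	stmts, err := ShareStatements("SHARE", []Consumer{{Locator: "ABC12345"}, {Locator: "XYZ67890", ShareRestrictions: true}})
	fmt.Println(strings.Join(stmts, "\n"), err)
}
```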

It is rather irritating that this has to be bypassed via a provisioner or managed outside of Terraform entirely. We run only Business Critical accounts in my company due to non-HIPAA-related reasons, and sharing between them is a pain (as they are not HIPAA compliant and won't be, it does not matter that they are all Business Critical).

foresterr, Apr 22 '24 10:04

Moving to manage shares via Terraform, this is the first issue I ran into. Any ETA on this?

Nilsas, Jun 19 '25 07:06

Hey @Nilsas. We don't have an ETA for the shares rework atm. You can check our current roadmap here: https://github.com/snowflakedb/terraform-provider-snowflake/blob/main/ROADMAP.md#our-roadmap.

sfc-gh-asawicki, Jun 20 '25 07:06