terraform-provider-snowflake

Provider revokes grants created outside Terraform.

Open gal-pal opened this issue 2 years ago • 4 comments

Provider Version

0.30.0

Terraform Version

1.1.7

Describe the bug

Granting resources is no longer working properly. For example, I had a resource snowflake_account_grant created in an earlier version of the provider, 0.28.8:

resource "snowflake_account_grant" "grantCreateDatabase"  {
    roles               = ["SANDBOX_SYSADMIN_ROLE"]
    privilege           = "CREATE DATABASE"
}

I upgraded the Snowflake provider to version 0.30.0 and modified the resource to be compatible with the existing environment:

resource "snowflake_account_grant" "grantCreateDatabase" {
    roles                  = ["SANDBOX_SYSADMIN_ROLE"]
    privilege              = "CREATE DATABASE"
    enable_multiple_grants = true
}

Unfortunately, regardless of what value I give for the parameter "enable_multiple_grants", each time resources created outside Terraform are selected for deletion.

13:57:23  Note: Objects have changed outside of Terraform
13:57:23  
13:57:23  Terraform detected the following changes made outside of Terraform since the
13:57:23  last "terraform apply":
13:57:23  
13:57:23    # module.snowflake.snowflake_account_grant.grantCreateDatabase has changed
13:57:23    ~ resource "snowflake_account_grant" "grantCreateDatabase" {
13:57:23          id                = "ACCOUNT|||CREATE DATABASE|SANDBOX_SYSADMIN_ROLE|false"
13:57:23        ~ roles             = [
13:57:23            + "DEVEL_ROLE",
13:57:23            + "DEVEL_SYSADMIN_ROLE",
13:57:23              # (1 unchanged element hidden)
13:57:23          ]
13:57:23          # (2 unchanged attributes hidden)
13:57:23      }

13:57:23    # module.snowflake.snowflake_account_grant.grantCreateDatabase will be updated in-place
13:57:23    ~ resource "snowflake_account_grant" "grantCreateDatabase" {
13:57:23        + enable_multiple_grants = false
13:57:23          id                     = "ACCOUNT|||CREATE DATABASE|SANDBOX_SYSADMIN_ROLE|false"
13:57:23        ~ roles                  = [
13:57:23            - "DEVEL_ROLE",
13:57:23            - "DEVEL_SYSADMIN_ROLE",
13:57:23              # (1 unchanged element hidden)
13:57:23          ]
13:57:23          # (2 unchanged attributes hidden)
13:57:23      }

gal-pal, Apr 08 '22 12:04

I came across this too. Looks like the provider is unable to properly map from Terraform state to Snowflake state. Would be happy to pick this up as a first time contributor.

kietay, Apr 20 '22 18:04

This is interesting; I'm on Terraform version 1.0.11 and Provider version 0.31.0 and running into a very similar problem, but it runs in the opposite direction – no matter what value I pass to enable_multiple_grants, it seems that Terraform will not revoke grants that took place outside of Terraform.

As a test, I:

  1. Created a role through Terraform called TEST_TERRAFORM_MANAGED_ROLE
  2. Manually granted the role to USER_A and USER_B in the Snowflake web console
  3. Created a Terraform resource block that looks like:

resource "snowflake_role_grants" "test_terraform_managed_role" {
  role_name              = "TEST_TERRAFORM_MANAGED_ROLE"
  users                  = ["USER_C"]
  enable_multiple_grants = false
}

I then apply this change, at which point I would expect Terraform to have revoked the grant of TEST_TERRAFORM_MANAGED_ROLE from USER_A and USER_B. But when I run:

SHOW GRANTS OF ROLE TEST_TERRAFORM_MANAGED_ROLE;

it shows me that all grants have been left fully intact, i.e. USER_A, USER_B, and USER_C have all still been granted the role.

The only thing that I'm wondering is whether this has something to do with the fact that USER_A and USER_B are not actually resources that we manage through Terraform (user accounts are created via an external mechanism), so maybe this is causing the resource to behave unexpectedly? Either way, it seems to me like the provider is not properly respecting the enable_multiple_grants flag.

TaliaSRTR, Apr 29 '22 14:04
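The check TaliaSRTR's steps describe, written out as an added example that is not the provider's code: given constructed SHOW GRANTS OF ROLE rows and the grantees declared in the resource block, it computes what a provider honouring enable_multiple_grants should grant and revoke. The grantor names TERRAFORM_SVC and ACCOUNTADMIN in the sample rows are assumptions.

```python
"""Offline drift check for Snowflake role grants (added example, not provider code)."""
from dataclasses import dataclass

# Constructed sample of SHOW GRANTS OF ROLE output, columns
# (role, granted_to, grantee_name, granted_by). Mirrors the thread: USER_A and
# USER_B were granted in the web console, USER_C through Terraform.
SHOW_GRANTS_OF_ROLE = [
    ("TEST_TERRAFORM_MANAGED_ROLE", "USER", "USER_A", "ACCOUNTADMIN"),
    ("TEST_TERRAFORM_MANAGED_ROLE", "USER", "USER_B", "ACCOUNTADMIN"),
    ("TEST_TERRAFORM_MANAGED_ROLE", "USER", "USER_C", "TERRAFORM_SVC"),
]

# Desired state as declared in the snowflake_role_grants block.
DESIRED = {"role_name": "TEST_TERRAFORM_MANAGED_ROLE", "users": ["USER_C"], "roles": []}


@dataclass(frozen=True)
class Plan:
    grant: frozenset   # (granted_to, grantee) pairs declared but missing in Snowflake
    revoke: frozenset  # (granted_to, grantee) pairs present but not declared


def reconcile(desired, show_grants_rows, enable_multiple_grants):
    """Grant/revoke set a provider honouring enable_multiple_grants would apply."""
    role = desired["role_name"]
    wanted = {("USER", u) for u in desired["users"]} | {("ROLE", r) for r in desired["roles"]}
    actual = {(kind, name) for (r, kind, name, _by) in show_grants_rows if r == role}
    # With multiple grants enabled the block owns only its own grantees, so
    # grants made outside Terraform are left alone; with it disabled the block
    # is authoritative and every undeclared grantee is drift to revoke.
    revoke = set() if enable_multiple_grants else actual - wanted
    return Plan(frozenset(wanted - actual), frozenset(revoke))


def to_sql(role, plan):
    """Render the plan as the statements Terraform would issue."""
    stmts = [f"GRANT ROLE {role} TO {kind} {name};" for kind, name in sorted(plan.grant)]
    stmts += [f"REVOKE ROLE {role} FROM {kind} {name};" for kind, name in sorted(plan.revoke)]
    return stmts


if __name__ == "__main__":
    for flag in (False, True):
        plan = reconcile(DESIRED, SHOW_GRANTS_OF_ROLE, enable_multiple_grants=flag)
        print(f"enable_multiple_grants = {str(flag).lower()}:", to_sql(DESIRED["role_name"], plan))
```

Running it against a real SHOW GRANTS OF ROLE result set instead of the constructed rows gives a plan-independent way to spot grantees the resource block does not declare.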

Came here for the issue described by @TaliaSRTR. As far as I can tell, the current resource implementation seems to ignore the value of enable_multiple_grants.

Instead, the resource only considers the granted role/users specified in the resource, and ignores any other GRANT found. I expected enable_multiple_grants=false to enable the opposite behaviour and drop any GRANT that isn't specified in the resource.

godric, May 18 '22 09:05

I also ran into this issue. For security's sake, I expect that if a user/role is granted a role outside of Terraform, then applying the Terraform again will revoke grants as necessary to bring Snowflake into alignment with the code.

As of version 0.32.0 of this provider, no matter what I specify for enable_multiple_grants, it refuses to revoke grants given outside of Terraform.

wesleyhillyext, May 23 '22 20:05

We are closing this issue as part of a cleanup described in the announcement. If you believe that the issue is still valid in v0.89.0, please open a new ticket.

sfc-gh-asawicki, Apr 30 '24 16:04