terraform-provider-snowflake icon indicating copy to clipboard operation
terraform-provider-snowflake copied to clipboard

Published 20 hours ago verified publisher icon Snowflake-Labs

perpetual diff when adding a share to a snowflake_view_grant

Open jrobison-sb opened this issue 3 years ago • 1 comments

Provider Version

$ terraform version
Terraform v0.14.11
+ provider registry.terraform.io/chanzuckerberg/snowflake v0.25.36

Describe the bug

When you create a snowflake_view_grant resource with a share, you'll get a perpetual diff in your terraform plan's. Terraform will propose adding the grant over and over.

Expected behavior

Terraform should create the desired grant without a perpetual diff.

Code samples and commands

resource "snowflake_database" "a" {
  name                        = "TESTDB"
  data_retention_time_in_days = 3
}

resource "snowflake_database_grant" "a" {
  for_each = toset([
    "USAGE",
    "REFERENCE_USAGE",
  ])
  database_name     = snowflake_database.a.name
  privilege         = each.key
  roles             = []
  shares            = [snowflake_share.a.name]
  with_grant_option = false
}

resource "snowflake_schema" "a" {
  database = snowflake_database.a.name
  name     = "TESTSCHEMA"
  comment  = "A schema."

  is_transient        = false
  is_managed          = false
  data_retention_days = 1
}

resource "snowflake_schema_grant" "a" {
  database_name     = snowflake_database.a.name
  schema_name       = snowflake_schema.a.name
  privilege         = "USAGE"
  roles             = []
  shares            = [snowflake_share.a.name]
  with_grant_option = false
}

resource "snowflake_table" "a" {
  database = snowflake_schema.a.database
  schema   = snowflake_schema.a.name
  name     = "SOME_TABLE"
  comment  = "A table."
  column {
    name     = "id"
    type     = "NUMBER(38,0)"
    nullable = true
  }
}

resource "snowflake_share" "a" {
  name    = "JUSTTESTING"
  comment = "JUSTTESTING"
}

resource "snowflake_view" "a" {
  database   = snowflake_database.a.name
  schema     = snowflake_schema.a.name
  name       = "JUSTTESTINGSVW"
  statement  = "select * from ${snowflake_schema.a.name}.SOME_TABLE"
  or_replace = true
  is_secure  = true
}

resource "snowflake_view_grant" "a" {
  database_name     = snowflake_view.a.database
  schema_name       = snowflake_view.a.schema
  view_name         = snowflake_view.a.name
  privilege         = "select"
  roles             = []
  shares            = [snowflake_share.a.name]
  with_grant_option = false
  depends_on = [
    snowflake_share.a,
    snowflake_view.a,
  ]
}
  1. Apply the above infrastructure.
  2. Go into the console and do SHOW GRANTS ON VIEW TESTDB.TESTSCHEMA.JUSTTESTINGSVW;, you'll see that the desired grant to the share exists.
  3. Run terraform apply and see that Terraform will propose the following change:
  ~ resource "snowflake_view_grant" "a" {
        id                = "TESTDB|TESTSCHEMA|JUSTTESTINGSVW|select|false"
      ~ shares            = [
          + "JUSTTESTING",
        ]
        # (7 unchanged attributes hidden)
    }
  1. You can apply the change over and over and the diff never resolves, even though the grant was created as expected.

jrobison-sb avatar Apr 15 '22 14:04 jrobison-sb

Any update on this?

hanss0n avatar Jul 18 '22 14:07 hanss0n

We are closing this issue as part of a cleanup described in announcement. If you believe that the issue is still valid in v0.89.0, please open a new ticket.

sfc-gh-asawicki avatar Apr 30 '24 16:04 sfc-gh-asawicki