snowflake_account_grant unable to grant MONITOR privilege #1298

Closed
marcincuber opened this issue Oct 21, 2022 · 9 comments
Labels: bug (Used to mark issues with provider's incorrect behavior), category:grants

Comments

@marcincuber

Provider Version

0.47

Terraform Version

1.3

Describe the bug

Failing to create resource:

resource "snowflake_account_grant" "data_platform_monitor" {
  roles     = [snowflake_role.data_platform.name]
  privilege = "MONITOR"

  with_grant_option = false
}

Expected behavior

Should work and grant Monitor permission to a role

Additional context

Error shown:

│ Error: expected privilege to be one of [MONITOR EXECUTION EXECUTE MANAGED TASK MANAGE ORGANIZATION SUPPORT CASES APPLY TAG CREATE ACCOUNT CREATE DATABASE EXECUTE TASK MONITOR USAGE MANAGE USER SUPPORT CASES APPLY MASKING POLICY CREATE WAREHOUSE IMPORT SHARE MANAGE GRANTS MANAGE ACCOUNT SUPPORT CASES APPLY ROW ACCESS POLICY CREATE DATA EXCHANGE LISTING CREATE INTEGRATION CREATE SHARE CREATE USER ATTACH POLICY CREATE NETWORK POLICY CREATE ROLE OVERRIDE SHARE RESTRICTIONS], got MONITOR
│
│   with snowflake_account_grant.data_platform_monitor,
│   on roles.tf line 28, in resource "snowflake_account_grant" "data_platform_monitor":
│   28:   privilege = "MONITOR"

Looks like provider issue as I can grant that permission just fine in the UI.

marcincuber added the bug label Oct 21, 2022

@mlorek (Contributor) commented Nov 1, 2022

This one is confusing. While you can issue the following grant statement, the documentation does not mention a MONITOR privilege that can be granted on an account.
https://docs.snowflake.com/en/sql-reference/sql/grant-privilege.html (MONITOR { EXECUTION | USAGE })

This works: grant monitor on account to role some_role;

@sfc-gh-swinkler (Collaborator)

@marcincuber hello and thank you for your patience in receiving your request. In the Snowflake documentation MONITOR is not a valid permission for account grants, which is confusing because it is for schemas and account level objects { USER | RESOURCE MONITOR | WAREHOUSE | DATABASE | INTEGRATION }. For Accounts, valid permissions are:

  {
     CREATE {
               ACCOUNT | DATA EXCHANGE LISTING | DATABASE | INTEGRATION
               | NETWORK POLICY | ROLE | SHARE | USER | WAREHOUSE
     }
     | APPLY MASKING POLICY | APPLY PASSWORD POLICY | APPLY ROW ACCESS POLICY | APPLY SESSION POLICY | APPLY TAG | ATTACH POLICY
     | EXECUTE TASK | IMPORT SHARE | MANAGE GRANTS | MONITOR { EXECUTION | USAGE } | OVERRIDE SHARE RESTRICTIONS
  }

So the permission you are looking for would either be MONITOR EXECUTION or MONITOR USAGE, or perhaps both. I will admit this is unclear, so I will update the documentation to include a list of allowable permissions. Upon closer inspection, the provider does validate that permissions are on this set, although it does appear like two permissions (unrelated to your inquiry) are missing. Below is a table of the permissions allowed by Snowflake for account grants, and the ones supported by provider. I will fix this in a subsequent PR.

Please let me know if there is anything else I can help you with, otherwise I will close this Issue.

PERMISSION NAME              | ALLOWED BY PROVIDER
-----------------------------|--------------------
APPLY MASKING POLICY         | yes
APPLY PASSWORD POLICY        | no
APPLY ROW ACCESS POLICY      | yes
APPLY SESSION POLICY         | no
APPLY TAG                    | yes
ATTACH POLICY                | yes
EXECUTE TASK                 | yes
IMPORT SHARE                 | yes
MANAGE GRANTS                | yes
MONITOR EXECUTION            | yes
MONITOR USAGE                | yes
OVERRIDE SHARE RESTRICTIONS  | yes
CREATE ACCOUNT               | yes
CREATE DATA EXCHANGE LISTING | yes
CREATE DATABASE              | yes
CREATE INTEGRATION           | yes
CREATE NETWORK POLICY        | yes
CREATE ROLE                  | yes
CREATE SHARE                 | yes
CREATE USER                  | yes
CREATE WAREHOUSE             | yes
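The comment above describes two things at once: the provider rejects any value that is not an exact member of a fixed privilege list, and that list drifts from what Snowflake documents. The Go program below is an added example, not code from the terraform-provider-snowflake project. It reproduces both checks from the values on this page: the 0.47 list is split out of the space-joined error message quoted in the issue (the word grouping follows the documented multi-word names, so that split is an assumption), and the documented list is taken from the GRANT excerpt above. ValidatePrivilege does the exact-membership check and, on rejection, lists the allowed names sharing the first keyword, which is the hint that turns "got MONITOR" into MONITOR EXECUTION / MONITOR USAGE; MissingFrom diffs the two lists in either direction.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Privileges the provider accepted for snowflake_account_grant at 0.47. They are
// split out of the space-joined error message quoted in this issue, so the word
// grouping is an assumption based on the documented multi-word privilege names.
var providerAllowedV047 = []string{
	"MONITOR EXECUTION", "EXECUTE MANAGED TASK", "MANAGE ORGANIZATION SUPPORT CASES",
	"APPLY TAG", "CREATE ACCOUNT", "CREATE DATABASE", "EXECUTE TASK", "MONITOR USAGE",
	"MANAGE USER SUPPORT CASES", "APPLY MASKING POLICY", "CREATE WAREHOUSE", "IMPORT SHARE",
	"MANAGE GRANTS", "MANAGE ACCOUNT SUPPORT CASES", "APPLY ROW ACCESS POLICY",
	"CREATE DATA EXCHANGE LISTING", "CREATE INTEGRATION", "CREATE SHARE", "CREATE USER",
	"ATTACH POLICY", "CREATE NETWORK POLICY", "CREATE ROLE", "OVERRIDE SHARE RESTRICTIONS",
}

// Account-level privileges from the GRANT documentation excerpt quoted in the issue.
var snowflakeDocumented = []string{
	"CREATE ACCOUNT", "CREATE DATA EXCHANGE LISTING", "CREATE DATABASE", "CREATE INTEGRATION",
	"CREATE NETWORK POLICY", "CREATE ROLE", "CREATE SHARE", "CREATE USER", "CREATE WAREHOUSE",
	"APPLY MASKING POLICY", "APPLY PASSWORD POLICY", "APPLY ROW ACCESS POLICY",
	"APPLY SESSION POLICY", "APPLY TAG", "ATTACH POLICY", "EXECUTE TASK", "IMPORT SHARE",
	"MANAGE GRANTS", "MONITOR EXECUTION", "MONITOR USAGE", "OVERRIDE SHARE RESTRICTIONS",
}

// normalize collapses internal whitespace and upper-cases, so that
// "monitor  usage" compares equal to "MONITOR USAGE".
func normalize(p string) string {
	return strings.ToUpper(strings.Join(strings.Fields(p), " "))
}

// ValidatePrivilege performs the exact-membership check the provider applies.
// When the value is rejected it also returns the allowed names that share the
// value's first keyword, which is the hint a user typing "MONITOR" needs.
func ValidatePrivilege(privilege string, allowed []string) ([]string, error) {
	want := normalize(privilege)
	fields := strings.Fields(want)
	if len(fields) == 0 {
		return nil, fmt.Errorf("privilege must not be empty")
	}
	var related []string
	for _, a := range allowed {
		a = normalize(a)
		if a == want {
			return nil, nil
		}
		if strings.HasPrefix(a, fields[0]+" ") {
			related = append(related, a)
		}
	}
	sort.Strings(related)
	return related, fmt.Errorf("privilege %q is not in the allowed set", want)
}

// MissingFrom returns the entries of reference that set does not contain, sorted.
// Run in both directions it reproduces the gap shown in the table in the issue.
func MissingFrom(reference, set []string) []string {
	have := make(map[string]bool, len(set))
	for _, s := range set {
		have[normalize(s)] = true
	}
	var missing []string
	for _, r := range reference {
		if !have[normalize(r)] {
			missing = append(missing, normalize(r))
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	for _, p := range []string{"MONITOR", "MONITOR USAGE"} {
		related, err := ValidatePrivilege(p, providerAllowedV047)
		fmt.Printf("%-14s err=%v related=%v\n", p, err, related)
	}
	fmt.Println("documented but not in provider:", MissingFrom(snowflakeDocumented, providerAllowedV047))
	fmt.Println("in provider but not documented:", MissingFrom(providerAllowedV047, snowflakeDocumented))
}
```

Running it shows APPLY PASSWORD POLICY and APPLY SESSION POLICY as the two documented privileges the 0.47 list lacks, and the four SUPPORT CASES / EXECUTE MANAGED TASK entries as names the provider already accepted without Snowflake documenting them, which is the same drift the later comments in this thread uncover for MONITOR itself.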

@marcincuber (Author) commented Dec 15, 2022

@sfc-gh-swinkler thanks for providing all the information. However, this is still not answering the MONITOR global privilege, which I checked again and it is definitely available in the UI. Please see the image.

[Screenshot 2022-12-15 at 09:25:50]

If all the information you provided above is correct then that is fine. But how do I attach the MONITOR privilege to a Snowflake role using the Terraform provider?

Apologies as I should have provided this image when creating this issue to speed up the process.

@sfc-gh-swinkler (Collaborator)

I was surprised to find out that you are correct, there does appear to be undocumented global account privileges. Including the monitor privilege there are also:

  • Create credential
  • create failover group
  • audit
  • execute managed task
  • manage account support cases
  • manage organization support cases
  • manage user support cases
  • monitor security
  • provision application
  • purchase data exchange listing

I will make the requisite changes and get this fixed by the next release. I have also reached out to our documentation specialist to update the Snowflake documentation. Thank you for bringing this to our attention.

@marcincuber (Author)

@sfc-gh-swinkler thanks for confirming. It would be great to get a Snowflake provider able to handle all the values and only make terraform apply fail when the Snowflake SDK (SQL command) fails. Right now it looks as if the provider is validating the values that can be passed as a privilege.

@sfc-gh-swinkler (Collaborator)

Just letting you know that the fix was released as part of 0.55 #1464

@marcincuber (Author)

Hi @sfc-gh-swinkler
I have given it another try with 0.55.1 provider version and MONITOR grant still doesn't assign global permission to a role.

Block I used:

resource "snowflake_account_grant" "monitor" {
  roles     = [snowflake_role.platform.name]
  privilege = "MONITOR"

  with_grant_option = false
}

@sfc-gh-swinkler (Collaborator)

Hello @marcincuber. I was not able to replicate your issue.

Code block:

resource "snowflake_role" "my_role" {
  name = "MY_ROLE"
}

resource "snowflake_account_grant" "monitor" {
  roles     = [snowflake_role.my_role.name]
  privilege = "MONITOR"

  with_grant_option = false
}

In the verbose logs I see that the role was correctly given access:

[DEBUG] exec stmt GRANT MONITOR ON ACCOUNT  TO ROLE "MY_ROLE": timestamp=2023-02-06T10:01:10.027-0800

And then when I do a SHOW GRANTS TO ROLE MY_ROLE I see that it shows up correctly. Can you please let me know what you are seeing? Perhaps we can set up a meeting to discuss.
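The comment above verifies the grant two ways: the provider's DEBUG log shows the GRANT statement it executed, and SHOW GRANTS TO ROLE shows what Snowflake actually holds. Reconciling the two is the check a practitioner wants when a Terraform apply reports success but the role still seems to lack the privilege. The Go program below is an added example, not the provider's or Snowflake's code. It assumes the provider log line quoted above and a constructed, pipe-separated export of SHOW GRANTS output in the column order SHOW GRANTS TO ROLE returns (created_on, privilege, granted_on, name, granted_to, grantee_name, grant_option, granted_by); the account and warehouse names in the sample are invented.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// providerLogLine is the DEBUG line quoted in the issue comment.
const providerLogLine = `[DEBUG] exec stmt GRANT MONITOR ON ACCOUNT  TO ROLE "MY_ROLE": timestamp=2023-02-06T10:01:10.027-0800`

// showGrantsSample is constructed output (not captured from a real account) in the
// column order SHOW GRANTS TO ROLE returns, exported as pipe-separated text.
const showGrantsSample = `created_on|privilege|granted_on|name|granted_to|grantee_name|grant_option|granted_by
2023-02-06 10:01:10.027 -0800|MONITOR|ACCOUNT|EXAMPLE_ACCOUNT|ROLE|MY_ROLE|false|ACCOUNTADMIN
2023-02-06 10:01:11.113 -0800|USAGE|WAREHOUSE|COMPUTE_WH|ROLE|MY_ROLE|false|SYSADMIN`

// Grant is one SHOW GRANTS row reduced to the columns the check needs.
type Grant struct {
	Privilege   string
	GrantedOn   string
	Name        string
	GranteeName string
	GrantOption bool
}

// ParseShowGrants reads pipe-separated rows (header line first) into Grant values.
func ParseShowGrants(out string) ([]Grant, error) {
	var grants []Grant
	sc := bufio.NewScanner(strings.NewReader(out))
	header := true
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		if header {
			header = false
			continue
		}
		cols := strings.Split(line, "|")
		if len(cols) != 8 {
			return nil, fmt.Errorf("expected 8 columns, got %d in %q", len(cols), line)
		}
		grants = append(grants, Grant{
			Privilege:   cols[1],
			GrantedOn:   cols[2],
			Name:        cols[3],
			GranteeName: cols[5],
			GrantOption: cols[6] == "true",
		})
	}
	return grants, sc.Err()
}

// HasPrivilege reports whether role holds privilege directly on an object of kind grantedOn.
func HasPrivilege(grants []Grant, role, privilege, grantedOn string) bool {
	for _, g := range grants {
		if g.GranteeName == role && g.Privilege == privilege && g.GrantedOn == grantedOn {
			return true
		}
	}
	return false
}

// grantStmtRe matches the statement the provider logs; \s+ absorbs the double
// space before TO that appears in the quoted line.
var grantStmtRe = regexp.MustCompile(`exec stmt GRANT (.+?) ON (\S+)\s+TO ROLE "([^"]+)"`)

// ParseGrantLog extracts privilege, object kind and role from a provider DEBUG line.
func ParseGrantLog(line string) (privilege, grantedOn, role string, ok bool) {
	m := grantStmtRe.FindStringSubmatch(line)
	if m == nil {
		return "", "", "", false
	}
	return m[1], m[2], m[3], true
}

// Reconcile checks that the grant Terraform says it executed is actually visible
// to SHOW GRANTS, which is the comparison the comment describes.
func Reconcile(logLine, showGrantsOut string) (bool, error) {
	privilege, grantedOn, role, ok := ParseGrantLog(logLine)
	if !ok {
		return false, fmt.Errorf("no GRANT statement found in log line")
	}
	grants, err := ParseShowGrants(showGrantsOut)
	if err != nil {
		return false, err
	}
	return HasPrivilege(grants, role, privilege, grantedOn), nil
}

func main() {
	ok, err := Reconcile(providerLogLine, showGrantsSample)
	fmt.Printf("logged grant visible in SHOW GRANTS: %v (err=%v)\n", ok, err)
}
```

If Reconcile returns false for a real account, the statement ran but the grant is not visible to the role, which points at the grant having been revoked or issued against a different role or account than expected rather than at the provider's privilege validation.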

@sfc-gh-jcieslak (Collaborator)

Hey 👋
Closing the issue as it's referring to the deprecated resource and we're not supporting them. Please, try to use the latest provider version with the non-deprecated resources (e.g. snowflake_grant_privileges_to_account_role). If the issue persists on the non-deprecated resource (or the feature is present in Snowflake, but not in the provider), please create a new GitHub issue. The migration guide may help during migration to the latest resources. Here's a list of the latest, non-deprecated, grant resources:

Resources
snowflake_grant_privileges_to_database_role
snowflake_grant_privileges_to_account_role
snowflake_grant_account_role
snowflake_grant_database_role
snowflake_grant_application_role (coming soon)
snowflake_grant_privileges_to_share
snowflake_grant_ownership (coming soon)

Data sources
snowflake_grants
