Grant resources report perpetual diff #1514
Comments
|
I am sorry @bennylu2 but i am not able to reproduce this. If i try to create a grant right now then i do not get any changes in the plan. Can you please provide more information? Sample code snippet, and maybe some json data from state file? |
|
@sfc-gh-swinkler here's some sample code terraform plan diff for single view grant # module.tdm_demo.module.public_schemas["CLEANSED"].snowflake_view_grant.this["SELECT"] will be updated in-place
~ resource "snowflake_view_grant" "this" {
id = "TDM_DEMO|CLEANSED||SELECT|false"
~ roles = [
+ "TDM_DEMO__CLEANSED__READ",
]
# (6 unchanged attributes hidden)
}terraform state which shows it already has grant $ tf state show 'module.tdm_demo.module.public_schemas["CLEANSED"].snowflake_view_grant.this["SELECT"]'
# module.tdm_demo.module.public_schemas["CLEANSED"].snowflake_view_grant.this["SELECT"]:
resource "snowflake_view_grant" "this" {
database_name = "TDM_DEMO"
enable_multiple_grants = true
id = "TDM_DEMO|CLEANSED||SELECT|false"
on_future = true
privilege = "SELECT"
roles = [
"TDM_DEMO__CLEANSED__READ",
]
schema_name = "CLEANSED"
with_grant_option = false
}Associated terraform view grant in module resource "snowflake_view_grant" "this" {
for_each = transpose(local.grants_view)
database_name = snowflake_schema.this.database
schema_name = snowflake_schema.this.name
privilege = each.key
roles = each.value
on_future = true
with_grant_option = false
enable_multiple_grants = true # needed until we sunset database migrations
} |
|
When will it be released? Or I can test against the main branch but likely won't be able to get to till later this week |
|
Currently trying to fix a related issue, having to do with import id for misc grants. Once i fix this, then i will create a new release. Next day or so. |
|
Hoping this is still on track! |
|
Is this supposed to be fixed in |
|
Any news on this? This is more serious than it sounds when coupled with FUTURE OWNERSHIP grants. |
|
Why do we need a resource id. It seems to me that it's being used inappropriately to generate the plan, instead of the actual attributes themselves. For example, Given a database grant is applied as so resource "snowflake_database_grant" "this" {
database_name = "MY_DATABASE"
privilege = "REFERENCE_USAGE"
roles = [
"OLD_ROLE"
]
}
This creates a resource in the state with the id of Then the resource arguments change to resource "snowflake_database_grant" "this" {
database_name = "MY_DATABASE"
privilege = "REFERENCE_USAGE"
roles = [
"NEW_ROLE"
]
}This then shows a perpetual diff of ~ resource "snowflake_database_grant" "this" {
id = "MY_DATABASE❄️REFERENCE_USAGE❄️false❄️OLD_ROLE❄️"
~ roles = [
+ "NEW_ROLE",
]
# (5 unchanged attributes hidden)
}I'm not entirely sure on the logic happening, but it's obvious it's using the static attribute of From my understanding, we should be using the actual arguments to calculate the plan, not a write once id attribute. |
|
Downgrading to 0.55.1 has allowed me to avoid the issue for the time being until this is resolved. |
|
@bennylu2 can i close this issue? |
|
This seems to be fixed for me on 0.60.0 |
|
This has been resolved in 0.60.0, thanks for the work on this! |
Provider Version
0.56.3Terraform Version
1.3.4Describe the bug
Any plans with grant resources will show a perpetual diff that it wants to add the grant to the roles.
Running and applying the same code over and over wants to add grants to roles
Expected behavior
Once grants have been granted, there should be no diff
Additional context
I've identified this happened with release
0.56.3in #1511 and #1510It appears a line was removed that checks the privs
NOTE: as a workaround for anyone that comes across this, we will be using
.terraform.lock.hclfile and setrequired_providersversionconstraint to use a prior version that does not have this bugThe text was updated successfully, but these errors were encountered: