Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: snowflake_user: default_role attribute breaks the apply #2942

Closed
1 task
denzhel opened this issue Jul 17, 2024 · 11 comments
Closed
1 task

[Bug]: snowflake_user: default_role attribute breaks the apply #2942

denzhel opened this issue Jul 17, 2024 · 11 comments
Assignees
@sfc-gh-jmichalak
Labels
bug Used to mark issues with provider's incorrect behavior resource:user Issue connected to the snowflake_user resource

Comments

@denzhel
Copy link

denzhel commented Jul 17, 2024
edited
Loading

Terraform CLI Version

1.5.5

Terraform Provider Version

0.92.0

Terraform Configuration

resource "snowflake_user" "service_account" {
  depends_on = [snowflake_role.service_account_role, random_password.service_account]
  # parameters
  name                 = "SA-TEST"
  login_name           = "SA-TEST"
  password             = random_password.service_account[each.key].result
  default_role         = "SA-TEST"
  must_change_password = true
}

Category

category:resource

Object type(s)

resource:user

Expected Behavior

Users to be created with a default_role that contains a hyphen as we created up until the upgrade from 0.56.1 to 0.92.0

Actual Behavior

╷
│ Error: 001003 (42000): SQL compilation error:
│ syntax error line 1 at position 179 unexpected '-'.
│ syntax error line 1 at position 179 unexpected '-'.
│ syntax error line 1 at position 184 unexpected '<EOF>'.
│ 
│   with module.snowflake.snowflake_user.service_account["SA-TEST"],
│   on modules/snowflake/main.tf line 376, in resource "snowflake_user" "service_account":
│  376: resource "snowflake_user" "service_account" {
│ 
╵

Query from Snowflake's UI:

CREATE USER "SA-TEST" PASSWORD = '☺☺☺☺☺☺☺☺☺☺☺☺☺☺☺☺☺☺☺☺☺☺☺☺☺☺☺☺☺☺☺☺' LOGIN_NAME = 'SA-TEST' DISPLAY_NAME = 'SA-TEST' DEFAULT_ROLE = SA-TEST

Steps to Reproduce

  1. Create a new snowflake_user resource and add a default_role attribute that contains a hyphen, e.g "SA-TEST"
  2. Apply
  3. See how it fails
  4. Remove the default_role field and the apply will be successful

How much impact is this issue causing?

High

Logs

No response

Additional Information

No response

Would you like to implement a fix?

  • Yeah, I'll take it 😎
@denzhel denzhel added the bug Used to mark issues with provider's incorrect behavior label Jul 17, 2024
@sfc-gh-jmichalak
Copy link
Collaborator

Hey @denzhel . Thanks for reaching out to us.

The user resource is currently being redesigned as part of https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/ROADMAP.md#preparing-essential-ga-objects-for-the-provider-v1. This happens because DEFAULT_ROLE is not wrapped in '. As a workaround, you can use roles without - or use unsafe_execute. cc @sfc-gh-asawicki

@denzhel
Copy link
Author

denzhel commented Jul 17, 2024

Hi @sfc-gh-jmichalak ,

Either of those are not an option for us, we have dozens of users that were created with the previous provider we had.
We use - through out all of our users.

We're unable to create new users.

When will the redesign happen ?

@sfc-gh-jmichalak
Copy link
Collaborator

@sfc-gh-asawicki is currently working on user redesign and this should be fixed in v0.94 in the next few weeks.

@sfc-gh-asawicki
Copy link
Collaborator

Hey @denzhel.

First of all, please do not do 40+ versions migrations, it's recommended to do versions-by-version migration iteratively, following our guidelines: https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#migration-guide.

You can use provider aliasing to manage users with the older version of the provider (https://developer.hashicorp.com/terraform/language/providers/configuration#alias-multiple-provider-configurations).

@denzhel
Copy link
Author

denzhel commented Jul 17, 2024

Hey @denzhel.

First of all, please do not do 40+ versions migrations, it's recommended to do versions-by-version migration iteratively, following our guidelines: https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#migration-guide.

You can use provider aliasing to manage users with the older version of the provider (https://developer.hashicorp.com/terraform/language/providers/configuration#alias-multiple-provider-configurations).

You are right, it was a mistake on our end that we've waited for so long before upgrading the provider.
I will take your tip into a consideration and will try to implement the unsafe_execute - will see what are the implications.

Thanks for your honest and quick reply !

@denzhel
Copy link
Author

denzhel commented Jul 17, 2024

Can you please suggest what to set on the revert command ?

resource "snowflake_unsafe_execute" "default_role" {
  for_each   = try(!var.first_time_setup && var.config.enabled ? local.service_accounts : tomap(false), {})
  depends_on = [snowflake_user.service_account]
  execute    = "ALTER USER ${each.key} SET DEFAULT_ROLE = ${each.value.default_role != "" ? upper(each.value.default_role) : each.key}"
  revert     = "???"
}```

@sfc-gh-jmichalak
Copy link
Collaborator

You can either do ALTER USER ${each.key} UNSET DEFAULT_ROLE to unset this field (will be NULL after), or do a no-op with SELECT 1, it's up to you.

@denzhel
Copy link
Author

denzhel commented Jul 17, 2024

I'm just thinking of a scenario of deleting the user, once it happens the revert command will fail due to the missing user.

@sfc-gh-asawicki sfc-gh-asawicki added the resource:user Issue connected to the snowflake_user resource label Jul 31, 2024
@sfc-gh-asawicki
Copy link
Collaborator

Fixed in #2947 (not released yet).

sfc-gh-asawicki added a commit that referenced this issue Aug 23, 2024
@sfc-gh-asawicki
Update the migration guide
bbf9a93 
References #2938 #2942
@sfc-gh-asawicki sfc-gh-asawicki mentioned this issue Aug 23, 2024
Merged
sfc-gh-asawicki added a commit that referenced this issue Aug 28, 2024
@sfc-gh-asawicki
fix: Fix known user resource issues (#3013)
a5dfeac 
Fix known user resource-connected issues:
- Change the sensitiveness of name and login_name (References: #2662
#2668)
- Handle "null" properly for the nullable bool text attributes in user
(References: #2817)
- Fix diff suppression for default_x in user resource (References:
#2836)
- Update the migration guide (References #2938 #2942)
- Fix incorrect state after failed to alter (References #2970)
- Confirm the problem with the computed disabled attribute (References
#1572)
- Confirm that the problem with the null-out password was already solved
(References #1535)
- Add TODO to handle days to expiry in user (References #1155)

The next 2 PRs will contain:
- adjusting user resource to our rework conventions (also adding
additional fields and handling #1155 and #1572)
- adjusting user datasource (will handle #2902)

User rework will not include handling new types of users (service,
legacy service); this will be done a bit later.
@sfc-gh-asawicki
Copy link
Collaborator

Hey @denzhel.
We have just released v0.95.0 of the provider. It contains a reworked snowflake_user resource. Please consult the migration guide.

@sfc-gh-asawicki
Copy link
Collaborator

Closing the issue due to inactivity. Please create a new one if the issue persists in the newest version of the provider.

@sfc-gh-jmichalak sfc-gh-jmichalak self-assigned this Oct 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sfc-gh-jmichalak sfc-gh-jmichalak

Labels
bug Used to mark issues with provider's incorrect behavior resource:user Issue connected to the snowflake_user resource
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@denzhel @sfc-gh-asawicki @sfc-gh-jmichalak