Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug]: snowflake_grant_account_role with role name PUBLIC fails on apply #3001

Open
1 task
AaronCoquet-Easypark opened this issue Aug 16, 2024 · 3 comments
Open
1 task
Labels
bug Used to mark issues with provider's incorrect behavior resource:grant_account_role Issue connected to the snowflake_grant_account_role resource

Comments

@AaronCoquet-Easypark
Copy link

Terraform CLI Version

1.9.4

Terraform Provider Version

0.94.1

Terraform Configuration

provider "snowflake" {
  account       = local.tf_snowflake_account
  role          = "SECURITYADMIN"
  warehouse     = local.tf_snowflake_warehouse
  authenticator = local.tf_snowflake_authenticator
}

resource "snowflake_account_role" "any_role" {
  name = "ANY_ROLE"
}

resource "snowflake_grant_account_role" "this_is_a_bug" {
  parent_role_name = snowflake_account_role.any_role.name
  role_name        = "PUBLIC"
}

Category

category:grants

Object type(s)

resource:grant_account_role

Expected Behavior

This should be a no-op, since "Granting role PUBLIC has no effect. Every user and role has role PUBLIC implicitly granted."

Actual Behavior


│ Error: Provider produced inconsistent result after apply

│ When applying changes to snowflake_grant_account_role.this_is_a_bug, provider "provider["registry.terraform.io/snowflake-labs/snowflake"]" produced an
│ unexpected new value: Root object was present, but now absent.

│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

Steps to Reproduce

  1. Configure a Terraform project with access to a Snowflake account, with privileges high enough to create a role and grant it another role.
  2. Create a role, and grant it access to the role "PUBLIC" (as above, in the Terraform Configuration section)
  3. Apply the change

How much impact is this issue causing?

Low

Logs

https://gist.github.com/AaronCoquet-Easypark/37704cc31601bcb095a144a7d14f8602

Additional Information

No response

Would you like to implement a fix?

  • Yeah, I'll take it 😎
@AaronCoquet-Easypark AaronCoquet-Easypark added the bug Used to mark issues with provider's incorrect behavior label Aug 16, 2024
@sfc-gh-jmichalak
Copy link
Collaborator

Hi @AaronCoquet-Easypark I think this is a duplicate of #2848. Please read our answer here.

@sfc-gh-jmichalak sfc-gh-jmichalak changed the title [Bug]: [Bug]: snowflake_grant_account_role with role name PUBLIC fails on apply Aug 16, 2024
@AaronCoquet-Easypark
Copy link
Author

It's definitely related. The workaround I found is to use a local that explicitly removes "PUBLIC" from any list of roles that is set to be assigned.
I feel like this could be resolved by having the provider ignore the "PUBLIC" role, but I'm not sure if that can be done.

@sfc-gh-jmichalak sfc-gh-jmichalak added the resource:grant_account_role Issue connected to the snowflake_grant_account_role resource label Aug 19, 2024
@sfc-gh-jmichalak
Copy link
Collaborator

sfc-gh-jmichalak commented Aug 19, 2024

As stated in the docs, PUBLIC role is automatically granted to every user and there's no need to grant it through terraform. Probably we will handle this case to return a better error message before V1. We will consider ignoring the PUBLIC role after V1. For now, please use the workaround you provided.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Used to mark issues with provider's incorrect behavior resource:grant_account_role Issue connected to the snowflake_grant_account_role resource
Projects
None yet
Development

No branches or pull requests

2 participants