
A grant per role causes changes outside terraform and resources are updated #733

Closed
tekumara opened this issue Oct 26, 2021 · 5 comments
Labels
bug Used to mark issues with provider's incorrect behavior

Comments

@tekumara

Provider Version

0.25.22

Terraform Version

1.0.9

Describe the bug

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # module.databases["DEV_JAFFLES"].snowflake_database_grant.admin["USAGE"] has been changed
  ~ resource "snowflake_database_grant" "admin" {
        id                = "DEV_JAFFLES|||USAGE|false"
      ~ roles             = [
          - "JAFFLES_ADMIN",
        ]
        # (4 unchanged attributes hidden)
    }

Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to
undo or respond to these changes.

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.databases["DEV_JAFFLES"].snowflake_database_grant.admin["USAGE"] will be updated in-place
  ~ resource "snowflake_database_grant" "admin" {
        id                = "DEV_JAFFLES|||USAGE|false"
      ~ roles             = [
          + "JAFFLES_ADMIN",
        ]
        # (4 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Expected behavior

No changes detected and the grant is not recreated.

Code samples and commands

// reference: https://docs.snowflake.com/en/user-guide/security-access-control-privileges.html

locals {
  reader_privileges = {
    database = ["USAGE"]

  }
  admin_privileges = {
    database = ["USAGE"]
  }
}

// apply reader grants defined above

resource "snowflake_database_grant" "reader" {
  for_each = toset(local.reader_privileges.database)

  database_name = snowflake_database.db.name
  privilege     = each.key
  roles         = var.readers
}

// apply admin grants defined above

resource "snowflake_database_grant" "admin" {
  for_each = toset(local.admin_privileges.database)

  database_name = snowflake_database.db.name
  privilege     = each.key
  roles         = var.admins
}
@tekumara tekumara added the bug Used to mark issues with provider's incorrect behavior label Oct 26, 2021
tekumara added a commit to tekumara/snowflake-terraform-kit that referenced this issue Oct 26, 2021
i.e.: you can't have two grants for the same privilege with a different
set of roles, otherwise they clobber each other and the terraform state
only reflects the last role applied, and so terraform thinks there are changes
applied outside of terraform.

see Snowflake-Labs/terraform-provider-snowflake#733
@tekumara
Author

Seems if you have two grants for the same privilege with a different set of roles they clobber each other, and the terraform state only reflects the last role applied. On the next apply, terraform thinks there are changes applied outside of Terraform.

To resolve, only have one grant for a privilege, eg:

resource "snowflake_database_grant" "reader" {
  for_each = toset(local.reader_privileges.database)

  database_name = snowflake_database.db.name
  privilege     = each.key
  roles         = concat(var.readers, var.admins)
}

@tekumara
Author

I do wonder though, could the grants be tracked per role in the state file instead?

@chriscardillo

Plus one on this issue.

This means that we can only call the grant once, as if we call it more than once it will create duplicate ids.
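
A quick way to catch this collision before it shows up as drift (an added example, not code from this thread or from the provider): walk the JSON that `terraform show -json` emits and flag any Snowflake `*_grant` resource instances that share one state `id`, then list the union of their `roles`, which is what a single merged grant per privilege would need. The state below is constructed to mimic the module in the issue; `JAFFLES_READER` is an assumed role name, and the module/resource addresses are modelled on the plan output above.

```python
"""Detect Snowflake grant resources that collide on the same Terraform state id.

The provider (pre-#824, or 0.29+ without enable_multiple_grants) keys a grant's
state id on database|schema|object|privilege|with_grant_option, not on the
roles, so two resources granting the same privilege to different role sets end
up with the same id and overwrite each other in Snowflake.

Usage: python check_grant_collisions.py [path-to-terraform-show-json]
"""
import json
import sys
from collections import defaultdict


def iter_resources(module):
    """Yield every resource instance in a module and, recursively, its children."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def is_snowflake_grant(res):
    """True for resource types such as snowflake_database_grant / snowflake_schema_grant."""
    rtype = res.get("type", "")
    return rtype.startswith("snowflake_") and rtype.endswith("_grant")


def find_colliding_grants(state):
    """Return {state_id: [resource addresses]} for grant ids used by more than one instance."""
    by_id = defaultdict(list)
    root = state.get("values", {}).get("root_module", {})
    for res in iter_resources(root):
        if not is_snowflake_grant(res):
            continue
        rid = res.get("values", {}).get("id")
        if rid is None:  # planned but not yet created; nothing to collide on
            continue
        by_id[rid].append(res["address"])
    return {rid: addrs for rid, addrs in by_id.items() if len(addrs) > 1}


def merged_roles(state):
    """For each colliding id, the sorted union of roles across the colliding instances.

    This is the role list a single grant per privilege would need
    (the workaround in this thread: one resource with concat(readers, admins)).
    """
    colliding = find_colliding_grants(state)
    roles = defaultdict(set)
    root = state.get("values", {}).get("root_module", {})
    for res in iter_resources(root):
        if not is_snowflake_grant(res):
            continue
        rid = res.get("values", {}).get("id")
        if rid in colliding:
            roles[rid].update(res.get("values", {}).get("roles") or [])
    return {rid: sorted(r) for rid, r in roles.items()}


def _grant(name, roles):
    # Helper to build a constructed snowflake_database_grant instance for the sample state.
    return {
        "address": f'module.databases["DEV_JAFFLES"].snowflake_database_grant.{name}["USAGE"]',
        "type": "snowflake_database_grant",
        "name": name,
        "index": "USAGE",
        "values": {
            "id": "DEV_JAFFLES|||USAGE|false",
            "database_name": "DEV_JAFFLES",
            "privilege": "USAGE",
            "roles": roles,
        },
    }


# Constructed sample of `terraform show -json` output modelled on the issue's module.
SAMPLE_STATE = {
    "format_version": "1.0",
    "values": {
        "root_module": {
            "resources": [],
            "child_modules": [
                {
                    "address": 'module.databases["DEV_JAFFLES"]',
                    "resources": [
                        {
                            "address": 'module.databases["DEV_JAFFLES"].snowflake_database.db',
                            "type": "snowflake_database",
                            "name": "db",
                            "values": {"id": "DEV_JAFFLES", "name": "DEV_JAFFLES"},
                        },
                        _grant("reader", ["JAFFLES_READER"]),  # assumed role name
                        _grant("admin", ["JAFFLES_ADMIN"]),
                    ],
                }
            ],
        }
    },
}


if __name__ == "__main__":
    state = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_STATE
    collisions = find_colliding_grants(state)
    for rid, addrs in collisions.items():
        print(f"{rid}: {len(addrs)} instances share this id")
        for a in addrs:
            print(f"    {a}")
        print(f"    union of roles: {merged_roles(state)[rid]}")
    sys.exit(1 if collisions else 0)
```

Run it against `terraform show -json > state.json` after an apply; a non-zero exit from a CI step is enough to stop a second `*_grant` resource from silently revoking the first one's roles.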

@tekumara
Author

tekumara commented Apr 3, 2022

Resolved by #824

@tekumara tekumara closed this as completed Apr 3, 2022
@matthewoflynn

As of version 0.29.0 the fix is disabled by default. It can be re-enabled using the enable_multiple_grants optional argument on the *_grant resources.

Relevant PRs: #941 has made the fix #824 disabled by default.
