
Destruction of non-account-level network policy attachments unsets any account-level network policy #900

Closed
adaco opened this issue Mar 9, 2022 · 0 comments · Fixed by #990
Labels
bug Used to mark issues with provider's incorrect behavior

Comments


adaco commented Mar 9, 2022

Provider Version

0.25.36, but AFAICT the issue dates back to the resource's introduction in #271.

Terraform Version

1.1.3

Describe the bug

Destruction of a snowflake_network_policy_attachment resource unconditionally unsets any account-level network policy, even when the snowflake_network_policy_attachment's set_for_account attribute is set to false. This has the effect of unsetting account-level network policies that may have been configured outside of Terraform. snowflake_network_policy renames also trigger snowflake_network_policy_attachment re-creates, which exacerbates the issue.

Expected behavior

Destruction of a snowflake_network_policy_attachment resource with set_for_account = false shouldn't unset account-level network policies (because the resource itself should know that it wasn't set at the account-level).

Code samples and commands

Define some network policy and an attachment:

```hcl
resource "snowflake_network_policy" "policy" {
  name            = "policy"
  comment         = "A policy."
  allowed_ip_list = ["192.168.0.100/24"]
  blocked_ip_list = ["192.168.0.101"]
}

resource "snowflake_network_policy_attachment" "attach" {
  network_policy_name = snowflake_network_policy.policy.name
  set_for_account     = false # note it's not account-level here
  users               = ["user1", "user2"]
}
```

Rename snowflake_network_policy.policy to trigger snowflake_network_policy_attachment.attach destroy + re-create:

```hcl
resource "snowflake_network_policy" "policy" {
  name            = "some_new_name" # changed here.
  comment         = "A policy."
  allowed_ip_list = ["192.168.0.100/24"]
  blocked_ip_list = ["192.168.0.101"]
}

resource "snowflake_network_policy_attachment" "attach" {
  network_policy_name = snowflake_network_policy.policy.name
  set_for_account     = false
  users               = ["user1", "user2"]
}
```

Check snowflake.account_usage.query_history and see that the user identity ran an ALTER ACCOUNT UNSET NETWORK_POLICY statement.

@adaco adaco added the bug Used to mark issues with provider's incorrect behavior label Mar 9, 2022
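The following Go model, added here as an illustration and not taken from the provider's own source, contrasts the reported Delete behaviour with one that honours `set_for_account`. It reduces the resource to its three attributes and returns the SQL statements a Delete would issue, so the difference can be asserted without a Snowflake connection. The type and function names (`NetworkPolicyAttachment`, `buggyDeleteStatements`, `fixedDeleteStatements`, `touchesAccountPolicy`) are assumptions for this example; only the two statement shapes (`ALTER ACCOUNT UNSET NETWORK_POLICY`, `ALTER USER ... UNSET NETWORK_POLICY`) and the attribute names come from the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// NetworkPolicyAttachment mirrors the three attributes of the
// snowflake_network_policy_attachment resource discussed in the issue.
// (Hypothetical type for this example, not the provider's schema.)
type NetworkPolicyAttachment struct {
	NetworkPolicyName string
	SetForAccount     bool
	Users             []string
}

// quoteIdent double-quotes a Snowflake identifier and escapes embedded
// quotes so user names from configuration cannot alter the statement.
func quoteIdent(s string) string {
	return `"` + strings.ReplaceAll(s, `"`, `""`) + `"`
}

// userUnsetStatements returns one ALTER USER ... UNSET NETWORK_POLICY per
// attached user; both variants below share this part.
func userUnsetStatements(users []string) []string {
	stmts := make([]string, 0, len(users))
	for _, u := range users {
		stmts = append(stmts, fmt.Sprintf("ALTER USER %s UNSET NETWORK_POLICY", quoteIdent(u)))
	}
	return stmts
}

// buggyDeleteStatements models the behaviour reported in the issue:
// the account-level policy is unset regardless of set_for_account.
// (Illustrative model, not the provider's actual code.)
func buggyDeleteStatements(a NetworkPolicyAttachment) []string {
	stmts := []string{"ALTER ACCOUNT UNSET NETWORK_POLICY"}
	return append(stmts, userUnsetStatements(a.Users)...)
}

// fixedDeleteStatements only touches the account-level policy when this
// attachment is the one that set it, so a destroy/re-create of a
// user-scoped attachment leaves any externally managed account policy alone.
func fixedDeleteStatements(a NetworkPolicyAttachment) []string {
	var stmts []string
	if a.SetForAccount {
		stmts = append(stmts, "ALTER ACCOUNT UNSET NETWORK_POLICY")
	}
	return append(stmts, userUnsetStatements(a.Users)...)
}

// touchesAccountPolicy reports whether a statement list would unset the
// account-level policy; this is the condition the issue wants to avoid
// when set_for_account = false.
func touchesAccountPolicy(stmts []string) bool {
	for _, s := range stmts {
		if s == "ALTER ACCOUNT UNSET NETWORK_POLICY" {
			return true
		}
	}
	return false
}

func main() {
	// Constructed input matching the issue's reproduction config.
	a := NetworkPolicyAttachment{
		NetworkPolicyName: "policy",
		SetForAccount:     false,
		Users:             []string{"user1", "user2"},
	}
	fmt.Println("reported behaviour:", buggyDeleteStatements(a))
	fmt.Println("expected behaviour:", fixedDeleteStatements(a))
}
```

A stricter variant could additionally read the account's current NETWORK_POLICY parameter before unsetting and skip the ALTER ACCOUNT when it names a different policy than the one being detached; that extra guard is a design suggestion here, not something the issue or the linked fix states.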