fix: Allow multiple resources of the same object grant

[daniepett]

• Filtering grants on read to only return those managed by the resource.
• Updated grantID to contain a list of all the roles in the current grant resource.

These changes allows grants to multiple roles to be done in different resources.

This change comes with the caveat that grants applied OUTSIDE Terraform will not be revoked. This is because the resource won't know if it's maintained by another resource or created elsewhere

Previously the resource id had the structure:
resourceName|schemaName|ObjectName|Privilege|GrantOption
For example: DWH|TEST||USAGE|FALSE

New structure:
resourceName|schemaName|ObjectName|Privilege|Roles|GrantOption

# id = DWH|TEST||USAGE|ROLE_A,ROLE_B|FALSE
resource "snowflake_schema_grant" "grant_a_b" {
  database_name = "DWH"
  schema_name   = "TEST"

  privilege = "USAGE"
  roles     = ["ROLE_A", "ROLE_B"]
  with_grant_option = false
}

# id = DWH|TEST||USAGE|ROLE_C|FALSE
resource "snowflake_schema_grant" "grant_c" {
  database_name = "DWH"
  schema_name   = "TEST"

  privilege = "USAGE"
  roles     = ["ROLE_C"]
  with_grant_option = false
}

Test Plan

• acceptance tests
• unit tests

References

• Feature request: Enable multiple grant resources for the same privilege #210
• snowflake_database_grant and snowflake_account_grant plan change right after a successful deployment, and remove database usage grant to other roles #560
• A grant per role causes changes outside terraform and resources are updated #733

[daniepett]

@alldoami Any idea of if this will be merged in? If not we'll have to plan workarounds for our RBAC solution.

[alldoami]

/ok-to-test sha=7e77feb

[github-actions]

Integration tests success for 7e77feb

[alldoami]

Thanks!

[ChrisIsidora]

@daniepett and @alldoami This change broke my existing Terraform(state) any fix for this or could this be reverted? I keep getting 5 or 6 fields allowed error for my existing snowflake_role_grants resources

[ChrisIsidora]

@alldoami @daniepett We would like to move to version > 0.25.x but this mayor breaking change is blocking, with this change all grant ID's are changed meaning when you run Terraform with has an existing state with the generated ids that predates this commit you can't continue or deploy your resources. Is there an automatic fix for this? If not please revert until there is one

[robbruce]

@alldoami @daniepett @ChrisIsidora - we’re facing the exact same issue. I maybe a state migration function should have been included?

[daniepett]

@ChrisIsidora @robbruce I’ll open a PR for a fix in the next couple of days 👍

[daniepett]

@alldoami @ChrisIsidora @robbruce PR with a fix is available here #923

[alldoami]

@daniepett just merged! I'll create a release today. @robbruce @ChrisIsidora try out the new release and let us know if you have the same issue!

[ChrisIsidora]

@daniepett Thanks for the quick fix waiting for it to be released to test it.

[ChrisIsidora]

@daniepett and @alldoami This change broke my existing Terraform(state) any fix for this or could this be reverted? I keep getting 5 or 6 fields allowed error for my existing snowflake_role_grants resources

@alldoami @robbruce @daniepett The issue that I pointed up previously with role grants is still not solved in 0.28.7 Please solve and release asap, we are blocked for quite some time now because of this.

[alldoami]

@daniepett could you take a further look? If we can't get this fixed, wondering if we should revert the changes and test further before merging.