fix: Legacy role grantID to work with new grant functionality

docs/resources/account_grant.md

@@ -25,6 +25,7 @@ resource snowflake_account_grant grant {
 
 ### Optional
 
+- **enable_multiple_grants** (Boolean) When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.
 - **id** (String) The ID of this resource.
 - **privilege** (String) The privilege to grant on the account.
 - **roles** (Set of String) Grants privilege to these roles.

docs/resources/database_grant.md

@@ -33,6 +33,7 @@ resource snowflake_database_grant grant {
 
 ### Optional
 
+- **enable_multiple_grants** (Boolean) When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.
 - **id** (String) The ID of this resource.
 - **privilege** (String) The privilege to grant on the database.
 - **roles** (Set of String) Grants privilege to these roles.

docs/resources/external_table_grant.md

@@ -44,6 +44,7 @@ resource snowflake_external_table_grant grant {
 
 ### Optional
 
+- **enable_multiple_grants** (Boolean) When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.
 - **external_table_name** (String) The name of the external table on which to grant privileges immediately (only valid if on_future is false).
 - **id** (String) The ID of this resource.
 - **on_future** (Boolean) When this is set to true and a schema_name is provided, apply this grant on all future external tables in the given schema. When this is true and no schema_name is provided apply this grant on all future external tables in the given database. The external_table_name and shares fields must be unset in order to use on_future.

docs/resources/file_format_grant.md

@@ -39,6 +39,7 @@ resource snowflake_file_format_grant grant {
 
 ### Optional
 
+- **enable_multiple_grants** (Boolean) When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.
 - **file_format_name** (String) The name of the file format on which to grant privileges immediately (only valid if on_future is false).
 - **id** (String) The ID of this resource.
 - **on_future** (Boolean) When this is set to true and a schema_name is provided, apply this grant on all future file formats in the given schema. When this is true and no schema_name is provided apply this grant on all future file formats in the given database. The file_format_name field must be unset in order to use on_future.

docs/resources/function_grant.md

@@ -57,6 +57,7 @@ resource snowflake_function_grant grant {
 ### Optional
 
 - **arguments** (Block List) List of the arguments for the function (must be present if function has arguments and function_name is present) (see [below for nested schema](#nestedblock--arguments))
+- **enable_multiple_grants** (Boolean) When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.
 - **function_name** (String) The name of the function on which to grant privileges immediately (only valid if on_future is false).
 - **id** (String) The ID of this resource.
 - **on_future** (Boolean) When this is set to true and a schema_name is provided, apply this grant on all future functions in the given schema. When this is true and no schema_name is provided apply this grant on all future functions in the given database. The function_name, arguments, return_type, and shares fields must be unset in order to use on_future.

docs/resources/integration_grant.md

@@ -32,6 +32,7 @@ resource snowflake_integration_grant grant {
 
 ### Optional
 
+- **enable_multiple_grants** (Boolean) When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.
 - **id** (String) The ID of this resource.
 - **privilege** (String) The privilege to grant on the integration.
 - **roles** (Set of String) Grants privilege to these roles.

docs/resources/masking_policy_grant.md

@@ -23,6 +23,7 @@ description: |-
 
 ### Optional
 
+- **enable_multiple_grants** (Boolean) When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.
 - **id** (String) The ID of this resource.
 - **privilege** (String) The privilege to grant on the masking policy.
 - **roles** (Set of String) Grants privilege to these roles.

docs/resources/materialized_view_grant.md

@@ -43,6 +43,7 @@ resource "snowflake_materialized_view_grant" "grant" {
 
 ### Optional
 
+- **enable_multiple_grants** (Boolean) When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.
 - **id** (String) The ID of this resource.
 - **materialized_view_name** (String) The name of the materialized view on which to grant privileges immediately (only valid if on_future is false).
 - **on_future** (Boolean) When this is set to true and a schema_name is provided, apply this grant on all future materialized views in the given schema. When this is true and no schema_name is provided apply this grant on all future materialized views in the given database. The materialized_view_name and shares fields must be unset in order to use on_future.

docs/resources/pipe_grant.md

@@ -39,6 +39,7 @@ resource snowflake_pipe_grant grant {
 
 ### Optional
 
+- **enable_multiple_grants** (Boolean) When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.
 - **id** (String) The ID of this resource.
 - **on_future** (Boolean) When this is set to true and a schema_name is provided, apply this grant on all future pipes in the given schema. When this is true and no schema_name is provided apply this grant on all future pipes in the given database. The pipe_name field must be unset in order to use on_future.
 - **pipe_name** (String) The name of the pipe on which to grant privileges immediately (only valid if on_future is false).

docs/resources/procedure_grant.md

@@ -57,6 +57,7 @@ resource snowflake_procedure_grant grant {
 ### Optional
 
 - **arguments** (Block List) List of the arguments for the procedure (must be present if procedure has arguments and procedure_name is present) (see [below for nested schema](#nestedblock--arguments))
+- **enable_multiple_grants** (Boolean) When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.
 - **id** (String) The ID of this resource.
 - **on_future** (Boolean) When this is set to true and a schema_name is provided, apply this grant on all future procedures in the given schema. When this is true and no schema_name is provided apply this grant on all future procedures in the given database. The procedure_name and shares fields must be unset in order to use on_future.
 - **privilege** (String) The privilege to grant on the current or future procedure.

docs/resources/resource_monitor_grant.md

@@ -30,6 +30,7 @@ resource snowflake_monitor_grant grant {
 
 ### Optional
 
+- **enable_multiple_grants** (Boolean) When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.
 - **id** (String) The ID of this resource.
 - **privilege** (String) The privilege to grant on the resource monitor.
 - **roles** (Set of String) Grants privilege to these roles.

docs/resources/role_grants.md

@@ -55,6 +55,7 @@ resource "snowflake_role_grants" "grants" {
 
 ### Optional
 
+- **enable_multiple_grants** (Boolean) When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.
 - **id** (String) The ID of this resource.
 - **roles** (Set of String) Grants role to this specified role.
 - **users** (Set of String) Grants role to this specified user.

docs/resources/row_access_policy_grant.md

@@ -39,6 +39,7 @@ resource "snowflake_row_access_policy_grant" "grant" {
 
 ### Optional
 
+- **enable_multiple_grants** (Boolean) When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.
 - **id** (String) The ID of this resource.
 - **privilege** (String) The privilege to grant on the row access policy.
 - **roles** (Set of String) Grants privilege to these roles.

docs/resources/schema_grant.md

@@ -35,6 +35,7 @@ resource snowflake_schema_grant grant {
 
 ### Optional
 
+- **enable_multiple_grants** (Boolean) When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.
 - **id** (String) The ID of this resource.
 - **on_future** (Boolean) When this is set to true, apply this grant on all future schemas in the given database. The schema_name and shares fields must be unset in order to use on_future.
 - **privilege** (String) The privilege to grant on the current or future schema. Note that if "OWNERSHIP" is specified, ensure that the role that terraform is using is granted access.

docs/resources/sequence_grant.md

@@ -39,6 +39,7 @@ resource snowflake_sequence_grant grant {
 
 ### Optional
 
+- **enable_multiple_grants** (Boolean) When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.
 - **id** (String) The ID of this resource.
 - **on_future** (Boolean) When this is set to true and a schema_name is provided, apply this grant on all future sequences in the given schema. When this is true and no schema_name is provided apply this grant on all future sequences in the given database. The sequence_name field must be unset in order to use on_future.
 - **privilege** (String) The privilege to grant on the current or future sequence.

docs/resources/stage_grant.md

@@ -38,6 +38,7 @@ resource snowflake_stage_grant grant {
 
 ### Optional
 
+- **enable_multiple_grants** (Boolean) When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.
 - **id** (String) The ID of this resource.
 - **on_future** (Boolean) When this is set to true and a schema_name is provided, apply this grant on all future stages in the given schema. When this is true and no schema_name is provided apply this grant on all future stages in the given database. The stage_name field must be unset in order to use on_future.
 - **privilege** (String) The privilege to grant on the stage.

docs/resources/stream_grant.md

@@ -39,6 +39,7 @@ resource snowflake_stream_grant grant {
 
 ### Optional
 
+- **enable_multiple_grants** (Boolean) When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.
 - **id** (String) The ID of this resource.
 - **on_future** (Boolean) When this is set to true and a schema_name is provided, apply this grant on all future streams in the given schema. When this is true and no schema_name is provided apply this grant on all future streams in the given database. The stream_name field must be unset in order to use on_future.
 - **privilege** (String) The privilege to grant on the current or future stream.

docs/resources/table_grant.md

@@ -36,6 +36,7 @@ resource snowflake_table_grant grant {
 
 ### Optional
 
+- **enable_multiple_grants** (Boolean) When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.
 - **id** (String) The ID of this resource.
 - **on_future** (Boolean) When this is set to true and a schema_name is provided, apply this grant on all future tables in the given schema. When this is true and no schema_name is provided apply this grant on all future tables in the given database. The table_name and shares fields must be unset in order to use on_future.
 - **privilege** (String) The privilege to grant on the current or future table.

docs/resources/task_grant.md

@@ -39,6 +39,7 @@ resource snowflake_task_grant grant {
 
 ### Optional
 
+- **enable_multiple_grants** (Boolean) When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.
 - **id** (String) The ID of this resource.
 - **on_future** (Boolean) When this is set to true and a schema_name is provided, apply this grant on all future tasks in the given schema. When this is true and no schema_name is provided apply this grant on all future tasks in the given database. The task_name field must be unset in order to use on_future.
 - **privilege** (String) The privilege to grant on the current or future task.

docs/resources/view_grant.md

@@ -43,6 +43,7 @@ resource snowflake_view_grant grant {
 
 ### Optional
 
+- **enable_multiple_grants** (Boolean) When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.
 - **id** (String) The ID of this resource.
 - **on_future** (Boolean) When this is set to true and a schema_name is provided, apply this grant on all future views in the given schema. When this is true and no schema_name is provided apply this grant on all future views in the given database. The view_name and shares fields must be unset in order to use on_future.
 - **privilege** (String) The privilege to grant on the current or future view.

docs/resources/warehouse_grant.md

@@ -34,6 +34,7 @@ resource snowflake_warehouse_grant grant {
 
 ### Optional
 
+- **enable_multiple_grants** (Boolean) When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.
 - **id** (String) The ID of this resource.
 - **privilege** (String) The privilege to grant on the warehouse.
 - **roles** (Set of String) Grants privilege to these roles.

pkg/resources/account_grant.go

@@ -50,6 +50,12 @@ var accountGrantSchema = map[string]*schema.Schema{
 		Default:     false,
 		ForceNew:    true,
 	},
+	"enable_multiple_grants": {
+		Type:        schema.TypeBool,
+		Optional:    true,
+		Description: "When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.",
+		Default:     false,
+	},
 }
 
 // AccountGrant returns a pointer to the resource representing an account grant

pkg/resources/database_grant.go

@@ -52,6 +52,12 @@ var databaseGrantSchema = map[string]*schema.Schema{
 		Default:     false,
 		ForceNew:    true,
 	},
+	"enable_multiple_grants": {
+		Type:        schema.TypeBool,
+		Optional:    true,
+		Description: "When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.",
+		Default:     false,
+	},
 }
 
 // DatabaseGrant returns a pointer to the resource representing a database grant

pkg/resources/database_grant_acceptance_test.go

@@ -56,6 +56,9 @@ func TestAccDatabaseGrant_basic(t *testing.T) {
 				ResourceName:      "snowflake_database_grant.test",
 				ImportState:       true,
 				ImportStateVerify: true,
+				ImportStateVerifyIgnore: []string{
+					"enable_multiple_grants", // feature flag attribute not defined in Snowflake, can't be imported
+				},
 			},
 		},
 	})

pkg/resources/external_table_grant.go

@@ -68,6 +68,13 @@ var externalTableGrantSchema = map[string]*schema.Schema{
 		Default:     false,
 		ForceNew:    true,
 	},
+	"enable_multiple_grants": {
+		Type:        schema.TypeBool,
+		Optional:    true,
+		Description: "When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.",
+		Default:     false,
+		ForceNew:    true,
+	},
 }
 
 // ExternalTableGrant returns a pointer to the resource representing a external table grant

pkg/resources/file_format_grant.go

@@ -60,6 +60,13 @@ var fileFormatGrantSchema = map[string]*schema.Schema{
 		Default:     false,
 		ForceNew:    true,
 	},
+	"enable_multiple_grants": {
+		Type:        schema.TypeBool,
+		Optional:    true,
+		Description: "When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.",
+		Default:     false,
+		ForceNew:    true,
+	},
 }
 
 // FileFormatGrant returns a pointer to the resource representing a file format grant

pkg/resources/function_grant.go

@@ -95,6 +95,13 @@ var functionGrantSchema = map[string]*schema.Schema{
 		Default:     false,
 		ForceNew:    true,
 	},
+	"enable_multiple_grants": {
+		Type:        schema.TypeBool,
+		Optional:    true,
+		Description: "When this is set to true, multiple grants of the same type can be created. This will cause Terraform to not revoke grants applied to roles and objects outside Terraform.",
+		Default:     false,
+		ForceNew:    true,
+	},
 }
 
 // FunctionGrant returns a pointer to the resource representing a function grant

pkg/resources/grant_helpers.go

@@ -116,9 +116,9 @@ func grantIDFromString(stringID string) (*grantID, error) {
 		return nil, fmt.Errorf("1 line per grant")
 	}
 
-	// Len 4 is allowing for legacy IDs where role names are not included
-	if len(lines[0]) < 4 || len(lines[0]) > 6 {
-		return nil, fmt.Errorf("4 to 6 fields allowed in ID")
+	// Len 1 is allowing for legacy IDs where role names are not included
+	if len(lines[0]) < 1 || len(lines[0]) > 6 {
+		return nil, fmt.Errorf("1 to 6 fields allowed in ID")
 	}
 
 	// Splitting string list if new ID structure, will cause issues if roles names passed are "true" or "false".
@@ -137,12 +137,22 @@ func grantIDFromString(stringID string) (*grantID, error) {
 	} else if len(lines[0]) == 5 && lines[0][4] == "true" {
 		grantOption = true
 	}
+
+	schemaName := ""
+	objectName := ""
+	privilege := ""
+
+	if len(lines[0]) > 3 {
+		schemaName = lines[0][1]
+		objectName = lines[0][2]
+		privilege = lines[0][3]
+	}
 
 	grantResult := &grantID{
 		ResourceName: lines[0][0],
-		SchemaName:   lines[0][1],
-		ObjectName:   lines[0][2],
-		Privilege:    lines[0][3],
+		SchemaName:   schemaName,
+		ObjectName:   objectName,
+		Privilege:    privilege,
 		Roles:        roles,
 		GrantOption:  grantOption,
 	}
@@ -261,12 +271,15 @@ func readGenericGrant(
 	}
 
 	existingRoles := d.Get("roles").(*schema.Set)
+	multipleGrantFeatureFlag := d.Get("enable_multiple_grants").(bool)
 	var roles, shares []string
 	// Now see which roles have our privilege
 	for roleName, privileges := range rolePrivileges {
 		// Where priv is not all so it should match exactly
 		// Match to currently assigned roles or let everything through if no specific role grants
-		if privileges.hasString(priv) && (existingRoles.Contains(roleName) || existingRoles.Len() == 0) {
+		if privileges.hasString(priv) && !multipleGrantFeatureFlag {
+			roles = append(roles, roleName)
+		} else if privileges.hasString(priv) && (existingRoles.Contains(roleName) || existingRoles.Len() == 0) && multipleGrantFeatureFlag {
 			roles = append(roles, roleName)
 		}
 	}