[Bug]: Unable to migrate snowflake_role_grants to snowflake_grant_account_role

[jrobison-sb]

Terraform CLI Version

v1.9.1

Terraform Provider Version

v0.96.0

Terraform Configuration

Old resource from version 0.92 of this provider

resource "snowflake_role_grants" "ci" {
  role_name = snowflake_role.ci.name
  roles = [...]
  users = [
    snowflake_user.ci.name,
  ]
}

New resource from version 0.96 of this provider

resource "snowflake_grant_account_role" "grant_role_ci_to_ci_user" {
  role_name = snowflake_role.ci.name
  user_name = snowflake_user.ci.name
}

Category

category:resource

Object type(s)

resource:grant_account_role

Expected Behavior

I should be able to terraform state rm the old resource and terraform import the new resource as generally described here.

Actual Behavior

TF_LOG=DEBUG terraform import module.snowflake_ci.snowflake_grant_account_role.grant_role_ci_to_ci_user "CI_ROLE|USER|CI_USER"

# Debug output snipped for brevity, but I can see this somewhere in the middle of it...

2024-10-10T14:40:28.464-0400 [DEBUG] provider.terraform-provider-snowflake_v0.96.0: 2024/10/10 14:40:28 [DEBUG] sql-conn-query: [query SHOW GRANTS OF ROLE "CI_ROLE" err <nil> duration 210.559375ms args {}] (LOC12345)
2024-10-10T14:40:28.465-0400 [DEBUG] provider.terraform-provider-snowflake_v0.96.0: 2024/10/10 14:40:28 Failed to parse identifier [], err = "incompatible identifier: "; falling back to fully qualified name conversion
2024-10-10T14:40:28.465-0400 [DEBUG] provider.terraform-provider-snowflake_v0.96.0: 2024/10/10 14:40:28 Failed to parse identifier [], err = "incompatible identifier: "; falling back to fully qualified name conversion
2024-10-10T14:40:28.465-0400 [DEBUG] provider.terraform-provider-snowflake_v0.96.0: 2024/10/10 14:40:28 [DEBUG] role grant (CI_ROLE|USER|CI_USER) not found
2024-10-10T14:40:28.465-0400 [WARN]  Provider "registry.terraform.io/snowflake-labs/snowflake" produced an unexpected new value for module.snowflake_ci.snowflake_grant_account_role.grant_role_ci_to_ci_user during refresh.
      - Root object was present, but now absent
2024-10-10T14:40:28.465-0400 [ERROR] vertex "import module.snowflake_ci.snowflake_grant_account_role.grant_role_ci_to_ci_user result" error: Cannot import non-existent remote object
2024-10-10T14:40:28.465-0400 [ERROR] vertex "module.snowflake_ci.snowflake_grant_account_role.grant_role_ci_to_ci_user (import id \"CI_ROLE|USER|CI_USER\")" error: Cannot import non-existent remote object
2024-10-10T14:40:28.465-0400 [ERROR] vertex "module.snowflake_ci.snowflake_grant_account_role.grant_role_ci_to_ci_user (expand)" error: Cannot import non-existent remote object

# Error message all the way at the end:

│ Error: Cannot import non-existent remote object
│ 
│ While attempting to import an existing object to "module.snowflake_ci.snowflake_grant_account_role.grant_role_ci_to_ci_user", the provider
│ detected that no object exists with the given id. Only pre-existing objects can be imported; check that the id is correct and that it is
│ associated with the provider's configured region or endpoint, or use "terraform apply" to create a new remote object for this resource.

Steps to Reproduce

Attempt to migrate from an old snowflake_role_grants resource to a new snowflake_grant_account_role resource by way of terraform state rm ... && terraform import ....

How much impact is this issue causing?

Medium

Logs

No response

Additional Information

$ terraform state show module.snowflake_ci.snowflake_user.ci
# module.snowflake_ci.snowflake_user.ci:
resource "snowflake_user" "ci" {
    comment                        = null
    default_namespace              = null
    default_role                   = "CI_ROLE"
    default_secondary_roles_option = "NONE"
    default_warehouse              = "CI_COMPUTE_WH"
    disabled                       = "false"
    display_name                   = (sensitive value)
    email                          = (sensitive value)
    first_name                     = (sensitive value)
    id                             = "CI_USER"
    last_name                      = (sensitive value)
    login_name                     = (sensitive value)
    must_change_password           = "false"
    name                           = (sensitive value)
    password                       = (sensitive value)
}

$ terraform state show module.snowflake_ci.snowflake_role.ci
# module.snowflake_ci.snowflake_role.ci:
resource "snowflake_role" "ci" {
    comment = "CI_ROLE"
    id      = "CI_ROLE"
    name    = "CI_ROLE"
}

Would you like to implement a fix?

• Yeah, I'll take it 😎

[sfc-gh-asawicki]

Hey @jrobison-sb. Thanks for reaching out to us.

Thank you for the detailed description! I will validate the behavior in the morning, but an idea I have now (and it seems to change the execution slightly) is to have CI_ROLE and CI_USER both wrapped in double quotes in the import statement. The docs for import also suggest this: https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role#import.

The reason lies in these two lines:

terraform-provider-snowflake/pkg/resources/grant_account_role.go

Line 124 in d837341

targetIdentifier := parts[2]

and

terraform-provider-snowflake/pkg/resources/grant_account_role.go

Line 140 in d837341

if grant.GranteeName.FullyQualifiedName() == targetIdentifier {

Can you please check if this makes the import succeed?

[jrobison-sb]

@sfc-gh-asawicki

Slashy escape quotes unblocked me on this. Thanks for your help.