[Bug]: snowflake_grant_privileges_to_account_role unable to revoke grants #3239

Closed
1 task done
onerishabh opened this issue Nov 29, 2024 · 4 comments
Labels
bug Used to mark issues with provider's incorrect behavior

Comments

@onerishabh

Terraform CLI Version

1.5.7

Terraform Provider Version

0.99

Company Name

No response

Terraform Configuration

resource "snowflake_grant_privileges_to_account_role" "account_privileges" {
  
  account_role_name = snowflake_account_role.this.name
  privileges        = [
    "execute task",
    "apply masking policy"
  ]

  on_account = true

  provider = snowflake.accountadmin
}

Category

category:resource

Object type(s)

resource:grant_privileges_to_account_role

Expected Behavior

If a particular privilege is removed from privileges, the provider should perform a revoke, but it is not doing so.

Actual Behavior

Error: [grants_validations.go:174] exactly one of AccountRoleGrantPrivileges fields [AllPrivileges GlobalPrivileges AccountObjectPrivileges SchemaPrivileges
│ SchemaObjectPrivileges] must be set

Steps to Reproduce

Remove one of the privileges to reproduce this error. Adding new privileges works fine, but not removing existing privileges.

How much impact is this issue causing?

High

Logs

No response

Additional Information

No response

Would you like to implement a fix?

  • Yeah, I'll take it 😎
@onerishabh onerishabh added the bug Used to mark issues with provider's incorrect behavior label Nov 29, 2024
@sfc-gh-jmichalak
Collaborator

Hi @onerishabh 👋

This looks like a bug on our side, but I observed a different behavior: We use case-sensitive privileges here, and I can see the lowercase privileges are added in each plan. I tried running it with uppercase privileges, and it seems to be working correctly. Please adjust your config to

resource "snowflake_grant_privileges_to_account_role" "account_privileges" {
  
  account_role_name = snowflake_account_role.this.name
  privileges        = [
    "APPLY MASKING POLICY",
    "EXECUTE TASK"
  ]

  on_account = true

  provider = snowflake.accountadmin
}

We will support lowercase privileges on our side. This is a general tip as well - when you see some errors, try using uppercase values, because they are "default".

@onerishabh
Author

@sfc-gh-jmichalak thanks for the tip regarding case of the privilege.

However, the revoke of grant is still limited, correct? I'm happy to give it a shot with guidance on how it can be resolved.

@sfc-gh-jmichalak
Collaborator

It should be revoked after removing from the list. Please paste logs with TF_LOG=DEBUG.

@onerishabh
Author

You are right; after I made the privileges uppercase, it is revoking them safely as well. Thanks for your help!

I will close this issue as it is no longer a blocker.

@sfc-gh-jmichalak sfc-gh-jmichalak self-assigned this Dec 3, 2024
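
Added example (not part of the thread and not the provider's own code): a Terraform variable validation that rejects lowercase privilege names at plan time, so the case mismatch discussed above is caught before it reaches the provider. The variable name `account_privileges` is an assumption; the resource, role reference and provider alias are taken from the configuration in the issue.

```hcl
# Hypothetical input variable holding the account-level privileges to grant.
variable "account_privileges" {
  type        = set(string)
  description = "Account-level privileges to grant; every entry must be uppercase."

  validation {
    # Fail the plan if any entry differs from its uppercase form,
    # e.g. "execute task" instead of "EXECUTE TASK".
    condition     = alltrue([for p in var.account_privileges : p == upper(p)])
    error_message = "Write every privilege in uppercase, for example \"EXECUTE TASK\"."
  }
}

resource "snowflake_grant_privileges_to_account_role" "account_privileges" {
  account_role_name = snowflake_account_role.this.name
  privileges        = var.account_privileges
  on_account        = true

  provider = snowflake.accountadmin
}
```

After removing a privilege from the variable's value, review the plan output for the corresponding change to the grant before applying.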