[Bug]: Error on snowflake_grant_privileges_to_account_role & snowflake_grant_ownership with procedures #3139

Closed
filipe-alves-itech opened this issue Oct 16, 2024 · 3 comments
filipe-alves-itech commented Oct 16, 2024

Terraform CLI Version

0.97.0

Terraform Provider Version

1.9.7

Terraform Configuration

The identifier for functions and procedures described in the documentation (https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/guides/identifiers) doesn't work for the resources snowflake_grant_privileges_to_account_role and snowflake_grant_ownership

According to the documentation, the correct identifier format is:

"\"${snowflake_procedure.database}\".\"${snowflake_procedure.schema}\".\"${snowflake_procedure.name}(NUMBER, VARCHAR)\""

The identifier format that actually works:

"\"${snowflake_procedure.database}\".\"${snowflake_procedure.schema}\".\"${snowflake_procedure.name}\"(NUMBER, VARCHAR)"

Category

category:resource

Object type(s)

resource:snowflake_grant_privileges_to_account_role
resource:snowflake_grant_ownership

Expected Behavior

The documented identifier

Actual Behavior

The documented identifier format works.

Steps to Reproduce

Terraform code:

terraform {
  required_providers {
    snowflake = {
      source  = "snowflake-labs/snowflake"
      version = "0.97.0"
    }
  }

  required_version = ">= 1.9.7"
}

resource "snowflake_grant_ownership" "example" {
  account_role_name   = "DEV_DEVELOPER"
  outbound_privileges = "REVOKE"
  on {
    object_type = "FUNCTION"
    object_name = "\"DEV_DWH\".\"ADMIN\".\"SAY_HI(VARCHAR)\""
  }
}

resource "snowflake_grant_privileges_to_account_role" "example" {
  account_role_name = "DEV_DEVELOPER"
  privileges        = ["USAGE"]
  with_grant_option = false

  on_schema_object {
    object_type = "FUNCTION"
    object_name = "\"DEV_DWH\".\"ADMIN\".\"SAY_HI(VARCHAR)\""
  }
}

Run terraform apply -auto-approve

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # snowflake_grant_ownership.example will be created
  + resource "snowflake_grant_ownership" "example" {
      + account_role_name   = "DEV_DEVELOPER"
      + id                  = (known after apply)
      + outbound_privileges = "REVOKE"

      + on {
          + object_name = "\"DEV_DWH\".\"ADMIN\".\"SAY_HI(VARCHAR)\""
          + object_type = "FUNCTION"
        }
    }

  # snowflake_grant_privileges_to_account_role.example will be created
  + resource "snowflake_grant_privileges_to_account_role" "example" {
      + account_role_name = "DEV_DEVELOPER"
      + all_privileges    = false
      + always_apply      = false
      + id                = (known after apply)
      + on_account        = false
      + privileges        = [
          + "USAGE",
        ]
      + with_grant_option = false

      + on_schema_object {
          + object_name = "\"DEV_DWH\".\"ADMIN\".\"SAY_HI(VARCHAR)\""
          + object_type = "FUNCTION"
        }
    }

Plan: 2 to add, 0 to change, 0 to destroy.
snowflake_grant_ownership.example: Creating...
snowflake_grant_privileges_to_account_role.example: Creating...
╷
│ Error: unable to read identifier: "DEV_DWH"."ADMIN"."SAY_HI, err = parse error on line 1, column 26: extraneous or missing " in quoted-field
│ 
│   with snowflake_grant_ownership.example,
│   on main.tf line 1, in resource "snowflake_grant_ownership" "example":
│    1: resource "snowflake_grant_ownership" "example" {
│ 
╵
╷
│ Error: unable to read identifier: "DEV_DWH"."ADMIN"."SAY_HI, err = parse error on line 1, column 26: extraneous or missing " in quoted-field
│ 
│   with snowflake_grant_privileges_to_account_role.example,
│   on main.tf line 10, in resource "snowflake_grant_privileges_to_account_role" "example":
│   10: resource "snowflake_grant_privileges_to_account_role" "example" {
│ 
╵

How much impact is this issue causing?

Low

Logs

No response

Additional Information

Unsure if the error is with the documentation or the resource behaviour, but surely they should match.

Would you like to implement a fix?

  • Yeah, I'll take it 😎
filipe-alves-itech added the bug label (used to mark issues with provider's incorrect behavior) Oct 16, 2024
@sfc-gh-jmichalak
Collaborator

Hi @filipe-alves-itech 👋

This is an error in the documentation, we'll fix it in the next release. The correct format is

"\"${snowflake_procedure.database}\".\"${snowflake_procedure.schema}\".\"${snowflake_procedure.name}\"(NUMBER, VARCHAR)"

Keep in mind that we've introduced the fully_qualified_name field, which is a preferred way of referencing other resources. If you manage this procedure in Terraform as well, simply use

resource "snowflake_grant_privileges_to_account_role" "example" {
  account_role_name = "DEV_DEVELOPER"
  privileges        = ["USAGE"]
  with_grant_option = false

  on_schema_object {
    object_type = "FUNCTION"
    object_name = snowflake_procedure.procedure_name.fully_qualified_name
  }
}
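
Why the quote placement decides whether the grant resolves, as an added example that is not the provider's own code: the error text in the report is the one Go's `encoding/csv` reader produces, and the identifier it prints is cut off before the `(`. The helper `parseObjectName` is hypothetical and assumes the argument list is split off at the first `(` and the rest is read as one record with `.` as the delimiter.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// parseObjectName is a hypothetical helper (not the provider's code). It assumes
// the argument list starts at the first "(" and that the name part before it is
// read as one CSV record with "." as the delimiter and `"` as the quote character.
func parseObjectName(id string) (parts []string, args string, err error) {
	name := id
	if i := strings.Index(id, "("); i >= 0 {
		name, args = id[:i], id[i:]
	}
	r := csv.NewReader(strings.NewReader(name))
	r.Comma = '.'
	parts, err = r.Read()
	if err != nil {
		// An opening quote without its closing quote ends up here.
		return nil, "", fmt.Errorf("unable to read identifier: %s, err = %w", name, err)
	}
	if len(parts) != 3 {
		return nil, "", fmt.Errorf("want database.schema.name, got %d parts", len(parts))
	}
	return parts, args, nil
}

func main() {
	for _, id := range []string{
		`"DEV_DWH"."ADMIN"."SAY_HI(VARCHAR)"`, // documented form from the issue
		`"DEV_DWH"."ADMIN"."SAY_HI"(VARCHAR)`, // working form from the issue
	} {
		parts, args, err := parseObjectName(id)
		fmt.Printf("%s\n  parts=%q args=%q err=%v\n", id, parts, args, err)
	}
}
```

With the documented form the closing quote of the name lands after the `(`, so the name part ends inside an open quoted field and the grant is never applied; with the working form each of the three parts is quoted on its own.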

sfc-gh-jmichalak added a commit that referenced this issue Oct 22, 2024
- add new `snowflake_stream_on_directory_table` resource
- adjust SDK to handle non-qualified names for streams' tables
- address open comments from the previous [pr](#3122)
- recreate streams when they are stale (ref #1150)
- change diff suppress on copy_grants
- improve procedure grants documentation (ref #3139)

## Test Plan
* [x] acceptance tests
* [ ] …

## References
https://docs.snowflake.com/en/sql-reference/sql/create-stream

## TODO
- add streams on views
- add streams data source
sfc-gh-jmichalak self-assigned this Nov 5, 2024
sfc-gh-jmichalak added the docs label (used to mark issues with documentation remark/questions) and removed the bug label (used to mark issues with provider's incorrect behavior) Nov 12, 2024
@sfc-gh-jmichalak
Collaborator

Hi @filipe-alves-itech 👋

We've released a new v0.98.0 version (release, migration guide) with updated documentation.

@sfc-gh-jmichalak
Collaborator

Closing due to inactivity. Please create a new issue if the problem persists in the newest version.
