Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Feature]: Add the newly introduced privilege "MANAGE SHARE TARGET" #3153

Open
1 task
arjungk1992 opened this issue Oct 23, 2024 · 7 comments
Open
1 task
Labels
feature-request Used to mark issues with provider's missing functionalities

Comments

@arjungk1992
Copy link

Use Cases or Problem Statement

A new privilege MANAGE SHARE TARGET was added to Snowflake. Trying to manage this through terraform results in

Error: expected privilege to be one of ["IMPORT SHARE" "APPLY PASSWORD POLICY" "APPLY TAG" "ATTACH POLICY" "CREATE USER" "EXECUTE TASK" "OVERRIDE SHARE RESTRICTIONS" "PURCHASE DATA EXCHANGE LISTING" "APPLY MASKING POLICY" "APPLY ROW ACCESS POLICY" "APPLY SESSION POLICY" "CREATE ROLE" "MONITOR SECURITY" "CREATE FAILOVER GROUP" "MONITOR" "MANAGE WAREHOUSES" "MONITOR EXECUTION" "PROVISION APPLICATION" "MANAGE USER SUPPORT CASES" "RESOLVE ALL" "CREATE INTEGRATION" "CREATE WAREHOUSE" "MANAGE GRANTS" "EXECUTE MANAGED TASK" "MANAGE ORGANIZATION SUPPORT CASES" "ALL PRIVILEGES" "CREATE CREDENTIAL" "CREATE DATA EXCHANGE LISTING" "CREATE NETWORK POLICY" "MONITOR USAGE" "MANAGE ACCOUNT SUPPORT CASES" "AUDIT" "CREATE ACCOUNT" "CREATE DATABASE" "CREATE SHARE"], got MANAGE SHARE TARGET

Checking the privilege list here looks like this new privilege is indeed missing. I can open a PR with this privilege added in if that's all it takes to get this added.

Category

category:grants

Object type(s)

No response

Proposal

I propose adding this missing privilege in.

How much impact is this issue causing?

Low

Additional Information

No response

Would you like to implement a fix?

  • Yeah, I'll take it 😎
@arjungk1992 arjungk1992 added the feature-request Used to mark issues with provider's missing functionalities label Oct 23, 2024
@sfc-gh-asawicki
Copy link
Collaborator

Hey @arjungk1992. Thanks for reaching out to us.

We will add this privilege soon.

@jgrobbel
Copy link

jgrobbel commented Nov 5, 2024

Hey @arjungk1992. Thanks for reaching out to us.

We will add this privilege soon.

This has hit us too, now that the 2024_07 is now the default for new accounts. We have disabled the bundle for now but look forward to MANAGE SHARE TARGET getting added to the list of privileges. Is there an ETA?

@sfc-gh-asawicki
Copy link
Collaborator

Hey @arjungk1992 @jgrobbel.

Which resources and versions of the provider you are using? I have just tested the newest provider version and this new privilege works after bundle enable with snowflake_grant_privileges_to_account_role resource.

@jgrobbel
Copy link

jgrobbel commented Nov 6, 2024

Hey @arjungk1992 @jgrobbel.

Which resources and versions of the provider you are using? I have just tested the newest provider version and this new privilege works after bundle enable with snowflake_grant_privileges_to_account_role resource.

Error: expected privilege to be one of ["APPLY MASKING POLICY" "APPLY SESSION POLICY" "CREATE FAILOVER GROUP" "EXECUTE TASK" "IMPORT SHARE" "MONITOR EXECUTION" "CREATE ROLE" "CREATE SHARE" "PURCHASE DATA EXCHANGE LISTING" "APPLY PASSWORD POLICY" "CREATE DATA EXCHANGE LISTING" "MONITOR SECURITY" "MANAGE ACCOUNT SUPPORT CASES" "CREATE CREDENTIAL" "CREATE DATABASE" "MANAGE GRANTS" "MONITOR" "OVERRIDE SHARE RESTRICTIONS" "RESOLVE ALL" "APPLY ROW ACCESS POLICY" "ATTACH POLICY" "CREATE ACCOUNT" "MANAGE ORGANIZATION SUPPORT CASES" "MANAGE USER SUPPORT CASES" "PROVISION APPLICATION" "ALL PRIVILEGES" "APPLY TAG" "AUDIT" "CREATE USER" "MANAGE WAREHOUSES" "MONITOR USAGE" "EXECUTE MANAGED TASK" "CREATE INTEGRATION" "CREATE WAREHOUSE" "CREATE NETWORK POLICY"], got MANAGE SHARE TARGET

with snowflake_account_grant.snowflakeonawstfstack_datareconcileroidc_accountCreator_XX["MANAGE SHARE TARGET"],

Here is the resource + version.

https://registry.terraform.io/providers/Snowflake-Labs/snowflake/0.90.0/docs/resources/account_grant

@sfc-gh-asawicki
Copy link
Collaborator

Hey @jgrobbel. This is the old grant resource that is no longer supported. Check https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#old-grant-resources-removal.

sfc-gh-asawicki added a commit that referenced this issue Nov 7, 2024
sfc-gh-asawicki added a commit that referenced this issue Nov 7, 2024
sfc-gh-asawicki added a commit that referenced this issue Nov 8, 2024
Apply various fixes:
- Fix handling compute pool privileges (#2717)
- Fail to reproduce the problem with password policy user attachment
(#3005)
- Adapt user to BCR Bundle 2024_08 (#3125)
- Loosen identifier validations - parentheses (#3127) - check below
- Prove MANAGE SHARE TARGET works correctly (#3153)

On the identifier validation topic:
ParseIdentifierString should generally allow parentheses. It should
validate them for the identifiers for functions, procedures, etc.
Because of that:
- this validation was removed
- method usages were analyzed to check what consequences it has
throughout the provider
  - DecodeSnowflakeAccountIdentifier - OK, account level identifier
  - DecodeSnowflakeParameterID
- buildOptsForGrantsOn (grants datasource) - NOK, had to fix the logic
- ContainsIdentifierIgnoringQuotes - OK, transitively used only in
network policies
    - TestDecodeSnowflakeParameterID - OK
    - IsValidIdentifier - OK, used for other identifier types
- pkg/resource - OK, used in streams, table constraints and tag masking
policy associations
  - suppressIdentifierQuoting
- used in non-grant resources with non-argument identifier types - OK
- used in grant resources - OK, the validation will be relaxed for now,
diff suppression won't work correctly for the identifiers with
arguments, will be addressed with functions/procedures rework
(multi-field validation could be handled for such cases, issue added;
references:
hashicorp/terraform-plugin-sdk#354,
hashicorp/terraform-plugin-sdk#233)
- suppressIdentifierQuotingPartiallyQualifiedName - as above; currently
used only for streams
- parseIdentifier - used by other identifier types (type constraints
added)
- ParseObjectIdentifierString - OK, used for other identifier types
(ParseSchemaObjectIdentifierWithArguments is dedicated for identifier
with arguments)
- ParseSchemaObjectIdentifierWithArguments - OK, we split the input
string on first opening paren (so there are no other opening parens
there)
- Test_ParseIdentifierString - tests adjusted for the removed validation

Others:
- Remove unused privileges.go file
- Fix preview resources list for V1

References:
-
#2717
-
#3005
-
#3125
-
#3127
-
#3153
sfc-gh-jmichalak pushed a commit that referenced this issue Nov 8, 2024
##
[0.98.0](v0.97.0...v0.98.0)
(2024-11-08)

Feature scope readiness for V1:
[link](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/v1-preparations/ESSENTIAL_GA_OBJECTS.MD)
([Roadmap
reference](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/ROADMAP.md#wrap-up-the-functional-scope)).
:exclamation: Migration guide: [v0.97.0 ->
v0.98.0](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0970--v0980)

### 🎉 What's new
- New resources:
- authentication_policy
([#3098](#3098)),
references
[#2880](#2880)
- external_volume
([#3106](#3106)),
partially references
[#2980](#2980)
- stream_on_directory_table
([#3129](#3129))
- stream_on_view
([#3150](#3150))
- primary_connection, secondary_connection
([#3162](#3162))
- secret_with_basic_authentication, secret_with_generic_string,
secret_with_oauth_authorization_code_grant,
secret_with_oauth_client_credentials
([#3110](#3110)),
([#3141](#3141))
- New data sources:
- connections
([#3155](#3155)),
([#3173](#3173))
- secrets
([#3131](#3131))
- Reworked:
- provider configuration hierarchy
([#3166](#3166)),
references
[#1881](#1881),
[#2145](#2145),
[#2925](#2925),
[#2983](#2983),
[#3104](#3104)
- provider configuration fields
([#3152](#3152))
streams data source
([#3151](#3151))
- SDK upgrades:
- Upgrade tag SDK
([#3126](#3126))
- Recreate streams when they are stale
([#3129](#3129))
### 🔧  Misc
- Add object renaming research summary
([#3172](#3172))
- Test support for object renaming
([#3130](#3130)),
([#3147](#3147)),
([#3154](#3154))
- Add tests to issue
[#3117](#3117)
([#3133](#3133))
- New roadmap entry
([#3158](#3158))
- Test more authentication methods
([#3178](#3178))
- Minor fixes
([#3174](#3174))
### 🐛  Bug fixes
- Apply various fixes
([#3176](#3176)),
this addresses BCR 2024_08, references
[#2717](#2717),
[#3005](#3005),
[#3125](#3125),
[#3127](#3127),
[#3153](#3153)
- Connection and secret data sources tests
([#3177](#3177))
- Fix grant import docs
([#3183](#3183)),
resolves
[#3179](https://github.com/Snowflake-Labs/terraform-provider-snowflake/discussions/3179)
- Fix user resource import
([#3181](#3181))
- Handle external type changes in stream resources
([#3164](#3164))
- Do not use OR REPLACE on initial creation in resources with
copy_grants
([#3129](#3129))
- Address issue
[#2201](#2201)
by introducing new stream resources

Co-authored-by: snowflake-release-please[bot] <105954990+snowflake-release-please[bot]@users.noreply.github.com>
@sfc-gh-asawicki
Copy link
Collaborator

Hey @jgrobbel. Were you able to verify that the new grant resource works for you?

@jgrobbel
Copy link

Hey @jgrobbel. Were you able to verify that the new grant resource works for you?

Hey @sfc-gh-asawicki, I only managed to confirm that the resource we are using in our current provider is indeed deprecated and that we need to move to the new one. I have not managed to do that yet - instead we have disabled the 2024_07 bundle in Snowflake, but time is running out as it will go to Generally Enabled in Jan 2025.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature-request Used to mark issues with provider's missing functionalities
Projects
None yet
Development

No branches or pull requests

3 participants