database_grant for usage to roles and share(s) constantly being recreated

[callumwebb]

When using snowflake_database_grant with privilege = "USAGE", a list of roles and a share, terraform destroys and recreates the grant every time despite the roles and share not changing.

Code

(Showing a relevant stripped down subset from my project, let me know if you need a true minimal reproducible example)

resource "snowflake_database_grant" "db_usage" {
  database_name = snowflake_database.db.name
  privilege     = "USAGE"
  roles = [
    snowflake_role.role1.name,
    snowflake_role.role2.name
  ]
  shares = [
    snowflake_share.data_share.name
  ]
}

resource "snowflake_share" "data_share" {
  name = "DATA_SHARE"   
  accounts = [
    snowflake_managed_account.account.locator
  ]
}

Always results in this plan:

  # snowflake_database_grant.db_usage must be replaced
-/+ resource "snowflake_database_grant" "db_usage" {
        database_name = "DB"
      ~ id            = "DB|||USAGE" -> (known after apply)
        privilege     = "USAGE"
        roles         = [
            "ROLE1",
            "ROLE2",
        ]
      ~ shares        = [ # forces replacement
          + "DATA_SHARE",
        ]
    }

Checking snowflake, both the share and the grant are successfully created, but it seems that terraform thinks the share is missing from the grant every time it runs.

[callumwebb]

An implication of this issue is that we can use the provider to set up grants to shares, but can't revoke them. It's like the share is invisible when it attempts show grants on x to compute the diff. Schema grants are also affected.

[jmak123]

I think the issue is the same as this:
#211

Basically Terraform compiles list/array items with trailing comma which is always different to what it actually writes into tfstate.

@ryanking May be worth consolidating the two issues?

[slocke716]

This poses a serious problem to our organization right now. I'd love to see this fixed.