Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Granting a database role to a share fails with "Root object was present, but now absent." #2410

Closed
kingalban opened this issue Jan 24, 2024 · 5 comments · Fixed by #2508
Closed

Granting a database role to a share fails with "Root object was present, but now absent." #2410

kingalban opened this issue Jan 24, 2024 · 5 comments · Fixed by #2508
Assignees
@sfc-gh-jcieslak
Labels
bug Used to mark issues with provider's incorrect behavior

Comments

@kingalban
Copy link

Terraform CLI and Provider Versions

Terraform v1.7.0
on linux_amd64

  • provider registry.terraform.io/hashicorp/aws v4.67.0
  • provider registry.terraform.io/hashicorp/http v3.4.0
  • provider registry.terraform.io/hashicorp/random v3.6.0
  • provider registry.terraform.io/snowflake-labs/snowflake v0.84.1

Terraform Configuration

resource "snowflake_database" "example_database" {
  name = "EXAMPLE"
}

resource "snowflake_database_role" "exampled_database_role" {
  database = snowflake_database.example_database.name
  name = "EXAMPLE"
}

resource "snowflake_share" "example_share" {
  name     = "EXAMPLE_SHARE"
  accounts = ["<another>.<account>"]
}

resource "snowflake_database_grant" "share_use_database" {
  database_name = snowflake_database.example_database.name
  shares = [snowflake_share.example_share.name]
}

resource "snowflake_grant_database_role" "share_use_database_role" {
  database_role_name = "${snowflake_database_role.exampled_database_role.database}.${snowflake_database_role.exampled_database_role.name}"
  share_name         = snowflake_share.example_share.name
  depends_on = [snowflake_database_grant.share_use_database] # neglecting this results in a separate error
}

Expected Behavior

The share snowflake_share.example_share should be granted the privilege USAGE on the database snowflake_database.example_database and database role snowflake_database_role.exampled_database_role.

Actual Behavior

terraform apply produces a reasonable plan, but when it goes to apply it gives this error:

╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to snowflake_grant_database_role.share_use_database_role, provider "provider[\"registry.terraform.io/snowflake-labs/snowflake\"]" produced an unexpected new value: Root object was present, but
│ now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵

Checking Snowflake, the share wasn't granted any privileges on the database role.

Repeating terraform apply, it shows that the snowflake_grant_database_role.share_use_database_role needs to be created. Trying to do that gives the same error.

Steps to Reproduce

  1. terraform apply

How much impact is this issue causing?

High

Logs

No response

Additional Information

because of the depreciation of grants like snowflake_database_grant, and the fact that snowflake_grant_privileges_to_share doesn't exist yet, I don't see how I can use the provider to manage shares.

Specifically, I am already managing privileges on the database of interest using the snowflake_grant_privileges_to_role resource, and combining that resource with snowflake_database_grant results in nasty conflicts
@kingalban kingalban added the bug Used to mark issues with provider's incorrect behavior label Jan 24, 2024
@kingalban
Copy link
Author

I found these related issues, 2209, 1683 , 1674 , and 754.
Looks like they are either related to schemas and schema grants, using an older version of the provider.

I forgot to note: the role terraform is using is ACCOUNTADMIN

@sfc-gh-asawicki
Copy link
Collaborator

Hey @kingalban . Thanks for reporting the issue.

As this is a new resource we will analyze it shortly.

@sfc-gh-jcieslak sfc-gh-jcieslak self-assigned this Feb 15, 2024
@sfc-gh-jcieslak
Copy link
Collaborator

sfc-gh-jcieslak commented Feb 15, 2024
edited
Loading

Hey @kingalban,
I found the root cause of the issue (wrong mapping of SHOW GRANTS result for shares). Here's the pr for it (it may be released today v0.86.0 or with the next version). Oh, and FYI snowflake_grant_privileges_to_share exists in 0.85.0 (docs). In use with your example:

resource "snowflake_database" "test" {
  name     = var.database
}

resource "snowflake_database_role" "test" {
  database = snowflake_database.test.name
  name     = var.database_role_name
}

resource "snowflake_share" "test" {
  name = var.share_name
}

resource "snowflake_grant_privileges_to_share" "test" {
  privileges = ["USAGE"]
  on_database = snowflake_database.test.name
  to_share = snowflake_share.test.name
}

resource "snowflake_grant_database_role" "test" {
  database_role_name = "\"${snowflake_database.test.name}\".\"${snowflake_database_role.test.name}\""
  share_name         = snowflake_share.test.name
}

@sfc-gh-jcieslak sfc-gh-jcieslak mentioned this issue Feb 15, 2024
Merged
sfc-gh-jcieslak added a commit that referenced this issue Feb 15, 2024
@sfc-gh-jcieslak
fix: SHOW GRANTS mapping for share data type (#2508)
feb4d44 
Fixes:
#2410
The root cause of the issue was that in SHOW GRANTS conversion from row
representation to SDK object representation, we had a special case for
shares that would split it on dot. Share may have only one part and this
change adds support for such a situation. Additionally, it was covered
by an existing test that was commented out and was waiting for the
`snowflake_grant_privileges_to_share` resource.
@sfc-gh-jcieslak
Copy link
Collaborator

Hey @kingalban
Yesterday we released 0.86.0 which should fix the issue, could you confirm ?

@kingalban
Copy link
Author

Yes, this resolved my issues!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sfc-gh-jcieslak sfc-gh-jcieslak

Labels
bug Used to mark issues with provider's incorrect behavior
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: SHOW GRANTS mapping for share data type Snowflake-Labs/terraform-provider-snowflake
3 participants
@kingalban @sfc-gh-jcieslak @sfc-gh-asawicki