From c336abcaebb06ead39f88b09b0d25659fd22a51b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Cie=C5=9Blak?=
Date: Fri, 12 Apr 2024 13:58:41 +0200
Subject: [PATCH] Fix for granting ownership on database roles
---
 pkg/resources/grant_ownership.go | 17 ++++---
 .../grant_ownership_acceptance_test.go | 45 +++++++++++++++++++
 .../test.tf | 20 +++++++++
 .../variables.tf | 11 +++++
 4 files changed, 87 insertions(+), 6 deletions(-)
 create mode 100644 pkg/resources/testdata/TestAcc_GrantOwnership/OnObject_DatabaseRole_ToAccountRole/test.tf
 create mode 100644 pkg/resources/testdata/TestAcc_GrantOwnership/OnObject_DatabaseRole_ToAccountRole/variables.tf
diff --git a/pkg/resources/grant_ownership.go b/pkg/resources/grant_ownership.go
index 5253bc84bb..df9e20ed58 100644
--- a/pkg/resources/grant_ownership.go
+++ b/pkg/resources/grant_ownership.go
@@ -334,7 +334,7 @@ func ReadGrantOwnership(ctx context.Context, d *schema.ResourceData, meta any) d
 }
 }
- opts, grantedOn := prepareShowGrantsRequestForGrantOwnership(id)
+ opts, expectedGrantedOn := prepareShowGrantsRequestForGrantOwnership(id)
 if opts == nil {
 return nil
 }
@@ -368,7 +368,7 @@ func ReadGrantOwnership(ctx context.Context, d *schema.ResourceData, meta any) d
 // grant_on is for future grants, granted_on is for current grants.
 // They function the same way though in a test for matching the object type
- if grantedOn != grant.GrantedOn && grantedOn != grant.GrantOn {
+ if expectedGrantedOn != grant.GrantedOn && expectedGrantedOn != grant.GrantOn {
 continue
 }
@@ -521,12 +521,17 @@ func getOwnershipGrantOpts(id *GrantOwnershipId) *sdk.GrantOwnershipOptions {
 func prepareShowGrantsRequestForGrantOwnership(id *GrantOwnershipId) (*sdk.ShowGrantOptions, sdk.ObjectType) {
 opts := new(sdk.ShowGrantOptions)
- var grantedOn sdk.ObjectType
+ var expectedGrantedOn sdk.ObjectType
 switch id.Kind {
 case OnObjectGrantOwnershipKind:
 data := id.Data.(*OnObjectGrantOwnershipData)
- grantedOn = data.ObjectType
+ switch data.ObjectType {
+ case sdk.ObjectTypeDatabaseRole:
+ expectedGrantedOn = sdk.ObjectTypeRole
+ default:
+ expectedGrantedOn = data.ObjectType
+ }
 opts.On = &sdk.ShowGrantsOn{
 Object: &sdk.Object{
 ObjectType: data.ObjectType,
@@ -543,7 +548,7 @@ func prepareShowGrantsRequestForGrantOwnership(id *GrantOwnershipId) (*sdk.ShowG
 return nil, ""
 case OnFutureGrantOwnershipKind:
 data := id.Data.(*BulkOperationGrantData)
- grantedOn = data.ObjectNamePlural.Singular()
+ expectedGrantedOn = data.ObjectNamePlural.Singular()
 opts.Future = sdk.Bool(true)
 switch data.Kind {
@@ -558,7 +563,7 @@ func prepareShowGrantsRequestForGrantOwnership(id *GrantOwnershipId) (*sdk.ShowG
 }
 }
- return opts, grantedOn
+ return opts, expectedGrantedOn
 }
 func createGrantOwnershipIdFromSchema(d *schema.ResourceData) (*GrantOwnershipId, error) {
diff --git a/pkg/resources/grant_ownership_acceptance_test.go b/pkg/resources/grant_ownership_acceptance_test.go
index fcaa054d58..d4f1a482d7 100644
--- a/pkg/resources/grant_ownership_acceptance_test.go
+++ b/pkg/resources/grant_ownership_acceptance_test.go
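Review bot: The inner `switch data.ObjectType` added in prepareShowGrantsRequestForGrantOwnership translates `sdk.ObjectTypeDatabaseRole` to `sdk.ObjectTypeRole` without a comment, so the next reader cannot tell whether the mismatch between the requested and the expected type is deliberate. The acceptance test in this patch expects `sdk.ObjectTypeRole` for the same object, which suggests SHOW GRANTS labels database roles as ROLE; I would record that above the switch, e.g. `// SHOW GRANTS reports ownership on a database role with granted_on = ROLE, not DATABASE ROLE`. Every other type still goes through `default`, and ReadGrantOwnership skips rows whose type does not equal the expected one, so a type with a similar label mismatch would presumably never match on read; a sentence noting that new special cases belong here would help. The function continues past the end of this hunk.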
@@ -1076,6 +1076,51 @@ func TestAcc_GrantOwnership_OnAllTasks(t *testing.T) {
 })
 }
+func TestAcc_GrantOwnership_OnDatabaseRole(t *testing.T) {
+ databaseName := strings.ToUpper(acctest.RandStringFromCharSet(10, acctest.CharSetAlpha))
+
+ databaseRoleName := strings.ToUpper(acctest.RandStringFromCharSet(10, acctest.CharSetAlpha))
+ databaseRoleFullyQualifiedName := sdk.NewDatabaseObjectIdentifier(databaseName, databaseRoleName).FullyQualifiedName()
+
+ accountRoleName := strings.ToUpper(acctest.RandStringFromCharSet(10, acctest.CharSetAlpha))
+ accountRoleFullyQualifiedName := sdk.NewAccountObjectIdentifier(accountRoleName).FullyQualifiedName()
+
+ configVariables := config.Variables{
+ "account_role_name": config.StringVariable(accountRoleName),
+ "database_name": config.StringVariable(databaseName),
+ "database_role_name": config.StringVariable(databaseRoleName),
+ }
+ resourceName := "snowflake_grant_ownership.test"
+
+ resource.Test(t, resource.TestCase{
+ ProtoV6ProviderFactories: acc.TestAccProtoV6ProviderFactories,
+ PreCheck: func() { acc.TestAccPreCheck(t) },
+ TerraformVersionChecks: []tfversion.TerraformVersionCheck{
+ tfversion.RequireAbove(tfversion.Version1_5_0),
+ },
+ Steps: []resource.TestStep{
+ {
+ ConfigDirectory: acc.ConfigurationDirectory("TestAcc_GrantOwnership/OnObject_DatabaseRole_ToAccountRole"),
+ ConfigVariables: configVariables,
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr(resourceName, "account_role_name", accountRoleName),
+ resource.TestCheckResourceAttr(resourceName, "on.0.object_type", "DATABASE ROLE"),
+ resource.TestCheckResourceAttr(resourceName, "on.0.object_name", databaseRoleFullyQualifiedName),
+ resource.TestCheckResourceAttr(resourceName, "id", fmt.Sprintf("ToAccountRole|%s||OnObject|DATABASE ROLE|%s", accountRoleFullyQualifiedName, databaseRoleFullyQualifiedName)),
+ checkResourceOwnershipIsGranted(&sdk.ShowGrantOptions{
+ On: &sdk.ShowGrantsOn{
+ Object: &sdk.Object{
+ ObjectType: sdk.ObjectTypeDatabaseRole,
+ Name: sdk.NewDatabaseObjectIdentifierFromFullyQualifiedName(databaseRoleFullyQualifiedName),
+ },
+ },
+ }, sdk.ObjectTypeRole, accountRoleName, fmt.Sprintf("%s.%s", databaseName, databaseRoleName)),
+ ),
+ },
+ },
+ })
+}
+
 func createDatabaseWithRoleAsOwner(t *testing.T, roleName string, databaseName string) func() {
 t.Helper()
 client, err := sdk.NewDefaultClient()
diff --git a/pkg/resources/testdata/TestAcc_GrantOwnership/OnObject_DatabaseRole_ToAccountRole/test.tf b/pkg/resources/testdata/TestAcc_GrantOwnership/OnObject_DatabaseRole_ToAccountRole/test.tf
new file mode 100644
index 0000000000..c9e860f881
--- /dev/null
+++ b/pkg/resources/testdata/TestAcc_GrantOwnership/OnObject_DatabaseRole_ToAccountRole/test.tf
@@ -0,0 +1,20 @@
+resource "snowflake_role" "test" {
+ name = var.account_role_name
+}
+
+resource "snowflake_database" "test" {
+ name = var.database_name
+}
+
+resource "snowflake_database_role" "test" {
+ name = var.database_role_name
+ database = snowflake_database.test.name
+}
+
+resource "snowflake_grant_ownership" "test" {
+ account_role_name = snowflake_role.test.name
+ on {
+ object_type = "DATABASE ROLE"
+ object_name = "\"${snowflake_database_role.test.database}\".\"${snowflake_database_role.test.name}\""
+ }
+}
diff --git a/pkg/resources/testdata/TestAcc_GrantOwnership/OnObject_DatabaseRole_ToAccountRole/variables.tf b/pkg/resources/testdata/TestAcc_GrantOwnership/OnObject_DatabaseRole_ToAccountRole/variables.tf
new file mode 100644
index 0000000000..16b3c8ca23
--- /dev/null
+++ b/pkg/resources/testdata/TestAcc_GrantOwnership/OnObject_DatabaseRole_ToAccountRole/variables.tf
@@ -0,0 +1,11 @@
+variable "account_role_name" {
+ type = string
+}
+
+variable "database_name" {
+ type = string
+}
+
+variable "database_role_name" {
+ type = string
+}
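Review bot: The `resource.TestCase` in TestAcc_GrantOwnership_OnDatabaseRole sets no `CheckDestroy`, so nothing asserts what happens to the ownership of the database role once the configuration is destroyed. Whether the sibling tests in this file set one is not visible from this hunk; if they do, this case should follow them. The expected object name is also written in two forms, quoted via `FullyQualifiedName()` for the resource attributes and unquoted via `fmt.Sprintf("%s.%s", databaseName, databaseRoleName)` for `checkResourceOwnershipIsGranted`. If the reason is that SHOW GRANTS returns the name unquoted, a short comment such as `// SHOW GRANTS returns the object name without quotes` on that argument would say so.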