snowflake_grant_ownership fails to operate on database roles #2700

Closed
sgrzemski opened this issue Apr 11, 2024 · 5 comments
Labels: bug, category:grants, resource:grant_ownership

Comments

@sgrzemski

Terraform CLI and Provider Versions

terraform cli:

Terraform v1.6.0
on darwin_arm64

provider versions: 0.88.0

Terraform Configuration

resource "snowflake_grant_ownership" "ownership" {
  provider = snowflake.SYSADMIN_ER

  for_each = { for key, role in snowflake_database_role.this : key => role }

  account_role_name   = data.snowflake_current_role.USERADMIN_ER.name
  outbound_privileges = "COPY"

  on {
    object_type = "DATABASE ROLE"
    object_name = "\"${each.value.database}\".\"${each.value.name}\""
  }
}

Expected Behavior

Ownership of a database role is properly changed.

Actual Behavior

The ownership of a database role is in fact changed, but then the provider fails to verify the ownership:

module.existing_raw_schemas["REDACTED"].snowflake_grant_ownership.read_ownership: Creating...
╷
│ Warning: Applied changes may be incomplete
│ 
│ The plan was created with the -target option in effect, so some changes requested in the configuration may have been ignored and the output values may not be fully
│ updated. Run the following command to verify that no other changes are pending:
│     terraform plan
│       
│ Note that the -target option is not suitable for routine use, and is provided only for exceptional situations such as recovering from errors or mistakes, or when
│ Terraform specifically suggests to use it as part of an error message.
╵
╷
│ Warning: Couldn't find OWNERSHIP privilege on the target object. Marking the resource as removed.

│   with module.existing_raw_schemas["REDACTED"].snowflake_grant_ownership.read_ownership,
│   on .terraform/modules/existing_raw_schemas/readonly_privilege_grants.tf line 1, in resource "snowflake_grant_ownership" "read_ownership":
│    1: resource "snowflake_grant_ownership" "read_ownership" {

│ Id: 


│ Error: Provider produced inconsistent result after apply

│ When applying changes to module.existing_raw_schemas["REDACTED"].snowflake_grant_ownership.read_ownership, provider
│ "provider[\"registry.terraform.io/snowflake-labs/snowflake\"].SYSADMIN_ER" produced an unexpected new value: Root object was present, but now absent.

│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

The issue clearly comes from https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/pkg/resources/grant_ownership.go#L392, which is executed here: https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/pkg/resources/grant_ownership.go#L237. The provider fails to properly read the grants of the database role. The query to retrieve the grants is being formatted properly (show grants on database role...).

Steps to Reproduce

Just run the ownership change on a database role.

How much impact is this issue causing?

High

Logs

No response

Additional Information

I am using two providers, one env-oriented sysadmin, one env-oriented useradmin. I am trying to change the ownership of a database role from sysadmin (who created it) to useradmin. It changes the ownership, but it fails to verify the changes afterwards.
I think the problem is here: https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/pkg/resources/grant_ownership.go#L377, the GranteeName does not have the Name() method, as opposed to AccountRoleName.

@sgrzemski sgrzemski added the bug Used to mark issues with provider's incorrect behavior label Apr 11, 2024
sgrzemski added a commit to sgrzemski/terraform-provider-snowflake that referenced this issue Apr 11, 2024
The Grants.Show returns GrantedOn == "ROLE" (same in Snowflake UI), but this check compares "DATABASE ROLE" to "ROLE" and it fails to create the ownership resource.
sgrzemski added a commit to sgrzemski/terraform-provider-snowflake that referenced this issue Apr 11, 2024
The Grants.Show returns GrantedOn == "ROLE" (same in Snowflake UI), but this check compares "DATABASE ROLE" to "ROLE" and it fails to create the ownership resource.
@sfc-gh-jcieslak
Collaborator

@sgrzemski The fix will be most likely released tomorrow

sfc-gh-jcieslak added a commit that referenced this issue Apr 16, 2024
A fix for #2700. Changed expected granted_on when it's equal to the
database role. Acceptance test added.
@sfc-gh-jcieslak
Collaborator

Hey, we released a new provider version: https://github.com/Snowflake-Labs/terraform-provider-snowflake/releases/tag/v0.89.0. Please bump and confirm that it works.

@sfc-gh-jcieslak sfc-gh-jcieslak added resource:grant_ownership Issue connected to the snowflake_grant_ownership resource category:grants labels May 20, 2024
@sfc-gh-jcieslak
Collaborator

Hey @sgrzemski
Did you have a chance to try the new version with the fix?

@sgrzemski
Author

Sure thing, works like a charm.

@sfc-gh-jcieslak
Collaborator

Great, closing the ticket then.
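
Added example (not part of the issue thread and not the provider's own code): a Go illustration of the ownership read-back described in the commit messages above, where the grants listing reports a database role with granted_on "ROLE" while the resource is configured with "DATABASE ROLE". The Grant type, the function names and the sample rows are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Grant is a hypothetical, trimmed-down row of SHOW GRANTS output.
type Grant struct {
	Privilege, GrantedOn, Name, GranteeName string
}

// expectedGrantedOn maps the object type from the resource's "on" block to the
// granted_on value reported back. Per the issue, a database role is reported
// as "ROLE"; passing other types through unchanged is an assumption here.
func expectedGrantedOn(objectType string) string {
	if strings.EqualFold(objectType, "DATABASE ROLE") {
		return "ROLE"
	}
	return strings.ToUpper(objectType)
}

// findOwner returns the grantee holding OWNERSHIP on the named object, looking
// only at rows whose granted_on equals grantedOn.
func findOwner(grants []Grant, grantedOn, name string) (string, bool) {
	for _, g := range grants {
		if g.Privilege == "OWNERSHIP" && g.GrantedOn == grantedOn && g.Name == name {
			return g.GranteeName, true
		}
	}
	return "", false
}

// Constructed sample rows for a database role, not captured output.
var sampleGrants = []Grant{
	{"USAGE", "ROLE", "DB.READER", "ANALYST"},
	{"OWNERSHIP", "ROLE", "DB.READER", "USERADMIN_ER"},
}

func main() {
	// Verbatim object type: the OWNERSHIP row is missed and the read-back fails.
	fmt.Println(findOwner(sampleGrants, "DATABASE ROLE", "DB.READER"))
	// Normalized type: the new owner is found and can be compared to the target.
	fmt.Println(findOwner(sampleGrants, expectedGrantedOn("DATABASE ROLE"), "DB.READER"))
}
```

When the read-back misses the row, the ownership transfer has already taken effect in Snowflake even though the apply reports an error, so the actual owner should be confirmed from the grants listing rather than from Terraform state.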
