[Bug]: Destroying schema ownership grant fails unless the owning role is assigned to the provider's role #3143

Open
QuintenBruynseraede opened this issue Oct 18, 2024 · 0 comments
Labels
bug Used to mark issues with provider's incorrect behavior

Comments

QuintenBruynseraede commented Oct 18, 2024

Terraform CLI Version

1.3.10

Terraform Provider Version

0.92.0

Terraform Configuration

provider "snowflake" {
  account       = <redacted>
  user          = <redacted>
  role          = "ACCOUNT_ADMIN"   # the role the provider hands ownership back to when a grant_ownership resource is destroyed
  authenticator = "JWT"
  private_key   = <redacted>
}

resource "snowflake_database" "db" {
  name = "TEST_DB"
}

# Intended owner of the schemas in TEST_DB. In this setup it is NOT granted to ACCOUNT_ADMIN.
resource "snowflake_role" "db_owner" {
  name = "DB_OWNER"
}

# Transfers ownership of every schema in TEST_DB to DB_OWNER, keeping existing grants (COPY).
resource "snowflake_grant_ownership" "grant_schema_ownership" {
  account_role_name   = snowflake_role.db_owner.name
  outbound_privileges = "COPY"
  on {
    all {
      object_type_plural = "SCHEMAS"
      in_database        = snowflake_database.db.name
    }
  }
}

# Managed access schema: ownership of objects inside it can only be transferred to the
# schema owner's subordinate roles (see the 003514 error below).
resource "snowflake_schema" "schema" {
  database   = snowflake_database.db.name
  name       = "TEST_SCHEMA"
  is_managed = true
}

# Destroying this resource is what triggers the error: the provider tries to move the
# tables back to ACCOUNT_ADMIN, which is not subordinate to the schema owner DB_OWNER.
resource "snowflake_grant_ownership" "table_ownership" {
  account_role_name   = <some other role>
  outbound_privileges = "COPY"
  on {
    all {
      object_type_plural = "TABLES"
      in_schema          = "TEST_DB.TEST_SCHEMA"
    }
  }
}

Category

category:resource

Object type(s)

No response

Expected Behavior

We should be able to create and destroy these resources without errors.

Actual Behavior

When destroying the table ownership resource, the provider will reassign ownership of the schema's objects (tables, streams, ...) to the ACCOUNT_ADMIN role (which is the role used to init the provider). Because in this setup, the original owner (DB_OWNER) is not granted to the ACCOUNT_ADMIN role, Snowflake rejects this.

╷
│ Error: An error occurred when transferring ownership back to the original role
│
│ Id: ToAccountRole|"DB_OWNER"|COPY|OnAll|TABLES|InSchema|"TEST_DB"."TEST_SCHEMA"
│ Error: 003514 (23001): SQL execution error: Ownership restriction violation in a managed access schema. Grantee need to be a subordinate role of the schema owner.
╵

Steps to Reproduce

  1. Apply the configuration
  2. Destroy the configuration

How much impact is this issue causing?

Low

Logs

No response

Additional Information

In previous versions of the provider, we granted ownership on schema objects (e.g. tables) using snowflake_schema_grant, which had an attribute revert_ownership_to_role_name. That attribute allowed you to specify a role to which ownership would be granted on delete. The new snowflake_grant_ownership resource no longer supports this, but instead always sets ownership to the role passed at provider initialization.

For this use case, the addition of a similar attribute would be a good solution.

Would you like to implement a fix?

  • Yeah, I'll take it 😎
@QuintenBruynseraede QuintenBruynseraede added the bug Used to mark issues with provider's incorrect behavior label Oct 18, 2024
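The ownership transfers behind the apply and destroy described above, written out as plain Snowflake SQL so the failing step can be reproduced and inspected without Terraform. This is an added example, not code from the issue or from the provider. It assumes the role and object names from the configuration in the issue, uses Snowflake's built-in ACCOUNTADMIN in place of the provider's role (called ACCOUNT_ADMIN in the redacted config), and uses a hypothetical TABLE_OWNER role in place of <some other role>; the table T exists only so the TABLES grant has something to act on.

```sql
-- Added example, not the issue author's code or the provider's.
-- Assumptions: ACCOUNTADMIN stands in for the provider's role; TABLE_OWNER is a
-- hypothetical stand-in for <some other role>; T is a throwaway table.
USE ROLE ACCOUNTADMIN;
CREATE DATABASE IF NOT EXISTS TEST_DB;
CREATE ROLE IF NOT EXISTS DB_OWNER;
CREATE ROLE IF NOT EXISTS TABLE_OWNER;

-- snowflake_schema with is_managed = true creates a managed access schema: the
-- schema owner, not the object owner, controls grants on objects inside it.
CREATE SCHEMA IF NOT EXISTS TEST_DB.TEST_SCHEMA WITH MANAGED ACCESS;
CREATE TABLE IF NOT EXISTS TEST_DB.TEST_SCHEMA.T (id NUMBER);

-- snowflake_grant_ownership "grant_schema_ownership" (outbound_privileges = "COPY"):
-- DB_OWNER becomes the schema owner.
GRANT OWNERSHIP ON ALL SCHEMAS IN DATABASE TEST_DB TO ROLE DB_OWNER COPY CURRENT GRANTS;

-- snowflake_grant_ownership "table_ownership". Per the error message, the grantee
-- must be a subordinate of the schema owner, so TABLE_OWNER is granted to DB_OWNER
-- first (assumption about how <some other role> was set up in the issue).
GRANT ROLE TABLE_OWNER TO ROLE DB_OWNER;
GRANT OWNERSHIP ON ALL TABLES IN SCHEMA TEST_DB.TEST_SCHEMA TO ROLE TABLE_OWNER COPY CURRENT GRANTS;

-- What the provider issues when "table_ownership" is destroyed: hand the tables to the
-- role it was initialised with. ACCOUNTADMIN is not subordinate to DB_OWNER, so this
-- is the statement that fails with
--   003514 (23001): Ownership restriction violation in a managed access schema.
GRANT OWNERSHIP ON ALL TABLES IN SCHEMA TEST_DB.TEST_SCHEMA TO ROLE ACCOUNTADMIN COPY CURRENT GRANTS;

-- Workaround named in the issue title: assign the owning role to the provider's role
-- before destroying; the same transfer is then accepted.
GRANT ROLE DB_OWNER TO ROLE ACCOUNTADMIN;
GRANT OWNERSHIP ON ALL TABLES IN SCHEMA TEST_DB.TEST_SCHEMA TO ROLE ACCOUNTADMIN COPY CURRENT GRANTS;
```

Run the statements one at a time in a worksheet: the first transfer to ACCOUNTADMIN is expected to fail, and the point of the example is to see exactly which statement the provider's destroy path corresponds to and which role hierarchy change makes it pass. The alternative the error message itself suggests, transferring to a role that is subordinate to DB_OWNER (or to DB_OWNER itself), is what a revert-ownership attribute on the resource would let the configuration express instead of reaching for the provider's role.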