feat: Added Missing Grant Updates + Removed ForceNew

pkg/resources/database_grant.go

@@ -3,8 +3,8 @@ package resources
 import (
 	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/snowflake"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
-	"github.com/pkg/errors"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+	"github.com/pkg/errors"
 )
 
 var validDatabasePrivileges = NewPrivilegeSet(
@@ -36,7 +36,6 @@ var databaseGrantSchema = map[string]*schema.Schema{
 		Type:        schema.TypeSet,
 		Elem:        &schema.Schema{Type: schema.TypeString},
 		Optional:    true,
-		ForceNew:    true,
 		Description: "Grants privilege to these roles.",
 	},
 	"shares": {

pkg/resources/external_table_grant.go

@@ -45,14 +45,12 @@ var externalTableGrantSchema = map[string]*schema.Schema{
 		Elem:        &schema.Schema{Type: schema.TypeString},
 		Optional:    true,
 		Description: "Grants privilege to these roles.",
-		ForceNew:    true,
 	},
 	"shares": {
 		Type:        schema.TypeSet,
 		Elem:        &schema.Schema{Type: schema.TypeString},
 		Optional:    true,
 		Description: "Grants privilege to these shares (only valid if on_future is false).",
-		ForceNew:    true,
 	},
 	"on_future": {
 		Type:        schema.TypeBool,
@@ -84,6 +82,7 @@ func ExternalTableGrant() *TerraformGrantResource {
 			Create: CreateExternalTableGrant,
 			Read:   ReadExternalTableGrant,
 			Delete: DeleteExternalTableGrant,
+			Update: UpdateExternalTableGrant,
 
 			Schema: externalTableGrantSchema,
 			Importer: &schema.ResourceImporter{
@@ -216,3 +215,56 @@ func DeleteExternalTableGrant(d *schema.ResourceData, meta interface{}) error {
 	}
 	return deleteGenericGrant(d, meta, builder)
 }
+
+// UpdateExternalTableGrant implements schema.UpdateFunc
+func UpdateExternalTableGrant(d *schema.ResourceData, meta interface{}) error {
+	// for now the only thing we can update are roles or shares
+	// if nothing changed, nothing to update and we're done
+	if !d.HasChanges("roles", "shares") {
+		return nil
+	}
+
+	rolesToAdd := []string{}
+	rolesToRevoke := []string{}
+	sharesToAdd := []string{}
+	sharesToRevoke := []string{}
+	if d.HasChange("roles") {
+		rolesToAdd, rolesToRevoke = changeDiff(d, "roles")
+	}
+	if d.HasChange("shares") {
+		sharesToAdd, sharesToRevoke = changeDiff(d, "shares")
+	}
+	grantID, err := grantIDFromString(d.Id())
+	if err != nil {
+		return err
+	}
+
+	dbName := grantID.ResourceName
+	schemaName := grantID.SchemaName
+	externalTableName := grantID.ObjectName
+	futureExternalTables := (externalTableName == "")
+
+	// create the builder
+	var builder snowflake.GrantBuilder
+	if futureExternalTables {
+		builder = snowflake.FutureExternalTableGrant(dbName, schemaName)
+	} else {
+		builder = snowflake.ExternalTableGrant(dbName, schemaName, externalTableName)
+	}
+
+	// first revoke
+	err = deleteGenericGrantRolesAndShares(
+		meta, builder, grantID.Privilege, rolesToRevoke, sharesToRevoke)
+	if err != nil {
+		return err
+	}
+	// then add
+	err = createGenericGrantRolesAndShares(
+		meta, builder, grantID.Privilege, grantID.GrantOption, rolesToAdd, sharesToAdd)
+	if err != nil {
+		return err
+	}
+
+	// Done, refresh state
+	return ReadExternalTableGrant(d, meta)
+}

pkg/resources/file_format_grant.go

@@ -44,7 +44,6 @@ var fileFormatGrantSchema = map[string]*schema.Schema{
 		Elem:        &schema.Schema{Type: schema.TypeString},
 		Optional:    true,
 		Description: "Grants privilege to these roles.",
-		ForceNew:    true,
 	},
 	"on_future": {
 		Type:        schema.TypeBool,
@@ -76,6 +75,7 @@ func FileFormatGrant() *TerraformGrantResource {
 			Create: CreateFileFormatGrant,
 			Read:   ReadFileFormatGrant,
 			Delete: DeleteFileFormatGrant,
+			Update: UpdateFileFormat,
 
 			Schema: fileFormatGrantSchema,
 			Importer: &schema.ResourceImporter{
@@ -205,3 +205,53 @@ func DeleteFileFormatGrant(d *schema.ResourceData, meta interface{}) error {
 	}
 	return deleteGenericGrant(d, meta, builder)
 }
+
+// UpdateFileFormatGrant implements schema.UpdateFunc
+func UpdateFileFormatGrant(d *schema.ResourceData, meta interface{}) error {
+	// for now the only thing we can update are roles or shares
+	// if nothing changed, nothing to update and we're done
+	if !d.HasChanges("roles") {
+		return nil
+	}
+
+	rolesToAdd := []string{}
+	rolesToRevoke := []string{}
+
+	if d.HasChange("roles") {
+		rolesToAdd, rolesToRevoke = changeDiff(d, "roles")
+	}
+
+	grantID, err := grantIDFromString(d.Id())
+	if err != nil {
+		return err
+	}
+
+	dbName := grantID.ResourceName
+	schemaName := grantID.SchemaName
+	fileFormatName := grantID.ObjectName
+	futureFileFormats := (fileFormatName == "")
+
+	// create the builder
+	var builder snowflake.GrantBuilder
+	if futureFileFormats {
+		builder = snowflake.FutureFileFormatGrant(dbName, schemaName)
+	} else {
+		builder = snowflake.FileFormatGrant(dbName, schemaName, fileFormatName)
+	}
+
+	// first revoke
+	err = deleteGenericGrantRolesAndShares(
+		meta, builder, grantID.Privilege, rolesToRevoke, []string{})
+	if err != nil {
+		return err
+	}
+	// then add
+	err = createGenericGrantRolesAndShares(
+		meta, builder, grantID.Privilege, grantID.GrantOption, rolesToAdd, []string{})
+	if err != nil {
+		return err
+	}
+
+	// Done, refresh state
+	return ReadFileFormatGrant(d, meta)
+}

pkg/resources/function_grant.go

@@ -72,14 +72,12 @@ var functionGrantSchema = map[string]*schema.Schema{
 		Elem:        &schema.Schema{Type: schema.TypeString},
 		Optional:    true,
 		Description: "Grants privilege to these roles.",
-		ForceNew:    true,
 	},
 	"shares": {
 		Type:        schema.TypeSet,
 		Elem:        &schema.Schema{Type: schema.TypeString},
 		Optional:    true,
 		Description: "Grants privilege to these shares (only valid if on_future is false).",
-		ForceNew:    true,
 	},
 	"on_future": {
 		Type:        schema.TypeBool,
@@ -111,6 +109,7 @@ func FunctionGrant() *TerraformGrantResource {
 			Create: CreateFunctionGrant,
 			Read:   ReadFunctionGrant,
 			Delete: DeleteFunctionGrant,
+			Update: UpdateFunctionGrant,
 
 			Schema: functionGrantSchema,
 			Importer: &schema.ResourceImporter{
@@ -286,3 +285,62 @@ func DeleteFunctionGrant(d *schema.ResourceData, meta interface{}) error {
 	}
 	return deleteGenericGrant(d, meta, builder)
 }
+
+// UpdateFunctionGrant implements schema.UpdateFunc
+func UpdateFunctionGrant(d *schema.ResourceData, meta interface{}) error {
+	// for now the only thing we can update are roles or shares
+	// if nothing changed, nothing to update and we're done
+	if !d.HasChanges("roles", "shares") {
+		return nil
+	}
+
+	rolesToAdd := []string{}
+	rolesToRevoke := []string{}
+	sharesToAdd := []string{}
+	sharesToRevoke := []string{}
+	if d.HasChange("roles") {
+		rolesToAdd, rolesToRevoke = changeDiff(d, "roles")
+	}
+	if d.HasChange("shares") {
+		sharesToAdd, sharesToRevoke = changeDiff(d, "shares")
+	}
+	grantID, err := grantIDFromString(d.Id())
+	if err != nil {
+		return err
+	}
+
+	dbName := grantID.ResourceName
+	schemaName := grantID.SchemaName
+	functionName := grantID.ObjectName
+	futureFunctions := (functionName == "")
+
+	// create the builder
+	var builder snowflake.GrantBuilder
+	if futureFunctions {
+		builder = snowflake.FutureFunctionGrant(dbName, schemaName)
+	} else {
+		functionSignatureMap, err := parseCallableObjectName(grantID.ObjectName)
+		if err != nil {
+			return err
+		}
+		functionName := functionSignatureMap["callableName"].(string)
+		argumentTypes := functionSignatureMap["argumentTypes"].([]string)
+		builder = snowflake.FunctionGrant(dbName, schemaName, functionName, argumentTypes)
+	}
+
+	// first revoke
+	err = deleteGenericGrantRolesAndShares(
+		meta, builder, grantID.Privilege, rolesToRevoke, sharesToRevoke)
+	if err != nil {
+		return err
+	}
+	// then add
+	err = createGenericGrantRolesAndShares(
+		meta, builder, grantID.Privilege, grantID.GrantOption, rolesToAdd, sharesToAdd)
+	if err != nil {
+		return err
+	}
+
+	// Done, refresh state
+	return ReadFunctionGrant(d, meta)
+}

pkg/resources/integration_grant.go

@@ -30,7 +30,6 @@ var integrationGrantSchema = map[string]*schema.Schema{
 		Elem:        &schema.Schema{Type: schema.TypeString},
 		Optional:    true,
 		Description: "Grants privilege to these roles.",
-		ForceNew:    true,
 	},
 	"with_grant_option": {
 		Type:        schema.TypeBool,
@@ -55,6 +54,7 @@ func IntegrationGrant() *TerraformGrantResource {
 			Create: CreateIntegrationGrant,
 			Read:   ReadIntegrationGrant,
 			Delete: DeleteIntegrationGrant,
+			Update: UpdateIntegrationGrant,
 
 			Schema: integrationGrantSchema,
 			Importer: &schema.ResourceImporter{
@@ -133,3 +133,45 @@ func DeleteIntegrationGrant(d *schema.ResourceData, meta interface{}) error {
 
 	return deleteGenericGrant(d, meta, builder)
 }
+
+// UpdateIntegrationGrant implements schema.UpdateFunc
+func UpdateIntegrationGrant(d *schema.ResourceData, meta interface{}) error {
+	// for now the only thing we can update are roles or shares
+	// if nothing changed, nothing to update and we're done
+	if !d.HasChanges("roles") {
+		return nil
+	}
+
+	rolesToAdd := []string{}
+	rolesToRevoke := []string{}
+
+	if d.HasChange("roles") {
+		rolesToAdd, rolesToRevoke = changeDiff(d, "roles")
+	}
+
+	grantID, err := grantIDFromString(d.Id())
+	if err != nil {
+		return err
+	}
+
+	w := grantID.ResourceName
+
+	// create the builder
+	builder := snowflake.IntegrationGrant(w)
+
+	// first revoke
+	err = deleteGenericGrantRolesAndShares(
+		meta, builder, grantID.Privilege, rolesToRevoke, []string{})
+	if err != nil {
+		return err
+	}
+	// then add
+	err = createGenericGrantRolesAndShares(
+		meta, builder, grantID.Privilege, grantID.GrantOption, rolesToAdd, []string{})
+	if err != nil {
+		return err
+	}
+
+	// Done, refresh state
+	return ReadIntegrationGrant(d, meta)
+}

pkg/resources/masking_policy_grant.go

@@ -37,7 +37,6 @@ var maskingPolicyGrantSchema = map[string]*schema.Schema{
 		Elem:        &schema.Schema{Type: schema.TypeString},
 		Optional:    true,
 		Description: "Grants privilege to these roles.",
-		ForceNew:    true,
 	},
 	"schema_name": {
 		Type:        schema.TypeString,
@@ -68,6 +67,7 @@ func MaskingPolicyGrant() *TerraformGrantResource {
 			Create: CreateMaskingPolicyGrant,
 			Read:   ReadMaskingPolicyGrant,
 			Delete: DeleteMaskingPolicyGrant,
+			Update: UpdateMaskingPolicyGrant,
 
 			Schema: maskingPolicyGrantSchema,
 			Importer: &schema.ResourceImporter{
@@ -165,3 +165,47 @@ func DeleteMaskingPolicyGrant(d *schema.ResourceData, meta interface{}) error {
 
 	return deleteGenericGrant(d, meta, builder)
 }
+
+// UpdateMaskingPolicyGrant implements schema.UpdateFunc
+func UpdateMaskingPolicyGrant(d *schema.ResourceData, meta interface{}) error {
+	// for now the only thing we can update are roles or shares
+	// if nothing changed, nothing to update and we're done
+	if !d.HasChanges("roles") {
+		return nil
+	}
+
+	rolesToAdd := []string{}
+	rolesToRevoke := []string{}
+
+	if d.HasChange("roles") {
+		rolesToAdd, rolesToRevoke = changeDiff(d, "roles")
+	}
+
+	grantID, err := grantIDFromString(d.Id())
+	if err != nil {
+		return err
+	}
+
+	dbName := grantID.ResourceName
+	schemaName := grantID.SchemaName
+	maskingPolicyName := grantID.ObjectName
+
+	// create the builder
+	builder := snowflake.MaskingPolicyGrant(dbName, schemaName, maskingPolicyName)
+
+	// first revoke
+	err = deleteGenericGrantRolesAndShares(
+		meta, builder, grantID.Privilege, rolesToRevoke, []string{})
+	if err != nil {
+		return err
+	}
+	// then add
+	err = createGenericGrantRolesAndShares(
+		meta, builder, grantID.Privilege, grantID.GrantOption, rolesToAdd, []string{})
+	if err != nil {
+		return err
+	}
+
+	// Done, refresh state
+	return ReadMaskingPolicyGrant(d, meta)
+}