[Bug]: snowflake_grant_privileges_to_account_role revoke of IMPORTED PRIVILEGES fails #2991

Closed
simonepm opened this issue Aug 12, 2024 · 3 comments
simonepm commented Aug 12, 2024

Terraform CLI Version

1.9.3

Terraform Provider Version

0.94.1

Terraform Configuration

resource "snowflake_grant_privileges_to_account_role" "GRANT_IMPORTED_PRIVILEGES_ON_DATABASE_DATABASE_NAME_TO_ROLE_PUBLIC" {
  provider = snowflake.ACCOUNTADMIN
  privileges = ["IMPORTED PRIVILEGES"]
  account_role_name = "PUBLIC"
  on_account_object {
    object_type = "DATABASE"
    object_name = snowflake_shared_database.DATABASE_NAME.name
  }
}
Error: Failed to revoke privileges
snowflake_grant_privileges_to_account_role.GRANT_IMPORTED_PRIVILEGES_ON_DATABASE_DATABASE_NAME_TO_ROLE_PUBLIC,
on main.tf line 41, in resource "snowflake_grant_privileges_to_account_role" "GRANT_IMPORTED_PRIVILEGES_ON_DATABASE_DATABASE_NAME_TO_ROLE_PUBLIC":
resource "snowflake_grant_privileges_to_account_role" "GRANT_IMPORTED_PRIVILEGES_ON_DATABASE_DATABASE_NAME_TO_ROLE_PUBLIC"
Id: "PUBLIC"|false|false|IMPORTED PRIVILEGES|OnAccountObject|DATABASE|"DATABASE_NAME"
Privileges to add: [IMPORTED PRIVILEGES]
Error: 001003 (42000): SQL compilation error:
syntax error line 1 at position 24 unexpected 'IMPORTED'.

Category

category:resource

Object type(s)

resource:grant_privileges_to_account_role

Expected Behavior

Expected to successfully revoke the IMPORTED PRIVILEGES on database.

Actual Behavior

syntax error line 1 at position 24 unexpected 'IMPORTED'.

Steps to Reproduce

Grant and then revoke snowflake_grant_privileges_to_account_role privileges = ["IMPORTED PRIVILEGES"] on an imported database from share to account role PUBLIC.

How much impact is this issue causing?

Medium

Logs

No response

Additional Information

No response

Would you like to implement a fix?

  • Yeah, I'll take it 😎
@simonepm simonepm added the bug Used to mark issues with provider's incorrect behavior label Aug 12, 2024
@sfc-gh-jmichalak
Collaborator

Hi @simonepm 👋, could you provide a Terraform command that fails? Also, please include logs (run Terraform with TF_LOG=DEBUG). I just tested revoking imported privileges and it should work.

@simonepm
Author

@sfc-gh-jmichalak thanks, I am also not able to reproduce it again now! Murphy's law at its best, thanks and sorry!
If it happens again I will provide the log, so the edge case will be clearer!
Thanks,
S.

@simonepm
Author

simonepm commented Aug 12, 2024

@sfc-gh-jmichalak I found new info:

When from_share is in the format 'LOCATOR.SHARE', instead of 'ORG.ACCOUNT.SHARE':

resource "snowflake_shared_database" "DATABASE_NAME" {
  provider = snowflake.ACCOUNTADMIN
  name = "DATABASE_NAME"
  from_share = "<LOCATOR>.<SHARE>"
}

From the second apply on, snowflake_shared_database gets updated every time, as LOCATOR.SHARE is automatically stored in the ORG.ACCOUNT.SHARE format on the first apply.

If there is a snowflake_grant_privileges_to_account_role that accesses object_name from the resource directly, the revoke due to the update of the dependent object breaks:

resource "snowflake_grant_privileges_to_account_role" "GRANT_IMPORTED_PRIVILEGES_ON_DATABASE_DATABASE_NAME_TO_ROLE_PUBLIC" {
  privileges = ["IMPORTED PRIVILEGES"]
  account_role_name = "PUBLIC"
  on_account_object {
    object_type = "DATABASE"
    object_name = snowflake_shared_database.DATABASE_NAME.name
  }
}

Instead, if we put a depends_on, it works:

resource "snowflake_grant_privileges_to_account_role" "GRANT_IMPORTED_PRIVILEGES_ON_DATABASE_DATABASE_NAME_TO_ROLE_PUBLIC" {
  privileges = ["IMPORTED PRIVILEGES"]
  account_role_name = "PUBLIC"
  on_account_object {
    object_type = "DATABASE"
    object_name = "DATABASE_NAME"
  }
  depends_on = [snowflake_shared_database.DATABASE_NAME]
}

I will try to collect some logs and re-open the issue if needed.

@sfc-gh-jmichalak sfc-gh-jmichalak self-assigned this Oct 23, 2024
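
A pre-apply check for the situation described in the last comment, as an added example that is not part of the original thread or the provider's code: it reads plan JSON in the shape produced by `terraform show -json` and reports shared databases whose `from_share` uses the two-part form, plus any IMPORTED PRIVILEGES grant the same plan would change or revoke. The sample plan is constructed, and the function names and the restriction to unquoted identifiers are assumptions of this example.

```python
import json
import re

# Constructed sample shaped like `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "snowflake_shared_database.DATABASE_NAME",
   "type": "snowflake_shared_database",
   "change": {"actions": ["update"],
              "before": {"from_share": "ORG.ACCOUNT.SHARE"},
              "after":  {"from_share": "LOCATOR.SHARE"}}},
  {"address": "snowflake_grant_privileges_to_account_role.GRANT",
   "type": "snowflake_grant_privileges_to_account_role",
   "change": {"actions": ["delete", "create"],
              "before": {"account_role_name": "PUBLIC", "privileges": ["IMPORTED PRIVILEGES"]},
              "after":  {"account_role_name": "PUBLIC", "privileges": ["IMPORTED PRIVILEGES"]}}}
]}
""")

# Assumption: identifiers are unquoted, so a dot always separates name parts.
TWO_PART = re.compile(r"^[^.]+\.[^.]+$")


def locator_style_shares(plan):
    """Addresses of shared databases configured with a two-part from_share."""
    hits = []
    for rc in plan.get("resource_changes", []):
        after = rc["change"].get("after") or {}
        if (rc["type"] == "snowflake_shared_database"
                and TWO_PART.match(after.get("from_share") or "")):
            hits.append(rc["address"])
    return hits


def churned_imported_grants(plan):
    """(address, role, actions) for IMPORTED PRIVILEGES grants the plan touches."""
    hits = []
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        # On create there is no prior state, so fall back to the planned values.
        state = change.get("before") or change.get("after") or {}
        if (rc["type"] == "snowflake_grant_privileges_to_account_role"
                and "IMPORTED PRIVILEGES" in (state.get("privileges") or [])
                and change["actions"] not in (["no-op"], ["read"])):
            hits.append((rc["address"], state.get("account_role_name"), change["actions"]))
    return hits


if __name__ == "__main__":
    print("two-part from_share:", locator_style_shares(SAMPLE_PLAN))
    print("grants that would change:", churned_imported_grants(SAMPLE_PLAN))
```

Run against a real plan, a non-empty result from both functions on an otherwise unchanged configuration points at the format mismatch rather than an intended access change.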