[Bug]: Terraform fails to success while creating secure procedure in reader account though procedure gets created in account.

[hnmpatel]

Terraform CLI Version

0.14.11

Terraform Provider Version

0.94.1

Terraform Configuration

resource "snowflake_procedure" "custom_proc" {
  name        = "CUSTOM_PROC"
  database    = snowflake_database.common_shared_db.name
  schema      = "SECURE"
  comment     = "A procedure to process customer views"
  language    = "SQL"
  return_type = "OBJECT"
  secure      = true
  statement   = <<-EOF
    ${file("./procedure/custom_proc.sql")}
  EOF

  arguments {
    name = "ARG1"
    type = "VARCHAR"
  }

  depends_on = [snowflake_schema.secure_schema]
}

Category

category:resource

Object type(s)

resource:procedure

Expected Behavior

It should have created successfully, and plan should have been applied without any error.

Actual Behavior

Failed with error as following

╷
╷
│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to snowflake_procedure.process_customer_views,
│ provider "provider[\"registry.terraform.io/snowflake-labs/snowflake\"]"
│ produced an unexpected new value: Root object was present, but now absent.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵
│ Warning: Describe procedure failed.
│ 
│   with snowflake_procedure.custom_proc,
│   on main.tf line 76, in resource "snowflake_procedure" "custom_proc":
│   76: resource "snowflake_procedure" "custom_proc" {
│ 
│ Describe procedure failed: 001089 (42601): SQL compilation error:
│ Operation is not supported in reader account.

Steps to Reproduce

Use terraform configuration and just hit terraform apply after making plan

How much impact is this issue causing?

High

Logs

No response

Additional Information

No response

Would you like to implement a fix?

• Yeah, I'll take it 😎

[hnmpatel]

Also common_shared_db is not created from share. It's standard database created within reader account only. Procedure gets created but plan execution still fails with the error as given in issue details.

[sfc-gh-jmichalak]

Hi @hnmpatel 👋 It seems like you are not authorized to do a DESCRIBE query on the procedure. Please make sure you have proper grants. For more information, please provide more detailed logs with TF_LOG=DEBUG.

[hnmpatel]

@sfc-gh-jmichalak Is it possible that, role can create procedure but do not have permission to describe? If we have to grant separate grants then could you please give reference?

[sfc-gh-jmichalak]

I see that you're using a separate reader account for reading procedures, right? It seems like show operation is not permitted (docs), so maybe it affects describe operation as well? Please check on your reader account to see if you can run show and describe procedures. If it's not possible, then it's just a Snowflake limitation, and I would advise using a regular account for this resource.

[sfc-gh-asawicki]

@hnmpatel did you have a chance to verify what @sfc-gh-jmichalak suggested?

[hnmpatel]

Yeah the show and describe are not possible in the reader account hence I had to use null resources for that.

[sfc-gh-asawicki]

Okay, thanks! So I understand that because this is a Snowflake limitation, we can close this issue?

[sfc-gh-jmichalak]

Closing the issue due to inactivity.