[Bug]: User network policy attachment gets deleted every apply #3058

Symbianx opened this issue Sep 10, 2024 · 9 comments
Labels
bug Used to mark issues with provider's incorrect behavior

Comments

@Symbianx

Symbianx commented Sep 10, 2024

Terraform CLI Version

1.4.6

Terraform Provider Version

0.95.0

Terraform Configuration

resource "snowflake_user" "user" {
  name                 = upper(var.name)
  password             = random_password.password.result
  must_change_password = false
  display_name         = upper(var.name)

  default_role      = var.default_role
  default_warehouse = var.default_warehouse
  default_namespace = var.default_namespace
}

resource "snowflake_network_policy" "default" {
  name            = "network-policy"
  allowed_ip_list = var.cidr_allow_list
}

resource "snowflake_network_policy_attachment" "default" {
  network_policy_name = snowflake_network_policy.default.name
  users               = [snowflake_user.user.name]
}

Category

category:resource

Object type(s)

No response

Expected Behavior

The network policy attached via the attachment resource gets attached to the user.

Actual Behavior

The user loses the network policy on every 2nd plan/apply.

This is made clear by the plan showing the network_policy being changed even though we don't set it in the resource:

# module.external_analytics_snowflake_user.snowflake_user.user will be updated in-place
~ resource "snowflake_user" "user" {
        id                                            = "REDACTED_USERNAME"
        name                                          = "REDACTED_USERNAME"
      ~ network_policy                                = "REDACTED_NETWORK_POLICY" -> (known after apply)
        # (64 unchanged attributes hidden)
    }

Steps to Reproduce

  1. Use the provided configuration to create just the user
  2. Create the network policy and attachment
  3. It works
  4. Plan again, the user resource will show a change in the network_policy

How much impact is this issue causing?

High

Logs

No response

Additional Information

No response

Would you like to implement a fix?

  • Yeah, I'll take it 😎
@Symbianx Symbianx added the bug Used to mark issues with provider's incorrect behavior label Sep 10, 2024
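A pre-apply guardrail for the drift this report describes, added here as an example (it is not code from the issue or from the provider): it parses the JSON that `terraform show -json tfplan` produces and flags any snowflake_user whose network_policy would be cleared, changed, or left as (known after apply). The sample plan is constructed to mirror the plan excerpt above.

```python
import json
# Constructed sample (terraform show -json form) mirroring the report's plan excerpt.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {
            "address": "module.external_analytics_snowflake_user.snowflake_user.user",
            "type": "snowflake_user",
            "change": {
                "actions": ["update"],
                "before": {"name": "REDACTED_USERNAME",
                           "network_policy": "REDACTED_NETWORK_POLICY"},
                "after": {"name": "REDACTED_USERNAME"},
                "after_unknown": {"network_policy": True},
            },
        },
        {
            "address": "snowflake_network_policy.default",
            "type": "snowflake_network_policy",
            "change": {"actions": ["no-op"], "before": {}, "after": {}},
        },
    ]
})

def network_policy_regressions(plan_json: str) -> list:
    """Addresses of snowflake_user resources whose network_policy this plan would drop, change, or leave unresolved."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "snowflake_user":
            continue
        change = rc["change"]
        if change.get("actions") in (["no-op"], ["create"]):
            continue  # unchanged, or no policy could have been attached yet
        before = (change.get("before") or {}).get("network_policy")
        after = (change.get("after") or {}).get("network_policy")
        unknown = bool((change.get("after_unknown") or {}).get("network_policy"))
        # A policy that was set but is now empty, different, or "known after apply"
        # is the silent detachment the issue describes; a delete drops it outright.
        if before and (unknown or after != before):
            after_desc = "(known after apply)" if unknown else repr(after)
            findings.append(f"{rc['address']}: {before!r} -> {after_desc}")
    return findings

if __name__ == "__main__":
    drift = network_policy_regressions(SAMPLE_PLAN)
    for line in drift:
        print("network policy drift:", line)
    raise SystemExit(1 if drift else 0)  # non-zero lets CI block the apply
```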
@Symbianx
Author

Symbianx commented Sep 10, 2024

In case it's relevant, this started happening after an upgrade to 0.95.0.

@sfc-gh-asawicki
Collaborator

Hey @Symbianx. Thanks for reaching out to us.

The migration guide to v0.95.0 is missing this, but it will be added soon (maybe even today). Please check #3048 (comment).

This is expected behavior starting with v0.95.0.

@sfc-gh-asawicki
Collaborator

Added here:

#### *(breaking change)* snowflake_network_policy_attachment usage with snowflake_user

@ffmc-mayank

ffmc-mayank commented Nov 18, 2024

@sfc-gh-asawicki How does this work when the user is created with the USERADMIN role and the network policy is created with the SECURITYADMIN role? We aren't using ACCOUNTADMIN for deploying all the resources (in line with Snowflake's suggestion).

@sfc-gh-asawicki
Collaborator

Hey @ffmc-mayank. If you want to have different roles creating different resources through Terraform, currently, you should define provider aliases.

@ffmc-mayank

Hi @sfc-gh-asawicki, thanks for the quick reply. Sorry, I should have been clearer with my question. I am already using aliases for managing different roles, but the common problem I faced in the past, when we used to do user creation manually, is that the USERADMIN role typically doesn't have access to network policies, so specifying one while creating a user used to be a problem. So I always did an ALTER later on using the SECURITYADMIN or ACCOUNTADMIN role. I was not sure if I would run into the same issue if I did something like:

resource "snowflake_user" "non_svc_users" {
  for_each          = local.user_info
  provider          = snowflake.user_admin
  name              = each.key
  display_name      = each.key
  login_name        = "${each.key}@email.domain"
  email             = "${each.key}@email.domain"
  default_role      = each.value["default_role"]
  default_warehouse = snowflake_warehouse.dev_wh.name
  network_policy    = snowflake_network_policy.account_default_policy.name
}

@sfc-gh-asawicki
Collaborator

There are no restrictions documented here: https://docs.snowflake.com/en/sql-reference/sql/create-user#access-control-requirements, so I would assume it should work the way you described. I have not tested this particular setup, though.

@ffmc-mayank

ffmc-mayank commented Nov 19, 2024

@sfc-gh-asawicki I tested, and it's failing as I would expect, with the error Network policy ACCOUNT_DEFAULT_POLICY does not exist or not authorized. It is trying to run ALTER USER "SOME_USER" SET NETWORK_POLICY = "ACCOUNT_DEFAULT_POLICY" with USERADMIN, but the policy itself was created by SECURITYADMIN and, afaik, there's no way to grant "usage" on a network policy to some other role.

This is the reason I was using the snowflake_network_policy_attachment resource, but the caveat is what is mentioned originally in the issue above.

@sfc-gh-asawicki
Collaborator

Hey @ffmc-mayank, thanks for checking it out. The current solution would be to either:

This is not the first issue of that type (example here: #3019). We will address this post-V1.
