[Feature]: Is it possible to have an option to disable the limitation on preview features? #3299

Open
1 task
yinxu0619 opened this issue Dec 17, 2024 · 4 comments
Assignees
Labels
category:migration Issues connected with migration to v1.0.0. feature-request Used to mark issues with provider's missing functionalities

yinxu0619 commented Dec 17, 2024

Company Name

Use Cases or Problem Statement

Hi there, hope you’re doing well.

We are using Jsonnet to render the terraform main.tf file. Since upgrading to v1.0.0, the first GA release, we’ve noticed that many behaviors have changed. The preview_features_enabled setting has had the most significant impact on us. Here’s an example:

We define different aliases in the Snowflake provider to execute different tasks with different roles. If we need to use snowflake_account_password_policy_attachment, we should add it to:

{
   "provider": {
      "snowflake": [
         {
            "preview_features_enabled": [
               "snowflake_network_policy_attachment_resource",
               "snowflake_network_rule_resource",
               "snowflake_email_notification_integration_resource",
               "snowflake_password_policy_resource"
            ]
         },
         {
            "alias": "account_admin",
            "role": "ACCOUNTADMIN"
         },
         {
            "alias": "sys_admin",
            "role": "SYSADMIN"
         },
         {
            "alias": "user_admin",
            "role": "USERADMIN"
         },
         {
            "alias": "security_admin",
            "role": "SECURITYADMIN"
         },
         {
            "alias": "tag_admin",
            "role": "TAG_ADMIN"
         },
         {
            "alias": "default",
            "role": "TERRAFORM_ROLE"
         }
      ]
   },
   "resource": {
      "snowflake_account_parameter": {
         "snowflake_account_parameter_ENABLE_UNREDACTED_QUERY_SYNTAX_ERROR": {
            "key": "ENABLE_UNREDACTED_QUERY_SYNTAX_ERROR",
            "provider": "snowflake.account_admin",
            "value": "true"
         },
         "snowflake_account_parameter_TIMEZONE": {
            "key": "TIMEZONE",
            "provider": "snowflake.account_admin",
            "value": "UTC"
         }
      },
      "snowflake_account_password_policy_attachment": {
         "account_password_policy_attachment_account_password_policy": {
            "depends_on": [
               "snowflake_password_policy.password_policy_ACCOUNT_LEVEL_PASSWORD_POLICY"
            ],
            "password_policy": "\"SNOWFLAKE_GOV\".\"PUBLIC\".\"ACCOUNT_LEVEL_PASSWORD_POLICY\""
         }
      },
...

Even with that change, when executing terraform plan, we still encounter the error.

│ Error: snowflake_password_policy_resource is currently a preview feature, and must be enabled by adding snowflake_password_policy_resource to `preview_features_enabled` in Terraform configuration.
│ 
│   with snowflake_password_policy.password_policy_ACCOUNT_LEVEL_PASSWORD_POLICY,
│   on main.tf.json line 555, in resource.snowflake_password_policy.password_policy_ACCOUNT_LEVEL_PASSWORD_POLICY:
│  555:          }
│ 

I realize that we might need to append the snowflake.preview_features_enabled to the corresponding resources individually. However, since we are running different versions of the provider, this could lead to a messy configuration.

Is it possible to add an environment variable that would unlock the preview resources globally?

thanks
xyin

Category

category:other

Object type(s)

No response

Proposal

add an environment variable that would unlock the preview resources globally

How much impact is this issue causing?

Medium

Additional Information

N/A

Would you like to implement a fix?

  • Yeah, I'll take it 😎
@yinxu0619 yinxu0619 added the feature-request Used to mark issues with provider's missing functionalities label Dec 17, 2024
@yinxu0619 yinxu0619 changed the title [Feature]: Can we have an option to disable the limiation of the preview feature [Feature]: Is it possible to have an option to disable the limitation on preview features? Dec 17, 2024
@sfc-gh-jmichalak
Collaborator

Hi @yinxu0619 👋

We were considering it; however, for now, we don't want to allow it. The main reason is that we want to emphasize the fact that certain features are in preview and kind of "enforce" our customers to explicitly agree to their state. Allowing to set all will basically mean that the majority of users will use this option without taking a moment to think about which resources are stable and which are not. We want to avoid it.

However, there's a way to simplify your setup. You can provide a variable block and reference it in the provider block, like this:

variable "preview_features_enabled" {
  type    = list(any)
  default = ["snowflake_function_java_resource", "snowflake_function_javascript_resource", "snowflake_function_sql_resource"]
}

provider "snowflake" {
  # ...
  preview_features_enabled = var.preview_features_enabled
}

This variable can be reused across many providers. However, I'm not sure how it translates to jsonnet.

@sfc-gh-jmichalak sfc-gh-jmichalak self-assigned this Dec 17, 2024
@sfc-gh-asawicki sfc-gh-asawicki added the category:migration Issues connected with migration to v1.0.0. label Dec 18, 2024
@yinxu0619
Author

yinxu0619 commented Dec 23, 2024

Hi @sfc-gh-asawicki thanks for the update!

I think we can ignore the issue of Jsonnet rendering for now. My current main.tf.jsonnet is structured like this, and if I follow the example you provided:

{
   
   "variable": {
      "preview_features_enabled": {
        "type": "list(any)",
        "default": [
        "snowflake_network_policy_attachment_resource", 
        "snowflake_network_rule_resource", 
        "snowflake_email_notification_integration_resource", 
        "snowflake_password_policy_resource"
        ]
      }
    },
    "provider": {
      "snowflake": [
         {
            "preview_features_enabled": "${var.preview_features_enabled}"
         },
         {
            "alias": "account_admin",
            "role": "ACCOUNTADMIN"
         },
         {
            "alias": "sys_admin",
            "role": "SYSADMIN"
         },
         {
            "alias": "user_admin",
            "role": "USERADMIN"
         },
         {
            "alias": "security_admin",
            "role": "SECURITYADMIN"
         },
         {
            "alias": "tag_admin",
            "role": "TAG_ADMIN"
         },
         {
            "alias": "default",
            "role": "TERRAFORM_ROLE"
         }
      ]
   },
   "resource": {
      "snowflake_account_parameter": {
         "snowflake_account_parameter_ENABLE_UNREDACTED_QUERY_SYNTAX_ERROR": {
            "key": "ENABLE_UNREDACTED_QUERY_SYNTAX_ERROR",
            "provider": "snowflake.account_admin",
            "value": "true"
         },
...
      "snowflake_email_notification_integration": {
         "snowflake_email_notification_integration_EMAIL_SRE_NOTIFICATIONS": {
            "allowed_recipients": [
               "xxxx@xxxxxx.xxxx",
               "xxxxx@xxxxxx.xxxx"
            ],
            "comment": "Email integration for SRE",
            "enabled": true,
            "name": "EMAIL_NOTIFICATIONS",
            "provider": "snowflake.account_admin"
         }
      },

During the plan phase, it correctly prints out the changes, but it also raises the following error:

│ Error: snowflake_email_notification_integration_resource is currently a preview feature, and must be enabled by adding snowflake_email_notification_integration_resource to `preview_features_enabled` in Terraform configuration.
│ 
│   with snowflake_email_notification_integration.snowflake_email_notification_integrationEMAIL_SRE_NOTIFICATIONS,
│   on main.tf.json line 102, in resource.snowflake_email_notification_integration.snowflake_email_notification_integrationEMAIL_SRE_NOTIFICATIONS:
│  102:          }

Could you please help identify what might be wrong with my main.tf.json?
I’m currently using version v1.0.1, and since Terraform natively supports the JSON format for main.tf, this approach has been consistently working in previous versions before v1.

@yinxu0619
Author

yinxu0619 commented Dec 23, 2024

I’ve created a new main.tf.json file to focus solely on the snowflake_network_rule_resource resource. Below is the content of the main.tf.json file:

{
   "provider": {
      "snowflake": [
         {
            "preview_features_enabled": [
               "snowflake_network_policy_attachment_resource",
               "snowflake_network_rule_resource"
            ]
         },
         {
            "alias": "account_admin",
            "role": "ACCOUNTADMIN"
         },
         {
            "alias": "sys_admin",
            "role": "SYSADMIN"
         },
         {
            "alias": "user_admin",
            "role": "USERADMIN"
         },
         {
            "alias": "security_admin",
            "role": "SECURITYADMIN"
         },
         {
            "alias": "tag_admin",
            "role": "TAG_ADMIN"
         },
         {
            "alias": "default",
            "role": "TERRAFORM_ROLE"
         }
      ]
   },
   "resource": {
      "snowflake_network_policy": {
         "network_policy_TF_TEST_NET_POLICY": {
            "allowed_network_rule_list": [
               "SNOWFLAKE_GOV.PUBLIC.TF_V1_TEST"
            ],
            "comment": "TF V1 TEST",
            "depends_on": [
               "snowflake_network_rule.network_rule_TF_V1_TEST"
            ],
            "name": "TF_TEST_NET_POLICY",
            "provider": "snowflake.account_admin"
         }
      },
      "snowflake_network_policy_attachment": {
         "network_policy_attachment_TF_TEST_NET_POLICY_ATTACHMENT": {
            "network_policy_name": "TF_TEST_NET_POLICY",
            "provider": "snowflake.account_admin",
            "set_for_account": false,
            "users": [
               "NETWORK_POLICY_USER_1"
            ]
         }
      },
      "snowflake_network_rule": {
         "network_rule_TF_V1_TEST": {
            "comment": "This is test allow lists",
            "database": "SNOWFLAKE_GOV",
            "mode": "INGRESS",
            "name": "TF_V1_TEST",
            "provider": "snowflake.account_admin",
            "schema": "PUBLIC",
            "type": "IPV4",
            "value_list": [
               "18.138.0.0"
            ]
         }
      }
   },
   "terraform": {
      "backend": {
         "s3": {
            "bucket": "snfl_state",
            "key": "DEV/terraforms.tfstate",
            "region": "us-east-1"
         }
      },
      "required_providers": {
         "aws": {
            "source": "hashicorp/aws",
            "version": "~> 5.60.0"
         },
         "snowflake": {
            "configuration_aliases": [
               "snowflake.sys_admin",
               "snowflake.user_admin",
               "snowflake.account_admin",
               "snowflake.security_admin",
               "snowflake.tag_admin",
               "snowflake.default"
            ],
            "source": "Snowflake-Labs/snowflake",
            "version": "1.0.1"
         }
      }
   }
}

The output of terraform apply is below:


 $ terraform apply -auto-approve  

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # snowflake_network_policy.network_policy_TF_TEST_NET_POLICY will be created
  + resource "snowflake_network_policy" "network_policy_TF_TEST_NET_POLICY" {
      + allowed_network_rule_list = [
          + "SNOWFLAKE_GOV.PUBLIC.TF_V1_TEST",
        ]
      + comment                   = "TF V1 TEST"
      + describe_output           = (known after apply)
      + fully_qualified_name      = (known after apply)
      + id                        = (known after apply)
      + name                      = "TF_TEST_NET_POLICY"
      + show_output               = (known after apply)
    }

  # snowflake_network_policy_attachment.network_policy_attachment_TF_TEST_NET_POLICY_ATTACHMENT will be created
  + resource "snowflake_network_policy_attachment" "network_policy_attachment_TF_TEST_NET_POLICY_ATTACHMENT" {
      + id                  = (known after apply)
      + network_policy_name = "TF_TEST_NET_POLICY"
      + set_for_account     = false
      + users               = [
          + "NETWORK_POLICY_USER_1",
        ]
    }

  # snowflake_network_rule.network_rule_TF_V1_TEST will be created
  + resource "snowflake_network_rule" "network_rule_TF_V1_TEST" {
      + comment              = "This is test allow lists"
      + database             = "SNOWFLAKE_GOV"
      + fully_qualified_name = (known after apply)
      + id                   = (known after apply)
      + mode                 = "INGRESS"
      + name                 = "TF_V1_TEST"
      + schema               = "PUBLIC"
      + type                 = "IPV4"
      + value_list           = [
          + "18.138.0.0",
        ]
    }

Plan: 3 to add, 0 to change, 0 to destroy.
snowflake_network_policy_attachment.network_policy_attachment_TF_TEST_NET_POLICY_ATTACHMENT: Creating...
snowflake_network_rule.network_rule_TF_V1_TEST: Creating...
╷
│ Error: snowflake_network_policy_attachment_resource is currently a preview feature, and must be enabled by adding snowflake_network_policy_attachment_resource to `preview_features_enabled` in Terraform configuration.
│ 
│   with snowflake_network_policy_attachment.network_policy_attachment_TF_TEST_NET_POLICY_ATTACHMENT,
│   on main.tf.json line 60, in resource.snowflake_network_policy_attachment.network_policy_attachment_TF_TEST_NET_POLICY_ATTACHMENT:
│   60:          }
│ 
╵
╷
│ Error: snowflake_network_rule_resource is currently a preview feature, and must be enabled by adding snowflake_network_rule_resource to `preview_features_enabled` in Terraform configuration.
│ 
│   with snowflake_network_rule.network_rule_TF_V1_TEST,
│   on main.tf.json line 74, in resource.snowflake_network_rule.network_rule_TF_V1_TEST:
│   74:          }
│

@sfc-gh-asawicki
Collaborator

Hey @yinxu0619. You have to set enabled preview features for each provider alias separately. You can use what @sfc-gh-jmichalak suggested in this #3299 (comment) if you are interested in setting the same values for each alias.
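
Added example (not from the thread or the provider project): a pre-plan check over a rendered main.tf.json that reports every resource bound to a provider alias whose block lacks the matching `preview_features_enabled` entry, which is the per-alias behavior described in the reply above. It assumes the `<resource_type>_resource` feature naming seen in the thread's error messages and treats a feature as preview only if some provider block lists it; the function names and the sample config are constructed.

```python
import re

VAR_REF = re.compile(r"^\$\{var\.(\w+)\}$")

def enabled_by_alias(cfg, provider="snowflake"):
    """Map each provider alias (None = default block) to its enabled preview features."""
    blocks = cfg.get("provider", {}).get(provider, [])
    if isinstance(blocks, dict):  # a lone provider block may be a bare object
        blocks = [blocks]
    out = {}
    for block in blocks:
        feats = block.get("preview_features_enabled", [])
        if isinstance(feats, str):  # "${var.NAME}" -> that variable's default
            m = VAR_REF.match(feats)
            feats = cfg.get("variable", {}).get(m.group(1), {}).get("default", []) if m else []
        out[block.get("alias")] = set(feats)
    return out

def missing_preview_features(cfg, provider="snowflake"):
    """Return (resource address, alias, feature) where the bound alias lacks the feature."""
    enabled = enabled_by_alias(cfg, provider)
    known = set().union(*enabled.values())  # features enabled on at least one alias
    problems = []
    for rtype, instances in cfg.get("resource", {}).items():
        feature = rtype + "_resource"  # assumed naming, taken from the thread's errors
        if feature not in known:
            continue
        for name, body in instances.items():
            ref = body.get("provider", provider)
            alias = ref.split(".", 1)[1] if "." in ref else None
            if feature not in enabled.get(alias, set()):
                problems.append((f"{rtype}.{name}", alias, feature))
    return sorted(problems, key=lambda p: p[0])

# Constructed sample mirroring the thread: only the default block and sys_admin opt in.
SAMPLE = {
    "variable": {"preview_features_enabled": {"default": ["snowflake_network_rule_resource"]}},
    "provider": {"snowflake": [
        {"preview_features_enabled": "${var.preview_features_enabled}"},
        {"alias": "account_admin", "role": "ACCOUNTADMIN"},
        {"alias": "sys_admin", "role": "SYSADMIN",
         "preview_features_enabled": ["snowflake_network_rule_resource"]},
    ]},
    "resource": {"snowflake_network_rule": {
        "rule_a": {"provider": "snowflake.account_admin"},
        "rule_b": {"provider": "snowflake.sys_admin"},
        "rule_c": {},
    }},
}
```

Calling `missing_preview_features` on the parsed main.tf.json before `terraform plan` flags `rule_a` in the sample, because `account_admin` carries no `preview_features_enabled` of its own.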
