From 1de9a296e43a2e0262a3a77346d8d5c6d1d9500f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Cie=C5=9Blak?= Date: Wed, 28 Feb 2024 13:01:10 +0100 Subject: [PATCH] fix: grants on external volumes (#2538) Fixes: https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/2533 Terraform couldn't read privileges for External volumes, because Snowflake returns a shorter `VOLUME` name where we expect `EXTERNAL VOLUME` to be returned. The proposed fix relies on replacing `EXTERNAL VOLUME` with `VOLUME` in the prepare read request function so that the Read operation will be untouched and will work for external volumes. ## Test Plan * [x] acceptance tests to show the fix works (didn't pass without the fix) ## Other Wrote to the docs team to add this case to the SHOW GRANTS page. **Update**: added missing privileges (CREATE MODEL needed for https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/2563) --- ...vileges_to_account_role_acceptance_test.go | 71 +++++ .../OnExternalVolume/test.tf | 9 + .../OnExternalVolume/variables.tf | 15 + pkg/sdk/grants.go | 7 + pkg/sdk/privileges.go | 261 +++++++++--------- 5 files changed, 239 insertions(+), 124 deletions(-) create mode 100644 pkg/resources/testdata/TestAcc_GrantPrivilegesToAccountRole/OnExternalVolume/test.tf create mode 100644 pkg/resources/testdata/TestAcc_GrantPrivilegesToAccountRole/OnExternalVolume/variables.tf diff --git a/pkg/resources/grant_privileges_to_account_role_acceptance_test.go b/pkg/resources/grant_privileges_to_account_role_acceptance_test.go index cc7b1a2169..18fd92c309 100644 --- a/pkg/resources/grant_privileges_to_account_role_acceptance_test.go +++ b/pkg/resources/grant_privileges_to_account_role_acceptance_test.go 
@@ -964,6 +964,52 @@ func TestAcc_GrantPrivilegesToAccountRole_MultiplePartsInRoleName(t *testing.T)
 })
 }
 
+// proves https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/2533 is fixed
+func TestAcc_GrantPrivilegesToAccountRole_OnExternalVolume(t *testing.T) {
+ name := strings.ToUpper(acctest.RandStringFromCharSet(10, acctest.CharSetAlpha))
+ roleName := sdk.NewAccountObjectIdentifier(name).FullyQualifiedName()
+ externalVolumeName := strings.ToUpper(acctest.RandStringFromCharSet(10, acctest.CharSetAlpha))
+ configVariables := config.Variables{
+ "name": config.StringVariable(roleName),
+ "external_volume": config.StringVariable(externalVolumeName),
+ "privileges": config.ListVariable(
+ config.StringVariable(string(sdk.AccountObjectPrivilegeUsage)),
+ ),
+ "with_grant_option": config.BoolVariable(true),
+ }
+ resourceName := "snowflake_grant_privileges_to_account_role.test"
+
+ resource.Test(t, resource.TestCase{
+ ProtoV6ProviderFactories: acc.TestAccProtoV6ProviderFactories,
+ PreCheck: func() { acc.TestAccPreCheck(t) },
+ TerraformVersionChecks: []tfversion.TerraformVersionCheck{
+ tfversion.RequireAbove(tfversion.Version1_5_0),
+ },
+ CheckDestroy: testAccCheckAccountRolePrivilegesRevoked(name),
+ Steps: []resource.TestStep{
+ {
+ PreConfig: func() {
+ createAccountRoleOutsideTerraform(t, name)
+ cleanupExternalVolume := createExternalVolume(t, externalVolumeName)
+ t.Cleanup(cleanupExternalVolume)
+ },
+ ConfigDirectory: acc.ConfigurationDirectory("TestAcc_GrantPrivilegesToAccountRole/OnExternalVolume"),
+ ConfigVariables: configVariables,
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr(resourceName, "account_role_name", roleName),
+ resource.TestCheckResourceAttr(resourceName, "privileges.#", "1"),
+ resource.TestCheckResourceAttr(resourceName, "privileges.0", string(sdk.AccountObjectPrivilegeUsage)),
+ resource.TestCheckResourceAttr(resourceName, "with_grant_option", "true"),
+ resource.TestCheckResourceAttr(resourceName, "on_account_object.#", "1"),
+ resource.TestCheckResourceAttr(resourceName, "on_account_object.0.object_type", "EXTERNAL VOLUME"),
+ resource.TestCheckResourceAttr(resourceName, "on_account_object.0.object_name", externalVolumeName),
+ resource.TestCheckResourceAttr(resourceName, "id", fmt.Sprintf("%s|true|false|USAGE|OnAccountObject|EXTERNAL VOLUME|\"%s\"", roleName, externalVolumeName)),
+ ),
+ },
+ },
+ })
+}
+
 func getSecondaryAccountName(t *testing.T) (string, error) {
 t.Helper()
 config, err := sdk.ProfileConfig(testprofiles.Secondary)
@@ -1100,3 +1146,28 @@ func queriedAccountRolePrivilegesContainAtLeast(roleName sdk.AccountObjectIdenti
 })
 }, roleName, privileges...)
 }
+
+func createExternalVolume(t *testing.T, externalVolumeName string) func() {
+ t.Helper()
+
+ client, err := sdk.NewDefaultClient()
+ require.NoError(t, err)
+
+ ctx := context.Background()
+ _, err = client.ExecForTests(ctx, fmt.Sprintf(`create external volume "%s" storage_locations = (
+ (
+ name = 'test'
+ storage_provider = 's3'
+ storage_base_url = 's3://my_example_bucket/'
+ storage_aws_role_arn = 'arn:aws:iam::123456789012:role/myrole'
+ encryption=(type='aws_sse_kms' kms_key_id='1234abcd-12ab-34cd-56ef-1234567890ab')
+ )
+)
+`, externalVolumeName))
+ require.NoError(t, err)
+
+ return func() {
+ _, err = client.ExecForTests(ctx, fmt.Sprintf(`drop external volume "%s"`, externalVolumeName))
+ require.NoError(t, err)
+ }
+}
diff --git a/pkg/resources/testdata/TestAcc_GrantPrivilegesToAccountRole/OnExternalVolume/test.tf b/pkg/resources/testdata/TestAcc_GrantPrivilegesToAccountRole/OnExternalVolume/test.tf
new file mode 100644
index 0000000000..a7ca78c1c5
--- /dev/null
+++ b/pkg/resources/testdata/TestAcc_GrantPrivilegesToAccountRole/OnExternalVolume/test.tf
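Review bot: createExternalVolume builds both the CREATE and the DROP statement with `fmt.Sprintf` and a hand-written `"%s"` around the identifier, so a name containing a double quote would break out of the quoted identifier; the helper is only safe because its single caller generates alpha-only names, and nothing in its signature says so. The test in the same file already derives the role name via `sdk.NewAccountObjectIdentifier(name).FullyQualifiedName()`, so the helper could accept an `sdk.AccountObjectIdentifier` and interpolate `.FullyQualifiedName()` in both statements (assuming that method quotes the name, which the expected id string `EXTERNAL VOLUME|\"%s\"` in the test suggests). The bucket, IAM role ARN and KMS key id are placeholders that the test never exercises, and a one-line comment such as `// placeholder storage location: never accessed, only needed to satisfy CREATE EXTERNAL VOLUME` would stop a reader from treating them as real credentials. The cleanup closure also assigns to the outer `err`, which is harmless here but worth a `:=` so the two statements do not share a variable.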
@@ -0,0 +1,9 @@
+resource "snowflake_grant_privileges_to_account_role" "test" {
+ account_role_name = var.name
+ privileges = var.privileges
+ with_grant_option = var.with_grant_option
+ on_account_object {
+ object_type = "EXTERNAL VOLUME"
+ object_name = var.external_volume
+ }
+}
diff --git a/pkg/resources/testdata/TestAcc_GrantPrivilegesToAccountRole/OnExternalVolume/variables.tf b/pkg/resources/testdata/TestAcc_GrantPrivilegesToAccountRole/OnExternalVolume/variables.tf
new file mode 100644
index 0000000000..2fc4a808a1
--- /dev/null
+++ b/pkg/resources/testdata/TestAcc_GrantPrivilegesToAccountRole/OnExternalVolume/variables.tf
@@ -0,0 +1,15 @@
+variable "name" {
+ type = string
+}
+
+variable "external_volume" {
+ type = string
+}
+
+variable "privileges" {
+ type = list(string)
+}
+
+variable "with_grant_option" {
+ type = bool
+}
diff --git a/pkg/sdk/grants.go b/pkg/sdk/grants.go
index 7ad5ba66a8..32134a84fe 100644
--- a/pkg/sdk/grants.go
+++ b/pkg/sdk/grants.go
@@ -242,11 +242,18 @@ func (row grantRow) convert() *Grant {
 if row.GrantedOn != "" {
 grantedOn = ObjectType(strings.ReplaceAll(row.GrantedOn, "_", " "))
 }
+ if row.GrantedOn == "VOLUME" {
+ grantedOn = ObjectTypeExternalVolume
+ }
+
 var grantOn ObjectType
 // true for future grants
 if row.GrantOn != "" {
 grantOn = ObjectType(strings.ReplaceAll(row.GrantOn, "_", " "))
 }
+ if row.GrantOn == "VOLUME" {
+ grantOn = ObjectTypeExternalVolume
+ }
 
 return &Grant{
 CreatedOn: row.CreatedOn,
diff --git a/pkg/sdk/privileges.go b/pkg/sdk/privileges.go
index 201ff6f110..56b7a98752 100644
--- a/pkg/sdk/privileges.go
+++ b/pkg/sdk/privileges.go
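Review bot: The `"VOLUME"` → `ObjectTypeExternalVolume` override in grantRow.convert is duplicated for GrantedOn and GrantOn and carries no comment, so a reader cannot tell that it compensates for how SHOW GRANTS reports external volumes rather than encoding a Snowflake object type called VOLUME. Because the check is unconditional, any other object type that SHOW GRANTS ever reports as VOLUME would be read back as an external volume; a single helper with a comment citing #2533 keeps the two branches in sync and makes that assumption visible. The stakes are worth stating in that comment: when this conversion misreads the object type the provider does not see the existing grant (the original bug), so drift on privileges goes undetected rather than failing loudly. The commit description says the replacement lives in the prepare-read function, but the diff makes it here in convert(), so the description should be brought in line; convert() itself starts and ends outside this hunk.
```go
// grantObjectType maps the object type reported by SHOW GRANTS to the ObjectType used in GRANT statements.
// SHOW GRANTS reports external volumes as "VOLUME" (see issue #2533); every other type only needs "_" -> " ".
func grantObjectType(reported string) ObjectType {
	if reported == "VOLUME" {
		return ObjectTypeExternalVolume
	}
	return ObjectType(strings.ReplaceAll(reported, "_", " "))
}

// … unchanged: beginning of convert() …
	if row.GrantedOn != "" {
		grantedOn = grantObjectType(row.GrantedOn)
	}
	// … unchanged: grantOn declaration and comment …
	if row.GrantOn != "" {
		grantOn = grantObjectType(row.GrantOn)
	}
```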
@@ -3,11 +3,8 @@ package sdk
 type GlobalPrivilege string
 
 const (
- // CREATE {
- // ACCOUNT | DATA EXCHANGE LISTING | DATABASE | FAILOVER GROUP | INTEGRATION
- // | NETWORK POLICY | REPLICATION GROUP | ROLE | SHARE | USER | WAREHOUSE
- // }
 GlobalPrivilegeCreateAccount GlobalPrivilege = "CREATE ACCOUNT"
+ GlobalPrivilegeCreateComputePool GlobalPrivilege = "CREATE COMPUTE POOL"
 GlobalPrivilegeCreateDataExchangeListing GlobalPrivilege = "CREATE DATA EXCHANGE LISTING"
 GlobalPrivilegeCreateDatabase GlobalPrivilege = "CREATE DATABASE"
 GlobalPrivilegeCreateFailoverGroup GlobalPrivilege = "CREATE FAILOVER GROUP"
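Review bot: The hunk removes the grammar comment that told readers where the GlobalPrivilege strings come from and adds nothing in its place, so `GlobalPrivilegeCreateComputePool` and the rest of the list now have no pointer to the reference they must track byte for byte. A doc comment on the type would carry that contract better than the per-group grammar did, e.g. `// GlobalPrivilege is a privilege grantable ON ACCOUNT. Values are the literal keywords from the Snowflake GRANT <privileges> reference and are sent to Snowflake unchanged.` The const block continues past the end of this hunk.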
@@ -20,40 +17,41 @@ const ( GlobalPrivilegeCreateUser GlobalPrivilege = "CREATE USER" GlobalPrivilegeCreateWarehouse GlobalPrivilege = "CREATE WAREHOUSE" - // | APPLY { { MASKING | PASSWORD | ROW ACCESS | SESSION } POLICY | TAG } - GlobalPrivilegeApplyMaskingPolicy GlobalPrivilege = "APPLY MASKING POLICY" - GlobalPrivilegeApplyPasswordPolicy GlobalPrivilege = "APPLY PASSWORD POLICY" - GlobalPrivilegeApplyRowAccessPolicy GlobalPrivilege = "APPLY ROW ACCESS POLICY" - GlobalPrivilegeApplySessionPolicy GlobalPrivilege = "APPLY SESSION POLICY" - GlobalPrivilegeApplyTag GlobalPrivilege = "APPLY TAG" + GlobalPrivilegeApplyAggregationPolicy GlobalPrivilege = "APPLY AGGREGATION POLICY" + GlobalPrivilegeApplyAuthenticationPolicy GlobalPrivilege = "APPLY AUTHENTICATION POLICY" + GlobalPrivilegeApplyMaskingPolicy GlobalPrivilege = "APPLY MASKING POLICY" + GlobalPrivilegeApplyPackagesPolicy GlobalPrivilege = "APPLY PACKAGES POLICY" + GlobalPrivilegeApplyPasswordPolicy GlobalPrivilege = "APPLY PASSWORD POLICY" + GlobalPrivilegeApplyProjectionPolicy GlobalPrivilege = "APPLY PROJECTION POLICY" + GlobalPrivilegeApplyRowAccessPolicy GlobalPrivilege = "APPLY ROW ACCESS POLICY" + GlobalPrivilegeApplySessionPolicy GlobalPrivilege = "APPLY SESSION POLICY" + GlobalPrivilegeApplyTag GlobalPrivilege = "APPLY TAG" - // | ATTACH POLICY | AUDIT | - GlobalPrivilegeAttachPolicy GlobalPrivilege = "ATTACH POLICY" - GlobalPrivilegeAudit GlobalPrivilege = "AUDIT" + GlobalPrivilegeAttachPolicy GlobalPrivilege = "ATTACH POLICY" + GlobalPrivilegeAudit GlobalPrivilege = "AUDIT" + GlobalPrivilegeBindServiceEndpoint GlobalPrivilege = "BIND SERVICE ENDPOINT" - // | EXECUTE { ALERT | TASK } GlobalPrivilegeExecuteAlert GlobalPrivilege = "EXECUTE ALERT" GlobalPrivilegeExecuteTask GlobalPrivilege = "EXECUTE TASK" - // | IMPORT SHARE + GlobalPrivilegeImportShare GlobalPrivilege = "IMPORT SHARE" - // | MANAGE GRANTS - GlobalPrivilegeManageGrants GlobalPrivilege = "MANAGE GRANTS" - // | MANAGE WAREHOUSES - 
GlobalPrivilegeManageWarehouses GlobalPrivilege = "MANAGE WAREHOUSES" - // | MODIFY { LOG LEVEL | TRACE LEVEL | SESSION LOG LEVEL | SESSION TRACE LEVEL } + GlobalPrivilegeManageGrants GlobalPrivilege = "MANAGE GRANTS" + GlobalPrivilegeManageListingAutoFulfillment GlobalPrivilege = "MANAGE LISTING AUTO FULFILLMENT" + GlobalPrivilegeManageWarehouses GlobalPrivilege = "MANAGE WAREHOUSES" + GlobalPrivilegeModifyLogLevel GlobalPrivilege = "MODIFY LOG LEVEL" GlobalPrivilegeModifyTraceLevel GlobalPrivilege = "MODIFY TRACE LEVEL" GlobalPrivilegeModifySessionLogLevel GlobalPrivilege = "MODIFY SESSION LOG LEVEL" GlobalPrivilegeModifySessionTraceLevel GlobalPrivilege = "MODIFY SESSION TRACE LEVEL" - // | MONITOR { EXECUTION | USAGE } GlobalPrivilegeMonitorExecution GlobalPrivilege = "MONITOR EXECUTION" + GlobalPrivilegeMonitorSecurity GlobalPrivilege = "MONITOR SECURITY" GlobalPrivilegeMonitorUsage GlobalPrivilege = "MONITOR USAGE" - // | OVERRIDE SHARE RESTRICTIONS | RESOLVE ALL - GlobalPrivilegeOverrideShareRestrictions GlobalPrivilege = "OVERRIDE SHARE RESTRICTIONS" - GlobalPrivilegeResolveAll GlobalPrivilege = "RESOLVE ALL" + GlobalPrivilegeOverrideShareRestrictions GlobalPrivilege = "OVERRIDE SHARE RESTRICTIONS" + GlobalPrivilegePurchaseDataExchangeListing GlobalPrivilege = "PURCHASE DATA EXCHANGE LISTING" + GlobalPrivilegeResolveAll GlobalPrivilege = "RESOLVE ALL" ) func (p GlobalPrivilege) String() string { 
@@ -63,8 +61,14 @@ func (p GlobalPrivilege) String() string {
 type AccountObjectPrivilege string
 
 const (
- // -- For DATABASE
- // { CREATE { DATABASE ROLE | SCHEMA } | IMPORTED PRIVILEGES | MODIFY | MONITOR | USAGE } [ , ... ]
+ // For COMPUTE POOL
+ // AccountObjectPrivilegeOperate AccountObjectPrivilege = "OPERATE" (duplicate)
+ // AccountObjectPrivilegeModify AccountObjectPrivilege = "MODIFY" (duplicate)
+ // AccountObjectPrivilegeMonitor AccountObjectPrivilege = "MONITOR" (duplicate)
+ // AccountObjectPrivilegeUsage AccountObjectPrivilege = "USAGE" (duplicate)
+
+ // For DATABASE
+ AccountObjectPrivilegeApplyBudget AccountObjectPrivilege = "APPLYBUDGET"
 AccountObjectPrivilegeCreateDatabaseRole AccountObjectPrivilege = "CREATE DATABASE ROLE"
 AccountObjectPrivilegeCreateSchema AccountObjectPrivilege = "CREATE SCHEMA"
 AccountObjectPrivilegeImportedPrivileges AccountObjectPrivilege = "IMPORTED PRIVILEGES"
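Review bot: `AccountObjectPrivilegeApplyBudget = "APPLYBUDGET"` is the only multi-word privilege in this block spelled without a space, and nothing says that is deliberate, so the next contributor may "correct" it to `APPLY BUDGET` and silently break grants. `SchemaPrivilegeApplyBudget` later in the same file uses the identical spelling, which suggests it matches the Snowflake keyword; a short comment such as `// APPLYBUDGET is a single keyword in Snowflake; do not add a space.` next to the constant would pin that down. The const block continues past the end of this hunk.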
@@ -72,41 +76,36 @@ const ( AccountObjectPrivilegeMonitor AccountObjectPrivilege = "MONITOR" AccountObjectPrivilegeUsage AccountObjectPrivilege = "USAGE" - // -- For EXTERNAL VOLUME - // AccountObjectPrivilegeUsage AccountObjectPrivilege = "USAGE" (duplicate) + // For EXTERNAL VOLUME + // AccountObjectPrivilegeUsage AccountObjectPrivilege = "USAGE" (duplicate) - // -- For FAILOVER GROUP - // { FAILOVER | MODIFY | MONITOR | REPLICATE } [ , ... ] + // For FAILOVER GROUP AccountObjectPrivilegeFailover AccountObjectPrivilege = "FAILOVER" // AccountObjectPrivilegeModify AccountObjectPrivilege = "MODIFY" (duplicate) // AccountObjectPrivilegeMonitor AccountObjectPrivilege = "MONITOR" (duplicate) // AccountObjectPrivilegeReplicate AccountObjectPrivilege = "REPLICATE" (duplicate) - // -- For INTEGRATION - // { USAGE | USE_ANY_ROLE } [ , ... ] + // For INTEGRATION // AccountObjectPrivilegeUsage AccountObjectPrivilege = "USAGE" (duplicate) AccountObjectPrivilegeUseAnyRole AccountObjectPrivilege = "USE_ANY_ROLE" - // -- For REPLICATION GROUP - // { MODIFY | MONITOR | REPLICATE } [ , ... ] + // For REPLICATION GROUP // AccountObjectPrivilegeModify AccountObjectPrivilege = "MODIFY" (duplicate) // AccountObjectPrivilegeMonitor AccountObjectPrivilege = "MONITOR" (duplicate) AccountObjectPrivilegeReplicate AccountObjectPrivilege = "REPLICATE" - //-- For RESOURCE MONITOR - // { MODIFY | MONITOR } [ , ... ] + // For RESOURCE MONITOR // AccountObjectPrivilegeModify AccountObjectPrivilege = "MODIFY" (duplicate) // AccountObjectPrivilegeMonitor AccountObjectPrivilege = "MONITOR" (duplicate) - // -- For USER - // { MONITOR } [ , ... ] + // For USER // AccountObjectPrivilegeModify AccountObjectPrivilege = "MODIFY" (duplicate) - // -- For WAREHOUSE - // { MODIFY | MONITOR | USAGE | OPERATE } [ , ... 
] - // AccountObjectPrivilegeModify AccountObjectPrivilege = "MODIFY" (duplicate) - // AccountObjectPrivilegeMonitor AccountObjectPrivilege = "MONITOR" (duplicate) - // AccountObjectPrivilegeUsage AccountObjectPrivilege = "USAGE" (duplicate) + // For WAREHOUSE + // AccountObjectPrivilegeApplyBudget AccountObjectPrivilege = "APPLYBUDGET" (duplicate) + // AccountObjectPrivilegeModify AccountObjectPrivilege = "MODIFY" (duplicate) + // AccountObjectPrivilegeMonitor AccountObjectPrivilege = "MONITOR" (duplicate) + // AccountObjectPrivilegeUsage AccountObjectPrivilege = "USAGE" (duplicate) AccountObjectPrivilegeOperate AccountObjectPrivilege = "OPERATE" ) 
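Review bot: Under `// For USER` the hunk keeps `// AccountObjectPrivilegeModify AccountObjectPrivilege = "MODIFY" (duplicate)` while deleting the grammar line `// { MONITOR } [ , ... ]` that sat directly above it, so the pre-existing disagreement between the two (MONITOR versus MODIFY for users) becomes invisible instead of resolved. Whichever privilege USER actually accepts should be checked against the GRANT reference and the comment corrected, e.g. `// AccountObjectPrivilegeMonitor AccountObjectPrivilege = "MONITOR" (duplicate)` if MONITOR is the intended one, since these comments are now the only documentation of which privileges apply to which object. The const block starts before this hunk and closes at its final `)`.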
@@ -117,45 +116,45 @@ func (p AccountObjectPrivilege) String() string { type SchemaPrivilege string const ( - /* - ADD SEARCH OPTIMIZATION - | CREATE { - ALERT | EXTERNAL TABLE | FILE FORMAT | FUNCTION - | MATERIALIZED VIEW | PIPE | PROCEDURE - | { MASKING | PASSWORD | ROW ACCESS | SESSION } POLICY - | SECRET | SEQUENCE | STAGE | STREAM - | TAG | TABLE | TASK | VIEW - } - | MODIFY | MONITOR | USAGE - [ , ... ] - */ - SchemaPrivilegeAddSearchOptimization SchemaPrivilege = "ADD SEARCH OPTIMIZATION" - SchemaPrivilegeApplyBudget SchemaPrivilege = "APPLYBUDGET" - SchemaPrivilegeCreateAlert SchemaPrivilege = "CREATE ALERT" - SchemaPrivilegeCreateDynamicTable SchemaPrivilege = "CREATE DYNAMIC TABLE" - SchemaPrivilegeCreateExternalTable SchemaPrivilege = "CREATE EXTERNAL TABLE" - SchemaPrivilegeCreateFileFormat SchemaPrivilege = "CREATE FILE FORMAT" - SchemaPrivilegeCreateFunction SchemaPrivilege = "CREATE FUNCTION" - SchemaPrivilegeCreateIcebergTable SchemaPrivilege = "CREATE ICEBERG TABLE" - SchemaPrivilegeCreateMaterializedView SchemaPrivilege = "CREATE MATERIALIZED VIEW" - SchemaPrivilegeCreatePipe SchemaPrivilege = "CREATE PIPE" - SchemaPrivilegeCreateProcedure SchemaPrivilege = "CREATE PROCEDURE" - SchemaPrivilegeCreateMaskingPolicy SchemaPrivilege = "CREATE MASKING POLICY" - SchemaPrivilegeCreatePasswordPolicy SchemaPrivilege = "CREATE PASSWORD POLICY" - SchemaPrivilegeCreateRowAccessPolicy SchemaPrivilege = "CREATE ROW ACCESS POLICY" - SchemaPrivilegeCreateSessionPolicy SchemaPrivilege = "CREATE SESSION POLICY" - SchemaPrivilegeCreateSecret SchemaPrivilege = "CREATE SECRET" - SchemaPrivilegeCreateSequence SchemaPrivilege = "CREATE SEQUENCE" - SchemaPrivilegeCreateStage SchemaPrivilege = "CREATE STAGE" - SchemaPrivilegeCreateStream SchemaPrivilege = "CREATE STREAM" - SchemaPrivilegeCreateStreamlit SchemaPrivilege = "CREATE STREAMLIT" - SchemaPrivilegeCreateTag SchemaPrivilege = "CREATE TAG" - SchemaPrivilegeCreateTable SchemaPrivilege = "CREATE TABLE" - 
SchemaPrivilegeCreateTask SchemaPrivilege = "CREATE TASK" - SchemaPrivilegeCreateView SchemaPrivilege = "CREATE VIEW" - SchemaPrivilegeModify SchemaPrivilege = "MODIFY" - SchemaPrivilegeMonitor SchemaPrivilege = "MONITOR" - SchemaPrivilegeUsage SchemaPrivilege = "USAGE" + SchemaPrivilegeAddSearchOptimization SchemaPrivilege = "ADD SEARCH OPTIMIZATION" + SchemaPrivilegeApplyBudget SchemaPrivilege = "APPLYBUDGET" + SchemaPrivilegeCreateAlert SchemaPrivilege = "CREATE ALERT" + SchemaPrivilegeCreateDynamicTable SchemaPrivilege = "CREATE DYNAMIC TABLE" + SchemaPrivilegeCreateExternalTable SchemaPrivilege = "CREATE EXTERNAL TABLE" + SchemaPrivilegeCreateFileFormat SchemaPrivilege = "CREATE FILE FORMAT" + SchemaPrivilegeCreateFunction SchemaPrivilege = "CREATE FUNCTION" + SchemaPrivilegeCreateHybridTable SchemaPrivilege = "CREATE HYBRID TABLE" + SchemaPrivilegeCreateImageRepository SchemaPrivilege = "CREATE IMAGE REPOSITORY" + SchemaPrivilegeCreateIcebergTable SchemaPrivilege = "CREATE ICEBERG TABLE" + SchemaPrivilegeCreateMaterializedView SchemaPrivilege = "CREATE MATERIALIZED VIEW" + SchemaPrivilegeCreateModel SchemaPrivilege = "CREATE MODEL" + SchemaPrivilegeCreateNetworkRule SchemaPrivilege = "CREATE NETWORK RULE" + SchemaPrivilegeCreatePipe SchemaPrivilege = "CREATE PIPE" + SchemaPrivilegeCreateProcedure SchemaPrivilege = "CREATE PROCEDURE" + SchemaPrivilegeCreateAggregationPolicy SchemaPrivilege = "CREATE AGGREGATION POLICY" + SchemaPrivilegeCreateAuthenticationPolicy SchemaPrivilege = "CREATE AUTHENTICATION POLICY" + SchemaPrivilegeCreateMaskingPolicy SchemaPrivilege = "CREATE MASKING POLICY" + SchemaPrivilegeCreatePackagesPolicy SchemaPrivilege = "CREATE PACKAGES POLICY" + SchemaPrivilegeCreatePasswordPolicy SchemaPrivilege = "CREATE PASSWORD POLICY" + SchemaPrivilegeCreateProjectionPolicy SchemaPrivilege = "CREATE PROJECTION POLICY" + SchemaPrivilegeCreateRowAccessPolicy SchemaPrivilege = "CREATE ROW ACCESS POLICY" + SchemaPrivilegeCreateSessionPolicy 
SchemaPrivilege = "CREATE SESSION POLICY" + SchemaPrivilegeCreateService SchemaPrivilege = "CREATE SERVICE" + SchemaPrivilegeCreateSecret SchemaPrivilege = "CREATE SECRET" + SchemaPrivilegeCreateSequence SchemaPrivilege = "CREATE SEQUENCE" + SchemaPrivilegeCreateStage SchemaPrivilege = "CREATE STAGE" + SchemaPrivilegeCreateStream SchemaPrivilege = "CREATE STREAM" + SchemaPrivilegeCreateStreamlit SchemaPrivilege = "CREATE STREAMLIT" + SchemaPrivilegeCreateSnowflakeCoreBudget SchemaPrivilege = "CREATE SNOWFLAKE.CORE.BUDGET" + SchemaPrivilegeCreateSnowflakeMlAnomalyDetection SchemaPrivilege = "CREATE SNOWFLAKE.ML.ANOMALY_DETECTION" + SchemaPrivilegeCreateSnowflakeMlForecast SchemaPrivilege = "CREATE SNOWFLAKE.ML.FORECAST" + SchemaPrivilegeCreateTag SchemaPrivilege = "CREATE TAG" + SchemaPrivilegeCreateTable SchemaPrivilege = "CREATE TABLE" + SchemaPrivilegeCreateTask SchemaPrivilege = "CREATE TASK" + SchemaPrivilegeCreateView SchemaPrivilege = "CREATE VIEW" + SchemaPrivilegeModify SchemaPrivilege = "MODIFY" + SchemaPrivilegeMonitor SchemaPrivilege = "MONITOR" + SchemaPrivilegeUsage SchemaPrivilege = "USAGE" ) func (p SchemaPrivilege) String() string { 
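Review bot: `SchemaPrivilegeCreateService` is inserted between CreateSessionPolicy and CreateSecret, and the eight policy constants sit after CreateProcedure, so the list no longer reads as sorted even though the other additions (HybridTable, ImageRepository, Model, NetworkRule, the SNOWFLAKE.* classes) keep alphabetical order; moving Service after Sequence and heading the policy run with a one-line `// policies` comment would make omissions easier to spot in future. `CREATE SNOWFLAKE.CORE.BUDGET` and the two `CREATE SNOWFLAKE.ML.*` values are the first privilege strings with dots in this file; if the resource layer validates privilege names or splits them out of the resource id string, those should be exercised, because the only acceptance test in this commit covers USAGE on an external volume. The const block starts and ends inside this hunk.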
@@ -167,73 +166,87 @@ type SchemaObjectPrivilege string const ( SchemaObjectOwnership SchemaObjectPrivilege = "OWNERSHIP" - // -- For ALERT - // OPERATE [ , ... ] + // For ALERT + // SchemaObjectPrivilegeMonitor SchemaObjectPrivilege = "MONITOR" (duplicate) SchemaObjectPrivilegeOperate SchemaObjectPrivilege = "OPERATE" - // -- FOR DYNAMIC TABLE - // OPERATE, SELECT [ , ...] + // For DYNAMIC TABLE + // SchemaObjectPrivilegeMonitor SchemaObjectPrivilege = "MONITOR" (duplicate) // SchemaObjectPrivilegeOperate SchemaObjectPrivilege = "OPERATE" (duplicate) - // SchemaObjectPrivilegeSelect SchemaObjectPrivilege = "SELECT" (duplicate) + // SchemaObjectPrivilegeSelect SchemaObjectPrivilege = "SELECT" (duplicate) - // -- For EVENT TABLE - // { SELECT | INSERT } [ , ... ] + // For EVENT TABLE SchemaObjectPrivilegeSelect SchemaObjectPrivilege = "SELECT" SchemaObjectPrivilegeInsert SchemaObjectPrivilege = "INSERT" - // -- For FILE FORMAT, FUNCTION (UDF or external function), PROCEDURE, SECRET, or SEQUENCE - // USAGE [ , ... 
] + // For FILE FORMAT, FUNCTION (UDF or external function), PROCEDURE, SECRET, or SEQUENCE SchemaObjectPrivilegeUsage SchemaObjectPrivilege = "USAGE" - // -- For ICEBERG TABLE + // For HYBRID TABLE + // SchemaObjectPrivilegeInsert SchemaObjectPrivilege = "INSERT" (duplicate) + // SchemaObjectPrivilegeSelect SchemaObjectPrivilege = "SELECT" (duplicate) + // SchemaObjectPrivilegeUpdate SchemaObjectPrivilege = "UPDATE" (duplicate) + + // For IMAGE REPOSITORY + // SchemaObjectPrivilegeRead SchemaObjectPrivilege = "READ" (duplicate) + // SchemaObjectPrivilegeWrite SchemaObjectPrivilege = "WRITE" (duplicate) + + // For ICEBERG TABLE SchemaObjectPrivilegeApplyBudget SchemaObjectPrivilege = "APPLYBUDGET" - // SchemaObjectPrivilegeDelete SchemaObjectPrivilege = "DELETE" (duplicate) - // SchemaObjectPrivilegeInsert SchemaObjectPrivilege = "INSERT" (duplicate) - // SchemaObjectPrivilegeReferences SchemaObjectPrivilege = "REFERENCES" (duplicate) - // SchemaObjectPrivilegeSelect SchemaObjectPrivilege = "SELECT" (duplicate) - // SchemaObjectPrivilegeTruncate SchemaObjectPrivilege = "Truncate" (duplicate) - // SchemaObjectPrivilegeUpdate SchemaObjectPrivilege = "Update" (duplicate) + // SchemaObjectPrivilegeDelete SchemaObjectPrivilege = "DELETE" (duplicate) + // SchemaObjectPrivilegeInsert SchemaObjectPrivilege = "INSERT" (duplicate) + // SchemaObjectPrivilegeReferences SchemaObjectPrivilege = "REFERENCES" (duplicate) + // SchemaObjectPrivilegeSelect SchemaObjectPrivilege = "SELECT" (duplicate) + // SchemaObjectPrivilegeTruncate SchemaObjectPrivilege = "TRUNCATE" (duplicate) + // SchemaObjectPrivilegeUpdate SchemaObjectPrivilege = "UPDATE" (duplicate) - // -- For PIPE - // { MONITOR | OPERATE } [ , ... 
] + // For PIPE + // SchemaObjectPrivilegeApplyBudget SchemaObjectPrivilege = "APPLYBUDGET" (duplicate) SchemaObjectPrivilegeMonitor SchemaObjectPrivilege = "MONITOR" // SchemaObjectPrivilegeOperate SchemaObjectPrivilege = "OPERATE" (duplicate) - // -- For { MASKING | PASSWORD | ROW ACCESS | SESSION } POLICY or TAG - // APPLY [ , ... ] + // For { MASKING | PASSWORD | ROW ACCESS | SESSION } POLICY or TAG SchemaObjectPrivilegeApply SchemaObjectPrivilege = "APPLY" - // -- For external STAGE - // USAGE [ , ... ] + // For external STAGE // SchemaObjectPrivilegeUsage SchemaObjectPrivilege = "USAGE" (duplicate) - // -- For internal STAGE - // READ [ , WRITE ] [ , ... ] + // For internal STAGE SchemaObjectPrivilegeRead SchemaObjectPrivilege = "READ" SchemaObjectPrivilegeWrite SchemaObjectPrivilege = "WRITE" - // -- For STREAM - // SELECT [ , ... ] + // For STREAM // SchemaObjectPrivilegeSelect SchemaObjectPrivilege = "SELECT" (duplicate) - // -- For TABLE - // { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES } [ , ... ] - // SchemaObjectPrivilegeSelect SchemaObjectPrivilege = "SELECT" (duplicate) - // SchemaObjectPrivilegeInsert SchemaObjectPrivilege = "INSERT" (duplicate) - SchemaObjectPrivilegeUpdate SchemaObjectPrivilege = "UPDATE" - SchemaObjectPrivilegeDelete SchemaObjectPrivilege = "DELETE" - SchemaObjectPrivilegeTruncate SchemaObjectPrivilege = "TRUNCATE" - SchemaObjectPrivilegeReferences SchemaObjectPrivilege = "REFERENCES" + // For STREAMLIT + // SchemaObjectPrivilegeUsage SchemaObjectPrivilege = "USAGE" (duplicate) - // -- For TASK - // { MONITOR | OPERATE } [ , ... 
] - // SchemaObjectPrivilegeMonitor SchemaObjectPrivilege = "MONITOR" (duplicate) - // SchemaObjectPrivilegeOperate SchemaObjectPrivilege = "OPERATE" (duplicate) + // For TABLE + // SchemaObjectPrivilegeApplyBudget SchemaObjectPrivilege = "APPLYBUDGET" (duplicate) + // SchemaObjectPrivilegeSelect SchemaObjectPrivilege = "SELECT" (duplicate) + // SchemaObjectPrivilegeInsert SchemaObjectPrivilege = "INSERT" (duplicate) + SchemaObjectPrivilegeEvolveSchema SchemaObjectPrivilege = "EVOLVE SCHEMA" + SchemaObjectPrivilegeUpdate SchemaObjectPrivilege = "UPDATE" + SchemaObjectPrivilegeDelete SchemaObjectPrivilege = "DELETE" + SchemaObjectPrivilegeTruncate SchemaObjectPrivilege = "TRUNCATE" + SchemaObjectPrivilegeReferences SchemaObjectPrivilege = "REFERENCES" + + // For Tag + // SchemaObjectPrivilegeRead SchemaObjectPrivilege = "READ" (duplicate) + + // For TASK + // SchemaObjectPrivilegeApplyBudget SchemaObjectPrivilege = "APPLYBUDGET" (duplicate) + // SchemaObjectPrivilegeMonitor SchemaObjectPrivilege = "MONITOR" (duplicate) + // SchemaObjectPrivilegeOperate SchemaObjectPrivilege = "OPERATE" (duplicate) + + // For VIEW + // SchemaObjectPrivilegeSelect SchemaObjectPrivilege = "SELECT" (duplicate) + // SchemaObjectPrivilegeReferences SchemaObjectPrivilege = "REFERENCES" (duplicate) - // -- For VIEW or MATERIALIZED VIEW - // { SELECT | REFERENCES } [ , ... ] - // SchemaObjectPrivilegeSelect SchemaObjectPrivilege = "SELECT" (duplicate) - // SchemaObjectPrivilegeReferences SchemaObjectPrivilege = "REFERENCES" (duplicate) + // For MATERIALIZED VIEW + // SchemaObjectPrivilegeApplyBudget SchemaObjectPrivilege = "APPLYBUDGET" (duplicate) + // SchemaObjectPrivilegeSelect SchemaObjectPrivilege = "SELECT" (duplicate) + // SchemaObjectPrivilegeReferences SchemaObjectPrivilege = "REFERENCES" (duplicate) ) func (p SchemaObjectPrivilege) String() string {
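Review bot: `// For Tag` breaks the all-caps convention of every other group heading in this block (`// For TASK`, `// For VIEW`), and the TAG group lists only READ while the earlier `// For { MASKING | PASSWORD | ROW ACCESS | SESSION } POLICY or TAG` group already assigns APPLY to tags, so a reader cannot tell which comment is authoritative; suggest `// For TAG` listing both `APPLY` and `READ` as duplicates in one place. `SchemaObjectPrivilegeEvolveSchema = "EVOLVE SCHEMA"` is a new grantable privilege placed under the TABLE heading only, while the ICEBERG TABLE group (which otherwise mirrors TABLE) does not mention it, so a one-line note on whether that omission is intentional would help. The const block starts before this hunk.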