Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

snowflake_role_grant inconsistent with snowflake_grant_privileges_to_account_role when using escaped characters #2548

Closed
wpl-sf-nbirch opened this issue Feb 23, 2024 · 2 comments · Fixed by #2564
Closed

snowflake_role_grant inconsistent with snowflake_grant_privileges_to_account_role when using escaped characters #2548

wpl-sf-nbirch opened this issue Feb 23, 2024 · 2 comments · Fixed by #2564
Assignees
@sfc-gh-jcieslak
Labels
bug Used to mark issues with provider's incorrect behavior

Comments

@wpl-sf-nbirch
Copy link

Terraform CLI and Provider Versions

Terraform v1.7.0
on windows_amd64

  • provider registry.terraform.io/hashicorp/aws v5.37.0
  • provider registry.terraform.io/snowflake-labs/snowflake v0.86.0

Terraform Configuration

locals {
  support_role = "\"USER-EDP.L3.SUPPORT\""
}

resource "snowflake_role" "support_role" {
  provider = snowflake.aad_provisioner
  name    = local.support_role
}

resource "snowflake_role_grants" "support_role_grants" {
  role_name = snowflake_role.support_role.name

  roles = [
    "SNOWFLAKE_ADMIN",
  ]
}

Expected Behavior

This should assign role SNOWFLAKE_ADMIN to role USER-EDP.L3.SUPPORT

Actual Behavior

Error: '"' can not start an identifier

with module.base_platform.snowflake_role_grants.support_role_grants
on standard_roles.tf line 1506, in resource "snowflake_role_grants" "support_role_grants":

role_name = snowflake_role.support_role.name

Steps to Reproduce

  1. terraform plan
  2. terraform apply

How much impact is this issue causing?

High

Logs

No response

Additional Information

Please note that the above configuration snippet has redacted values, and is not in the same format as the actual deployment, which is using modules.
@wpl-sf-nbirch wpl-sf-nbirch added the bug Used to mark issues with provider's incorrect behavior label Feb 23, 2024
@sfc-gh-asawicki
Copy link
Collaborator

Hey @wpl-sf-nbirch. I will take a look at it on Monday.

@sfc-gh-jcieslak sfc-gh-jcieslak self-assigned this Feb 27, 2024
@sfc-gh-jcieslak sfc-gh-jcieslak mentioned this issue Feb 27, 2024
Merged
1 task
sfc-gh-jcieslak added a commit that referenced this issue Feb 28, 2024
@sfc-gh-jcieslak
fix: loosen identifier field validation for account object identifiers (
a5ed8cd 
#2564)

Fixes:
#2548

Fails because identifier validation doesn't work well for account object
identifiers (that may contain dots).

## Test Plan
* [x] Acceptance test recreating role name with dots + unit tests for
validation function
@sfc-gh-jcieslak
Copy link
Collaborator

Hey @wpl-sf-nbirch. We have released the fix as part of v0.87.0 release. Please follow the migration guide during the update. Please confirm that the issue is resolved in the newest version. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sfc-gh-jcieslak sfc-gh-jcieslak

Labels
bug Used to mark issues with provider's incorrect behavior
Projects
None yet
Milestone
No milestone
3 participants
@wpl-sf-nbirch @sfc-gh-jcieslak @sfc-gh-asawicki