Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Error setting account role privilege UPDATE on DYNAMIC TABLES #2550

Closed
toni-moreno opened this issue Feb 23, 2024 · 3 comments
Closed

Error setting account role privilege UPDATE on DYNAMIC TABLES #2550

toni-moreno opened this issue Feb 23, 2024 · 3 comments
Labels
general-usage General help/usage questions

Comments

@toni-moreno
Copy link

Terraform CLI and Provider Versions

Terraform v1.5.0
on linux_amd64

  • provider registry.terraform.io/snowflake-labs/snowflake v0.86.0

Terraform Configuration

resource "snowflake_grant_privileges_to_account_role" "obj_v2_grant_future" {

  privileges        = ["INSERT","DELETE","SELECT","UPDATE"]
  account_role_name = MY_ROLE
  on_schema_object {
    future {
      object_type_plural = "DYNAMIC TABLES"
      in_schema          = "MY_DB.MY_SCHEMA"
    }
  }
}

Expected Behavior

Grant privileges as I did manually with the statement.

GRANT UPDATE ON FUTURE DYNAMIC TABLES IN SCHEMA MY_DB.MY_SCHEMA TO ROLE MY_ROLE;

Actual Behavior

╷
│ Error: An error occurred when granting privileges to account role
│ 
│   with module.sfbs.snowflake_grant_privileges_to_account_role.obj_v2_grant_future["MY_DB.MY_SCHEMA|MY_ROLE|DYNAMIC TABLES"],
│   on ../modules/snowflake_bs_v2/db-objects-profile-privileges-new.tf line 347, in resource "snowflake_grant_privileges_to_account_role" "obj_v2_grant_future":
│  347: resource "snowflake_grant_privileges_to_account_role" "obj_v2_grant_future" {
│ 
│ Id: "MY_ROLE"|false|false|INSERT,DELETE,SELECT,UPDATE|OnSchemaObject|OnFuture|DYNAMIC TABLES|InSchema|"MY_DB"."MY_SCHEMA"
│ Database role name: {MY_ROLE}
│ Error: 003008 (42601): SQL compilation error:
│ Invalid object type 'DYNAMIC_TABLE' for privilege 'UPDATE'.
╵

Steps to Reproduce

  1. terraform apply

How much impact is this issue causing?

Medium

Logs

No response

Additional Information

No response
@toni-moreno toni-moreno added the bug Used to mark issues with provider's incorrect behavior label Feb 23, 2024
@toni-moreno
Copy link
Author

I've removed the UPDATE privilege and tested again but the error still happened with the previous privilege in the list

│ Invalid object type 'DYNAMIC_TABLE' for privilege 'INSERT'.

And again until only ["SELECT"] privilege in the list.

In this context it seems that the only accepted privilege for FUTURE DYNAMIC TABLES is "SELECT".

thank you in advance.

@sfc-gh-asawicki sfc-gh-asawicki added general-usage General help/usage questions and removed bug Used to mark issues with provider's incorrect behavior labels Feb 23, 2024
@sfc-gh-asawicki
Copy link
Collaborator

Hey @toni-moreno. Thanks for reaching out to us.

This does not seem like the provider bug. The error originates in SNowflake and is consistent with the grant docs https://docs.snowflake.com/en/sql-reference/sql/grant-privilege:

schemaObjectPrivileges ::=
(...)
  -- For DYNAMIC TABLE
     MONITOR, OPERATE, SELECT [ , ...]

@toni-moreno
Copy link
Author

Ok , thank you ! @sfc-gh-asawicki I dont know why but I could execute this statement some weeks ago..

GRANT UPDATE ON FUTURE DYNAMIC TABLES IN SCHEMA MY_DB.MY_SCHEMA TO ROLE MY_ROLE;

and I can't rigth now with the same error than the terraform provider returs.

This seems to be the correct behaviour now.

Thank you very much!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
general-usage General help/usage questions
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@toni-moreno @sfc-gh-asawicki