Plan always wants to add USAGE permission, although it already exists #2633

Closed
nick-amplify opened this issue Mar 19, 2024 · 5 comments
Labels
bug Used to mark issues with provider's incorrect behavior category:grants

Comments

@nick-amplify

Terraform CLI and Provider Versions

Terraform Cloud, terraform v1.6.5

snowflake-tf-provider v0.87.2

Terraform Configuration

```hcl
resource "snowflake_grant_privileges_to_account_role" "tenant_warehouses_grants" {
  privileges        = ["USAGE", "MONITOR", "OPERATE", "MODIFY"]
  account_role_name = "MY_ROLE_NAME"

  on_account_object {
    object_type = "WAREHOUSE"
    object_name = "\"${var.warehouse_name}\"" # note this is a fully qualified name!
  }
}
```

Expected Behavior

I expect the warehouse to be created with all permissions.

Actual Behavior

Warehouse is created.

On all following plans, the plan is shown as adding the USAGE permission, although it already exists. This results in the plan always showing a change that should not be happening.

Steps to Reproduce

  1. plan and apply the resource once
  2. run another plan, see plan to add USAGE permission again.

How much impact is this issue causing?

Medium

Logs

No response

Additional Information

This is a similar issue to: #2533

However, I upgraded the Snowflake provider to v0.87.2, and the issue persists.

@nick-amplify nick-amplify added the bug Used to mark issues with provider's incorrect behavior label Mar 19, 2024
@sfc-gh-jcieslak
Collaborator

sfc-gh-jcieslak commented Mar 19, 2024

Hey @nick-amplify
Do you see in the logs that something similar to `grant usage on warehouse "TEST_WAREHOUSE" to role "MY_ROLE_NAME";` is run on terraform apply, and when you run `show grants on warehouse "TEST_WAREHOUSE";` manually, it returns USAGE as one of the warehouse grants? For now, I don't see why that wouldn't work, but I'll try to reproduce the issue tomorrow morning.

@nick-amplify
Author

Usage is definitely shown as one of the grants when I run show grants on the warehouse.

I'm not sure if Terraform Cloud gives me access to the raw Snowflake commands that it runs. I am looking for them now. If found, I will update this ticket.

@sfc-gh-jcieslak
Collaborator

As far as I remember the only thing you need to set is the TF_LOG environment variable to DEBUG. Then you'll have more logs in terraform plan/apply along with logs that show exactly what SQLs are being run. I ran the following config and it worked (no plan produced by Terraform):

```hcl
resource "snowflake_warehouse" "test" {
  name = "test_warehouse_grants"
}

resource "snowflake_role" "test" {
  name = "test_account_role_grants"
}

resource "snowflake_grant_privileges_to_account_role" "test" {
  privileges        = ["USAGE", "MONITOR", "OPERATE", "MODIFY"]
  account_role_name = snowflake_role.test.name

  on_account_object {
    object_type = "WAREHOUSE"
    object_name = snowflake_warehouse.test.name
  }
}
```

Try to post the logs with TF_LOG=DEBUG enabled, so I'll be able to see SQLs.

@sfc-gh-jcieslak
Collaborator

Hey 👋
Try changing this: `object_name = "\"${var.warehouse_name}\""` to this: `object_name = var.warehouse_name`. If no logs are provided, I'm closing the issue as I'm not able to reproduce it from the given example.

@sfc-gh-jcieslak
Collaborator

Closing due to long inactivity. If the issue persists, please create another issue.
