Unable to grant a DB role to another DB role on v0.70.1

[5Quintessential]

Provider Version

v 0.70.1

Terraform Version

v 1.5.4

Describe the bug

If I have DB reader (DB role) and a DB writer (DB role) for the database D1,
I wanted to create a new DB read-write role (DB role) which gets granted the DB reader and the DB writer (DB roles).
I can do this in Snowflake SQL using:

GRANT DATABASE ROLE DB1.DB_READER TO DATABASE ROLE DB1.DB_READ_WRITE;
GRANT DATABASE ROLE DB1.DB_WRITER TO DATABASE ROLE DB1.DB_READ_WRITE;

Problem

Unable to find the right resource in the Snowflake-labs/snowflake (v 0.70.1) provider.

[sfc-gh-asawicki]

@5Quintessential Hey, thanks for creating this issue!

Granting database roles is a feature that is not yet implemented in the current version of the provider.

This functionality will be available (and adequately documented) as soon as we roll out the snowflake_grant_datatabase_role resource. We will work on it in October/November (check #1896, #2024 and #2018).

[5Quintessential]

@sfc-gh-asawicki Got it. I also noticed that I am unable to grant DB roles to custom account roles like a functional role. Would that be also addressed as part of the snowflake_grant_database_role resource?

[sfc-gh-asawicki]

@5Quintessential Yes, granting database roles to account roles will also be a part of the snowflake_grant_database_role resource. :)

[5Quintessential]

@sfc-gh-asawicki Just checking-in to see if we have any updates on this. When do we expect this capability to be available in the provider?

[sfc-gh-asawicki]

@5Quintessential, at the moment, we don't have any more specific dates yet. We had an inside-the-team discussion, but development has yet to happen.

[5Quintessential]

@sfc-gh-asawicki Hi, just checking if we have any updates. We are blocked because of this dependency atm. Is there a different tf resource that we could use to create the DB roles? I am just trying to see if we could unblock ourselves in a different way. Please let me know. Thanks.

[sfc-gh-asawicki]

@5Quintessential Hi, we are currently redesigning grants; the resource you are asking about will be available in the upcoming weeks.

If you are asking about in-Terraform workarounds, then I can suggest temporarily using a second provider (like https://registry.terraform.io/providers/paultyng/sql/latest/docs or https://registry.terraform.io/providers/aidanmelen/snowsql/latest/docs) and run only grants there, but keep in mind that these are NOT our providers so you use them on your own risk.

Some methods outside Terraform can be used as a workaround if you are blocked, like running a script or granting ownership directly through a worksheet.

We are planning to release a generic resource (the resource that can run any SQL script provided) ourselves. It will help situations like this one when the feature is unavailable in our provider.

[sfc-gh-jcieslak]

Hey @5Quintessential
As snowflake_grant_database_role is now available https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_database_role can we close this issue?

[5Quintessential]

@sfc-gh-jcieslak Thank you so much for the update. We have tested out the latest provider resources and it is working as expected for us. We are good to close this issue now.