Destroying snowflake_grant_privileges_to_role resources fails at apply time with validation error. #2068

Closed
liamjamesfoley opened this issue Sep 22, 2023 · 6 comments
Labels
bug Used to mark issues with provider's incorrect behavior category:grants

Comments

@liamjamesfoley
Contributor

Provider Version
"0.69"

Terraform Version
1.5.2

The version of Terraform you were using when the bug was encountered.
Can't destroy snowflake_grant_privileges_to_role resources.

A clear and concise description of what the bug is.
I'm trying to destroy a module that creates some roles and does a bunch of grants via snowflake_grant_privileges_to_role, but I cannot destroy the resources b/c I keep getting:

Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set

return fmt.Errorf("exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set")

A clear and concise description of what you expected to happen.

I expect the resources to be destroyed.

Please add code examples and commands that were run to cause the problem.
The plan:

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.owner_schema_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.owner_schema_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "owner_schema_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__OWNER|OWNERSHIP|false|true|false|false|true|false|false|false||||false|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__OWNER" -> null
      - with_grant_option = true -> null

      - on_schema {
          - schema_name = "ANALYTICS.SCHEMA_V2_TEST" -> null
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.reader_database_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.reader_database_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "reader_database_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__READER|USAGE|false|false|false|true|false|false|false|false|DATABASE|ANALYTICS||false||false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__READER" -> null
      - with_grant_option = false -> null

      - on_account_object {
          - object_name = "ANALYTICS" -> null
          - object_type = "DATABASE" -> null
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.reader_future_file_format_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.reader_future_file_format_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "reader_future_file_format_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__READER|USAGE|false|false|false|false|false|true|false|true|||FILE FORMATS|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__READER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "FILE FORMATS" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.reader_future_function_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.reader_future_function_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "reader_future_function_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__READER|USAGE|false|false|false|false|false|true|false|true|||FUNCTIONS|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__READER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "FUNCTIONS" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.reader_future_stage_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.reader_future_stage_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "reader_future_stage_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__READER|USAGE|false|false|false|false|false|true|false|true|||STAGES|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__READER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "STAGES" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.reader_future_table_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.reader_future_table_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "reader_future_table_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__READER|SELECT|false|false|false|false|false|true|false|true|||TABLES|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__READER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "TABLES" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.reader_future_view_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.reader_future_view_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "reader_future_view_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__READER|SELECT|false|false|false|false|false|true|false|true|||VIEWS|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__READER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "VIEWS" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.reader_monitor_pipe_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.reader_monitor_pipe_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "reader_monitor_pipe_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__READER|MONITOR|false|false|false|false|false|true|false|true|||PIPES|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__READER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "PIPES" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.reader_schema_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.reader_schema_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "reader_schema_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__READER|USAGE|false|false|false|false|true|false|false|false||||false|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__READER" -> null
      - with_grant_option = false -> null

      - on_schema {
          - schema_name = "ANALYTICS.SCHEMA_V2_TEST" -> null
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.writer_database_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.writer_database_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "writer_database_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__WRITER|USAGE|false|false|false|true|false|false|false|false|DATABASE|ANALYTICS||false||false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__WRITER" -> null
      - with_grant_option = false -> null

      - on_account_object {
          - object_name = "ANALYTICS" -> null
          - object_type = "DATABASE" -> null
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.writer_future_file_format_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.writer_future_file_format_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "writer_future_file_format_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__WRITER|OWNERSHIP|false|false|false|false|false|true|false|true|||FILE FORMATS|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__WRITER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "FILE FORMATS" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.writer_future_function_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.writer_future_function_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "writer_future_function_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__WRITER|OWNERSHIP|false|false|false|false|false|true|false|true|||FUNCTIONS|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__WRITER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "FUNCTIONS" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.writer_future_pipe_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.writer_future_pipe_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "writer_future_pipe_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__WRITER|OWNERSHIP|false|false|false|false|false|true|false|true|||PIPES|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__WRITER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "PIPES" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.writer_future_sequence_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.writer_future_sequence_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "writer_future_sequence_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__WRITER|OWNERSHIP|false|false|false|false|false|true|false|true|||SEQUENCES|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__WRITER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "SEQUENCES" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.writer_future_stage_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.writer_future_stage_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "writer_future_stage_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__WRITER|OWNERSHIP|false|false|false|false|false|true|false|true|||STAGES|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__WRITER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "STAGES" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.writer_future_table_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.writer_future_table_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "writer_future_table_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__WRITER|OWNERSHIP|false|false|false|false|false|true|false|true|||TABLES|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__WRITER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "TABLES" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.writer_future_view_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.writer_future_view_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "writer_future_view_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__WRITER|OWNERSHIP|false|false|false|false|false|true|false|true|||VIEWS|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__WRITER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "VIEWS" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.writer_schema_grants will be destroyed
  # (because snowflake_grant_privileges_to_role.writer_schema_grants is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "writer_schema_grants" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__WRITER|CREATE TASK,CREATE PROCEDURE,CREATE FILE FORMAT,CREATE TABLE,CREATE VIEW,CREATE STAGE,CREATE PIPE,USAGE,CREATE FUNCTION|false|false|false|false|true|false|false|false||||false|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__WRITER" -> null
      - with_grant_option = false -> null

      - on_schema {
          - schema_name = "ANALYTICS.SCHEMA_V2_TEST" -> null
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_role.owner_role will be destroyed
  # (because snowflake_role.owner_role is not in configuration)
  - resource "snowflake_role" "owner_role" {
      - id   = "ANALYTICS__SCHEMA_V2_TEST__OWNER" -> null
      - name = "ANALYTICS__SCHEMA_V2_TEST__OWNER" -> null
    }

  # module.analytics__schema_v2_test__schema.snowflake_role.reader_role will be destroyed
  # (because snowflake_role.reader_role is not in configuration)
  - resource "snowflake_role" "reader_role" {
      - id   = "ANALYTICS__SCHEMA_V2_TEST__READER" -> null
      - name = "ANALYTICS__SCHEMA_V2_TEST__READER" -> null
    }

  # module.analytics__schema_v2_test__schema.snowflake_role.writer_role will be destroyed
  # (because snowflake_role.writer_role is not in configuration)
  - resource "snowflake_role" "writer_role" {
      - id   = "ANALYTICS__SCHEMA_V2_TEST__WRITER" -> null
      - name = "ANALYTICS__SCHEMA_V2_TEST__WRITER" -> null
    }

  # module.analytics__schema_v2_test__schema.snowflake_role_grants.writer_grants will be destroyed
  # (because snowflake_role_grants.writer_grants is not in configuration)
  - resource "snowflake_role_grants" "writer_grants" {
      - enable_multiple_grants = true -> null
      - id                     = "ANALYTICS__SCHEMA_V2_TEST__WRITER||" -> null
      - role_name              = "ANALYTICS__SCHEMA_V2_TEST__WRITER" -> null
      - roles                  = [] -> null
      - users                  = [] -> null
    }

  # module.analytics__schema_v2_test__schema.snowflake_schema.schema will be destroyed
  # (because snowflake_schema.schema is not in configuration)
  - resource "snowflake_schema" "schema" {
      - data_retention_days = 1 -> null
      - database            = "ANALYTICS" -> null
      - id                  = "ANALYTICS|SCHEMA_V2_TEST" -> null
      - is_managed          = false -> null
      - is_transient        = false -> null
      - name                = "SCHEMA_V2_TEST" -> null
    }

The apply error:

╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
@liamjamesfoley liamjamesfoley added the bug Used to mark issues with provider's incorrect behavior label Sep 22, 2023
@matheus-fractal-river

matheus-fractal-river commented Oct 20, 2023

I'm facing the same problem with Terraform v1.6.0 and snowflake provider v0.72.0. Trying to delete the following resource:

resource "snowflake_grant_privileges_to_role" "snowflake_database_datafold_permissions" {
  role_name = snowflake_role.datafold_role.name
  on_account_object {
    object_name = "SNOWFLAKE"
    object_type = "DATABASE"
  }
  privileges = ["IMPORTED PRIVILEGES"]
}

Will return a:

Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set

@simonepm

simonepm commented Dec 5, 2023

> I'm facing the same problem with Terraform v1.6.0 and snowflake provider v0.72.0. Trying to delete the following resource:
>
> resource "snowflake_grant_privileges_to_role" "snowflake_database_datafold_permissions" {
>   role_name = snowflake_role.datafold_role.name
>   on_account_object {
>     object_name = "SNOWFLAKE"
>     object_type = "DATABASE"
>   }
>   privileges = ["IMPORTED PRIVILEGES"]
> }
>
> Will return a:
>
> Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set

I report identical issue on 0.77.0. Duplicated by: 2069

@gdelia-pm

> > I'm facing the same problem with Terraform v1.6.0 and snowflake provider v0.72.0. Trying to delete the following resource:
> >
> > resource "snowflake_grant_privileges_to_role" "snowflake_database_datafold_permissions" {
> >   role_name = snowflake_role.datafold_role.name
> >   on_account_object {
> >     object_name = "SNOWFLAKE"
> >     object_type = "DATABASE"
> >   }
> >   privileges = ["IMPORTED PRIVILEGES"]
> > }
> >
> > Will return a:
> >
> > Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
>
> I report identical issue on 0.77.0. Duplicated by: 2069

Reporting this exact same issue on v0.86.0, same resource / and same grant attempted (and then revoked as I found a more strict permission that worked for our use case).

I'm able to work around it but flagging as a bug that's not yet resolved.

@sfc-gh-jcieslak
Collaborator

sfc-gh-jcieslak commented Mar 7, 2024

Hey @liamjamesfoley please try again with the latest version of the provider with the newer snowflake_grant_privileges_to_account_role resource.

@matheus-fractal-river @simonepm @gdelia-pm @jacobcbeaudin IMPORTED PRIVILEGES should also work with the latest version of the provider with the newer snowflake_grant_privileges_to_account_role resource.

Duplicated in #2069
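The newer resource recommended in the comment above, written out for three grant shapes that appear in this thread. This is an added example, not code from the issue or from the provider's documentation; the resource labels are hypothetical, and the attribute names assume the `snowflake_grant_privileges_to_account_role` schema as published for the provider releases discussed here, so check them against the documentation for your version.

```hcl
# Added example. Role, database and schema names are the ones shown in this
# issue; resource labels are hypothetical.
# Note the attribute rename: role_name (old resource) -> account_role_name.

# 1. Account-object grant: IMPORTED PRIVILEGES on the shared SNOWFLAKE database
resource "snowflake_grant_privileges_to_account_role" "datafold_imported_privileges" {
  account_role_name = snowflake_role.datafold_role.name
  privileges        = ["IMPORTED PRIVILEGES"]

  on_account_object {
    object_type = "DATABASE"
    object_name = "SNOWFLAKE"
  }
}

# 2. Schema grant: USAGE on ANALYTICS.SCHEMA_V2_TEST for the reader role
resource "snowflake_grant_privileges_to_account_role" "reader_schema_grant" {
  account_role_name = "ANALYTICS__SCHEMA_V2_TEST__READER"
  privileges        = ["USAGE"]

  on_schema {
    # Fully qualified schema name, each part quoted (assumed identifier format)
    schema_name = "\"ANALYTICS\".\"SCHEMA_V2_TEST\""
  }
}

# 3. Future grant: SELECT on future TABLES in the schema for the reader role
resource "snowflake_grant_privileges_to_account_role" "reader_future_table_grant" {
  account_role_name = "ANALYTICS__SCHEMA_V2_TEST__READER"
  privileges        = ["SELECT"]

  on_schema_object {
    future {
      object_type_plural = "TABLES"
      in_schema          = "\"ANALYTICS\".\"SCHEMA_V2_TEST\""
    }
  }
}
```

When a destroy stops on the revoke error reported in this issue, the grants may still exist in Snowflake; `SHOW GRANTS TO ROLE <role>` and `SHOW FUTURE GRANTS IN SCHEMA <schema>` list what remains.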

@gdelia-pm

> Hey @liamjamesfoley please try again with the latest version of the provider with the newer snowflake_grant_privileges_to_account_role resource.
>
> @matheus-fractal-river @simonepm @gdelia-pm @jacobcbeaudin IMPORTED PRIVILEGES should also work with the latest version of the provider with the newer snowflake_grant_privileges_to_account_role resource.
>
> Duplicated in #2069

Confirming this works for me as expected with 0.87.1. Thanks again Jan!

@liamjamesfoley
Contributor Author

Hey @sfc-gh-jcieslak, It would take me a bit to reproduce the error so I'll just trust @gdelia-pm and close the issue. Thanks!!
