Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Destroying snowflake_grant_privileges_to_role resources fails at apply time with validation error. "exactly one of AllPrivileges, GlobalPrivileges...." #2069

Closed
liamjamesfoley opened this issue Sep 22, 2023 · 4 comments
Closed

Destroying snowflake_grant_privileges_to_role resources fails at apply time with validation error. "exactly one of AllPrivileges, GlobalPrivileges...." #2069

liamjamesfoley opened this issue Sep 22, 2023 · 4 comments
Labels
bug Used to mark issues with provider's incorrect behavior category:grants

Comments

@liamjamesfoley
Copy link
Contributor

Provider Version
"0.69"

Terraform Version
1.5.2

The version of Terraform you were using when the bug was encountered.
Can't destroy snowflake_grant_privileges_to_role resources.

A clear and concise description of what the bug is.
I'm trying to destroy a module that creates some roles and does a bunch of grants via snowflake_grant_privileges_to_role, but I cannot destroy the resources b/c I keep getting:

Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set

terraform-provider-snowflake/pkg/sdk/grants_validations.go

Line 38 in 538efa5

return fmt.Errorf("exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set")

A clear and concise description of what you expected to happen.

I expect the resources to be destroyed.

Please add code examples and commands that were run to cause the problem.
The plan:

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.owner_schema_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.owner_schema_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "owner_schema_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__OWNER|OWNERSHIP|false|true|false|false|true|false|false|false||||false|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__OWNER" -> null
      - with_grant_option = true -> null

      - on_schema {
          - schema_name = "ANALYTICS.SCHEMA_V2_TEST" -> null
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.reader_database_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.reader_database_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "reader_database_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__READER|USAGE|false|false|false|true|false|false|false|false|DATABASE|ANALYTICS||false||false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__READER" -> null
      - with_grant_option = false -> null

      - on_account_object {
          - object_name = "ANALYTICS" -> null
          - object_type = "DATABASE" -> null
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.reader_future_file_format_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.reader_future_file_format_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "reader_future_file_format_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__READER|USAGE|false|false|false|false|false|true|false|true|||FILE FORMATS|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__READER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "FILE FORMATS" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.reader_future_function_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.reader_future_function_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "reader_future_function_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__READER|USAGE|false|false|false|false|false|true|false|true|||FUNCTIONS|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__READER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "FUNCTIONS" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.reader_future_stage_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.reader_future_stage_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "reader_future_stage_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__READER|USAGE|false|false|false|false|false|true|false|true|||STAGES|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__READER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "STAGES" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.reader_future_table_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.reader_future_table_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "reader_future_table_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__READER|SELECT|false|false|false|false|false|true|false|true|||TABLES|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__READER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "TABLES" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.reader_future_view_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.reader_future_view_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "reader_future_view_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__READER|SELECT|false|false|false|false|false|true|false|true|||VIEWS|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__READER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "VIEWS" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.reader_monitor_pipe_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.reader_monitor_pipe_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "reader_monitor_pipe_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__READER|MONITOR|false|false|false|false|false|true|false|true|||PIPES|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__READER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "PIPES" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.reader_schema_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.reader_schema_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "reader_schema_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__READER|USAGE|false|false|false|false|true|false|false|false||||false|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__READER" -> null
      - with_grant_option = false -> null

      - on_schema {
          - schema_name = "ANALYTICS.SCHEMA_V2_TEST" -> null
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.writer_database_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.writer_database_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "writer_database_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__WRITER|USAGE|false|false|false|true|false|false|false|false|DATABASE|ANALYTICS||false||false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__WRITER" -> null
      - with_grant_option = false -> null

      - on_account_object {
          - object_name = "ANALYTICS" -> null
          - object_type = "DATABASE" -> null
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.writer_future_file_format_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.writer_future_file_format_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "writer_future_file_format_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__WRITER|OWNERSHIP|false|false|false|false|false|true|false|true|||FILE FORMATS|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__WRITER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "FILE FORMATS" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.writer_future_function_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.writer_future_function_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "writer_future_function_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__WRITER|OWNERSHIP|false|false|false|false|false|true|false|true|||FUNCTIONS|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__WRITER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "FUNCTIONS" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.writer_future_pipe_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.writer_future_pipe_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "writer_future_pipe_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__WRITER|OWNERSHIP|false|false|false|false|false|true|false|true|||PIPES|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__WRITER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "PIPES" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.writer_future_sequence_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.writer_future_sequence_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "writer_future_sequence_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__WRITER|OWNERSHIP|false|false|false|false|false|true|false|true|||SEQUENCES|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__WRITER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "SEQUENCES" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.writer_future_stage_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.writer_future_stage_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "writer_future_stage_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__WRITER|OWNERSHIP|false|false|false|false|false|true|false|true|||STAGES|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__WRITER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "STAGES" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.writer_future_table_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.writer_future_table_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "writer_future_table_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__WRITER|OWNERSHIP|false|false|false|false|false|true|false|true|||TABLES|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__WRITER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "TABLES" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.writer_future_view_grant will be destroyed
  # (because snowflake_grant_privileges_to_role.writer_future_view_grant is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "writer_future_view_grant" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__WRITER|OWNERSHIP|false|false|false|false|false|true|false|true|||VIEWS|true|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__WRITER" -> null
      - with_grant_option = false -> null

      - on_schema_object {
          - future {
              - in_schema          = "ANALYTICS.SCHEMA_V2_TEST" -> null
              - object_type_plural = "VIEWS" -> null
            }
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role.writer_schema_grants will be destroyed
  # (because snowflake_grant_privileges_to_role.writer_schema_grants is not in configuration)
  - resource "snowflake_grant_privileges_to_role" "writer_schema_grants" {
      - all_privileges    = false -> null
      - id                = "ANALYTICS__SCHEMA_V2_TEST__WRITER|CREATE TASK,CREATE PROCEDURE,CREATE FILE FORMAT,CREATE TABLE,CREATE VIEW,CREATE STAGE,CREATE PIPE,USAGE,CREATE FUNCTION|false|false|false|false|true|false|false|false||||false|ANALYTICS.SCHEMA_V2_TEST|false|" -> null
      - on_account        = false -> null
      - privileges        = [] -> null
      - role_name         = "ANALYTICS__SCHEMA_V2_TEST__WRITER" -> null
      - with_grant_option = false -> null

      - on_schema {
          - schema_name = "ANALYTICS.SCHEMA_V2_TEST" -> null
        }
    }

  # module.analytics__schema_v2_test__schema.snowflake_role.owner_role will be destroyed
  # (because snowflake_role.owner_role is not in configuration)
  - resource "snowflake_role" "owner_role" {
      - id   = "ANALYTICS__SCHEMA_V2_TEST__OWNER" -> null
      - name = "ANALYTICS__SCHEMA_V2_TEST__OWNER" -> null
    }

  # module.analytics__schema_v2_test__schema.snowflake_role.reader_role will be destroyed
  # (because snowflake_role.reader_role is not in configuration)
  - resource "snowflake_role" "reader_role" {
      - id   = "ANALYTICS__SCHEMA_V2_TEST__READER" -> null
      - name = "ANALYTICS__SCHEMA_V2_TEST__READER" -> null
    }

  # module.analytics__schema_v2_test__schema.snowflake_role.writer_role will be destroyed
  # (because snowflake_role.writer_role is not in configuration)
  - resource "snowflake_role" "writer_role" {
      - id   = "ANALYTICS__SCHEMA_V2_TEST__WRITER" -> null
      - name = "ANALYTICS__SCHEMA_V2_TEST__WRITER" -> null
    }

  # module.analytics__schema_v2_test__schema.snowflake_role_grants.writer_grants will be destroyed
  # (because snowflake_role_grants.writer_grants is not in configuration)
  - resource "snowflake_role_grants" "writer_grants" {
      - enable_multiple_grants = true -> null
      - id                     = "ANALYTICS__SCHEMA_V2_TEST__WRITER||" -> null
      - role_name              = "ANALYTICS__SCHEMA_V2_TEST__WRITER" -> null
      - roles                  = [] -> null
      - users                  = [] -> null
    }

  # module.analytics__schema_v2_test__schema.snowflake_schema.schema will be destroyed
  # (because snowflake_schema.schema is not in configuration)
  - resource "snowflake_schema" "schema" {
      - data_retention_days = 1 -> null
      - database            = "ANALYTICS" -> null
      - id                  = "ANALYTICS|SCHEMA_V2_TEST" -> null
      - is_managed          = false -> null
      - is_transient        = false -> null
      - name                = "SCHEMA_V2_TEST" -> null
    }

The apply error:

╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
╷
│ Error: error revoking privileges from account role: exactly one of AllPrivileges, GlobalPrivileges, AccountObjectPrivileges, SchemaPrivileges, or SchemaObjectPrivileges must be set
│ 
│ 
╵
@liamjamesfoley liamjamesfoley added the bug Used to mark issues with provider's incorrect behavior label Sep 22, 2023
@jacobcbeaudin
Copy link
Contributor

jacobcbeaudin commented Sep 27, 2023
edited
Loading

Hi there,

I've encountered a similar issue and found a workaround that might help others facing this problem. While this doesn't address the root cause, it provides a temporary solution to successfully run the terraform destroy command.

Workaround:

  1. Remove the snowflake_grant_privileges_to_role from the Terraform state using the following command:
terraform state rm module.analytics__schema_v2_test__schema.snowflake_grant_privileges_to_role
  1. After executing the above command, you can run terraform destroy to destroy the other resources without encountering the error.

It's important to note that this workaround bypasses the actual problem. The root issue looks like a bug in the Snowflake Terraform provider. I hope this helps in the interim, but I'd recommend the maintainers to investigate this further for a more permanent fix. I would like for the root cause of this issue to be addressed. I face this issue very frequently.

@liamjamesfoley
Copy link
Contributor Author

@jacobcbeaudin thanks and yes, I did something similar using terraform state rm to get back into a good state but I'm also worried about this occurring in the future.

@simonepm
Copy link

simonepm commented Dec 5, 2023
edited
Loading

Issue still present in 0.77.0

resource "snowflake_grant_privileges_to_role" "TEST" {
  privileges = ["IMPORTED PRIVILEGES"]
  role_name = "ROLE"
  on_account_object {
    object_type = "DATABASE"
    object_name = "SNOWFLAKE"
  }
}

After granting IMPORTED PRIVILEGES with snowflake_grant_privileges_to_role on database SNOWFLAKE, when it is time to destroy I receive:

Error: error revoking privileges from account role: [grants_validations.go:46]
exactly one of AccountRoleGrantPrivileges fields [AllPrivileges GlobalPrivileges AccountObjectPrivileges SchemaPrivileges SchemaObjectPrivileges] must be set

Duplicates: 2068

@simonepm simonepm mentioned this issue Dec 5, 2023
Closed
@sfc-gh-jcieslak
Copy link
Collaborator

Hey @liamjamesfoley please close this if that's the same issue as in #2068

@mmyers5 mmyers5 mentioned this issue Apr 26, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Used to mark issues with provider's incorrect behavior category:grants
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@liamjamesfoley @simonepm @jacobcbeaudin @sfc-gh-jcieslak