For "snowflake_grant_privileges_to_role" the resource ID is not changed when replacing grants, so an update-in-place is applied instead of a destroy then create.

[Arnellluke]

Provider Version
0.71.0

Terraform Version
v1.5.7

Describe the bug
When changing the values of "on_account_object" in "snowflake_grant_privileges_to_role" to a new value,
(for instance replacing "test_db" with "test_db1"). The ID of the resource is not changed, so terraform is updating-in-place instead of destroying the original grant and replacing with the new one.
However as Terraform does Destroy, Create, Update in that order when it gets to Update, the object no longer exists and the apply fails.

Existing Terraform State.

• create_database: "test_db"
• create role: "test_role"
• grant_privileges_to_role: "test_db" to "test_role"

Changes made: renamed database from "test_db" to "test_db1"

• Destroy: "test_db"
• Create: "test_db1"
• No Changes: "test_role"
• Update: "grant_privileges_to_role" : "test_db" -> "test_db1"

Apply fails as "test_db" no longer exists.
(Our workaround is to use Lifecycle: replace_triggered_by but this is not compatible with modules)

Expected behavior

• Destroy: "test_db"
• Create: "test_db1"
• No Changes: "test_role"
• Destroy: "grant_privileges_to_role" : "test_db"
• Create: "grant_privileges_to_role" : "test_db1"

Code samples and commands

[imre-kerr-sb1]

We also ran into this and needed to do state surgery to get back on track. Minimal example:

terraform {
  required_providers {
    snowflake = {
      source  = "Snowflake-labs/snowflake"
      version = ">= 0.75.0"
    }
  }
}

resource "snowflake_database" "test_db" {
  name = "test_db"
}

resource "snowflake_role" "test_role" {
  name = "test_role"
}

resource "snowflake_grant_privileges_to_role" "example" {
  privileges = ["USAGE"]
  role_name  = snowflake_role.example.name
  on_account_object {
    object_type = "DATABASE"
    object_name = snowflake_database.test_db.name
  }
}

Change the database name after apply to trigger the bug.

[imre-kerr-sb1]

In this particular instance you can force the correct behavior with a lifecycle argument:

resource "snowflake_grant_privileges_to_role" "example" {
  privileges = ["USAGE"]
  role_name  = snowflake_role.example.name
  on_account_object {
    object_type = "DATABASE"
    object_name = snowflake_database.test_db.name
  }
  lifecycle {
    replace_triggered_by = [
      snowflake_database.test_db.name
    ]
  }
}

[sfc-gh-jcieslak]

Hey, @imre-kerr-sb1 @Arnellluke this may be caused by the fact that the object_type and object_name fields are not marked as `ForceNew (and they probably should be because after changing their values Terraform will perform delete -> create operations on the resource, which should solve this issue). I'm currently working on re-designing / designing grant resources / data sources and in the new design I have this as a ForceNew, so we should soon go into implementing those new designs and the issue should be solved :)

[sfc-gh-jcieslak]

Hey @Arnellluke I guess the issue can be closed right?

[sfc-gh-jcieslak]

@Arnellluke any updates on the issue? Can we close the issue?

[sfc-gh-jcieslak]

Closing due to long inactivity. If the issue persists, please create another ticket.