Indices resolution crashing on foreach snowflake_grant_privileges_to_role

[matheus-fractal-river]

Provider Version

0.72.0

Terraform Version

v1.6.0

Describe the bug

I'm trying to run a terraform apply using a module that references a snowflake_grant_privileges_to_role with a for_each command targeting a role created in the same module and a role provided via an external variable, which is resulting on this stack trace:

 Error: Plugin did not respond
│ 
│   with module.snowflake_data_transformation.snowflake_grant_privileges_to_role.dw_dev_dbt_permissions["DBT_ROLE"],
│   on modules/snowflake_data_transformation/main.tf line 43, in resource "snowflake_grant_privileges_to_role" "dw_dev_dbt_permissions":
│   43: resource "snowflake_grant_privileges_to_role" "dw_dev_dbt_permissions" {
│ 
│ The plugin encountered an error, and failed to respond to the
│ plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may
│ contain more details.
╵
╷
│ Error: Plugin did not respond
│ 
│   with module.snowflake_data_transformation.snowflake_grant_privileges_to_role.dw_dev_dbt_permissions["ENGINEERING_ROLE"],
│   on modules/snowflake_data_transformation/main.tf line 43, in resource "snowflake_grant_privileges_to_role" "dw_dev_dbt_permissions":
│   43: resource "snowflake_grant_privileges_to_role" "dw_dev_dbt_permissions" {
│ 
│ The plugin encountered an error, and failed to respond to the
│ plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may
│ contain more details.
╵
╷
│ Error: Plugin did not respond
│ 
│   with module.snowflake_datafold_integration.snowflake_grant_privileges_to_role.snowflake_database_datafold_permissions,
│   on modules/snowflake_datafold_integration/main.tf line 40, in resource "snowflake_grant_privileges_to_role" "snowflake_database_datafold_permissions":
│   40: resource "snowflake_grant_privileges_to_role" "snowflake_database_datafold_permissions" {
│ 
│ The plugin encountered an error, and failed to respond to the
│ plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may
│ contain more details.
╵
╷
│ Error: Plugin did not respond
│ 
│   with module.snowflake_datafold_integration.snowflake_grant_privileges_to_role.datafold_schema_permissions,
│   on modules/snowflake_datafold_integration/main.tf line 54, in resource "snowflake_grant_privileges_to_role" "datafold_schema_permissions":
│   54: resource "snowflake_grant_privileges_to_role" "datafold_schema_permissions" {
│ 
│ The plugin encountered an error, and failed to respond to the
│ plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may
│ contain more details.
╵

Stack trace from the terraform-provider-snowflake_v0.72.0 plugin:

panic: runtime error: index out of range [1] with length 1

goroutine 105 [running]:
github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk.NewDatabaseObjectIdentifierFromFullyQualifiedName({0xc000e0e060?, 0xc000e484e0?})
        github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk/identifier_helpers.go:159 +0xcc
github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/resources.configureAccountRoleGrantPrivilegeOptions(0xc000260270?, {0x0, 0x0, 0x0}, 0x1?, 0xc001006e08)
        github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/resources/grant_privileges_to_role.go:715 +0x833
github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/resources.CreateGrantPrivilegesToRole(0x0?, {0x1b5b4a0?, 0xc000260270?})
        github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/resources/grant_privileges_to_role.go:456 +0x1ad
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0x1e8a680?, {0x1e8a680?, 0xc000e0a210?}, 0xd?, {0x1b5b4a0?, 0xc000260270?})
        github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:766 +0x178
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0xc00016c2a0, {0x1e8a680, 0xc000e0a210}, 0xc000e1c8f0, 0xc000e22180, {0x1b5b4a0, 0xc000260270})
        github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:909 +0xa7e
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0xc0001a5dd0, {0x1e8a680?, 0xc000e0a0c0?}, 0xc000e08000)
        github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:1060 +0xe8d
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ApplyResourceChange(0xc0008f48c0, {0x1e8a680?, 0xc000ed74a0?}, 0xc0009fae00)
        github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:859 +0x574
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x1b0de80?, 0xc0008f48c0}, {0x1e8a680, 0xc000ed74a0}, 0xc0009fad90, 0x0)
        github.com/hashicorp/[email protected]/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:467 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0007f4b40, {0x1e9a1a0, 0xc00050c820}, 0xc000d639e0, 0xc000619980, 0x2b412b8, 0x0)
        google.golang.org/[email protected]/server.go:1360 +0xe23
google.golang.org/grpc.(*Server).handleStream(0xc0007f4b40, {0x1e9a1a0, 0xc00050c820}, 0xc000d639e0, 0x0)
        google.golang.org/[email protected]/server.go:1737 +0xa36
google.golang.org/grpc.(*Server).serveStreams.func1.1()
        google.golang.org/[email protected]/server.go:982 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
        google.golang.org/[email protected]/server.go:980 +0x18c

Error: The terraform-provider-snowflake_v0.72.0 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

Operation failed: failed running terraform apply (exit 1)

Expected behavior

I expect the terraform apply to correctly manage the permissions for each role I included on my for_each block.

Code samples and commands

This is the problem code:

resource "snowflake_grant_privileges_to_role" "dw_dev_dbt_permissions" {
  for_each = {
    for role in [snowflake_role.dbt_role.name, var.engineering_role] :
    role => role
  }
  on_account_object {
    object_name = snowflake_database.dw_dev_database.name
    object_type = "DATABASE"
  }
  privileges        = ["ALL PRIVILEGES"]
  role_name         = each.key
  with_grant_option = false
}

Additional context

The reference found on the for_each session is both the snowflake_role.dbt_role resource created with:

resource "snowflake_role" "dbt_role" {
  name    = "DBT_ROLE"
  comment = "Role created to be used in dbt"
}

And the external variable provided upon the module call like this:

module "snowflake_data_warehouse" {
  source      = "./modules/snowflake_data_warehouse"
  environment = var.environment
}

module "snowflake_data_transformation" {
  source             = "./modules/snowflake_data_transformation"
  engineering_role   = module.snowflake_data_warehouse.engineering_role
  data_lake_database = module.snowflake_data_warehouse.data_lake_database
  depends_on         = [module.snowflake_data_warehouse]
}

[kalinon]

Encountered same error when using on_schema

resource "snowflake_grant_privileges_to_role" "demo_schema" {
  privileges = ["USAGE", "CREATE TABLE", "CREATE STAGE", "CREATE PIPE"]
  role_name  = snowflake_role.demo_connector_role.name

  on_schema {
    schema_name = snowflake_schema.demo_schema.name
  }
}

Error log:

snowflake_grant_privileges_to_role.demo_schema: Creating...
╷
│ Error: Plugin did not respond
│
│   with snowflake_resource_monitor.demo,
│   on demo.tf line 7, in resource "snowflake_resource_monitor" "demo":
│    7: resource "snowflake_resource_monitor" "demo" {
│
│ The plugin encountered an error, and failed to respond to the plugin.(*GRPCProvider).PlanResourceChange call. The plugin logs may contain more details.
╵
╷
│ Error: Plugin did not respond
│
│   with snowflake_grant_privileges_to_role.demo_schema,
│   on demo.tf line 57, in resource "snowflake_grant_privileges_to_role" "demo_schema":
│   57: resource "snowflake_grant_privileges_to_role" "demo_schema" {
│
│ The plugin encountered an error, and failed to respond to the plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may contain more details.
╵
Releasing state lock. This may take a few moments...

Stack trace from the terraform-provider-snowflake_v0.72.0 plugin:

panic: runtime error: index out of range [1] with length 1

goroutine 43 [running]:
github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk.NewDatabaseObjectIdentifierFromFullyQualifiedName({0x140008e5b30?, 0x14000ee4060?})
	github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk/identifier_helpers.go:159 +0xb8
github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/resources.configureAccountRoleGrantPrivilegeOptions(0x14000e9fc20?, {0x14000ebac80, 0x4, 0x4}, 0x60?, 0x14000e86dd8)
	github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/resources/grant_privileges_to_role.go:715 +0x730
github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/resources.CreateGrantPrivilegesToRole(0x0?, {0x1063d2760?, 0x14000a952b0?})
	github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/resources/grant_privileges_to_role.go:456 +0x13c
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0x1064108c0?, {0x1064108c0?, 0x14000eb56b0?}, 0xd?, {0x1063d2760?, 0x14000a952b0?})
	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:766 +0x134
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0x140006861c0, {0x1064108c0, 0x14000eb56b0}, 0x14000e95ee0, 0x14000ec2480, {0x1063d2760, 0x14000a952b0})
	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:909 +0x8a0
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0x14000b12a20, {0x1064108c0?, 0x14000eb5590?}, 0x14000ea8960)
	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:1060 +0xb78
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ApplyResourceChange(0x140001c8640, {0x1064108c0?, 0x14000eb4ba0?}, 0x14000df2ee0)
	github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:859 +0x3bc
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x106385ca0?, 0x140001c8640}, {0x1064108c0, 0x14000eb4ba0}, 0x14000df2e70, 0x0)
	github.com/hashicorp/[email protected]/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:467 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0x14000718d20, {0x10641fe20, 0x140004fcb60}, 0x14000eb3320, 0x14000b18e40, 0x106fccc78, 0x0)
	google.golang.org/[email protected]/server.go:1360 +0xcb4
google.golang.org/grpc.(*Server).handleStream(0x14000718d20, {0x10641fe20, 0x140004fcb60}, 0x14000eb3320, 0x0)
	google.golang.org/[email protected]/server.go:1737 +0x82c
google.golang.org/grpc.(*Server).serveStreams.func1.1()
	google.golang.org/[email protected]/server.go:982 +0x84
created by google.golang.org/grpc.(*Server).serveStreams.func1
	google.golang.org/[email protected]/server.go:980 +0x16c

Error: The terraform-provider-snowflake_v0.72.0 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

[kalinon]

Also on 0.73.0

[hieu-cc]

Happens in 0.76.0 as well:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # snowflake_grant_privileges_to_role.schema will be created
  + resource "snowflake_grant_privileges_to_role" "schema" {
      + all_privileges    = false
      + id                = (known after apply)
      + on_account        = false
      + privileges        = [
          + "CREATE TABLE",
        ]
      + role_name         = "DB_READER"
      + with_grant_option = false

      + on_schema {
          + schema_name = "my_schema"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

snowflake_grant_privileges_to_role.schema: Creating...
╷
│ Error: Request cancelled
│
│ The plugin6.(*GRPCProvider).ApplyResourceChange request was cancelled.
╵

Stack trace from the terraform-provider-snowflake_v0.76.0 plugin:

panic: runtime error: index out of range [1] with length 1

goroutine 57 [running]:
github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk.NewDatabaseObjectIdentifierFromFullyQualifiedName({0x14000792920?, 0x14000e19b90?})
	github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk/identifier_helpers.go:159 +0xb8
github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/resources.configureAccountRoleGrantPrivilegeOptions(0x14000a854c0?, {0x14000e15ac0, 0x1, 0x1}, 0x40?, 0x1400076acb8)
	github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/resources/grant_privileges_to_role.go:715 +0x730
github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/resources.CreateGrantPrivilegesToRole(0x0?, {0x104435740?, 0x14000954680?})
	github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/resources/grant_privileges_to_role.go:456 +0x13c
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0x104477080?, {0x104477080?, 0x14000e0b650?}, 0xd?, {0x104435740?, 0x14000954680?})
	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:766 +0x134
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0x14000b4c700, {0x104477080, 0x14000e0b650}, 0x14000d79450, 0x14000d67600, {0x104435740, 0x14000954680})
	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:909 +0x8a0
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0x14000980a20, {0x104477080?, 0x14000e0b470?}, 0x14000d5b9f0)
	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:1060 +0xb78
github.com/hashicorp/terraform-plugin-mux/tf5to6server.v5tov6Server.ApplyResourceChange({{0x104493ba0?, 0x14000980a20?}}, {0x104477080, 0x14000e0b470}, 0x0?)
	github.com/hashicorp/[email protected]/tf5to6server/tf5to6server.go:37 +0x58
github.com/hashicorp/terraform-plugin-mux/tf6muxserver.(*muxServer).ApplyResourceChange(0x104476fd8?, {0x104477080?, 0x14000e0b140?}, 0x14000d5b9a0)
	github.com/hashicorp/[email protected]/tf6muxserver/mux_server_ApplyResourceChange.go:36 +0x188
github.com/hashicorp/terraform-plugin-go/tfprotov6/tf6server.(*server).ApplyResourceChange(0x14000a5e320, {0x104477080?, 0x14000e0a750?}, 0x14000e0e070)
	github.com/hashicorp/[email protected]/tfprotov6/tf6server/server.go:857 +0x3bc
github.com/hashicorp/terraform-plugin-go/tfprotov6/internal/tfplugin6._Provider_ApplyResourceChange_Handler({0x1043e26e0?, 0x14000a5e320}, {0x104477080, 0x14000e0a750}, 0x14000e0e000, 0x0)
	github.com/hashicorp/[email protected]/tfprotov6/internal/tfplugin6/tfplugin6_grpc.pb.go:467 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0x1400027f2c0, {0x104486900, 0x14000208ea0}, 0x14000d90a20, 0x14000752c60, 0x1050a31d8, 0x0)
	google.golang.org/[email protected]/server.go:1376 +0xbe0
google.golang.org/grpc.(*Server).handleStream(0x1400027f2c0, {0x104486900, 0x14000208ea0}, 0x14000d90a20, 0x0)
	google.golang.org/[email protected]/server.go:1753 +0x82c
google.golang.org/grpc.(*Server).serveStreams.func1.1()
	google.golang.org/[email protected]/server.go:998 +0x84
created by google.golang.org/grpc.(*Server).serveStreams.func1
	google.golang.org/[email protected]/server.go:996 +0x16c

Error: The terraform-provider-snowflake_v0.76.0 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

[hieu-cc]

The error is gone for on_schema but it appears again when the on_schema_object.all or on_schema_object.future blocks are set.

[sfc-gh-jcieslak]

Hey @matheus-fractal-river @kalinon @hieu-cc
This issue seems to be connected to the fact that you specified not a fully qualified name for schema. Let's take an example from @kalinon:

resource "snowflake_grant_privileges_to_role" "demo_schema" {
  privileges = ["USAGE", "CREATE TABLE", "CREATE STAGE", "CREATE PIPE"]
  role_name  = snowflake_role.demo_connector_role.name

  on_schema {
    schema_name = snowflake_schema.demo_schema.name -- this is not correct
    schema_name = "\"${snowflake_database.demo_database.name}\".\"${snowflake_schema.demo_schema.name}\"" -- it should be like this
  }
}

@matheus-fractal-river you must've provided the wrong configuration because it seems you have the same error, but none of your configurations have on_schema.schema_name. Please close the issue if that's the case as it was just provider misuse.

[sfc-gh-jcieslak]

Hey @matheus-fractal-river
Still waiting for the response. One thing to add is that snowflake_grant_privileges_to_role is deprecated and there's a snowflake_grant_privileges_to_account_role alternative ready in the newer versions of the provider. The issue may be caused by an outdated provider version.

[sfc-gh-jcieslak]

Closing due to long inactivity. If the issue still persists open another gh issue. Thank You.