Configuring a new Snowflake provider using the account id of the generated account

[AyushSVarma]

Provider Version

The provider version you are using.

snowflake-labs/snowflake v0.73.0

Terraform Version

The version of Terraform you were using when the bug was encountered.

Terraform v1.6.1

Describe the bug

A clear and concise description of what the bug is.

In a single deployment, I want to create a Snowflake ACCOUNTADMIN Provider, where the account field is the id generated by creating a new account, using the resource snowflake_account(using a different provider, based off ORGADMIN)

The issue has to do with creating the new provider

provider "snowflake" {
  alias    = "accountadmin"
  role     = "ACCOUNTADMIN"
  account  = snowflake_account.account.id #Issue arises here
  username = <insert user>
  password = <insert pass>
}

provider "snowflake" {
  alias    = "orgadmin"
  role     = "ORGADMIN"
  account  = <insert>
  username = <insert>
  password = <insert>
}

resource "snowflake_account" "account" {
  provider             = snowflake.orgadmin
  name                 = "<insert>"
  admin_name           = <insert>
  admin_password       = <insert>
  first_name           = "<insert>"
  last_name            = "<insert>"
  email                = "<insert>"
  must_change_password = true
  edition              = "STANDARD"
  comment              = <insert>
  region               = <insert>
}

When trying this, I get this error

Error: could not build dsn for snowflake connection err = 260000: account is empty
│
│   with module.main.module.snowflake.provider["registry.terraform.io/snowflake-labs/snowflake"].accadmin,
│   on ..\..\modules\snowflake\main.tf line 19, in provider "snowflake":
│   19: provider "snowflake" {

Expected behavior

A clear and concise description of what you expected to happen.

Successful terraform plan, where the Snowflake ACCOUNTADMIN provider can be created, depending on the read_only id of the snowflake_account, in one deployment. This new provider will be used to create resources under the new account

Code samples and commands

Please add code examples and commands that were run to cause the problem.

provider "snowflake" {
  alias    = "accadmin"
  role     = "ACCOUNTADMIN"
  account  = snowflake_account.account.id # This is where the issue arises
  username =<insert>
  password = <insert>
}

provider "snowflake" {
  alias    = "orgadmin"
  role     = "ORGADMIN"
  account  = <insert>
  username = <insert>
  password = <insert>
}


resource "snowflake_database" "env_db" {
  provider = snowflake.accadmin
  name     = "${var.env}_env_DB"
}

resource "snowflake_account" "account" {
  provider             = snowflake.orgadmin
  name                 = "<insert>"
  admin_name           = <insert>
  admin_password       = <insert>
  first_name           = "<insert>"
  last_name            = "<insert>"
  email                = "<insert>"
  must_change_password = true
  edition              = "STANDARD"
  comment              = <insert>
  region               = <insert>
}

Additional context

Add any other context about the problem here.

Let me know if this makes sense or if you have any questions. I can add anymore details if needed.

Thank you!

[sfc-gh-asawicki]

Hey @AyushSVarma. Thanks for creating the issue.

Unfortunately, this is not a bug but a Terraform limitation.

In the Terraform docs on provider configuration:

You can use expressions in the values of these configuration arguments, but can only reference values that are known before the configuration is applied. This means you can safely reference input variables, but not attributes exported by resources (with an exception for resource arguments that are specified directly in the configuration).

In your case, the second provider block is using unknown variables exported by a resource that has yet to be created.

[AyushSVarma]

@sfc-gh-asawicki

Thank you for the answer!