The new resource snowflake_grant_privileges_to_role that we are supposed to migrate to does not include an enable_multiple_grants input parameter. This flag exists on the older grant resources, e.g. snowflake_table_grant or snowflake_schema_grant. These older grant resources have been deprecated, hence the need to migrate.
Though we manage some of our Snowflake grants via Terraform, our users still add additional grants via scripts at runtime. It would be a painful experience if Terraform attempted to remove these other grants each time a plan was run. I'm hesitant to migrate to the snowflake_grant_privileges_to_role resource until I know what behavior I'm likely to encounter when planning.
Does the snowflake_grant_privileges_to_role resource inherently include the enable_multiple_grants = true functionality by default? I.e., if we migrate to the new resource, will Terraform ignore other grants created within Snowflake? Or should I expect Terraform to plan to remove grants inconsistent with the resource?
Proposal
Depending on the answers to the problem statement, you could update the documentation for the snowflake_grant_privileges_to_role resource to address how grants created apart from Terraform will be handled. Or you could add the enable_multiple_grants input flag to the resource such that it functions like it did on the older grant resources.
How much impact is this issue causing?
Medium
Additional Information
No response
@sfc-gh-jcieslak in our grant design spec we had an "authoritative" flag that would act the same as the old "enable_multiple_grants" flag, but this was not included in your latest PR. Is there a ticket for this in the next quarter, or is this something that we still need to discuss how it should be implemented?
Hey @bdumford-OM1
New grant resources have enable_multiple_grants "enabled by default", so it won't revoke other grants that exist on an object. As @sfc-gh-swinkler said, we have an "authoritative" flag in our plans that would have the inverted effect of enable_multiple_grants (set to true, it will revoke grants that are not managed by the resource). It's a lower-priority task and we cannot specify when it will be available, but the defaults set in new grant resources should be sufficient for most cases. Soon we should put a migration guide for grants in our MIGRATION.md document in the repository, so stay tuned :)
It should cover migration from deprecated grant resources to new ones, and I would say in a week or two it should be there. Also, later on, we'll publish a document that will summarize the grant redesign we did and the new inner workings of the new resources, which will appear later, but for sure in Q1.
Thanks for the insight @sfc-gh-jcieslak! I really appreciate it. Having the enable_multiple_grants enabled by default should make the migration a lot easier.
I think I have my question answered, and there are plans for what to do with this grant moving forward, so I'm going to close this feature request.
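An audit check for the behavior described in this thread, added here as an example and not code from the provider or its maintainers: because the new grant resources leave out-of-band grants in place, it diffs the grants declared in Terraform against rows shaped like `SHOW GRANTS TO ROLE` output. The `Grant` type, the function names and the sample rows are constructed for illustration, and identifiers are assumed to be unquoted.

```python
from typing import Iterable, NamedTuple


class Grant(NamedTuple):
    privilege: str
    granted_on: str    # object type, e.g. SCHEMA or TABLE
    name: str          # fully qualified object name
    grantee_name: str  # role receiving the privilege


def normalize(g: Grant) -> Grant:
    # Assumption: identifiers are unquoted, so case-insensitive comparison is safe.
    return Grant(*(f.replace('"', "").strip().upper() for f in g))


def from_show_grants(rows: Iterable[dict]) -> set:
    """Build Grant tuples from SHOW GRANTS rows given as dicts keyed by column name."""
    return {normalize(Grant(r["privilege"], r["granted_on"], r["name"], r["grantee_name"]))
            for r in rows}


def grant_drift(declared: Iterable[Grant], actual_rows: Iterable[dict]) -> dict:
    """Compare grants declared in Terraform with what Snowflake reports.

    unmanaged: present in Snowflake, absent from Terraform (not revoked on apply,
               per the maintainer's reply above).
    missing:   declared in Terraform, absent from Snowflake.
    """
    declared_set = {normalize(g) for g in declared}
    actual_set = from_show_grants(actual_rows)
    return {"unmanaged": sorted(actual_set - declared_set),
            "missing": sorted(declared_set - actual_set)}


# Constructed sample: grants the Terraform configuration declares ...
DECLARED = [Grant("USAGE", "SCHEMA", "ANALYTICS.REPORTING", "ANALYST"),
            Grant("SELECT", "TABLE", "ANALYTICS.REPORTING.ORDERS", "ANALYST")]
# ... and constructed rows shaped like SHOW GRANTS TO ROLE ANALYST output.
SHOW_GRANTS_ROWS = [
    {"privilege": "USAGE", "granted_on": "SCHEMA", "name": "analytics.reporting",
     "grantee_name": "ANALYST", "grant_option": "false", "granted_by": "TERRAFORM_ROLE"},
    {"privilege": "INSERT", "granted_on": "TABLE", "name": "ANALYTICS.REPORTING.ORDERS",
     "grantee_name": "ANALYST", "grant_option": "true", "granted_by": "SYSADMIN"},
]

if __name__ == "__main__":
    for kind, grants in grant_drift(DECLARED, SHOW_GRANTS_ROWS).items():
        for g in grants:
            print(f"{kind}: {g.privilege} ON {g.granted_on} {g.name} TO ROLE {g.grantee_name}")
```

Reviewing the `unmanaged` list on a schedule gives visibility into script-created grants that a Terraform plan will not surface.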
Terraform CLI and Provider Versions
Terraform 1.5.3
Snowflake-Labs/snowflake 0.76.0