Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: permadiff in snowflake_network_policy_attachment and snowflake_legacy_service_user causes removal #3404

Closed
1 task
RobbertDM opened this issue Feb 20, 2025 · 2 comments · Fixed by #3386
Closed
1 task

[Bug]: permadiff in snowflake_network_policy_attachment and snowflake_legacy_service_user causes removal #3404

RobbertDM opened this issue Feb 20, 2025 · 2 comments · Fixed by #3386
Labels
general-usage General help/usage questions

Comments

@RobbertDM
Copy link

Terraform CLI Version

1.3.8

Terraform Provider Version

1.0.2

Company Name

No response

Terraform Configuration

resource "snowflake_network_policy_attachment" "network_policy_attachment" {
  for_each = local.purpose_env_combined_network_policies

  network_policy_name = upper(keys(each.value)[0])
  set_for_account     = false
  users               = [snowflake_legacy_service_user.purpose_env[each.key].name]
}


resource "snowflake_legacy_service_user" "purpose_env" {
  for_each                       = local.purpose_env
  name                           = upper("${each.value["purpose_slug"]}_${each.value["environment"]}")
  comment                        = "purpose-based user for ${each.value["purpose"]} in the ${each.value["environment"]} environment"
  password                       = REDACTED
  disabled                       = REDACTED
  display_name                   = REDACTED
  default_warehouse              = upper(each.key)
  default_role                   = snowflake_account_role.purpose_env[each.key].name
  default_namespace              = "${upper(each.value["environment"])}.${snowflake_schema.purpose_env[each.key].name}"
  must_change_password           = REDACTED
  default_secondary_roles_option = REDACTED
}

Category

category:resource

Object type(s)

resource:network_policy_attachment

Expected Behavior

I expect the network policy attachment to provisioned once and then at each subsequent terraform apply not to produce any differences.

Actual Behavior

Each terraform apply causes a diff for the network policy attachment:
First:

  # module.snowflake_purpose[0].snowflake_legacy_service_user.purpose_env["myproject_pro"] will be updated in-place
  ~ resource "snowflake_legacy_service_user" "purpose_env" {
        id                                            = "MYPROJECT_PRO"
        name                                          = "MYPROJECT_PRO"
      ~ network_policy                                = "NEO" -> (known after apply)
        # (66 unchanged attributes hidden)
    }

Then:

  # module.snowflake_purpose[0].snowflake_network_policy_attachment.network_policy_attachment["myproject_pro"] will be updated in-place
  ~ resource "snowflake_network_policy_attachment" "network_policy_attachment" {
        id                  = "NEO_attachment"
      ~ users               = [
          + "MYPROJECT_PRO",
        ]
        # (2 unchanged attributes hidden)
    }

After this, the cycle starts over. When the first one is applied, the network policy gets unattached from the service user!

Steps to Reproduce

  • Create a snowflake_legacy_service_user
  • Create a snowflake_network_policy
  • Create a snowflake_network_policy_attachment and attach it to that user
  • terraform apply twice.

How much impact is this issue causing?

Medium

Logs

No response

Additional Information

No response

Would you like to implement a fix?

  • Yeah, I'll take it 😎
@RobbertDM RobbertDM added the bug Used to mark issues with provider's incorrect behavior label Feb 20, 2025
@sfc-gh-asawicki sfc-gh-asawicki added general-usage General help/usage questions and removed bug Used to mark issues with provider's incorrect behavior labels Feb 20, 2025
@sfc-gh-asawicki
Copy link
Collaborator

Hey @RobbertDM. Thanks for reaching out to us.

You should not use these two resources together; the network policy is settable on all user resources (including snowflake_legacy_service_user). PLease check this migration guide entry: https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#breaking-change-snowflake_network_policy_attachment-usage-with-snowflake_user.

I will clarify the docs.

@sfc-gh-asawicki sfc-gh-asawicki mentioned this issue Feb 25, 2025
Merged
sfc-gh-asawicki added a commit that referenced this issue Feb 25, 2025
@sfc-gh-asawicki
chore: Update user docs (#3416)
9d5224f 
References: #3404
@snowflake-release-please snowflake-release-please bot mentioned this issue Feb 26, 2025
Merged
sfc-gh-jcieslak pushed a commit that referenced this issue Feb 26, 2025
@snowflake-release-please
chore(main): release 1.0.4 (#3386)
bb22bb2 
🤖 I have created a release *beep* *boop*
---


##
[1.0.4](v1.0.3...v1.0.4)
(2025-02-26)


### 🔧 **Misc**

* Add GA scope to the roadmap
([#3385](#3385))
([9be2196](9be2196))
* Adjust saml2_integration documentation
([#3415](#3415))
([b8c127d](b8c127d))
* Bump Go version
([#3408](#3408))
([902670e](902670e))
* Bump provider version
([#3419](#3419))
([552e44b](552e44b))
* Remove hardcoded values from documentation
([#3381](#3381))
([cb1d6e2](cb1d6e2))
* Update user docs
([#3416](#3416))
([9d5224f](9d5224f)),
closes
[#3404](#3404)
* Upgrade deps
([#3389](#3389))
([086bf15](086bf15))


### 🐛 **Bug fixes:**

* account for null comment
([#3417](#3417))
([2f7f80f](2f7f80f))
* external function varchar return type validation
([#3400](#3400))
([abf5883](abf5883))
* Fix managed account and adjust account ticket numbers
([#3395](#3395))
([a7cb5cb](a7cb5cb))
* Propose changes to assertions setup with varying test client
([#3406](#3406))
([fb27f6a](fb27f6a))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: snowflake-release-please[bot] <105954990+snowflake-release-please[bot]@users.noreply.github.com>
@RobbertDM
Copy link
Author

Indeed @sfc-gh-asawicki , this works after applying twice: one to remove the snowflake_network_policy_attachment, and then once more so that the snowflake_legacy_service_user sees that it should be updated. Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
general-usage General help/usage questions
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore(main): release 1.0.4 Snowflake-Labs/terraform-provider-snowflake
3 participants
@RobbertDM @sfc-gh-jcieslak @sfc-gh-asawicki