[Bug]: terraform apply -refresh-only fails #3427

israel opened this issue Mar 3, 2025 · 3 comments
Labels: bug (used to mark issues with provider's incorrect behavior), category:stable (topics connected with stable features), resource:schema (issue connected to the snowflake_schema resource)

israel commented Mar 3, 2025

Terraform CLI Version

1.11.0

Terraform Provider Version

1.0.4

Company Name

Nice

Terraform Configuration

```hcl
resource "snowflake_schema" "schema" {
  name     = "my_schema"
  database = "my_database"
}
```

Category

category:resource

Object type(s)

resource:schema

Expected Behavior

Expected no errors

Actual Behavior

Error: expected [{{} is_transient}] to be one of ["true" "false"], got default

Steps to Reproduce

Create a simple snowflake_schema resource, apply it successfully, and then try to refresh it using 'terraform apply -refresh-only'.
I have seen in the code that in some cases, not just in the schema resource, a "default" value is assigned to fields when they should have true/false. This breaks when trying to refresh.

How much impact is this issue causing?

High

Logs

No response

Additional Information

No response

Would you like to implement a fix?

  • Yeah, I'll take it 😎

israel added the bug label Mar 3, 2025
sfc-gh-jmichalak self-assigned this Mar 3, 2025
sfc-gh-jmichalak added the resource:schema and category:stable labels Mar 3, 2025

@sfc-gh-jmichalak (Collaborator)

Hi @israel 👋

I couldn't reproduce this. After applying the configuration and running terraform apply -refresh-only, I get the following:

```
❯ terraform apply -refresh-only
Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan:

  # snowflake_schema.schema has changed
  ~ resource "snowflake_schema" "schema" {
        id                                            = "\"JMICHALAK\".\"my_schema\""
        name                                          = "my_schema"
      ~ show_output                                   = [
          ~ {
              ~ is_current      = true -> false
                name            = "my_schema"
                # (9 unchanged attributes hidden)
            },
        ]
        # (24 unchanged attributes hidden)
    }


This is a refresh-only plan, so Terraform will not take any actions to undo these. If you were expecting these changes then you can apply this
plan to record the updated values in the Terraform state without changing any remote objects.

Would you like to update the Terraform state to reflect these detected changes?
  Terraform will write these changes to the state without modifying any real infrastructure.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes


Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
```

What is the reason for using terraform apply -refresh-only instead of terraform plan or terraform plan -refresh-only? Also, please check #3396 (comment) for related context.


israel commented Mar 3, 2025

Hi @sfc-gh-jmichalak ,

Did you first successfully apply the resource?
I can see in the provider code, in several places that for a true/false property, if not set, the provider will add 'default' (for example:

- `is_secure` (String) Specifies that the function is secure. By design, the Snowflake's `SHOW FUNCTIONS` command does not provide information about secure functions (consult [function docs](https://docs.snowflake.com/en/sql-reference/sql/create-function#id1) and [Protecting Sensitive Information with Secure UDFs and Stored Procedures](https://docs.snowflake.com/en/developer-guide/secure-udf-procedure)) which is essential to manage/import function with Terraform. Use the role owning the function while managing secure functions. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value.
). I guess this fails the validation when I run terraform apply -refresh-only

Here's a more complete output:
```
Error: expected [{{} with_managed_access}] to be one of ["true" "false"], got default
│
│ with snowflake_schema.ujschema,
│ on main.tf.json line 1, in resource.snowflake_schema.ujschema:
│ 1: {"provider":{"snowflake":{"account_name":"poc","organization_name":"XXX","password":"XXXXX","preview_features_enabled":["snowflake_table_resource"],"role":"SYSADMIN","user":"tf_user"}},"resource":{"snowflake_schema":{"ujschema":{"comment":"upjet schema","data_retention_time_in_days":1,"database":"ujdp","is_transient":"default","lifecycle":{"prevent_destroy":true},"log_level":"OFF","max_data_extension_time_in_days":14,"name":"ujschema","storage_serialization_policy":"OPTIMIZED","suspend_task_after_num_failures":10,"trace_level":"OFF","user_task_managed_initial_warehouse_size":"Medium","user_task_minimum_trigger_interval_in_seconds":30,"user_task_timeout_ms":3600000,"with_managed_access":"default"}}},"terraform":{"required_providers":{"snowflake":{"source":"Snowflake-Labs/snowflake","version":"1.0.4"}}}}
```

@sfc-gh-jmichalak (Collaborator)

I checked TF 1.11.0 and provider 1.0.4 and the apply succeeds.

  • Are you sure that's the correct config? Based on your complete output, you have a comment set, for example, so I'm not sure.
  • On which version did this start happening?
  • Please send logs with TF_LOG=DEBUG.

Please read more about handling default values here (Default values, Validations and "Empty" values sections). We use the default value inside the state as a workaround for a few limitations in Terraform SDK v2. The validations are called only for the values provided by users, not the ones set by the provider. We have made this change a few months ago, and such issues haven't been reported until now.
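
Added example, not part of the thread or of the provider's code: a pre-flight check for a generated `main.tf.json` that finds boolean-string attributes carrying the literal `"default"` (the value the error output above rejects) and drops them so the provider fills in its own default. The attribute table and function names are assumptions built from the fields named on this page; the sample is constructed from the quoted configuration.

```python
import json

# Attributes named on this page whose only accepted user-supplied values are
# "true" or "false". Assumption: this table is maintained by hand per resource.
BOOL_STRING_ATTRS = {"snowflake_schema": {"is_transient", "with_managed_access"}}
ALLOWED = {"true", "false"}


def iter_resources(config):
    """Yield (type, name, body) for each resource in Terraform JSON syntax."""
    blocks = config.get("resource", {})
    for block in blocks if isinstance(blocks, list) else [blocks]:
        for rtype, named in block.items():
            for name, body in named.items():
                for item in body if isinstance(body, list) else [body]:
                    yield rtype, name, item


def find_invalid(config):
    """Return (address, attribute, value) for values validation would reject."""
    findings = []
    for rtype, name, body in iter_resources(config):
        for attr in sorted(BOOL_STRING_ATTRS.get(rtype, ())):
            value = body.get(attr)
            if isinstance(value, str) and value not in ALLOWED:
                findings.append((f"{rtype}.{name}", attr, value))
    return findings


def strip_provider_defaults(config):
    """Drop attributes set to the literal "default" so the provider sets them."""
    for rtype, _name, body in iter_resources(config):
        for attr in BOOL_STRING_ATTRS.get(rtype, ()):
            if body.get(attr) == "default":
                del body[attr]
    return config


# Constructed sample, trimmed from the configuration quoted in the error output.
SAMPLE = json.loads("""
{"resource": {"snowflake_schema": {"ujschema": {
  "name": "ujschema", "database": "ujdp", "comment": "upjet schema",
  "is_transient": "default", "with_managed_access": "default"}}}}
""")

if __name__ == "__main__":
    for address, attr, value in find_invalid(SAMPLE):
        print(f'{address}: {attr} = {value!r} (expected "true" or "false")')
    print(json.dumps(strip_provider_defaults(SAMPLE), indent=2))
```
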

Snowflake-Labs deleted a comment from israel Mar 6, 2025