Description
Terraform CLI Version
1.14.6
Terraform Provider Version
2.14.0
Company Name
No response
Terraform Configuration
resource "snowflake_grant_privileges_to_database_role" "read_future_mcp_in_database" {
  privileges         = ["USAGE"]
  database_role_name = snowflake_database_role.database_role.fully_qualified_name
  on_schema_object {
    future {
      object_type_plural = "MCP Servers"
      in_database        = var.database_name
    }
  }
}
Category
category:grants
Object type(s)
resource:grant_privileges_to_database_role
Expected Behavior
@sfc-gh-jmichalak added "MCP Server" types to grant objects a few weeks ago in #4478 (much thanks). We implemented them pretty quickly for a project that happened to line up soon after. We expected to be able to grant USAGE permissions on the object and for it to apply once, then for the Terraform state to track that it has already been applied and not touch it after.
Actual Behavior
After the initial creation of the grant, subsequent Terraform applies infinitely recreated the same grants on the same database roles. The Terraform state was not properly recognizing the existing grants.
We noticed that the output that Snowflake provides in the "SHOW FUTURE GRANTS" response that the provider uses to track state changes does not match the object type identifier that is defined inside of this provider. Where the provider expects to see "MCP_SERVER", Snowflake returns "CORTEX_AGENT_SERVER". So the check for the grant returns empty, and the grant reapplies.
This is also the case for the "Models" and "Volumes" types, which had to be mapped in #3070 and #2538 respectively. I believe the correction here (if it is not decided to just change the output of show grants) is to also add a mapping for the MCP Server -> Cortex Agent Server shift.
Steps to Reproduce
Create a grant resource as shown in the configuration
Apply it
Apply it again
How much impact is this issue causing?
Low
Logs
No response
Additional Information
These blocks on lines 242 and 257 of pkg/sdk/grants.go resolved this issue for me on local:
    if row.GrantedOn == "CORTEX_AGENT_SERVER" {
        grantedOn = ObjectTypeMcpServer
    }
    ...
    if row.GrantOn == "CORTEX_AGENT_SERVER" {
        grantOn = ObjectTypeMcpServer
    }
Would you like to implement a fix?
- Yeah, I'll take it 😎
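
The state lookup described in this issue, reduced to a stand-alone sketch: an added example, not code from the issue or from the provider. Only `ObjectTypeMcpServer`, `MCP_SERVER` and `CORTEX_AGENT_SERVER` come from the report; the row type, the alias table, the function names and the sample row are hypothetical and constructed for illustration.

```go
package main

import "fmt"

// ObjectType stands in for the provider's object type identifiers (simplified).
type ObjectType string

const ObjectTypeMcpServer ObjectType = "MCP_SERVER"

// futureGrantRow is a hypothetical, cut-down row of SHOW FUTURE GRANTS output.
type futureGrantRow struct {
	Privilege string
	GrantOn   string // object type exactly as Snowflake reports it
	Grantee   string
}

// showAliases maps reported names to provider identifiers (only the issue's pair).
var showAliases = map[string]ObjectType{
	"CORTEX_AGENT_SERVER": ObjectTypeMcpServer,
}

// normalize returns the provider-side object type for a reported name.
func normalize(reported string, aliases map[string]ObjectType) ObjectType {
	if t, ok := aliases[reported]; ok {
		return t
	}
	return ObjectType(reported)
}

// grantInState reports whether the configured grant is found among the rows,
// which is what decides between "no changes" and re-creating the grant.
func grantInState(rows []futureGrantRow, want ObjectType, priv, role string, aliases map[string]ObjectType) bool {
	for _, r := range rows {
		if r.Privilege == priv && r.Grantee == role && normalize(r.GrantOn, aliases) == want {
			return true
		}
	}
	return false
}

// sampleRows is constructed sample data, not captured Snowflake output.
func sampleRows() []futureGrantRow {
	return []futureGrantRow{{Privilege: "USAGE", GrantOn: "CORTEX_AGENT_SERVER", Grantee: "DB_ROLE"}}
}

func main() {
	fmt.Println("without alias:", grantInState(sampleRows(), ObjectTypeMcpServer, "USAGE", "DB_ROLE", nil))
	fmt.Println("with alias:   ", grantInState(sampleRows(), ObjectTypeMcpServer, "USAGE", "DB_ROLE", showAliases))
}
```

Without the alias the lookup misses a grant that exists, so every apply plans it again; a regression test that feeds each supported object type's reported name through the read path would catch the next renamed type before it reaches a plan.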