chanzuckerberg/cztack

Terraform modules snowflake-XXX-grant-all should not have OWNERSHIP privileges

wconti1017 opened this issue · 1 comments

All the Terraform modules have the OWNERSHIP role in their privileges list, for example in the snowflake-warehouse-grant-all module:

"privileges": [
  "MODIFY",
  "MONITOR",
  "OPERATE",
  "OWNERSHIP",
  "USAGE"
]

This is incorrect, because the actual result of the Snowflake command GRANT ALL ON WAREHOUSE TO ROLE will give the following privileges: MODIFY, MONITOR, OPERATE and USAGE.

I have this issue too. Please remove OWNERSHIP privileges from all "all" grants.
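A check for the problem reported in this issue, as an added example that is not code from cztack or from either participant: it walks a JSON document, reports the path of every "privileges" list that contains OWNERSHIP, and returns a copy with that entry removed. The sample document and every key name other than "privileges" are constructed for illustration.

```python
import json

# Constructed sample: only the "privileges" key and the warehouse list come
# from the issue; the surrounding key names are hypothetical.
SAMPLE = """
{
  "warehouse_grant_all": {
    "privileges": ["MODIFY", "MONITOR", "OPERATE", "OWNERSHIP", "USAGE"]
  },
  "nested": [
    {"example_grant_all": {"privileges": ["USAGE"]}}
  ]
}
"""
SAMPLE_DOC = json.loads(SAMPLE)

def _is_ownership(priv):
    return isinstance(priv, str) and priv.strip().upper() == "OWNERSHIP"

def find_ownership(node, path="$"):
    """Yield the JSON path of every "privileges" list that contains OWNERSHIP."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "privileges" and isinstance(value, list):
                if any(_is_ownership(p) for p in value):
                    yield child
            else:
                yield from find_ownership(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_ownership(item, f"{path}[{index}]")

def strip_ownership(node):
    """Return a copy of node with OWNERSHIP removed from every "privileges" list."""
    if isinstance(node, dict):
        return {
            k: ([p for p in v if not _is_ownership(p)]
                if k == "privileges" and isinstance(v, list)
                else strip_ownership(v))
            for k, v in node.items()
        }
    if isinstance(node, list):
        return [strip_ownership(item) for item in node]
    return node

if __name__ == "__main__":
    for hit in find_ownership(SAMPLE_DOC):
        print("OWNERSHIP granted at", hit)
    print(json.dumps(strip_ownership(SAMPLE_DOC), indent=2))
```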