Dbt Cloud Provider: Invalid Schema/Dataset Names Allowed

Aug 11, 2025 by Henrik Larsen 57 views

Provider Allows Invalid Environment Schema/Dataset Names Without Validation

Hey guys! Today, we're diving into a sneaky bug in the dbt Cloud Terraform provider that can cause some headaches if you're not careful. It's all about how the provider handles schema and dataset names – or, more accurately, doesn't handle them – and how this can lead to runtime failures. Let's break it down and see how we can avoid this pitfall.

The Bug: Invalid Names Slip Through

The core issue is that the dbt Cloud Terraform provider doesn't validate schema or dataset names when you're setting up credentials or environments. This means you can accidentally create resources with names that are invalid according to your data warehouse's rules. The Terraform apply will succeed, making you think everything's fine and dandy, but the real trouble starts later.

When you try to run a dbt job or create objects using these invalid names, boom! The whole thing crashes at runtime. This is super frustrating because you only find out about the problem when something breaks, rather than when you're initially setting things up. It's like building a house with faulty foundations – it might look good at first, but it's gonna crumble eventually.

Affected Resources: A Long List

The problem isn't limited to just one type of resource; it potentially affects quite a few. Here’s a rundown of the resources that might be vulnerable to this lack of validation:

dbtcloud_databricks_credential.schema
dbtcloud_snowflake_credential.schema
dbtcloud_bigquery_credential.dataset
dbtcloud_redshift_credential.default_schema
dbtcloud_postgres_credential.default_schema
dbtcloud_starburst_credential.schema
dbtcloud_teradata_credential.schema
dbtcloud_synapse_credential.schema
dbtcloud_fabric_credential.schema
dbtcloud_athena_credential.schema

That’s a hefty list, so it’s crucial to be extra vigilant when working with these resources. The key takeaway here is that you can't rely on the provider to catch these errors for you right now – you've got to be your own gatekeeper.

Minimal Terraform Configuration: Spot the Error

To illustrate the issue, let's look at a minimal Terraform configuration that triggers the bug. Pay close attention to the schema value in the dbtcloud_databricks_credential resource:

terraform {
  required_providers {
    dbtcloud = {
      source  = "dbt-labs/dbtcloud"
      version = "~> 1.0"
    }
  }
}

provider "dbtcloud" {
  account_id = var.dbt_account_id
  token      = var.dbt_token
  host_url   = var.dbt_host_url
}

resource "dbtcloud_project" "example" {
  name = "Validation Test"
}

resource "dbtcloud_databricks_credential" "invalid_schema" {
  project_id   = dbtcloud_project.example.id
  token        = "placeholder"
  schema       = "dbt_prod_schema_databricks_user/token" # invalid: contains '/'
  adapter_type = "databricks"
  catalog      = "main"
}

Notice the / in the schema value: `