feat: Snowflake db role (#4)

* feat: initial commit WIP * chore: add WIP for schema and database grants * feat: use name from resource to make dependency * chore: add more validation * feat: add proper names for schema_objects_grants * fix: database name extraction from resource * chore: add validation for object name in schema_object_grants * chore: debug with examples * chore: refactor schema_objects_grants * chore: refactor all_schemas_in_database future_schemas_in_database to use boolean * chore: pre-commit * fix: parent_database_role and granted_database_roles passing arguments * chore: add dummy example to complete * chore: update docs and remove prefix with initials * docs: add notes about module and example * chore: poc for easier UX * chore: refactor to use map of list objects * chore: fix the logic for in_database * chore: add more cases * chore: Update schema_objects_grants input to use a map instead of a list * chore: rename default value for descriptor name * chore: refactor layout for condition Co-authored-by: Dominik Gniewek-Węgrzyn <47598580+dgniewek@users.noreply.github.com> * chore: remove additional code * chore: update description for schema_objects_grants * chore: add database role name with fully qualified format * feat: refactor naming convention and upgrade ux for schema_grants * chore: update test * chore: update examples * chore: update readme * chore: update readme * chore: remove database name * chore: update output name * chore: update description for schema_objects_grants * chore: replace condition in database_grants * chore: pre-commit run * chore: small changes * chore: fix case when database_grants is empty * docs: README.md update * fix: interpolation in tflint --------- Co-authored-by: Dominik Gniewek-Węgrzyn <dominik.gniewek@getindata.com> Co-authored-by: Piotr Sierkin <piotr.sierkin@getindata.com> Co-authored-by: Dominik Gniewek-Węgrzyn <47598580+dgniewek@users.noreply.github.com> Co-authored-by: Daniel Noworyta <daniel.noworyta@getindata.com>
getindata · Jul 15, 2024 · 03b46ac · 03b46ac
1 parent 54bb90c
commit 03b46ac
Show file tree

Hide file tree

Showing 19 changed files with 634 additions and 133 deletions.
diff --git a/README.md b/README.md
diff --git a/examples/complete/.env.dist b/examples/complete/.env.dist
@@ -0,0 +1,6 @@
+export SNOWFLAKE_PRIVATE_KEY_PATH=""
+export SNOWFLAKE_USER=""
+export SNOWFLAKE_ROLE=""
+export SNOWFLAKE_ACCOUNT=""
+export SNOWFLAKE_AUTHENTICATOR=""
+export SNOWFLAKE_REGION=""
diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -1,20 +1,122 @@
 # Complete Example
 
 ```terraform
-module "terraform_module_template" {
+resource "snowflake_database" "this" {
+  name = "TEST_DB"
+}
+
+resource "snowflake_schema" "this" {
+  database = snowflake_database.this.name
+  name     = "BRONZE"
+}
+
+resource "snowflake_table" "table_1" {
+  database = snowflake_schema.this.database
+  schema   = snowflake_schema.this.name
+  name     = "TEST_TABLE_1"
+
+  column {
+    name     = "identity"
+    type     = "NUMBER(38,0)"
+    nullable = true
+
+    identity {
+      start_num = 1
+      step_num  = 3
+    }
+  }
+}
+
+resource "snowflake_table" "table_2" {
+  database = snowflake_schema.this.database
+  schema   = snowflake_schema.this.name
+  name     = "TEST_TABLE_2"
+
+  column {
+    name     = "identity"
+    type     = "NUMBER(38,0)"
+    nullable = true
+
+    identity {
+      start_num = 1
+      step_num  = 3
+    }
+  }
+}
+
+resource "snowflake_database_role" "db_role_1" {
+  database = snowflake_database.this.name
+  name     = "DB_ROLE_1"
+}
+
+resource "snowflake_database_role" "db_role_2" {
+  database = snowflake_database.this.name
+  name     = "DB_ROLE_2"
+}
+
+resource "snowflake_database_role" "db_role_3" {
+  database = snowflake_database.this.name
+  name     = "DB_ROLE_3"
+}
+
+module "snowflake_database_role" {
   source  = "../../"
   context = module.this.context
 
-  example_var = "This is a example value."
-  sub_resource = {
-    example_var = "This is a example value of sub resource."
+  database_name = snowflake_database.this.name
+  name          = "TEST_DB_ROLE"
+
+
+  parent_database_role = snowflake_database_role.db_role_1.name
+  granted_database_roles = [
+    snowflake_database_role.db_role_2.name,
+    snowflake_database_role.db_role_3.name
+  ]
+  database_grants = [
+    {
+      privileges = ["USAGE", "CREATE SCHEMA"]
+    },
+  ]
+
+  schema_grants = [
+    {
+      schema_name = snowflake_schema.this.name
+      privileges  = ["USAGE"]
+    },
+    {
+      future_schemas_in_database = true
+      all_schemas_in_database    = true
+      privileges                 = ["USAGE"]
+    },
+  ]
+
+  schema_objects_grants = {
+    "TABLE" = [
+      {
+        privileges  = ["SELECT"]
+        object_name = snowflake_table.table_1.name
+        schema_name = snowflake_schema.this.name
+      },
+      {
+        all_privileges = true
+        object_name    = snowflake_table.table_2.name
+        schema_name    = snowflake_schema.this.name
+      }
+    ]
+    "ALERT" = [
+      {
+        all_privileges = true
+        on_future      = true
+        on_all         = true
+      }
+    ]
   }
 }
 ```
 
 ## Usage
 ```
 terraform init
-terraform plan -var-file fixtures.tfvars -out tfplan
+terraform plan -out tfplan
 terraform apply tfplan
 ```
diff --git a/examples/complete/fixtures.tfvars b/examples/complete/fixtures.tfvars
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -1,9 +1,111 @@
-module "terraform_module_template" {
+resource "snowflake_database" "this" {
+  name = "TEST_DB"
+}
+
+resource "snowflake_schema" "this" {
+  database = snowflake_database.this.name
+  name     = "BRONZE"
+}
+
+resource "snowflake_table" "table_1" {
+  database = snowflake_schema.this.database
+  schema   = snowflake_schema.this.name
+  name     = "TEST_TABLE_1"
+
+  column {
+    name     = "identity"
+    type     = "NUMBER(38,0)"
+    nullable = true
+
+    identity {
+      start_num = 1
+      step_num  = 3
+    }
+  }
+}
+
+resource "snowflake_table" "table_2" {
+  database = snowflake_schema.this.database
+  schema   = snowflake_schema.this.name
+  name     = "TEST_TABLE_2"
+
+  column {
+    name     = "identity"
+    type     = "NUMBER(38,0)"
+    nullable = true
+
+    identity {
+      start_num = 1
+      step_num  = 3
+    }
+  }
+}
+
+resource "snowflake_database_role" "db_role_1" {
+  database = snowflake_database.this.name
+  name     = "DB_ROLE_1"
+}
+
+resource "snowflake_database_role" "db_role_2" {
+  database = snowflake_database.this.name
+  name     = "DB_ROLE_2"
+}
+
+resource "snowflake_database_role" "db_role_3" {
+  database = snowflake_database.this.name
+  name     = "DB_ROLE_3"
+}
+
+module "snowflake_database_role" {
   source  = "../../"
   context = module.this.context
 
-  example_var = "This is a example value."
-  sub_resource = {
-    example_var = "This is a example value of sub resource."
+  database_name = snowflake_database.this.name
+  name          = "TEST_DB_ROLE"
+
+
+  parent_database_role = snowflake_database_role.db_role_1.name
+  granted_database_roles = [
+    snowflake_database_role.db_role_2.name,
+    snowflake_database_role.db_role_3.name
+  ]
+
+  database_grants = {
+    privileges = ["USAGE", "CREATE SCHEMA"]
+  }
+
+
+  schema_grants = [
+    {
+      schema_name = snowflake_schema.this.name
+      privileges  = ["USAGE"]
+    },
+    {
+      future_schemas_in_database = true
+      all_schemas_in_database    = true
+      privileges                 = ["USAGE"]
+    },
+  ]
+
+  schema_objects_grants = {
+    "TABLE" = [
+      {
+        privileges  = ["SELECT"]
+        object_name = snowflake_table.table_1.name
+        schema_name = snowflake_schema.this.name
+      },
+      {
+        all_privileges = true
+        object_name    = snowflake_table.table_2.name
+        schema_name    = snowflake_schema.this.name
+      }
+    ]
+    "ALERT" = [
+      {
+        all_privileges = true
+        on_future      = true
+        on_all         = true
+      }
+    ]
   }
 }
diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
@@ -1,4 +1,4 @@
-output "example_output" {
-  description = "Example output of the module"
-  value       = module.terraform_module_template
+output "snowflake_database_role" {
+  description = "Snowflake database role outputs"
+  value       = module.snowflake_database_role
 }
diff --git a/examples/complete/providers.tf b/examples/complete/providers.tf
@@ -1,3 +1 @@
-provider "null" {
-  # Configuration options
-}
+provider "snowflake" {}
diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
@@ -1,10 +1,11 @@
 terraform {
-  required_version = ">= 1.3.0"
+  required_version = ">= 1.3"
 
   required_providers {
-    null = {
-      source  = "hashicorp/null"
-      version = "3.1.1"
+    snowflake = {
+      source  = "Snowflake-Labs/snowflake"
+      version = "0.87.2"
     }
   }
+
 }
diff --git a/examples/simple/.env.dist b/examples/simple/.env.dist
@@ -0,0 +1,6 @@
+export SNOWFLAKE_PRIVATE_KEY_PATH=""
+export SNOWFLAKE_USER=""
+export SNOWFLAKE_ROLE=""
+export SNOWFLAKE_ACCOUNT=""
+export SNOWFLAKE_AUTHENTICATOR=""
+export SNOWFLAKE_REGION=""
diff --git a/examples/simple/README.md b/examples/simple/README.md
@@ -1,12 +1,39 @@
 # Simple Example
 
 ```terraform
-module "terraform_module_template" {
+resource "snowflake_database" "this" {
+  name = "TEST_DB"
+}
+
+resource "snowflake_schema" "this" {
+  database = snowflake_database.this.name
+  name     = "BRONZE"
+}
+
+module "snowflake_database_role" {
   source = "../../"
 
-  example_var = "This is a example value."
-  sub_resource = {
-    example_var = "This is a example value of sub resource."
+  database_name = snowflake_database.this.name
+  name          = "TEST_DB_ROLE"
+
+
+  schema_grants = [
+    {
+      future_schemas_in_database = true
+      all_schemas_in_database    = true
+      all_privileges             = true
+    },
+  ]
+
+  schema_objects_grants = {
+    "TABLE" = [
+      {
+        all_privileges = true
+        on_future      = true
+        on_all         = true
+        schema_name    = snowflake_schema.this.name
+      }
+    ]
   }
 }
 ```

diff --git a/examples/simple/main.tf b/examples/simple/main.tf
@@ -1,8 +1,34 @@
-module "terraform_module_template" {
+resource "snowflake_database" "this" {
+  name = "TEST_DB"
+}
+
+resource "snowflake_schema" "this" {
+  database = snowflake_database.this.name
+  name     = "BRONZE"
+}
+
+module "snowflake_database_role" {
   source = "../../"
 
-  example_var = "This is a example value."
-  sub_resource = {
-    example_var = "This is a example value of sub resource."
+  database_name = snowflake_database.this.name
+  name          = "TEST_DB_ROLE"
+
+  schema_grants = [
+    {
+      future_schemas_in_database = true
+      all_schemas_in_database    = true
+      all_privileges             = true
+    },
+  ]
+
+  schema_objects_grants = {
+    "TABLE" = [
+      {
+        all_privileges = true
+        on_future      = true
+        on_all         = true
+        schema_name    = snowflake_schema.this.name
+      }
+    ]
   }
 }
diff --git a/examples/simple/outputs.tf b/examples/simple/outputs.tf
@@ -1,4 +1,4 @@
-output "example_output" {
-  description = "Example output of the module"
-  value       = module.terraform_module_template
+output "snowflake_database_role" {
+  description = "Snowflake database role outputs"
+  value       = module.snowflake_database_role
 }
diff --git a/examples/simple/providers.tf b/examples/simple/providers.tf
@@ -1,3 +1 @@
-provider "null" {
-  # Configuration options
-}
+provider "snowflake" {}