From c2a1e880cce27cc32d74755f425a6ea9b9a431ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominik=20Gniewek-W=C4=99grzyn?=
Date: Thu, 31 Oct 2024 15:18:18 +0100
Subject: [PATCH] feat: add possibility to grant DB role to share

---
 README.md | 2 ++
 examples/complete/README.md | 2 ++
 examples/complete/main.tf | 14 ++++++++++++++
 main.tf | 7 +++++++
 variables.tf | 6 ++++++
 5 files changed, 31 insertions(+)

diff --git a/README.md b/README.md
index 41bd5bc..cbe5587 100644
--- a/README.md
+++ b/README.md
@@ -114,6 +114,7 @@ List od code and variable (API) changes:
 | [granted\_database\_roles](#input\_granted\_database\_roles) | Database Roles granted to this role | `list(string)` | `[]` | no |
 | [granted\_to\_database\_roles](#input\_granted\_to\_database\_roles) | Fully qualified Parent Database Role name (`DB_NAME.ROLE_NAME`), to create parent-child relationship | `list(string)` | `[]` | no |
 | [granted\_to\_roles](#input\_granted\_to\_roles) | List of Snowflake Account Roles to grant this role to | `list(string)` | `[]` | no |
+| [granted\_to\_shares](#input\_granted\_to\_shares) | List of Snowflake Shares to grant this role to | `list(string)` | `[]` | no |
 | [name](#input\_name) | Name of the resource | `string` | n/a | yes |
 | [name\_scheme](#input\_name\_scheme) | Naming scheme configuration for the resource. This configuration is used to generate names using context provider:
- `properties` - list of properties to use when creating the name - is superseded by `var.context_templates`
- `delimiter` - delimited used to create the name from `properties` - is superseded by `var.context_templates`
- `context_template_name` - name of the context template used to create the name
- `replace_chars_regex` - regex to use for replacing characters in property-values created by the provider - any characters that match the regex will be removed from the name
- `extra_values` - map of extra label-value pairs, used to create a name |
object({
properties = optional(list(string), ["environment", "name"])
delimiter = optional(string, "_")
context_template_name = optional(string, "snowflake-user")
replace_chars_regex = optional(string, "[^a-zA-Z0-9_]")
extra_values = optional(map(string))
})
| `{}` | no |
 | [parent\_database\_role](#input\_parent\_database\_role) | DEPRECATED variable - please use `granted_to_database_roles` instead | `string` | `null` | no |
@@ -154,6 +155,7 @@ No modules.
 | [snowflake_grant_database_role.granted_database_roles](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_database_role) | resource |
 | [snowflake_grant_database_role.granted_to_database_roles](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_database_role) | resource |
 | [snowflake_grant_database_role.granted_to_role](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_database_role) | resource |
+| [snowflake_grant_database_role.granted_to_share](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_database_role) | resource |
 | [snowflake_grant_database_role.parent_database_role](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_database_role) | resource |
 | [snowflake_grant_privileges_to_database_role.database_grants](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_privileges_to_database_role) | resource |
 | [snowflake_grant_privileges_to_database_role.schema_grants](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_privileges_to_database_role) | resource |
diff --git a/examples/complete/README.md b/examples/complete/README.md
index 56cdf45..d04c32f 100644
--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -172,7 +172,9 @@ terraform apply tfplan
 | [snowflake_database_role.db_role_1](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/database_role) | resource |
 | [snowflake_database_role.db_role_2](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/database_role) | resource |
 | [snowflake_database_role.db_role_3](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/database_role) | resource |
+| [snowflake_grant_privileges_to_share.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_privileges_to_share) | resource |
 | [snowflake_schema.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/schema) | resource |
+| [snowflake_share.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/share) | resource |
 | [snowflake_table.table_1](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/table) | resource |
 | [snowflake_table.table_2](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/table) | resource |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 752e8b7..8fff1b9 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -63,6 +63,16 @@ resource "snowflake_database_role" "db_role_3" {
 name = "DB_ROLE_3"
 }
+resource "snowflake_share" "this" {
+ name = "TEST_SHARE"
+}
+
+resource "snowflake_grant_privileges_to_share" "this" {
+ to_share = snowflake_share.this.name
+ privileges = ["USAGE"]
+ on_database = snowflake_database.this.name
+}
+
 module "snowflake_database_role_1" {
 source = "../../"
@@ -133,6 +143,10 @@ module "snowflake_database_role_2" {
 extra_values = {
 schema = "BRONZE"
 }
 }
 context_templates = var.context_templates
+
+ granted_to_shares = [snowflake_share.this.name]
+
+ depends_on = [snowflake_grant_privileges_to_share.this]
 }
diff --git a/main.tf b/main.tf
index c621395..7c2185a 100644
--- a/main.tf
+++ b/main.tf
@@ -28,6 +28,13 @@ resource "snowflake_grant_database_role" "granted_to_role" {
 parent_role_name = each.value
 }
+resource "snowflake_grant_database_role" "granted_to_share" {
+ for_each = toset(var.granted_to_shares)
+
+ database_role_name = local.database_role_name
+ share_name = each.value
+}
+
 resource "snowflake_grant_database_role" "parent_database_role" {
 count = var.parent_database_role != null ? 1 : 0
diff --git a/variables.tf b/variables.tf
index c11f836..263f987 100644
--- a/variables.tf
+++ b/variables.tf
@@ -26,6 +26,12 @@ variable "granted_to_roles" {
 default = []
 }
+variable "granted_to_shares" {
+ description = "List of Snowflake Shares to grant this role to"
+ type = list(string)
+ default = []
+}
+
 variable "granted_to_database_roles" {
 description = "Fully qualified Parent Database Role name (`DB_NAME.ROLE_NAME`), to create parent-child relationship"
 type = list(string)
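Review bot: The `depends_on = [snowflake_grant_privileges_to_share.this]` added to module `snowflake_database_role_2` encodes an ordering the example never explains: the share has to hold USAGE on the database (the grant created in the earlier examples/complete/main.tf hunk) before the module's database role can be granted to it, and the module has no way to declare that dependency on its own. Without a comment the next maintainer is likely to drop the line as noise and presumably hit an apply-time error on the share grant. Suggested comment above it: `# The share must already hold USAGE on the database before a database role can be granted to it; the module cannot express this dependency itself.` The module block begins outside the hunk.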
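Review bot: `snowflake_grant_database_role.granted_to_share` is the only grant in this module whose effect leaves the account — the objects that `local.database_role_name` has privileges on (collected via the module's `database_grants`/`schema_grants`) become available to the consumer accounts of each share in `var.granted_to_shares` — and the resource carries no comment saying so. A header comment such as `# Grants this database role to each share; consumer accounts of those shares gain access to everything the role has privileges on, so treat entries in var.granted_to_shares as a data-sharing boundary.` would make that explicit to anyone reviewing a plan. It would also help to note the precondition the example works around with `depends_on`: the share must already hold USAGE on the database, which this module does not grant. The `granted_to_role` resource above the insertion starts outside the hunk.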
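Review bot: The description of `granted_to_shares` leaves the expected name form unstated, whereas the neighbouring `granted_to_database_roles` spells out its `DB_NAME.ROLE_NAME` format; the example passes the bare `snowflake_share.this.name`, so presumably an unqualified share name is expected — worth confirming against the provider's `share_name` argument and stating. Since each entry widens who can read this database, the description is also the right place to record that and the USAGE precondition, e.g. `description = "List of Snowflake Share names to grant this role to. Each share must already hold USAGE on the database; consumer accounts of the share gain access to the objects this role has privileges on."` The `granted_to_database_roles` block that follows runs past the end of the hunk.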