chore: refactor to use map of list objects

examples/complete/main.tf

@@ -33,25 +33,32 @@ module "snowflake_database_role" {
   #   },
   # ]
 
-  schema_objects_grants = [
-    {
-      object_type = "VIEWS"
-      privileges  = ["SELECT"]
-      on_all      = true
-      in_schema   = "BRONZE"
-    },
-    {
-      object_type = "TABLE"
-      privileges  = ["SELECT"]
-      object_name = "TEST_TABLE"
-      in_schema   = "BRONZE"
-    },
-    {
-      object_type = "ICEBERG TABLES"
-      privileges  = ["SELECT"]
-      on_future   = true
-      in_schema   = "BRONZE"
-    }
-  ]
-
+  schema_objects_grants = {
+    "TABLE" = [
+      {
+        privileges  = ["SELECT"]
+        object_name = "TEST_TABLE"
+        schema_name = "BRONZE"
+      },
+      {
+        all_privileges = true
+        object_name    = "TEST_TABLE_2"
+        schema_name    = "BRONZE"
+      }
+    ]
+    "ICEBERG TABLE" = [
+      {
+        privileges = ["SELECT"]
+        on_future  = true
+        on_all     = true
+      },
+      {
+        privileges  = ["SELECT"]
+        object_name = "TEST_ICEBERG_TABLE"
+        schema_name = "BRONZE"
+      }
+    ]
+  }
 }
+
+

locals.tf

@@ -22,19 +22,47 @@ locals {
   }
 
   schema_objects_grants = {
-    for schema_objects_grant in var.schema_objects_grants :
-    "${one(snowflake_database_role.this[*].database)}_${one(snowflake_database_role.this[*].name)}${
-      schema_objects_grant.object_type != null && schema_objects_grant.object_name != null ?
-      "_${schema_objects_grant.object_type}_${schema_objects_grant.object_name}_${schema_objects_grant.all_privileges == true ? "ALL" : join("_", schema_objects_grant.privileges)}"
+    for index, grant in flatten([
+      for object_type, grants in var.schema_objects_grants : [
+        for grant in grants :
+        grant.on_all && grant.on_future ? [
+          merge(
+            grant,
+            {
+              object_type = "${object_type}S",
+              on_future   = true,
+              on_all      = false
+            }
+          ),
+          merge(
+            grant,
+            {
+              object_type = "${object_type}S",
+              on_future   = false,
+              on_all      = true
+            }
+          )
+          ] : [
+          merge(
+            grant,
+            {
+              object_type = grant.on_all || grant.on_future ? "${object_type}S" : object_type
+            }
+          )
+        ]
+      ]
+      ]) : "${one(snowflake_database_role.this[*].database)}_${one(snowflake_database_role.this[*].name)}${
+      grant.object_type != null && grant.object_name != null ?
+      "_${grant.object_type}_${grant.object_name}_${grant.all_privileges == true ? "ALL" : join("_", grant.privileges)}"
       : ""
       }${
-      schema_objects_grant.on_all != null && schema_objects_grant.on_all ?
-      "_ALL_${schema_objects_grant.object_type}${schema_objects_grant.in_schema != null ? "_${schema_objects_grant.in_schema}_${schema_objects_grant.all_privileges == true ? "ALL" : join("_", schema_objects_grant.privileges)}" : ""}"
+      grant.on_all != null && grant.on_all ?
+      "_ALL_${grant.object_type}${grant.schema_name != null ? "_${grant.schema_name}_${grant.all_privileges == true ? "ALL" : join("_", grant.privileges)}" : ""}"
       : ""
       }${
-      schema_objects_grant.on_future != null && schema_objects_grant.on_future ?
-      "_FUTURE_${schema_objects_grant.object_type}${schema_objects_grant.in_schema != null ? "_${schema_objects_grant.in_schema}_${schema_objects_grant.all_privileges == true ? "ALL" : join("_", schema_objects_grant.privileges)}" : ""}"
+      grant.on_future != null && grant.on_future ?
+      "_FUTURE_${grant.object_type}${grant.schema_name != null ? "_${grant.schema_name}_${grant.all_privileges == true ? "ALL" : join("_", grant.privileges)}" : ""}"
       : ""
-    }" => schema_objects_grant
+    }" => grant
   }
 }

main.tf

@@ -66,22 +66,22 @@ resource "snowflake_grant_privileges_to_database_role" "schema_objects_grants" {
 
   on_schema_object {
     object_type = each.value.object_type != null && !try(each.value.on_all, false) && !try(each.value.on_future, false) ? each.value.object_type : null
-    object_name = each.value.object_name != null && !try(each.value.on_all, false) && !try(each.value.on_future, false) ? "\"${one(snowflake_database_role.this[*].database)}\".\"${each.value.in_schema}\".\"${each.value.object_name}\"" : null
+    object_name = each.value.object_name != null && !try(each.value.on_all, false) && !try(each.value.on_future, false) ? "\"${one(snowflake_database_role.this[*].database)}\".\"${each.value.schema_name}\".\"${each.value.object_name}\"" : null
     dynamic "all" {
       for_each = try(each.value.on_all, false) ? [1] : []
       content {
         object_type_plural = each.value.object_type
-        in_database        = each.value.in_schema != null ? null : one(snowflake_database_role.this[*].database)
-        in_schema          = each.value.in_schema != null ? "\"${one(snowflake_database_role.this[*].database)}\".\"${each.value.in_schema}\"" : null
+        in_database        = each.value.schema_name != null ? null : one(snowflake_database_role.this[*].database)
+        in_schema          = each.value.schema_name != null ? "\"${one(snowflake_database_role.this[*].database)}\".\"${each.value.schema_name}\"" : null
       }
     }
 
     dynamic "future" {
       for_each = try(each.value.on_future, false) ? [1] : []
       content {
         object_type_plural = each.value.object_type
-        in_database        = each.value.in_schema != null ? null : one(snowflake_database_role.this[*].database)
-        in_schema          = each.value.in_schema != null ? "\"${one(snowflake_database_role.this[*].database)}\".\"${each.value.in_schema}\"" : null
+        in_database        = each.value.schema_name != null ? null : one(snowflake_database_role.this[*].database)
+        in_schema          = each.value.schema_name != null ? "\"${one(snowflake_database_role.this[*].database)}\".\"${each.value.schema_name}\"" : null
       }
     }
   }

variables.tf

@@ -73,29 +73,26 @@ variable "schema_grants" {
 
 variable "schema_objects_grants" {
   description = "Grants on a schema object level"
-  type = list(object({
+  type = map(list(object({
     all_privileges    = optional(bool)
     with_grant_option = optional(bool)
     privileges        = optional(list(string))
-    object_type       = optional(string)
     object_name       = optional(string)
     on_all            = optional(bool, false)
-    in_schema         = optional(string)
+    schema_name       = optional(string)
     on_future         = optional(bool, false)
-  }))
-  default = []
+  })))
+  default = {}
 
   validation {
-    condition     = alltrue([for grant in var.schema_objects_grants : (grant.privileges != null) != (grant.all_privileges != null)])
+    condition     = alltrue([for object_type, grants in var.schema_objects_grants : alltrue([for grant in grants : (grant.privileges != null) != (grant.all_privileges != null)])])
     error_message = "Variable `schema_objects_grants` fails validation - only one of `privileges` or `all_privileges` can be set."
   }
 
   validation {
-    condition = alltrue([for grant in var.schema_objects_grants :
-      (grant.object_type != null && grant.object_name != null ? 1 : 0) +
-      (grant.on_all == true ? 1 : 0) +
-      (grant.on_future == true ? 1 : 0) == 1
-    ])
-    error_message = "Variable `schema_objects_grants` fails validation - only one of `object_type` and `object_name`, `on_all`, or `on_future` can be set."
+    condition = alltrue([for object_type, grants in var.schema_objects_grants : alltrue([for grant in grants :
+      !(grant.object_name != null && (grant.on_all == true || grant.on_future == true))
+    ])])
+    error_message = "Variable `schema_objects_grants` fails validation - `object_name` cannot be set with `on_all` or `on_future`."
   }
 }