diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 8fc9501..46c0555 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -33,25 +33,32 @@ module "snowflake_database_role" { # }, # ] - schema_objects_grants = [ - { - object_type = "VIEWS" - privileges = ["SELECT"] - on_all = true - in_schema = "BRONZE" - }, - { - object_type = "TABLE" - privileges = ["SELECT"] - object_name = "TEST_TABLE" - in_schema = "BRONZE" - }, - { - object_type = "ICEBERG TABLES" - privileges = ["SELECT"] - on_future = true - in_schema = "BRONZE" - } - ] - + schema_objects_grants = { + "TABLE" = [ + { + privileges = ["SELECT"] + object_name = "TEST_TABLE" + schema_name = "BRONZE" + }, + { + all_privileges = true + object_name = "TEST_TABLE_2" + schema_name = "BRONZE" + } + ] + "ICEBERG TABLE" = [ + { + privileges = ["SELECT"] + on_future = true + on_all = true + }, + { + privileges = ["SELECT"] + object_name = "TEST_ICEBERG_TABLE" + schema_name = "BRONZE" + } + ] + } } + + diff --git a/locals.tf b/locals.tf index 830f5b3..e44da22 100644 --- a/locals.tf +++ b/locals.tf 
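Review bot: The second `"ICEBERG TABLE"` entry (`on_future = true`, `on_all = true`) carries no `schema_name`, and with the `in_database`/`in_schema` selection in `main.tf` (`in_database = each.value.schema_name != null ? null : one(...database)`) that means the example grants SELECT on every current and future iceberg table in the whole database, while every other entry is limited to `BRONZE`. If the intent is only to show the combined `on_all`/`on_future` form, add `schema_name = "BRONZE"`; if the database-wide scope is deliberate, a comment such as `# no schema_name: grant applies to the whole database` keeps readers from copying the broad scope by accident. The enclosing `module` block starts before the hunk.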
@@ -22,19 +22,47 @@ locals { } schema_objects_grants = { - for schema_objects_grant in var.schema_objects_grants : - "${one(snowflake_database_role.this[*].database)}_${one(snowflake_database_role.this[*].name)}${ - schema_objects_grant.object_type != null && schema_objects_grant.object_name != null ? - "_${schema_objects_grant.object_type}_${schema_objects_grant.object_name}_${schema_objects_grant.all_privileges == true ? "ALL" : join("_", schema_objects_grant.privileges)}" + for index, grant in flatten([ + for object_type, grants in var.schema_objects_grants : [ + for grant in grants : + grant.on_all && grant.on_future ? [ + merge( + grant, + { + object_type = "${object_type}S", + on_future = true, + on_all = false + } + ), + merge( + grant, + { + object_type = "${object_type}S", + on_future = false, + on_all = true + } + ) + ] : [ + merge( + grant, + { + object_type = grant.on_all || grant.on_future ? "${object_type}S" : object_type + } + ) + ] + ] + ]) : "${one(snowflake_database_role.this[*].database)}_${one(snowflake_database_role.this[*].name)}${ + grant.object_type != null && grant.object_name != null ? + "_${grant.object_type}_${grant.object_name}_${grant.all_privileges == true ? "ALL" : join("_", grant.privileges)}" : "" }${ - schema_objects_grant.on_all != null && schema_objects_grant.on_all ? - "_ALL_${schema_objects_grant.object_type}${schema_objects_grant.in_schema != null ? "_${schema_objects_grant.in_schema}_${schema_objects_grant.all_privileges == true ? "ALL" : join("_", schema_objects_grant.privileges)}" : ""}" + grant.on_all != null && grant.on_all ? + "_ALL_${grant.object_type}${grant.schema_name != null ? "_${grant.schema_name}_${grant.all_privileges == true ? "ALL" : join("_", grant.privileges)}" : ""}" : "" }${ - schema_objects_grant.on_future != null && schema_objects_grant.on_future ? - "_FUTURE_${schema_objects_grant.object_type}${schema_objects_grant.in_schema != null ? 
"_${schema_objects_grant.in_schema}_${schema_objects_grant.all_privileges == true ? "ALL" : join("_", schema_objects_grant.privileges)}" : ""}" + grant.on_future != null && grant.on_future ? + "_FUTURE_${grant.object_type}${grant.schema_name != null ? "_${grant.schema_name}_${grant.all_privileges == true ? "ALL" : join("_", grant.privileges)}" : ""}" : "" - }" => schema_objects_grant + }" => grant } } diff --git a/main.tf b/main.tf index b4b2972..4365b4a 100644 --- a/main.tf +++ b/main.tf @@ -66,13 +66,13 @@ resource "snowflake_grant_privileges_to_database_role" "schema_objects_grants" { on_schema_object { object_type = each.value.object_type != null && !try(each.value.on_all, false) && !try(each.value.on_future, false) ? each.value.object_type : null - object_name = each.value.object_name != null && !try(each.value.on_all, false) && !try(each.value.on_future, false) ? "\"${one(snowflake_database_role.this[*].database)}\".\"${each.value.in_schema}\".\"${each.value.object_name}\"" : null + object_name = each.value.object_name != null && !try(each.value.on_all, false) && !try(each.value.on_future, false) ? "\"${one(snowflake_database_role.this[*].database)}\".\"${each.value.schema_name}\".\"${each.value.object_name}\"" : null dynamic "all" { for_each = try(each.value.on_all, false) ? [1] : [] content { object_type_plural = each.value.object_type - in_database = each.value.in_schema != null ? null : one(snowflake_database_role.this[*].database) - in_schema = each.value.in_schema != null ? "\"${one(snowflake_database_role.this[*].database)}\".\"${each.value.in_schema}\"" : null + in_database = each.value.schema_name != null ? null : one(snowflake_database_role.this[*].database) + in_schema = each.value.schema_name != null ? "\"${one(snowflake_database_role.this[*].database)}\".\"${each.value.schema_name}\"" : null } } 
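Review bot: The pluralization in the new `flatten([...])` projection, `object_type = "${object_type}S"` (used in both `merge` branches and in the `grant.on_all || grant.on_future ? ... : object_type` fallback), is only right for object types with a regular plural; Snowflake spells `ON ALL MASKING POLICIES` / `ROW ACCESS POLICIES`, so a map key such as `"MASKING POLICY"` would presumably be sent as `MASKING POLICYS` and be rejected by the provider. An override map consulted first, e.g. `object_type = lookup(local.plural_overrides, object_type, "${object_type}S")` with `plural_overrides = { "MASKING POLICY" = "MASKING POLICIES" }` (name constructed), keeps the `S` default for the common case. The `index` in `for index, grant in flatten([...])` is never used, so `for grant in flatten([...])` reads cleaner. The enclosing `locals` block starts before the hunk.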
@@ -80,8 +80,8 @@ resource "snowflake_grant_privileges_to_database_role" "schema_objects_grants" {
 for_each = try(each.value.on_future, false) ? [1] : []
 content {
 object_type_plural = each.value.object_type
- in_database = each.value.in_schema != null ? null : one(snowflake_database_role.this[*].database)
- in_schema = each.value.in_schema != null ? "\"${one(snowflake_database_role.this[*].database)}\".\"${each.value.in_schema}\"" : null
+ in_database = each.value.schema_name != null ? null : one(snowflake_database_role.this[*].database)
+ in_schema = each.value.schema_name != null ? "\"${one(snowflake_database_role.this[*].database)}\".\"${each.value.schema_name}\"" : null
 }
 }
 }
diff --git a/variables.tf b/variables.tf
index ce09ba1..08fc9f5 100644
--- a/variables.tf
+++ b/variables.tf
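Review bot: The quoted schema identifier `"\"${one(snowflake_database_role.this[*].database)}\".\"${each.value.schema_name}\""` is now spelled out three times in this resource — in the `all` block and as the prefix of `object_name` in the previous hunk, and again here in the `future` block — which is why the `in_schema` → `schema_name` rename had to be repeated in every copy, as will the next change to the quoting. Computing it once per grant in `locals.tf`, e.g. `schema_fqn = grant.schema_name != null ? "\"${db}\".\"${grant.schema_name}\"" : null` (name constructed), and reading `each.value.schema_fqn` in all three places removes the duplication. The resource block starts before the first `main.tf` hunk.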
@@ -73,29 +73,26 @@ variable "schema_grants" { variable "schema_objects_grants" { description = "Grants on a schema object level" - type = list(object({ + type = map(list(object({ all_privileges = optional(bool) with_grant_option = optional(bool) privileges = optional(list(string)) - object_type = optional(string) object_name = optional(string) on_all = optional(bool, false) - in_schema = optional(string) + schema_name = optional(string) on_future = optional(bool, false) - })) - default = [] + }))) + default = {} validation { - condition = alltrue([for grant in var.schema_objects_grants : (grant.privileges != null) != (grant.all_privileges != null)]) + condition = alltrue([for object_type, grants in var.schema_objects_grants : alltrue([for grant in grants : (grant.privileges != null) != (grant.all_privileges != null)])]) error_message = "Variable `schema_objects_grants` fails validation - only one of `privileges` or `all_privileges` can be set." } validation { - condition = alltrue([for grant in var.schema_objects_grants : - (grant.object_type != null && grant.object_name != null ? 1 : 0) + - (grant.on_all == true ? 1 : 0) + - (grant.on_future == true ? 1 : 0) == 1 - ]) - error_message = "Variable `schema_objects_grants` fails validation - only one of `object_type` and `object_name`, `on_all`, or `on_future` can be set." + condition = alltrue([for object_type, grants in var.schema_objects_grants : alltrue([for grant in grants : + !(grant.object_name != null && (grant.on_all == true || grant.on_future == true)) + ])]) + error_message = "Variable `schema_objects_grants` fails validation - `object_name` cannot be set with `on_all` or `on_future`." } }
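Review bot: The replacement second `validation` only forbids `object_name` together with `on_all`/`on_future`; it no longer requires that a grant target anything, and it never requires `schema_name` when `object_name` is set. A grant with none of the three passes validation and reaches `on_schema_object` in `main.tf` with `object_type` set but `object_name`, `all` and `future` all empty, which the provider will presumably reject; a grant with `object_name` but no `schema_name` fails later inside the `"\"...\".\"${each.value.schema_name}\""` template with Terraform's generic null-interpolation error instead of a message naming the variable. A third validation block that pins both cases gives the caller a clear message at `terraform validate` time (`on_all`/`on_future` default to `false`, so they can be tested directly).
```hcl
  validation {
    condition = alltrue([for object_type, grants in var.schema_objects_grants : alltrue([for grant in grants :
      grant.object_name != null ? grant.schema_name != null : (grant.on_all || grant.on_future)
    ])])
    error_message = "Variable `schema_objects_grants` fails validation - set `schema_name` together with `object_name`, or set `on_all` or `on_future`."
  }
```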