feat: add possibility to grant DB role to share

getindata · Oct 31, 2024 · c2a1e88 · c2a1e88
1 parent 7ec107a
commit c2a1e88
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -114,6 +114,7 @@ List od code and variable (API) changes:
 | <a name="input_granted_database_roles"></a> [granted\_database\_roles](#input\_granted\_database\_roles) | Database Roles granted to this role | `list(string)` | `[]` | no |
 | <a name="input_granted_to_database_roles"></a> [granted\_to\_database\_roles](#input\_granted\_to\_database\_roles) | Fully qualified Parent Database Role name (`DB_NAME.ROLE_NAME`), to create parent-child relationship | `list(string)` | `[]` | no |
 | <a name="input_granted_to_roles"></a> [granted\_to\_roles](#input\_granted\_to\_roles) | List of Snowflake Account Roles to grant this role to | `list(string)` | `[]` | no |
+| <a name="input_granted_to_shares"></a> [granted\_to\_shares](#input\_granted\_to\_shares) | List of Snowflake Shares to grant this role to | `list(string)` | `[]` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name of the resource | `string` | n/a | yes |
 | <a name="input_name_scheme"></a> [name\_scheme](#input\_name\_scheme) | Naming scheme configuration for the resource. This configuration is used to generate names using context provider:<br>    - `properties` - list of properties to use when creating the name - is superseded by `var.context_templates`<br>    - `delimiter` - delimited used to create the name from `properties` - is superseded by `var.context_templates`<br>    - `context_template_name` - name of the context template used to create the name<br>    - `replace_chars_regex` - regex to use for replacing characters in property-values created by the provider - any characters that match the regex will be removed from the name<br>    - `extra_values` - map of extra label-value pairs, used to create a name | <pre>object({<br>    properties            = optional(list(string), ["environment", "name"])<br>    delimiter             = optional(string, "_")<br>    context_template_name = optional(string, "snowflake-user")<br>    replace_chars_regex   = optional(string, "[^a-zA-Z0-9_]")<br>    extra_values          = optional(map(string))<br>  })</pre> | `{}` | no |
 | <a name="input_parent_database_role"></a> [parent\_database\_role](#input\_parent\_database\_role) | DEPRECATED variable - please use `granted_to_database_roles` instead | `string` | `null` | no |
@@ -154,6 +155,7 @@ No modules.
 | [snowflake_grant_database_role.granted_database_roles](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_database_role) | resource |
 | [snowflake_grant_database_role.granted_to_database_roles](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_database_role) | resource |
 | [snowflake_grant_database_role.granted_to_role](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_database_role) | resource |
+| [snowflake_grant_database_role.granted_to_share](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_database_role) | resource |
 | [snowflake_grant_database_role.parent_database_role](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_database_role) | resource |
 | [snowflake_grant_privileges_to_database_role.database_grants](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_privileges_to_database_role) | resource |
 | [snowflake_grant_privileges_to_database_role.schema_grants](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_privileges_to_database_role) | resource |

diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -172,7 +172,9 @@ terraform apply tfplan
 | [snowflake_database_role.db_role_1](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/database_role) | resource |
 | [snowflake_database_role.db_role_2](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/database_role) | resource |
 | [snowflake_database_role.db_role_3](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/database_role) | resource |
+| [snowflake_grant_privileges_to_share.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_privileges_to_share) | resource |
 | [snowflake_schema.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/schema) | resource |
+| [snowflake_share.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/share) | resource |
 | [snowflake_table.table_1](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/table) | resource |
 | [snowflake_table.table_2](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/table) | resource |
 <!-- END_TF_DOCS -->
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -63,6 +63,16 @@ resource "snowflake_database_role" "db_role_3" {
   name     = "DB_ROLE_3"
 }
 
+resource "snowflake_share" "this" {
+  name = "TEST_SHARE"
+}
+
+resource "snowflake_grant_privileges_to_share" "this" {
+  to_share    = snowflake_share.this.name
+  privileges  = ["USAGE"]
+  on_database = snowflake_database.this.name
+}
+
 module "snowflake_database_role_1" {
   source = "../../"
 
@@ -133,6 +143,10 @@ module "snowflake_database_role_2" {
     extra_values          = { schema = "BRONZE" }
   }
   context_templates = var.context_templates
+
+  granted_to_shares = [snowflake_share.this.name]
+
+  depends_on = [snowflake_grant_privileges_to_share.this]
 }
 
 

diff --git a/main.tf b/main.tf
@@ -28,6 +28,13 @@ resource "snowflake_grant_database_role" "granted_to_role" {
   parent_role_name   = each.value
 }
 
+resource "snowflake_grant_database_role" "granted_to_share" {
+  for_each = toset(var.granted_to_shares)
+
+  database_role_name = local.database_role_name
+  share_name         = each.value
+}
+
 resource "snowflake_grant_database_role" "parent_database_role" {
   count = var.parent_database_role != null ? 1 : 0
 

diff --git a/variables.tf b/variables.tf
@@ -26,6 +26,12 @@ variable "granted_to_roles" {
   default     = []
 }
 
+variable "granted_to_shares" {
+  description = "List of Snowflake Shares to grant this role to"
+  type        = list(string)
+  default     = []
+}
+
 variable "granted_to_database_roles" {
   description = "Fully qualified Parent Database Role name (`DB_NAME.ROLE_NAME`), to create parent-child relationship"
   type        = list(string)