fix: Fix roles option merge (#3)

* fix: Fix roles option merge * feat: Add descriptor name for roles * fix: Fix example
getindata · Jan 19, 2023 · 5a55079 · 5a55079
1 parent e72c302
commit 5a55079
Show file tree

Hide file tree

Showing 25 changed files with 150 additions and 44 deletions.
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -8,7 +8,6 @@ on:
 
 env:
   TERRAFORM_DOCS_VERSION: v0.16.0
-  TFLINT_VERSION: v0.41.0
 
 jobs:
   collectInputs:

diff --git a/.gitignore b/.gitignore
@@ -29,3 +29,5 @@ override.tf.json
 # Include override files you do wish to add to version control using negated pattern
 #
 # !example_override.tf
+
+tfplan*
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -16,9 +16,10 @@ repos:
         args: ["."]
 
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: "2.2.168" # Get the latest from: https://github.com/bridgecrewio/checkov/releases
+    rev: "2.2.246" # Get the latest from: https://github.com/bridgecrewio/checkov/releases
     hooks:
       - id: checkov
+        args: [--skip-check, "CKV2_GHA_1"] #Flase positive for top-level permissions
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: "v4.3.0" # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases

diff --git a/.tflint.hcl b/.tflint.hcl
@@ -1,3 +1,9 @@
+config {
+  ignore_module = {
+    "Invicton-Labs/deepmerge/null" = true
+  }
+}
+
 rule "terraform_deprecated_interpolation" {
   enabled = true
 }

diff --git a/README.md b/README.md
@@ -80,7 +80,7 @@ module "resource_monitors" {
 | <a name="input_notify_triggers"></a> [notify\_triggers](#input\_notify\_triggers) | A list of percentage thresholds at which to send an alert to subscribed users. | `list(number)` | `null` | no |
 | <a name="input_notify_users"></a> [notify\_users](#input\_notify\_users) | Specifies the list of users to receive email notifications on resource monitors. | `list(string)` | `null` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
-| <a name="input_roles"></a> [roles](#input\_roles) | Roles created on the Resource Monitor level | `any` | `{}` | no |
+| <a name="input_roles"></a> [roles](#input\_roles) | Roles created on the Resource Monitor level | <pre>map(object({<br>    enabled                 = optional(bool, true)<br>    descriptor_name         = optional(string, "snowflake-role")<br>    comment                 = optional(string)<br>    role_ownership_grant    = optional(string)<br>    granted_roles           = optional(list(string))<br>    granted_to_roles        = optional(list(string))<br>    granted_to_users        = optional(list(string))<br>    resource_monitor_grants = optional(list(string))<br>  }))</pre> | `{}` | no |
 | <a name="input_set_for_account"></a> [set\_for\_account](#input\_set\_for\_account) | Specifies whether the resource monitor should be applied globally to your Snowflake account. | `bool` | `true` | no |
 | <a name="input_stage"></a> [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | <a name="input_start_timestamp"></a> [start\_timestamp](#input\_start\_timestamp) | The date and time when the resource monitor starts monitoring credit usage for the assigned warehouses. | `string` | `null` | no |
@@ -96,7 +96,8 @@ module "resource_monitors" {
 |------|--------|---------|
 | <a name="module_monitor_label"></a> [monitor\_label](#module\_monitor\_label) | cloudposse/label/null | 0.25.0 |
 | <a name="module_roles_deep_merge"></a> [roles\_deep\_merge](#module\_roles\_deep\_merge) | Invicton-Labs/deepmerge/null | 0.1.5 |
-| <a name="module_snowflake_role"></a> [snowflake\_role](#module\_snowflake\_role) | getindata/role/snowflake | 1.0.3 |
+| <a name="module_snowflake_custom_role"></a> [snowflake\_custom\_role](#module\_snowflake\_custom\_role) | getindata/role/snowflake | 1.0.3 |
+| <a name="module_snowflake_default_role"></a> [snowflake\_default\_role](#module\_snowflake\_default\_role) | getindata/role/snowflake | 1.0.3 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 
 ## Outputs
@@ -109,7 +110,7 @@ module "resource_monitors" {
 | <a name="output_name"></a> [name](#output\_name) | Name of resource monitor |
 | <a name="output_notify_triggers"></a> [notify\_triggers](#output\_notify\_triggers) | A list of percentage thresholds at which to send an alert to subscribed users |
 | <a name="output_notify_users"></a> [notify\_users](#output\_notify\_users) | A list of users to receive email notifications on resource monitors |
-| <a name="output_roles"></a> [roles](#output\_roles) | Functional roles created for warehouse |
+| <a name="output_roles"></a> [roles](#output\_roles) | Access roles created for resource monitor |
 | <a name="output_set_for_account"></a> [set\_for\_account](#output\_set\_for\_account) | Whether the resource monitor should be applied globally to your Snowflake account |
 | <a name="output_start_timestamp"></a> [start\_timestamp](#output\_start\_timestamp) | The date and time when the resource monitor starts monitoring credit usage |
 | <a name="output_suspend_immediate_triggers"></a> [suspend\_immediate\_triggers](#output\_suspend\_immediate\_triggers) | A list of percentage thresholds at which to immediately suspend all warehouses |
@@ -120,14 +121,14 @@ module "resource_monitors" {
 
 | Name | Version |
 |------|---------|
-| <a name="provider_snowflake"></a> [snowflake](#provider\_snowflake) | ~> 0.51 |
+| <a name="provider_snowflake"></a> [snowflake](#provider\_snowflake) | ~> 0.54 |
 
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
-| <a name="requirement_snowflake"></a> [snowflake](#requirement\_snowflake) | ~> 0.51 |
+| <a name="requirement_snowflake"></a> [snowflake](#requirement\_snowflake) | ~> 0.54 |
 
 ## Resources
 

diff --git a/examples/complete/.env.dist b/examples/complete/.env.dist
@@ -0,0 +1,4 @@
+SNOWFLAKE_USER=
+SNOWFLAKE_PASSWORD=
+SNOWFLAKE_ROLE=
+SNOWFLAKE_ACCOUNT=
diff --git a/examples/complete/.envrc b/examples/complete/.envrc
@@ -0,0 +1,2 @@
+#Override defaults
+command -v dotenv && test -f .env && dotenv
diff --git a/examples/complete/.gitignore b/examples/complete/.gitignore
@@ -0,0 +1 @@
+.env
diff --git a/examples/complete/Makefile b/examples/complete/Makefile
@@ -0,0 +1,11 @@
+init:
+	terraform init
+
+plan:
+	terraform plan -out tfplan
+
+apply:
+	terraform apply tfplan
+
+destroy:
+	terraform destroy
diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -58,14 +58,14 @@ This example creates:
 
 | Name | Version |
 |------|---------|
-| <a name="provider_snowflake"></a> [snowflake](#provider\_snowflake) | ~> 0.47 |
+| <a name="provider_snowflake"></a> [snowflake](#provider\_snowflake) | ~> 0.54 |
 
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
-| <a name="requirement_snowflake"></a> [snowflake](#requirement\_snowflake) | ~> 0.47 |
+| <a name="requirement_snowflake"></a> [snowflake](#requirement\_snowflake) | ~> 0.54 |
 
 ## Resources
 

diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -130,9 +130,9 @@ module "warehouse_resource_monitor" {
       granted_to_roles = [snowflake_role.this_admin.name]
     }
     custom_role = {
-      privileges       = ["MONITOR", "MODIFY"]
-      granted_to_roles = [snowflake_role.this_dev.name]
-      granted_to_users = [snowflake_user.this_user.name]
+      resource_monitor_grants = ["MONITOR", "MODIFY"]
+      granted_to_roles        = [snowflake_role.this_dev.name]
+      granted_to_users        = [snowflake_user.this_user.name]
     }
   }
 }

diff --git a/examples/complete/providers.tf b/examples/complete/providers.tf
@@ -0,0 +1 @@
+provider "snowflake" {}
diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
@@ -3,7 +3,7 @@ terraform {
   required_providers {
     snowflake = {
       source  = "Snowflake-Labs/snowflake"
-      version = "~> 0.47"
+      version = "~> 0.54"
     }
   }
 }
diff --git a/examples/simple/.env.dist b/examples/simple/.env.dist
@@ -0,0 +1,4 @@
+SNOWFLAKE_USER=
+SNOWFLAKE_PASSWORD=
+SNOWFLAKE_ROLE=
+SNOWFLAKE_ACCOUNT=
diff --git a/examples/simple/.envrc b/examples/simple/.envrc
@@ -0,0 +1,2 @@
+#Override defaults
+command -v dotenv && test -f .env && dotenv
diff --git a/examples/simple/.gitignore b/examples/simple/.gitignore
@@ -0,0 +1 @@
+.env
diff --git a/examples/simple/Makefile b/examples/simple/Makefile
@@ -0,0 +1,11 @@
+init:
+	terraform init
+
+plan:
+	terraform plan -out tfplan
+
+apply:
+	terraform apply tfplan
+
+destroy:
+	terraform destroy
diff --git a/examples/simple/README.md b/examples/simple/README.md
@@ -30,7 +30,10 @@ No providers.
 
 ## Requirements
 
-No requirements.
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_snowflake"></a> [snowflake](#requirement\_snowflake) | ~> 0.54 |
 
 ## Resources
 

diff --git a/examples/simple/providers.tf b/examples/simple/providers.tf
@@ -0,0 +1 @@
+provider "snowflake" {}
diff --git a/examples/simple/versions.tf b/examples/simple/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.3"
+  required_providers {
+    snowflake = {
+      source  = "Snowflake-Labs/snowflake"
+      version = "~> 0.54"
+    }
+  }
+}
diff --git a/locals.tf b/locals.tf
@@ -3,24 +3,45 @@ locals {
     lookup(module.monitor_label.descriptors, var.descriptor_name, module.monitor_label.id), "/${module.monitor_label.delimiter}${module.monitor_label.delimiter}+/", module.monitor_label.delimiter
   ), module.monitor_label.delimiter) : null
 
-  default_roles = var.create_default_roles ? {
-    monitor = {
-      privileges = ["MONITOR"]
-    }
-    modify = {
-      privileges = ["MODIFY"]
+  enabled              = module.this.enabled
+  create_default_roles = local.enabled && var.create_default_roles
+
+  default_roles_definition = {
+    readonly = {
+      resource_monitor_grants = ["MONITOR"]
     }
     admin = {
-      privileges = ["MODIFY", "MONITOR"]
+      resource_monitor_grants = ["MODIFY", "MONITOR"]
     }
-  } : {}
+  }
+
+  provided_roles = { for role_name, role in var.roles : role_name => {
+    for k, v in role : k => v
+    if v != null
+  } }
+  roles_definition = module.roles_deep_merge.merged
+
+  default_roles = {
+    for role_name, role in local.roles_definition : role_name => role
+    if contains(keys(local.default_roles_definition), role_name)
+  }
+  custom_roles = {
+    for role_name, role in local.roles_definition : role_name => role
+    if !contains(keys(local.default_roles_definition), role_name)
+  }
 
-  roles = module.roles_deep_merge.merged
+  roles = {
+    for role_name, role in merge(
+      module.snowflake_default_role,
+      module.snowflake_custom_role
+    ) : role_name => role
+    if role.name != null
+  }
 }
 
 module "roles_deep_merge" {
   source  = "Invicton-Labs/deepmerge/null"
   version = "0.1.5"
 
-  maps = [local.default_roles, var.roles]
+  maps = [local.default_roles_definition, local.provided_roles]
 }
diff --git a/main.tf b/main.tf
@@ -9,7 +9,7 @@ module "monitor_label" {
 }
 
 resource "snowflake_resource_monitor" "this" {
-  count = module.monitor_label.enabled ? 1 : 0
+  count = local.enabled ? 1 : 0
 
   name = local.name_from_descriptor
 
@@ -29,30 +29,47 @@ resource "snowflake_resource_monitor" "this" {
   warehouses      = var.warehouses
 }
 
-module "snowflake_role" {
-  for_each = local.roles
+module "snowflake_default_role" {
+  for_each = local.default_roles
 
   source  = "getindata/role/snowflake"
   version = "1.0.3"
+  context = module.this.context
+
+  name            = each.key
+  attributes      = ["RMN", one(snowflake_resource_monitor.this[*].name)]
+  enabled         = local.create_default_roles && lookup(each.value, "enabled", true)
+  descriptor_name = lookup(each.value, "descriptor_name", "snowflake-role")
+
+  role_ownership_grant = lookup(each.value, "role_ownership_grant", "SYSADMIN")
+  granted_to_users     = lookup(each.value, "granted_to_users", [])
+  granted_to_roles     = lookup(each.value, "granted_to_roles", [])
+  granted_roles        = lookup(each.value, "granted_roles", [])
+}
 
+module "snowflake_custom_role" {
+  for_each = local.custom_roles
+
+  source  = "getindata/role/snowflake"
+  version = "1.0.3"
   context = module.this.context
-  enabled = module.this.enabled && lookup(each.value, "enabled", true)
 
-  name       = each.key
-  attributes = ["RMN", one(snowflake_resource_monitor.this).name]
+  name            = each.key
+  attributes      = ["RMN", one(snowflake_resource_monitor.this[*].name)]
+  enabled         = local.create_default_roles && lookup(each.value, "enabled", true)
+  descriptor_name = lookup(each.value, "descriptor_name", "snowflake-role")
 
-  granted_to_users = lookup(each.value, "granted_to_users", [])
-  granted_to_roles = lookup(each.value, "granted_to_roles", [])
-  granted_roles    = lookup(each.value, "granted_roles", [])
+  role_ownership_grant = lookup(each.value, "role_ownership_grant", "SYSADMIN")
+  granted_to_users     = lookup(each.value, "granted_to_users", [])
+  granted_to_roles     = lookup(each.value, "granted_to_roles", [])
+  granted_roles        = lookup(each.value, "granted_roles", [])
 }
 
 resource "snowflake_resource_monitor_grant" "this" {
-  for_each = module.monitor_label.enabled ? transpose(
-    {
-      for role_name, role in module.snowflake_role : module.snowflake_role[role_name].name =>
-      local.roles[role_name].privileges if lookup(local.roles[role_name], "enabled", true)
-    }
-  ) : {}
+  for_each = local.enabled ? transpose({ for role_name, role in local.roles : local.roles[role_name].name =>
+    lookup(local.roles_definition[role_name], "resource_monitor_grants", [])
+    if lookup(local.roles_definition[role_name], "enabled", true)
+  }) : {}
 
   monitor_name = one(resource.snowflake_resource_monitor.this[*]).name
   privilege    = each.key

diff --git a/outputs.tf b/outputs.tf
@@ -54,6 +54,6 @@ output "warehouses" {
 }
 
 output "roles" {
-  description = "Functional roles created for warehouse"
-  value       = module.snowflake_role
+  description = "Access roles created for resource monitor"
+  value       = local.roles
 }
diff --git a/variables.tf b/variables.tf
@@ -64,8 +64,17 @@ variable "warehouses" {
 
 variable "roles" {
   description = "Roles created on the Resource Monitor level"
-  type        = any
-  default     = {}
+  type = map(object({
+    enabled                 = optional(bool, true)
+    descriptor_name         = optional(string, "snowflake-role")
+    comment                 = optional(string)
+    role_ownership_grant    = optional(string)
+    granted_roles           = optional(list(string))
+    granted_to_roles        = optional(list(string))
+    granted_to_users        = optional(list(string))
+    resource_monitor_grants = optional(list(string))
+  }))
+  default = {}
 }
 
 variable "create_default_roles" {

diff --git a/versions.tf b/versions.tf
@@ -3,7 +3,7 @@ terraform {
   required_providers {
     snowflake = {
       source  = "Snowflake-Labs/snowflake"
-      version = "~> 0.51"
+      version = "~> 0.54"
     }
   }
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -8,7 +8,6 @@ on: @@
     env:
       TERRAFORM_DOCS_VERSION: v0.16.0
-      TFLINT_VERSION: v0.41.0
     jobs:
       collectInputs:
@@ Expand Down @@
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		#Override defaults
		command -v dotenv && test -f .env && dotenv