From f19c5d7aea9ac41f0a91cc5ee6dd1c733689514c Mon Sep 17 00:00:00 2001 From: Daniel Noworyta Date: Thu, 18 Jul 2024 17:04:33 +0200 Subject: [PATCH 1/8] WIP: combine default and custom roles to single object --- examples/complete/fixtures.tfvars | 2 +- examples/complete/main.tf | 63 +++++++++++++------ locals.tf | 44 ++++++++----- main.tf | 101 +++++++++++++++++++----------- variables.tf | 27 +++++--- 5 files changed, 152 insertions(+), 85 deletions(-) diff --git a/examples/complete/fixtures.tfvars b/examples/complete/fixtures.tfvars index 9f14356..5c706f7 100644 --- a/examples/complete/fixtures.tfvars +++ b/examples/complete/fixtures.tfvars @@ -13,7 +13,7 @@ descriptor_formats = { } snowflake-stage = { labels = ["name", "attributes"] - format = "%v_%v_STAGE" + format = "%v_%v" } } diff --git a/examples/complete/main.tf b/examples/complete/main.tf index adf647a..d2e9b49 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -1,23 +1,24 @@ -module "snowflake_admin_role" { - source = "getindata/role/snowflake" - version = "1.0.3" - context = module.this.context - name = "admin" +resource "snowflake_database_role" "db_role_1" { + database = snowflake_database.this.name + name = "DB_ROLE_1" } -module "snowflake_dev_role" { - source = "getindata/role/snowflake" - version = "1.0.3" - context = module.this.context - name = "dev" +resource "snowflake_database_role" "db_role_2" { + database = snowflake_database.this.name + name = "DB_ROLE_2" +} + +resource "snowflake_database_role" "db_role_3" { + database = snowflake_database.this.name + name = "DB_ROLE_3" } resource "snowflake_database" "this" { - name = "MY_DATABASE" + name = "USERS_DB" } resource "snowflake_schema" "this" { - name = "MY_SCHEMA" + name = "TEST_SCHEMA" database = snowflake_database.this.name } @@ -25,19 +26,43 @@ module "internal_stage" { source = "../../" context = module.this.context - name = "my_stage" + name = "INGEST" schema = snowflake_schema.this.name database = snowflake_database.this.name - comment = "This is my stage" + comment = "This is my ingest stage" + + create_default_databse_roles = true - create_default_roles = true roles = { - readonly = { - granted_to_roles = [module.snowflake_dev_role.name] + readonly = { # Modifies readonly default role + parent_database_role = snowflake_database_role.db_role_1.name + granted_database_roles = [ + snowflake_database_role.db_role_2.name, + snowflake_database_role.db_role_3.name + ] + stage_grants = ["READ", "WRITE"] + } + admin = { # Modifies admin default role + granted_database_roles = [ + snowflake_database_role.db_role_2.name + ] } - admin = { - granted_to_roles = [module.snowflake_admin_role.name] + user_1 = { # User created database role + parent_database_role = snowflake_database_role.db_role_3.name + all_privileges = true + with_grant_option = true + on_future = true + on_all = true + } + user_2 = { # User created database role + parent_database_role = snowflake_database_role.db_role_3.name + stage_grants = [ "READ", "WRITE" ] + with_grant_option = false + on_future = true + on_all = false } } + + stage_ownership_grant = "user_1" } diff --git a/locals.tf b/locals.tf index 3ca66e0..e5e9a44 100644 --- a/locals.tf +++ b/locals.tf @@ -4,11 +4,13 @@ locals { name_from_descriptor = module.stage_label.enabled ? trim(replace( lookup(module.stage_label.descriptors, var.descriptor_name, module.stage_label.id), "/${module.stage_label.delimiter}${module.stage_label.delimiter}+/", module.stage_label.delimiter ), module.stage_label.delimiter) : null - create_default_roles = module.this.enabled && var.create_default_roles + create_default_databse_roles = module.this.enabled && var.create_default_databse_roles + + schema_object_stage_name = "\"${one(snowflake_stage.this[*].database)}\".\"${one(snowflake_stage.this[*].schema)}\".\"${one(snowflake_stage.this[*].name)}\"" is_internal = var.url == null - default_roles_definition = { + default_roles_definition = var.create_default_databse_roles ? { readonly = { stage_grants = local.is_internal ? ["READ"] : ["USAGE"] } @@ -16,32 +18,40 @@ locals { stage_grants = local.is_internal ? ["READ", "WRITE"] : ["USAGE"] } admin = { - stage_grants = local.is_internal ? ["READ", "WRITE", "OWNERSHIP"] : ["USAGE", "OWNERSHIP"] + stage_grants = local.is_internal ? ["READ", "WRITE"] : ["USAGE"] } - } + } : {} provided_roles = { for role_name, role in var.roles : role_name => { for k, v in role : k => v if v != null } } + roles_definition = module.roles_deep_merge.merged - default_roles = { - for role_name, role in local.roles_definition : role_name => role - if contains(keys(local.default_roles_definition), role_name) - } - custom_roles = { - for role_name, role in local.roles_definition : role_name => role - if !contains(keys(local.default_roles_definition), role_name) - } + # default_roles = { + # for role_name, role in local.roles_definition : role_name => role + # if contains(keys(local.default_roles_definition), role_name) + # } + + # custom_roles = { + # for role_name, role in local.roles_definition : role_name => role + # if !contains(keys(local.default_roles_definition), role_name) + # } roles = { - for role_name, role in merge( - module.snowflake_default_role, - module.snowflake_custom_role - ) : role_name => role - if role.name != null + for role_name, role in local.roles_definition : role_name => role + # if !contains(keys(local.default_roles_definition), role_name) } + + # roles = { + # for role_name, role in merge( + # # module.snowflake_default_database_role, + # # module.snowflake_custom_database_role + # module.snowflake_database_role + # ) : role_name => role + # if role.name != null + # } } module "roles_deep_merge" { diff --git a/main.tf b/main.tf index 55b218b..8b95165 100644 --- a/main.tf +++ b/main.tf @@ -27,57 +27,82 @@ resource "snowflake_stage" "this" { url = var.url } -module "snowflake_default_role" { - for_each = local.default_roles +# module "snowflake_default_database_role" { - source = "getindata/role/snowflake" - version = "1.0.3" +module "snowflake_database_role" { + # for_each = local.create_default_roles ? local.default_roles : {} + for_each = local.roles + + source = "git::ssh://git@github.com/getindata/terraform-snowflake-database-role.git" + # version = "1.0.0" context = module.this.context - enabled = local.create_default_roles && lookup(each.value, "enabled", true) - name = each.key + database_name = one(snowflake_stage.this[*].database) + name = each.key + + parent_database_role = lookup(each.value, "parent_database_role", null) + granted_database_roles = lookup(each.value, "granted_database_roles", []) + attributes = [ - one(snowflake_stage.this[*].database), one(snowflake_stage.this[*].schema), one(snowflake_stage.this[*].name) ] - role_ownership_grant = lookup(each.value, "role_ownership_grant", "SYSADMIN") - granted_to_users = lookup(each.value, "granted_to_users", []) - granted_to_roles = lookup(each.value, "granted_to_roles", []) - granted_roles = lookup(each.value, "granted_roles", []) + schema_objects_grants = { + "STAGE" = [ + { + privileges = lookup(each.value, "stage_grants", null) + all_privileges = lookup(each.value, "all_privileges", null) + with_grant_option = lookup(each.value, "with_grant_option", false) + on_future = lookup(each.value, "on_future", false) + on_all = lookup(each.value, "on_all", false) + object_name = (lookup(each.value, "on_future", false) || lookup(each.value, "on_all", false)) ? null : one(snowflake_stage.this[*].name) + schema_name = one(snowflake_stage.this[*].schema) + } + ] + } } -module "snowflake_custom_role" { - for_each = local.custom_roles +# module "snowflake_custom_database_role" { +# for_each = local.custom_roles - source = "getindata/role/snowflake" - version = "1.0.3" - context = module.this.context - enabled = module.this.enabled && lookup(each.value, "enabled", true) +# source = "git::ssh://git@github.com/getindata/terraform-snowflake-database-role.git" +# # version = "1.0.0" +# context = module.this.context - name = each.key - attributes = [ - one(snowflake_stage.this[*].database), - one(snowflake_stage.this[*].schema), - one(snowflake_stage.this[*].name) - ] +# database_name = one(snowflake_stage.this[*].database) +# name = each.key - role_ownership_grant = lookup(each.value, "role_ownership_grant", "SYSADMIN") - granted_to_users = lookup(each.value, "granted_to_users", []) - granted_to_roles = lookup(each.value, "granted_to_roles", []) - granted_roles = lookup(each.value, "granted_roles", []) -} +# parent_database_role = lookup(each.value, "parent_database_role", null) +# granted_database_roles = lookup(each.value, "granted_database_roles", []) -resource "snowflake_stage_grant" "this" { - for_each = module.this.enabled ? transpose({ for role_name, role in local.roles : local.roles[role_name].name => - lookup(local.roles_definition[role_name], "stage_grants", []) - if lookup(local.roles_definition[role_name], "enabled", true) - }) : {} +# attributes = [ +# one(snowflake_stage.this[*].schema), +# one(snowflake_stage.this[*].name) +# ] - database_name = one(snowflake_stage.this[*].database) - schema_name = one(snowflake_stage.this[*].schema) - stage_name = one(snowflake_stage.this[*].name) - privilege = each.key - roles = each.value +# schema_objects_grants = { +# "STAGE" = [ +# { +# privileges = lookup(each.value, "stage_grants", null) +# all_privileges = lookup(each.value, "all_privileges", null) +# with_grant_option = lookup(each.value, "with_grant_option", false) +# on_future = lookup(each.value, "on_future", false) +# on_all = lookup(each.value, "on_all", false) +# object_name = (lookup(each.value, "on_future", false) || lookup(each.value, "on_all", false)) ? null : one(snowflake_stage.this[*].name) +# schema_name = one(snowflake_stage.this[*].schema) +# } +# ] +# } +# } + +resource "snowflake_grant_ownership" "stage_ownership" { + count = var.stage_ownership_grant != null ? 1 : 0 + + database_role_name = module.snowflake_database_role[var.stage_ownership_grant].fully_qualified_name + outbound_privileges = "REVOKE" + on { + object_type = "STAGE" + object_name = local.schema_object_stage_name + } } diff --git a/variables.tf b/variables.tf index d89f4f2..7be9f2f 100644 --- a/variables.tf +++ b/variables.tf @@ -74,22 +74,29 @@ variable "url" { default = null } -variable "create_default_roles" { - description = "Whether the default roles should be created" +variable "create_default_databse_roles" { + description = "Whether the default database roles should be created" type = bool default = false } variable "roles" { - description = "Roles created in the database scope" + description = "Database roles created in the stage scope" type = map(object({ - enabled = optional(bool, true) - comment = optional(string) - role_ownership_grant = optional(string) - granted_roles = optional(list(string)) - granted_to_roles = optional(list(string)) - granted_to_users = optional(list(string)) - stage_grants = optional(list(string)) + with_grant_option = optional(bool) + parent_database_role = optional(string) + granted_database_roles = optional(list(string)) + stage_grants = optional(list(string)) + all_privileges = optional(bool) + on_all = optional(bool, false) + schema_name = optional(string) + on_future = optional(bool, false) })) default = {} } + +variable "stage_ownership_grant" { + description = "To which role the stage ownership should be granted" + type = string + default = null +} \ No newline at end of file From 935ec7ad0ef8c6e2ffa46062fb7715613494b386 Mon Sep 17 00:00:00 2001 From: Daniel Noworyta Date: Thu, 18 Jul 2024 17:11:24 +0200 Subject: [PATCH 2/8] WIP: provider version bump --- examples/complete/.env.dist | 1 + examples/complete/versions.tf | 2 +- examples/simple/.env.dist | 1 + examples/simple/versions.tf | 2 +- versions.tf | 2 +- 5 files changed, 5 insertions(+), 3 deletions(-) diff --git a/examples/complete/.env.dist b/examples/complete/.env.dist index 3b3c5af..9bace73 100644 --- a/examples/complete/.env.dist +++ b/examples/complete/.env.dist @@ -2,3 +2,4 @@ SNOWFLAKE_USER= SNOWFLAKE_PASSWORD= SNOWFLAKE_ROLE= SNOWFLAKE_ACCOUNT= +SNOWFLAKE_REGION= \ No newline at end of file diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf index beae9eb..33afd12 100644 --- a/examples/complete/versions.tf +++ b/examples/complete/versions.tf @@ -3,7 +3,7 @@ terraform { required_providers { snowflake = { source = "Snowflake-Labs/snowflake" - version = "~> 0.54" + version = "~> 0.90" } } } diff --git a/examples/simple/.env.dist b/examples/simple/.env.dist index 3b3c5af..9bace73 100644 --- a/examples/simple/.env.dist +++ b/examples/simple/.env.dist @@ -2,3 +2,4 @@ SNOWFLAKE_USER= SNOWFLAKE_PASSWORD= SNOWFLAKE_ROLE= SNOWFLAKE_ACCOUNT= +SNOWFLAKE_REGION= \ No newline at end of file diff --git a/examples/simple/versions.tf b/examples/simple/versions.tf index beae9eb..33afd12 100644 --- a/examples/simple/versions.tf +++ b/examples/simple/versions.tf @@ -3,7 +3,7 @@ terraform { required_providers { snowflake = { source = "Snowflake-Labs/snowflake" - version = "~> 0.54" + version = "~> 0.90" } } } diff --git a/versions.tf b/versions.tf index beae9eb..33afd12 100644 --- a/versions.tf +++ b/versions.tf @@ -3,7 +3,7 @@ terraform { required_providers { snowflake = { source = "Snowflake-Labs/snowflake" - version = "~> 0.54" + version = "~> 0.90" } } } From cfb00374970b76700d1f129b680c38853414c0ed Mon Sep 17 00:00:00 2001 From: Daniel Noworyta Date: Fri, 19 Jul 2024 12:16:33 +0200 Subject: [PATCH 3/8] feat: update module with latest snowflake provider changes - removals and deprecations --- .github/workflows/pre-commit.yml | 4 +- .pre-commit-config.yaml | 12 +-- .terraform-docs.yml | 4 + .tflint.hcl | 16 ---- README.md | 18 ++--- examples/complete/.env.dist | 2 +- examples/complete/README.md | 130 ++++++++++++++++++++----------- examples/complete/main.tf | 2 +- examples/simple/.env.dist | 2 +- examples/simple/README.md | 66 ++++++++++++---- locals.tf | 23 +----- main.tf | 42 +--------- variables.tf | 2 +- 13 files changed, 163 insertions(+), 160 deletions(-) delete mode 100644 .tflint.hcl diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 652dff0..4e06095 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -13,6 +13,6 @@ jobs: main: uses: getindata/github-workflows/.github/workflows/tf-pre-commit.yml@v1 with: - # tflint v0.46.0 is the latest version we can use with pre-commit v0.1.20 + # tflint v0.52.0 is the latest version we can use with pre-commit v0.1.23 # See .pre-commit-config.yaml for more details. - tflint-version: v0.46.0 + tflint-version: v0.52.0 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2c59029..1f08dec 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,30 +1,26 @@ repos: - repo: https://github.com/gruntwork-io/pre-commit - # Stick to v0.1.20 until this bug is fixed: https://github.com/gruntwork-io/pre-commit/issues/102 # When updating, also check if tflint version in pre-commit workflow can be updated. - rev: "v0.1.20" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases + rev: "v0.1.23" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases hooks: - id: terraform-validate # It should be the first step as it runs terraform init required by tflint - id: terraform-fmt - id: tflint - args: - - --module - - --config=.tflint.hcl - repo: https://github.com/terraform-docs/terraform-docs - rev: "v0.16.0" # Get the latest from: https://github.com/terraform-docs/terraform-docs/releases + rev: "v0.18.0" # Get the latest from: https://github.com/terraform-docs/terraform-docs/releases hooks: - id: terraform-docs-go args: ["."] - repo: https://github.com/bridgecrewio/checkov.git - rev: "2.5.13" # Get the latest from: https://github.com/bridgecrewio/checkov/releases + rev: "3.2.192" # Get the latest from: https://github.com/bridgecrewio/checkov/releases hooks: - id: checkov args: [--skip-check, "CKV_TF_1"] # Terraform module sources do not use a git url with a commit hash revision - repo: https://github.com/pre-commit/pre-commit-hooks - rev: "v4.5.0" # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases + rev: "v4.6.0" # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases hooks: - id: check-merge-conflict args: ["--assume-in-merge"] diff --git a/.terraform-docs.yml b/.terraform-docs.yml index 5d31cc9..f6ffcef 100644 --- a/.terraform-docs.yml +++ b/.terraform-docs.yml @@ -6,6 +6,10 @@ sections: hide: [] show: [all] +recursive: + enabled: true + path: examples + content: |- {{ .Header }} diff --git a/.tflint.hcl b/.tflint.hcl deleted file mode 100644 index 6a33dcb..0000000 --- a/.tflint.hcl +++ /dev/null @@ -1,16 +0,0 @@ -config { - ignore_module = { - "Invicton-Labs/deepmerge/null" = true - } -} - -plugin "terraform" { - enabled = true - version = "0.5.0" - source = "github.com/terraform-linters/tflint-ruleset-terraform" - preset = "all" -} - -rule "terraform_standard_module_structure" { - enabled = false # Fails on context.tf -} diff --git a/README.md b/README.md index 6222c10..169dcac 100644 --- a/README.md +++ b/README.md @@ -15,11 +15,11 @@ Terraform module for Snowflake stage management. * Creates Snowflake stage -* Can create custom Snowflake roles with role-to-role, role-to-user assignments +* Can create custom Snowflake databse-roles with role-to-role assignments * Can create a set of default roles to simplify access management: * `READONLY` - granted `USAGE` or `READ` privilages * `READWRITE` - granted `WRITE` privilages - * `ADMIN` - Full access, including schema options like `url` and `credentials` + * `ADMIN` - ## USAGE @@ -59,7 +59,7 @@ module "snowflake_stage" { | [comment](#input\_comment) | Specifies a comment for the stage | `string` | `null` | no | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | 
{
  "additional_tag_map": {},
  "attributes": [],
  "delimiter": null,
  "descriptor_formats": {},
  "enabled": true,
  "environment": null,
  "id_length_limit": null,
  "label_key_case": null,
  "label_order": [],
  "label_value_case": null,
  "labels_as_tags": [
    "unset"
  ],
  "name": null,
  "namespace": null,
  "regex_replace_chars": null,
  "stage": null,
  "tags": {},
  "tenant": null
}
| no | | [copy\_options](#input\_copy\_options) | Specifies the copy options for the stage | `string` | `null` | no | -| [create\_default\_roles](#input\_create\_default\_roles) | Whether the default roles should be created | `bool` | `false` | no | +| [create\_default\_databse\_roles](#input\_create\_default\_databse\_roles) | Whether the default database roles should be created | `bool` | `false` | no | | [credentials](#input\_credentials) | Specifies the credentials for the stage | `string` | `null` | no | | [database](#input\_database) | The database in which to create the stage | `string` | n/a | yes | | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | @@ -78,10 +78,11 @@ module "snowflake_stage" { | [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | | [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [roles](#input\_roles) | Roles created in the database scope | 
map(object({
    enabled              = optional(bool, true)
    comment              = optional(string)
    role_ownership_grant = optional(string)
    granted_roles        = optional(list(string))
    granted_to_roles     = optional(list(string))
    granted_to_users     = optional(list(string))
    stage_grants         = optional(list(string))
  }))
| `{}` | no | +| [roles](#input\_roles) | Database roles created in the stage scope | 
map(object({
    with_grant_option      = optional(bool)
    parent_database_role   = optional(string)
    granted_database_roles = optional(list(string))
    stage_grants           = optional(list(string))
    all_privileges         = optional(bool)
    on_all                 = optional(bool, false)
    schema_name            = optional(string)
    on_future              = optional(bool, false)
  }))
| `{}` | no | | [schema](#input\_schema) | The schema in which to create the stage | `string` | n/a | yes | | [snowflake\_iam\_user](#input\_snowflake\_iam\_user) | Specifies the Snowflake IAM user | `string` | `null` | no | | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [stage\_ownership\_grant](#input\_stage\_ownership\_grant) | To which role the stage ownership should be granted | `string` | `null` | no | | [storage\_integration](#input\_storage\_integration) | Specifies the name of the storage integration used to delegate authentication responsibility for external cloud storage to a Snowflake identity and access management (IAM) entity | `string` | `null` | no | | [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | | [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | @@ -92,8 +93,7 @@ module "snowflake_stage" { | Name | Source | Version | |------|--------|---------| | [roles\_deep\_merge](#module\_roles\_deep\_merge) | Invicton-Labs/deepmerge/null | 0.1.5 | -| [snowflake\_custom\_role](#module\_snowflake\_custom\_role) | getindata/role/snowflake | 1.0.3 | -| [snowflake\_default\_role](#module\_snowflake\_default\_role) | getindata/role/snowflake | 1.0.3 | +| [snowflake\_database\_role](#module\_snowflake\_database\_role) | getindata/database-role/snowflake | 1.0.0 | | [stage\_label](#module\_stage\_label) | cloudposse/label/null | 0.25.0 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 | @@ -108,21 +108,21 @@ module "snowflake_stage" { | Name | Version | |------|---------| -| [snowflake](#provider\_snowflake) | ~> 0.54 | +| [snowflake](#provider\_snowflake) | ~> 0.90 | ## Requirements | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.3 | -| [snowflake](#requirement\_snowflake) | ~> 0.54 | +| [snowflake](#requirement\_snowflake) | ~> 0.90 | ## Resources | Name | Type | |------|------| +| [snowflake_grant_ownership.stage_ownership](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_ownership) | resource | | [snowflake_stage.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/stage) | resource | -| [snowflake_stage_grant.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/stage_grant) | resource | ## CONTRIBUTING diff --git a/examples/complete/.env.dist b/examples/complete/.env.dist index 9bace73..7776535 100644 --- a/examples/complete/.env.dist +++ b/examples/complete/.env.dist @@ -2,4 +2,4 @@ SNOWFLAKE_USER= SNOWFLAKE_PASSWORD= SNOWFLAKE_ROLE= SNOWFLAKE_ACCOUNT= -SNOWFLAKE_REGION= \ No newline at end of file +SNOWFLAKE_REGION= diff --git a/examples/complete/README.md b/examples/complete/README.md index 5beace4..e056d4f 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -1,56 +1,92 @@ # Complete Example -```terraform -module "snowflake_admin_role" { - source = "getindata/role/snowflake" - version = "1.0.3" - context = module.this.context - name = "admin" -} - -module "snowflake_dev_role" { - source = "getindata/role/snowflake" - version = "1.0.3" - context = module.this.context - name = "dev" -} - -resource "snowflake_database" "this" { - name = "MY_DATABASE" -} - -resource "snowflake_schema" "this" { - name = "MY_SCHEMA" - database = snowflake_database.this.name -} - -module "internal_stage" { - source = "../../" - context = module.this.context - - name = "my_stage" - schema = snowflake_schema.this.name - database = snowflake_database.this.name - - comment = "This is my stage" - - create_default_roles = true - roles = { - readonly = { - granted_to_roles = [module.snowflake_dev_role.name] - } - admin = { - granted_to_roles = [module.snowflake_admin_role.name] - } - } -} -``` +This is complete usage example of `snowflake-stage` terraform module. ## Usage Populate `.env` file with Snowflake credentials and make sure it's sourced to your shell. +## How to plan + +```shell +terraform init +terraform plan -var-file=fixtures.tfvars ``` + +## How to apply + +```shell terraform init -terraform plan -var-file fixtures.tfvars -out tfplan -terraform apply tfplan +terraform apply -var-file=fixtures.tfvars +``` + +## How to destroy +If `stage_ownership_grant` was used, first you need to hash out this line, `terraform apply -var-file=fixtures.tfvars` and then: +```shell +terraform destroy -var-file=fixtures.tfvars ``` + + + + + + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | 
{
  "additional_tag_map": {},
  "attributes": [],
  "delimiter": null,
  "descriptor_formats": {},
  "enabled": true,
  "environment": null,
  "id_length_limit": null,
  "label_key_case": null,
  "label_order": [],
  "label_value_case": null,
  "labels_as_tags": [
    "unset"
  ],
  "name": null,
  "namespace": null,
  "regex_replace_chars": null,
  "stage": null,
  "tags": {},
  "tenant": null
}
| no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | 
[
  "default"
]
| no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [internal\_stage](#module\_internal\_stage) | ../../ | n/a | +| [this](#module\_this) | cloudposse/label/null | 0.25.0 | + +## Outputs + +| Name | Description | +|------|-------------| +| [internal\_stage](#output\_internal\_stage) | Internal stage module outputs | + +## Providers + +| Name | Version | +|------|---------| +| [snowflake](#provider\_snowflake) | ~> 0.90 | + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.3 | +| [snowflake](#requirement\_snowflake) | ~> 0.90 | + +## Resources + +| Name | Type | +|------|------| +| [snowflake_database.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/database) | resource | +| [snowflake_database_role.db_role_1](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/database_role) | resource | +| [snowflake_database_role.db_role_2](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/database_role) | resource | +| [snowflake_database_role.db_role_3](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/database_role) | resource | +| [snowflake_schema.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/schema) | resource | + diff --git a/examples/complete/main.tf b/examples/complete/main.tf index d2e9b49..9f8784d 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -57,7 +57,7 @@ module "internal_stage" { } user_2 = { # User created database role parent_database_role = snowflake_database_role.db_role_3.name - stage_grants = [ "READ", "WRITE" ] + stage_grants = ["READ", "WRITE"] with_grant_option = false on_future = true on_all = false diff --git a/examples/simple/.env.dist b/examples/simple/.env.dist index 9bace73..7776535 100644 --- a/examples/simple/.env.dist +++ b/examples/simple/.env.dist @@ -2,4 +2,4 @@ SNOWFLAKE_USER= SNOWFLAKE_PASSWORD= SNOWFLAKE_ROLE= SNOWFLAKE_ACCOUNT= -SNOWFLAKE_REGION= \ No newline at end of file +SNOWFLAKE_REGION= diff --git a/examples/simple/README.md b/examples/simple/README.md index e6c2767..6062554 100644 --- a/examples/simple/README.md +++ b/examples/simple/README.md @@ -1,20 +1,60 @@ -# Simple Example +# Simple example -```terraform -module "internal_stage" { - source = "../../" +This is simple usage example of `snowflake-stage` terraform module. - name = "my_stage" - schema = "my_schema" - database = "my_db" -} +## How to plan + +```shell +terraform init +terraform plan ``` -## Usage -Populate `.env` file with Snowflake credentials and make sure it's sourced to your shell. +## How to apply -``` +```shell terraform init -terraform plan -out tfplan -terraform apply tfplan +terraform apply +``` + +## How to destroy + +```shell +terraform destroy ``` + + + + + + +## Inputs + +No inputs. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [internal\_stage](#module\_internal\_stage) | ../../ | n/a | + +## Outputs + +| Name | Description | +|------|-------------| +| [internal\_stage](#output\_internal\_stage) | Internal stage module outputs | + +## Providers + +No providers. + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.3 | +| [snowflake](#requirement\_snowflake) | ~> 0.90 | + +## Resources + +No resources. + diff --git a/locals.tf b/locals.tf index e5e9a44..3b79b8e 100644 --- a/locals.tf +++ b/locals.tf @@ -4,7 +4,6 @@ locals { name_from_descriptor = module.stage_label.enabled ? trim(replace( lookup(module.stage_label.descriptors, var.descriptor_name, module.stage_label.id), "/${module.stage_label.delimiter}${module.stage_label.delimiter}+/", module.stage_label.delimiter ), module.stage_label.delimiter) : null - create_default_databse_roles = module.this.enabled && var.create_default_databse_roles schema_object_stage_name = "\"${one(snowflake_stage.this[*].database)}\".\"${one(snowflake_stage.this[*].schema)}\".\"${one(snowflake_stage.this[*].name)}\"" @@ -26,32 +25,12 @@ locals { for k, v in role : k => v if v != null } } - - roles_definition = module.roles_deep_merge.merged - - # default_roles = { - # for role_name, role in local.roles_definition : role_name => role - # if contains(keys(local.default_roles_definition), role_name) - # } - # custom_roles = { - # for role_name, role in local.roles_definition : role_name => role - # if !contains(keys(local.default_roles_definition), role_name) - # } + roles_definition = module.roles_deep_merge.merged roles = { for role_name, role in local.roles_definition : role_name => role - # if !contains(keys(local.default_roles_definition), role_name) } - - # roles = { - # for role_name, role in merge( - # # module.snowflake_default_database_role, - # # module.snowflake_custom_database_role - # module.snowflake_database_role - # ) : role_name => role - # if role.name != null - # } } module "roles_deep_merge" { diff --git a/main.tf b/main.tf index 8b95165..9d3eea2 100644 --- a/main.tf +++ b/main.tf @@ -27,14 +27,11 @@ resource "snowflake_stage" "this" { url = var.url } -# module "snowflake_default_database_role" { - module "snowflake_database_role" { - # for_each = local.create_default_roles ? local.default_roles : {} for_each = local.roles - source = "git::ssh://git@github.com/getindata/terraform-snowflake-database-role.git" - # version = "1.0.0" + source = "getindata/database-role/snowflake" + version = "1.0.0" context = module.this.context database_name = one(snowflake_stage.this[*].database) @@ -63,43 +60,10 @@ module "snowflake_database_role" { } } -# module "snowflake_custom_database_role" { -# for_each = local.custom_roles - -# source = "git::ssh://git@github.com/getindata/terraform-snowflake-database-role.git" -# # version = "1.0.0" -# context = module.this.context - -# database_name = one(snowflake_stage.this[*].database) -# name = each.key - -# parent_database_role = lookup(each.value, "parent_database_role", null) -# granted_database_roles = lookup(each.value, "granted_database_roles", []) - -# attributes = [ -# one(snowflake_stage.this[*].schema), -# one(snowflake_stage.this[*].name) -# ] - -# schema_objects_grants = { -# "STAGE" = [ -# { -# privileges = lookup(each.value, "stage_grants", null) -# all_privileges = lookup(each.value, "all_privileges", null) -# with_grant_option = lookup(each.value, "with_grant_option", false) -# on_future = lookup(each.value, "on_future", false) -# on_all = lookup(each.value, "on_all", false) -# object_name = (lookup(each.value, "on_future", false) || lookup(each.value, "on_all", false)) ? null : one(snowflake_stage.this[*].name) -# schema_name = one(snowflake_stage.this[*].schema) -# } -# ] -# } -# } - resource "snowflake_grant_ownership" "stage_ownership" { count = var.stage_ownership_grant != null ? 1 : 0 - database_role_name = module.snowflake_database_role[var.stage_ownership_grant].fully_qualified_name + database_role_name = module.snowflake_database_role[var.stage_ownership_grant].fully_qualified_name outbound_privileges = "REVOKE" on { object_type = "STAGE" diff --git a/variables.tf b/variables.tf index 7be9f2f..3c2c40f 100644 --- a/variables.tf +++ b/variables.tf @@ -99,4 +99,4 @@ variable "stage_ownership_grant" { description = "To which role the stage ownership should be granted" type = string default = null -} \ No newline at end of file +} From 8bf01a6dbde7f10e77a3341d6b5709f08b195fcf Mon Sep 17 00:00:00 2001 From: Daniel Noworyta Date: Fri, 19 Jul 2024 12:20:47 +0200 Subject: [PATCH 4/8] docs: README.md update --- README.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/README.md b/README.md index 169dcac..63be45b 100644 --- a/README.md +++ b/README.md @@ -44,6 +44,36 @@ module "snowflake_stage" { - [Simple](examples/simple) - Basic usage of the module - [Complete](examples/complete) - Advanced usage of the module + +## Breaking changes in v2.x of the module +Due to breaking changes in Snowflake provider and additional code optimizations, **breaking changes** were introduced in `v2.0.0` version of this module. + +Lst of code and variable (API) changes: +- Switched to `snowflake_grant_ownership` resource instead of provider-removed `snowflake_role_ownership_grant` +- Switched to `snowflake_database_role` module to leverage new `database_roles` mechanism +- `default_roles` and `custom_roles` are now combined and managed by single module +- `create_default_roles` variable was renamed to `create_default_databse_roles` +- `roles` variable map received following additions: + - `all_privileges` - optional, bool + - `on_all` - optional, bool, defaults to false + - `on_future` - optional, bool, defaults to false + - `with_grant_option` - optional, bool + - `parent_database_role` - optional, string + - `granted_database_roles` - optional, list of strings + +- and got following items removed: + - `enabled` + - `comment` + - `role_ownership_grant` + - `granted_roles` + - `granted_to_roles` + - `granted_to_users` + + +When upgrading from `v1.x`, expect most of the resources to be recreated - if recreation is impossible, then it is possible to import some existing resources. + +For more information, refer to [variables.tf](variables.tf), list of inputs below and Snowflake provider documentation + From cf18b3f3259ec267546036b7a2c2d19a043fed84 Mon Sep 17 00:00:00 2001 From: Daniel Noworyta Date: Fri, 19 Jul 2024 12:22:55 +0200 Subject: [PATCH 5/8] docs: README.md update --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 63be45b..d2bedc0 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ Terraform module for Snowflake stage management. * Can create a set of default roles to simplify access management: * `READONLY` - granted `USAGE` or `READ` privilages * `READWRITE` - granted `WRITE` privilages - * `ADMIN` - + * `ADMIN` - granted `READ`, `WRITE` privilages (role can be additionally granted with `OWNER` attribute when specified) ## USAGE From 310c5dc56df9e53c818f6f86e7ccdea3fde114ec Mon Sep 17 00:00:00 2001 From: Daniel Noworyta Date: Fri, 19 Jul 2024 16:51:14 +0200 Subject: [PATCH 6/8] chore: align to changes introduced in getindata/database-role/snowflake v1.1.0 --- README.md | 9 +++---- examples/complete/README.md | 3 ++- examples/complete/main.tf | 53 +++++++++++++++++++++---------------- examples/simple/README.md | 9 +++++-- examples/simple/main.tf | 13 +++++++-- main.tf | 7 ++--- outputs.tf | 2 +- variables.tf | 17 ++++++------ 8 files changed, 68 insertions(+), 45 deletions(-) diff --git a/README.md b/README.md index d2bedc0..c0bc1a1 100644 --- a/README.md +++ b/README.md @@ -58,7 +58,7 @@ Lst of code and variable (API) changes: - `on_all` - optional, bool, defaults to false - `on_future` - optional, bool, defaults to false - `with_grant_option` - optional, bool - - `parent_database_role` - optional, string + - `granted_to_database_roles` - optional, string - `granted_database_roles` - optional, list of strings - and got following items removed: @@ -66,7 +66,6 @@ Lst of code and variable (API) changes: - `comment` - `role_ownership_grant` - `granted_roles` - - `granted_to_roles` - `granted_to_users` @@ -108,7 +107,7 @@ For more information, refer to [variables.tf](variables.tf), list of inputs belo | [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | | [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [roles](#input\_roles) | Database roles created in the stage scope | 
map(object({
    with_grant_option      = optional(bool)
    parent_database_role   = optional(string)
    granted_database_roles = optional(list(string))
    stage_grants           = optional(list(string))
    all_privileges         = optional(bool)
    on_all                 = optional(bool, false)
    schema_name            = optional(string)
    on_future              = optional(bool, false)
  }))
| `{}` | no | +| [roles](#input\_roles) | Database roles created in the stage scope | 
map(object({
    with_grant_option         = optional(bool)
    granted_to_roles          = optional(list(string))
    granted_to_database_roles = optional(list(string))
    granted_database_roles    = optional(list(string))
    stage_grants              = optional(list(string))
    all_privileges            = optional(bool)
    on_all                    = optional(bool, false)
    schema_name               = optional(string)
    on_future                 = optional(bool, false)
  }))
| `{}` | no | | [schema](#input\_schema) | The schema in which to create the stage | `string` | n/a | yes | | [snowflake\_iam\_user](#input\_snowflake\_iam\_user) | Specifies the Snowflake IAM user | `string` | `null` | no | | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | @@ -123,7 +122,7 @@ For more information, refer to [variables.tf](variables.tf), list of inputs belo | Name | Source | Version | |------|--------|---------| | [roles\_deep\_merge](#module\_roles\_deep\_merge) | Invicton-Labs/deepmerge/null | 0.1.5 | -| [snowflake\_database\_role](#module\_snowflake\_database\_role) | getindata/database-role/snowflake | 1.0.0 | +| [snowflake\_database\_role](#module\_snowflake\_database\_role) | getindata/database-role/snowflake | 1.1.0 | | [stage\_label](#module\_stage\_label) | cloudposse/label/null | 0.25.0 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 | @@ -131,8 +130,8 @@ For more information, refer to [variables.tf](variables.tf), list of inputs belo | Name | Description | |------|-------------| +| [databse\_roles](#output\_databse\_roles) | This stage access roles | | [name](#output\_name) | Name of the stage | -| [roles](#output\_roles) | This stage access roles | ## Providers diff --git a/examples/complete/README.md b/examples/complete/README.md index e056d4f..e7b7e75 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -20,7 +20,7 @@ terraform apply -var-file=fixtures.tfvars ``` ## How to destroy -If `stage_ownership_grant` was used, first you need to hash out this line, `terraform apply -var-file=fixtures.tfvars` and then: +If `stage_ownership_grant` was used, first you need to hash out this line, run `terraform apply -var-file=fixtures.tfvars` and then: ```shell terraform destroy -var-file=fixtures.tfvars ``` @@ -88,5 +88,6 @@ terraform destroy -var-file=fixtures.tfvars | [snowflake_database_role.db_role_1](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/database_role) | resource | | [snowflake_database_role.db_role_2](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/database_role) | resource | | [snowflake_database_role.db_role_3](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/database_role) | resource | +| [snowflake_role.role_1](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role) | resource | | [snowflake_schema.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/schema) | resource | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 9f8784d..a62b4bf 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -1,3 +1,16 @@ +resource "snowflake_database" "this" { + name = "USERS_DB" +} + +resource "snowflake_schema" "this" { + name = "TEST_SCHEMA" + database = snowflake_database.this.name +} + +resource "snowflake_role" "role_1" { + name = "ROLE_1" +} + resource "snowflake_database_role" "db_role_1" { database = snowflake_database.this.name name = "DB_ROLE_1" @@ -13,15 +26,6 @@ resource "snowflake_database_role" "db_role_3" { name = "DB_ROLE_3" } -resource "snowflake_database" "this" { - name = "USERS_DB" -} - -resource "snowflake_schema" "this" { - name = "TEST_SCHEMA" - database = snowflake_database.this.name -} - module "internal_stage" { source = "../../" context = module.this.context @@ -36,31 +40,34 @@ module "internal_stage" { roles = { readonly = { # Modifies readonly default role - parent_database_role = snowflake_database_role.db_role_1.name + granted_to_database_roles = [ + "${snowflake_database.this.name}.${snowflake_database_role.db_role_1.name}" + ] granted_database_roles = [ - snowflake_database_role.db_role_2.name, - snowflake_database_role.db_role_3.name + "${snowflake_database.this.name}.${snowflake_database_role.db_role_2.name}", + "${snowflake_database.this.name}.${snowflake_database_role.db_role_3.name}" ] stage_grants = ["READ", "WRITE"] } admin = { # Modifies admin default role granted_database_roles = [ - snowflake_database_role.db_role_2.name + "${snowflake_database.this.name}.${snowflake_database_role.db_role_2.name}", ] } user_1 = { # User created database role - parent_database_role = snowflake_database_role.db_role_3.name - all_privileges = true - with_grant_option = true - on_future = true - on_all = true + granted_to_roles = [snowflake_role.role_1.name] + granted_to_database_roles = ["${snowflake_database.this.name}.${snowflake_database_role.db_role_3.name}"] + all_privileges = true + with_grant_option = true + on_future = true + on_all = true } user_2 = { # User created database role - parent_database_role = snowflake_database_role.db_role_3.name - stage_grants = ["READ", "WRITE"] - with_grant_option = false - on_future = true - on_all = false + granted_to_database_roles = ["${snowflake_database.this.name}.${snowflake_database_role.db_role_3.name}"] + stage_grants = ["READ", "WRITE"] + with_grant_option = false + on_future = true + on_all = false } } diff --git a/examples/simple/README.md b/examples/simple/README.md index 6062554..93b6890 100644 --- a/examples/simple/README.md +++ b/examples/simple/README.md @@ -45,7 +45,9 @@ No inputs. ## Providers -No providers. +| Name | Version | +|------|---------| +| [snowflake](#provider\_snowflake) | ~> 0.90 | ## Requirements @@ -56,5 +58,8 @@ No providers. ## Resources -No resources. +| Name | Type | +|------|------| +| [snowflake_database.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/database) | resource | +| [snowflake_schema.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/schema) | resource | diff --git a/examples/simple/main.tf b/examples/simple/main.tf index dbff1d3..1da3e4b 100644 --- a/examples/simple/main.tf +++ b/examples/simple/main.tf @@ -1,7 +1,16 @@ +resource "snowflake_database" "this" { + name = "USERS_DB" +} + +resource "snowflake_schema" "this" { + name = "TEST_SCHEMA" + database = snowflake_database.this.name +} + module "internal_stage" { source = "../../" name = "my_stage" - schema = "my_schema" - database = "my_db" + schema = snowflake_schema.this.name + database = snowflake_database.this.name } diff --git a/main.tf b/main.tf index 9d3eea2..50555c5 100644 --- a/main.tf +++ b/main.tf @@ -31,14 +31,15 @@ module "snowflake_database_role" { for_each = local.roles source = "getindata/database-role/snowflake" - version = "1.0.0" + version = "1.1.0" context = module.this.context database_name = one(snowflake_stage.this[*].database) name = each.key - parent_database_role = lookup(each.value, "parent_database_role", null) - granted_database_roles = lookup(each.value, "granted_database_roles", []) + granted_to_roles = lookup(each.value, "granted_to_roles", []) + granted_to_database_roles = lookup(each.value, "granted_to_database_roles", []) + granted_database_roles = lookup(each.value, "granted_database_roles", []) attributes = [ one(snowflake_stage.this[*].schema), diff --git a/outputs.tf b/outputs.tf index e0d273d..dfe3467 100644 --- a/outputs.tf +++ b/outputs.tf @@ -3,7 +3,7 @@ output "name" { value = one(snowflake_stage.this[*].name) } -output "roles" { +output "databse_roles" { description = "This stage access roles" value = local.roles } diff --git a/variables.tf b/variables.tf index 3c2c40f..c9bd7f7 100644 --- a/variables.tf +++ b/variables.tf @@ -83,14 +83,15 @@ variable "create_default_databse_roles" { variable "roles" { description = "Database roles created in the stage scope" type = map(object({ - with_grant_option = optional(bool) - parent_database_role = optional(string) - granted_database_roles = optional(list(string)) - stage_grants = optional(list(string)) - all_privileges = optional(bool) - on_all = optional(bool, false) - schema_name = optional(string) - on_future = optional(bool, false) + with_grant_option = optional(bool) + granted_to_roles = optional(list(string)) + granted_to_database_roles = optional(list(string)) + granted_database_roles = optional(list(string)) + stage_grants = optional(list(string)) + all_privileges = optional(bool) + on_all = optional(bool, false) + schema_name = optional(string) + on_future = optional(bool, false) })) default = {} } From 44a72f6db622eb53e7fe21c61666cb6bb77758b2 Mon Sep 17 00:00:00 2001 From: Daniel Noworyta Date: Mon, 22 Jul 2024 17:25:59 +0200 Subject: [PATCH 7/8] chore: role name change to not confuse user in examples/complete --- examples/complete/main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/examples/complete/main.tf b/examples/complete/main.tf index a62b4bf..eb2e489 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -54,7 +54,7 @@ module "internal_stage" { "${snowflake_database.this.name}.${snowflake_database_role.db_role_2.name}", ] } - user_1 = { # User created database role + role_1 = { # User created database role granted_to_roles = [snowflake_role.role_1.name] granted_to_database_roles = ["${snowflake_database.this.name}.${snowflake_database_role.db_role_3.name}"] all_privileges = true @@ -62,7 +62,7 @@ module "internal_stage" { on_future = true on_all = true } - user_2 = { # User created database role + role_2 = { # User created database role granted_to_database_roles = ["${snowflake_database.this.name}.${snowflake_database_role.db_role_3.name}"] stage_grants = ["READ", "WRITE"] with_grant_option = false @@ -71,5 +71,5 @@ module "internal_stage" { } } - stage_ownership_grant = "user_1" + stage_ownership_grant = "role_1" } From 80e5dcc280c1069b15fb513b24c0b35d24f88c1a Mon Sep 17 00:00:00 2001 From: Daniel Noworyta Date: Wed, 24 Jul 2024 16:21:00 +0200 Subject: [PATCH 8/8] chore: added enabled flag (bool) to database role creation --- README.md | 18 +++++++++--------- examples/complete/main.tf | 15 +++++++++------ locals.tf | 10 ++++++---- outputs.tf | 2 +- variables.tf | 3 ++- 5 files changed, 27 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index c0bc1a1..71e6621 100644 --- a/README.md +++ b/README.md @@ -15,11 +15,11 @@ Terraform module for Snowflake stage management. * Creates Snowflake stage -* Can create custom Snowflake databse-roles with role-to-role assignments +* Can create custom Snowflake database-roles with role-to-role assignments * Can create a set of default roles to simplify access management: * `READONLY` - granted `USAGE` or `READ` privilages - * `READWRITE` - granted `WRITE` privilages - * `ADMIN` - granted `READ`, `WRITE` privilages (role can be additionally granted with `OWNER` attribute when specified) + * `READWRITE` - granted `WRITE` privileges + * `ADMIN` - granted `READ`, `WRITE` privileges (role can be additionally granted with `OWNER` attribute when specified) ## USAGE @@ -35,7 +35,7 @@ module "snowflake_stage" { url = "s3://com.example.bucket/prefix" credentials = "AWS_KEY_ID='${var.example_aws_key_id}' AWS_SECRET_KEY='${var.example_aws_secret_key}'" - create_default_roles = true + create_default_database_roles = true } ``` @@ -48,11 +48,11 @@ module "snowflake_stage" { ## Breaking changes in v2.x of the module Due to breaking changes in Snowflake provider and additional code optimizations, **breaking changes** were introduced in `v2.0.0` version of this module. -Lst of code and variable (API) changes: +List of code and variable (API) changes: - Switched to `snowflake_grant_ownership` resource instead of provider-removed `snowflake_role_ownership_grant` - Switched to `snowflake_database_role` module to leverage new `database_roles` mechanism - `default_roles` and `custom_roles` are now combined and managed by single module -- `create_default_roles` variable was renamed to `create_default_databse_roles` +- `create_default_roles` variable was renamed to `create_default_database_roles` - `roles` variable map received following additions: - `all_privileges` - optional, bool - `on_all` - optional, bool, defaults to false @@ -88,7 +88,7 @@ For more information, refer to [variables.tf](variables.tf), list of inputs belo | [comment](#input\_comment) | Specifies a comment for the stage | `string` | `null` | no | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | 
{
  "additional_tag_map": {},
  "attributes": [],
  "delimiter": null,
  "descriptor_formats": {},
  "enabled": true,
  "environment": null,
  "id_length_limit": null,
  "label_key_case": null,
  "label_order": [],
  "label_value_case": null,
  "labels_as_tags": [
    "unset"
  ],
  "name": null,
  "namespace": null,
  "regex_replace_chars": null,
  "stage": null,
  "tags": {},
  "tenant": null
}
| no | | [copy\_options](#input\_copy\_options) | Specifies the copy options for the stage | `string` | `null` | no | -| [create\_default\_databse\_roles](#input\_create\_default\_databse\_roles) | Whether the default database roles should be created | `bool` | `false` | no | +| [create\_default\_database\_roles](#input\_create\_default\_database\_roles) | Whether the default database roles should be created | `bool` | `false` | no | | [credentials](#input\_credentials) | Specifies the credentials for the stage | `string` | `null` | no | | [database](#input\_database) | The database in which to create the stage | `string` | n/a | yes | | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | @@ -107,7 +107,7 @@ For more information, refer to [variables.tf](variables.tf), list of inputs belo | [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | | [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [roles](#input\_roles) | Database roles created in the stage scope | 
map(object({
    with_grant_option         = optional(bool)
    granted_to_roles          = optional(list(string))
    granted_to_database_roles = optional(list(string))
    granted_database_roles    = optional(list(string))
    stage_grants              = optional(list(string))
    all_privileges            = optional(bool)
    on_all                    = optional(bool, false)
    schema_name               = optional(string)
    on_future                 = optional(bool, false)
  }))
| `{}` | no | +| [roles](#input\_roles) | Database roles created in the stage scope | 
map(object({
    enabled                   = optional(bool, true)
    with_grant_option         = optional(bool)
    granted_to_roles          = optional(list(string))
    granted_to_database_roles = optional(list(string))
    granted_database_roles    = optional(list(string))
    stage_grants              = optional(list(string))
    all_privileges            = optional(bool)
    on_all                    = optional(bool, false)
    schema_name               = optional(string)
    on_future                 = optional(bool, false)
  }))
| `{}` | no | | [schema](#input\_schema) | The schema in which to create the stage | `string` | n/a | yes | | [snowflake\_iam\_user](#input\_snowflake\_iam\_user) | Specifies the Snowflake IAM user | `string` | `null` | no | | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | @@ -130,7 +130,7 @@ For more information, refer to [variables.tf](variables.tf), list of inputs belo | Name | Description | |------|-------------| -| [databse\_roles](#output\_databse\_roles) | This stage access roles | +| [database\_roles](#output\_database\_roles) | This stage access roles | | [name](#output\_name) | Name of the stage | ## Providers diff --git a/examples/complete/main.tf b/examples/complete/main.tf index eb2e489..19af777 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -36,10 +36,10 @@ module "internal_stage" { comment = "This is my ingest stage" - create_default_databse_roles = true + create_default_database_roles = true roles = { - readonly = { # Modifies readonly default role + readonly = { # Modifies readonly default database role granted_to_database_roles = [ "${snowflake_database.this.name}.${snowflake_database_role.db_role_1.name}" ] @@ -49,12 +49,15 @@ module "internal_stage" { ] stage_grants = ["READ", "WRITE"] } - admin = { # Modifies admin default role + admin = { # Modifies admin default database role granted_database_roles = [ "${snowflake_database.this.name}.${snowflake_database_role.db_role_2.name}", ] } - role_1 = { # User created database role + readwrite = { + enabled = false # Disables readwrite default database role creation + } + role_1 = { # Database role created by user input granted_to_roles = [snowflake_role.role_1.name] granted_to_database_roles = ["${snowflake_database.this.name}.${snowflake_database_role.db_role_3.name}"] all_privileges = true @@ -62,7 +65,7 @@ module "internal_stage" { on_future = true on_all = true } - role_2 = { # User created database role + role_2 = { # Database role created by user input granted_to_database_roles = ["${snowflake_database.this.name}.${snowflake_database_role.db_role_3.name}"] stage_grants = ["READ", "WRITE"] with_grant_option = false @@ -71,5 +74,5 @@ module "internal_stage" { } } - stage_ownership_grant = "role_1" + stage_ownership_grant = "role_1" # When destroying, please read README.md } diff --git a/locals.tf b/locals.tf index 3b79b8e..eaf792a 100644 --- a/locals.tf +++ b/locals.tf @@ -9,14 +9,17 @@ locals { is_internal = var.url == null - default_roles_definition = var.create_default_databse_roles ? { + default_roles_definition = var.create_default_database_roles ? { readonly = { + enabled = true stage_grants = local.is_internal ? ["READ"] : ["USAGE"] } readwrite = { + enabled = true stage_grants = local.is_internal ? ["READ", "WRITE"] : ["USAGE"] } admin = { + enabled = true stage_grants = local.is_internal ? ["READ", "WRITE"] : ["USAGE"] } } : {} @@ -26,10 +29,9 @@ locals { if v != null } } - roles_definition = module.roles_deep_merge.merged - roles = { - for role_name, role in local.roles_definition : role_name => role + for role_name, role in module.roles_deep_merge.merged : role_name => role + if role_name != null && role.enabled } } diff --git a/outputs.tf b/outputs.tf index dfe3467..7d65885 100644 --- a/outputs.tf +++ b/outputs.tf @@ -3,7 +3,7 @@ output "name" { value = one(snowflake_stage.this[*].name) } -output "databse_roles" { +output "database_roles" { description = "This stage access roles" value = local.roles } diff --git a/variables.tf b/variables.tf index c9bd7f7..964e76d 100644 --- a/variables.tf +++ b/variables.tf @@ -74,7 +74,7 @@ variable "url" { default = null } -variable "create_default_databse_roles" { +variable "create_default_database_roles" { description = "Whether the default database roles should be created" type = bool default = false @@ -83,6 +83,7 @@ variable "create_default_databse_roles" { variable "roles" { description = "Database roles created in the stage scope" type = map(object({ + enabled = optional(bool, true) with_grant_option = optional(bool) granted_to_roles = optional(list(string)) granted_to_database_roles = optional(list(string))