diff --git a/README.md b/README.md
index c0bc1a1..71e6621 100644
--- a/README.md
+++ b/README.md
@@ -15,11 +15,11 @@
Terraform module for Snowflake stage management.
* Creates Snowflake stage
-* Can create custom Snowflake databse-roles with role-to-role assignments
+* Can create custom Snowflake database-roles with role-to-role assignments
* Can create a set of default roles to simplify access management:
* `READONLY` - granted `USAGE` or `READ` privilages
- * `READWRITE` - granted `WRITE` privilages
- * `ADMIN` - granted `READ`, `WRITE` privilages (role can be additionally granted with `OWNER` attribute when specified)
+ * `READWRITE` - granted `WRITE` privileges
+ * `ADMIN` - granted `READ`, `WRITE` privileges (role can be additionally granted with `OWNER` attribute when specified)
## USAGE
@@ -35,7 +35,7 @@ module "snowflake_stage" {
url = "s3://com.example.bucket/prefix"
credentials = "AWS_KEY_ID='${var.example_aws_key_id}' AWS_SECRET_KEY='${var.example_aws_secret_key}'"
- create_default_roles = true
+ create_default_database_roles = true
}
```
@@ -48,11 +48,11 @@ module "snowflake_stage" {
## Breaking changes in v2.x of the module
Due to breaking changes in Snowflake provider and additional code optimizations, **breaking changes** were introduced in `v2.0.0` version of this module.
-Lst of code and variable (API) changes:
+List of code and variable (API) changes:
- Switched to `snowflake_grant_ownership` resource instead of provider-removed `snowflake_role_ownership_grant`
- Switched to `snowflake_database_role` module to leverage new `database_roles` mechanism
- `default_roles` and `custom_roles` are now combined and managed by single module
-- `create_default_roles` variable was renamed to `create_default_databse_roles`
+- `create_default_roles` variable was renamed to `create_default_database_roles`
- `roles` variable map received following additions:
- `all_privileges` - optional, bool
- `on_all` - optional, bool, defaults to false
@@ -88,7 +88,7 @@ For more information, refer to [variables.tf](variables.tf), list of inputs belo
| [comment](#input\_comment) | Specifies a comment for the stage | `string` | `null` | no |
| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | {
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
} | no |
| [copy\_options](#input\_copy\_options) | Specifies the copy options for the stage | `string` | `null` | no |
-| [create\_default\_databse\_roles](#input\_create\_default\_databse\_roles) | Whether the default database roles should be created | `bool` | `false` | no |
+| [create\_default\_database\_roles](#input\_create\_default\_database\_roles) | Whether the default database roles should be created | `bool` | `false` | no |
| [credentials](#input\_credentials) | Specifies the credentials for the stage | `string` | `null` | no |
| [database](#input\_database) | The database in which to create the stage | `string` | n/a | yes |
| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
@@ -107,7 +107,7 @@ For more information, refer to [variables.tf](variables.tf), list of inputs belo
| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
-| [roles](#input\_roles) | Database roles created in the stage scope | map(object({
with_grant_option = optional(bool)
granted_to_roles = optional(list(string))
granted_to_database_roles = optional(list(string))
granted_database_roles = optional(list(string))
stage_grants = optional(list(string))
all_privileges = optional(bool)
on_all = optional(bool, false)
schema_name = optional(string)
on_future = optional(bool, false)
})) | `{}` | no |
+| [roles](#input\_roles) | Database roles created in the stage scope | map(object({
enabled = optional(bool, true)
with_grant_option = optional(bool)
granted_to_roles = optional(list(string))
granted_to_database_roles = optional(list(string))
granted_database_roles = optional(list(string))
stage_grants = optional(list(string))
all_privileges = optional(bool)
on_all = optional(bool, false)
schema_name = optional(string)
on_future = optional(bool, false)
})) | `{}` | no |
| [schema](#input\_schema) | The schema in which to create the stage | `string` | n/a | yes |
| [snowflake\_iam\_user](#input\_snowflake\_iam\_user) | Specifies the Snowflake IAM user | `string` | `null` | no |
| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
@@ -130,7 +130,7 @@ For more information, refer to [variables.tf](variables.tf), list of inputs belo
| Name | Description |
|------|-------------|
-| [databse\_roles](#output\_databse\_roles) | This stage access roles |
+| [database\_roles](#output\_database\_roles) | This stage access roles |
| [name](#output\_name) | Name of the stage |
## Providers
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index eb2e489..19af777 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -36,10 +36,10 @@ module "internal_stage" {
comment = "This is my ingest stage"
- create_default_databse_roles = true
+ create_default_database_roles = true
roles = {
- readonly = { # Modifies readonly default role
+ readonly = { # Modifies readonly default database role
granted_to_database_roles = [
"${snowflake_database.this.name}.${snowflake_database_role.db_role_1.name}"
]
@@ -49,12 +49,15 @@ module "internal_stage" {
]
stage_grants = ["READ", "WRITE"]
}
- admin = { # Modifies admin default role
+ admin = { # Modifies admin default database role
granted_database_roles = [
"${snowflake_database.this.name}.${snowflake_database_role.db_role_2.name}",
]
}
- role_1 = { # User created database role
+ readwrite = {
+ enabled = false # Disables readwrite default database role creation
+ }
+ role_1 = { # Database role created by user input
granted_to_roles = [snowflake_role.role_1.name]
granted_to_database_roles = ["${snowflake_database.this.name}.${snowflake_database_role.db_role_3.name}"]
all_privileges = true
@@ -62,7 +65,7 @@ module "internal_stage" {
on_future = true
on_all = true
}
- role_2 = { # User created database role
+ role_2 = { # Database role created by user input
granted_to_database_roles = ["${snowflake_database.this.name}.${snowflake_database_role.db_role_3.name}"]
stage_grants = ["READ", "WRITE"]
with_grant_option = false
@@ -71,5 +74,5 @@ module "internal_stage" {
}
}
- stage_ownership_grant = "role_1"
+ stage_ownership_grant = "role_1" # When destroying, please read README.md
}
diff --git a/locals.tf b/locals.tf
index 3b79b8e..eaf792a 100644
--- a/locals.tf
+++ b/locals.tf
@@ -9,14 +9,17 @@ locals {
is_internal = var.url == null
- default_roles_definition = var.create_default_databse_roles ? {
+ default_roles_definition = var.create_default_database_roles ? {
readonly = {
+ enabled = true
stage_grants = local.is_internal ? ["READ"] : ["USAGE"]
}
readwrite = {
+ enabled = true
stage_grants = local.is_internal ? ["READ", "WRITE"] : ["USAGE"]
}
admin = {
+ enabled = true
stage_grants = local.is_internal ? ["READ", "WRITE"] : ["USAGE"]
}
} : {}
@@ -26,10 +29,9 @@ locals {
if v != null
} }
- roles_definition = module.roles_deep_merge.merged
-
roles = {
- for role_name, role in local.roles_definition : role_name => role
+ for role_name, role in module.roles_deep_merge.merged : role_name => role
+ if role_name != null && role.enabled
}
}
diff --git a/outputs.tf b/outputs.tf
index dfe3467..7d65885 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -3,7 +3,7 @@ output "name" {
value = one(snowflake_stage.this[*].name)
}
-output "databse_roles" {
+output "database_roles" {
description = "This stage access roles"
value = local.roles
}
diff --git a/variables.tf b/variables.tf
index c9bd7f7..964e76d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -74,7 +74,7 @@ variable "url" {
default = null
}
-variable "create_default_databse_roles" {
+variable "create_default_database_roles" {
description = "Whether the default database roles should be created"
type = bool
default = false
@@ -83,6 +83,7 @@ variable "create_default_databse_roles" {
variable "roles" {
description = "Database roles created in the stage scope"
type = map(object({
+ enabled = optional(bool, true)
with_grant_option = optional(bool)
granted_to_roles = optional(list(string))
granted_to_database_roles = optional(list(string))