-
Notifications
You must be signed in to change notification settings - Fork 427
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: grant privileges to database role resource (#2306)
- Loading branch information
1 parent
da6ca73
commit 0311cf8
Showing
42 changed files
with
3,515 additions
and
112 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,309 @@ | ||
| --- | ||
| # generated by https://github.com/hashicorp/terraform-plugin-docs | ||
| page_title: "snowflake_grant_privileges_to_database_role Resource - terraform-provider-snowflake" | ||
| subcategory: "" | ||
| description: |- | ||
| --- | ||
|
|
||
|
|
||
| !> **Warning** Be careful when using `always_apply` field. It will always produce a plan (even when no changes were made) and can be harmful in some setups. For more details why we decided to introduce it to go our document explaining those design decisions (coming soon). | ||
|
|
||
| # snowflake_grant_privileges_to_database_role (Resource) | ||
|
|
||
|
|
||
|
|
||
| ## Example Usage | ||
|
|
||
| ```terraform | ||
| resource "snowflake_database_role" "db_role" { | ||
| database = "database" | ||
| name = "db_role_name" | ||
| } | ||
| ################################## | ||
| ### on database privileges | ||
| ################################## | ||
| # list of privileges | ||
| resource "snowflake_grant_privileges_to_database_role" "example" { | ||
| privileges = ["CREATE", "MONITOR"] | ||
| database_role_name = "\"${snowflake_database_role.db_role.database}\".\"${snowflake_database_role.db_role.name}\"" | ||
| on_database = snowflake_database_role.db_role.database | ||
| } | ||
| # all privileges + grant option | ||
| resource "snowflake_grant_privileges_to_database_role" "example" { | ||
| database_role_name = "\"${snowflake_database_role.db_role.database}\".\"${snowflake_database_role.db_role.name}\"" | ||
| on_database = snowflake_database_role.db_role.database | ||
| all_privileges = true | ||
| with_grant_option = true | ||
| } | ||
| # all privileges + grant option + always apply | ||
| resource "snowflake_grant_privileges_to_database_role" "example" { | ||
| database_role_name = "\"${snowflake_database_role.db_role.database}\".\"${snowflake_database_role.db_role.name}\"" | ||
| on_database = snowflake_database_role.db_role.database | ||
| always_apply = true | ||
| all_privileges = true | ||
| with_grant_option = true | ||
| } | ||
| ################################## | ||
| ### schema privileges | ||
| ################################## | ||
| # list of privileges | ||
| resource "snowflake_grant_privileges_to_database_role" "example" { | ||
| privileges = ["MODIFY", "CREATE TABLE"] | ||
| database_role_name = "\"${snowflake_database_role.db_role.database}\".\"${snowflake_database_role.db_role.name}\"" | ||
| on_schema { | ||
| schema_name = "\"${snowflake_database_role.db_role.database}\".\"my_schema\"" # note this is a fully qualified name! | ||
| } | ||
| } | ||
| # all privileges + grant option | ||
| resource "snowflake_grant_privileges_to_database_role" "example" { | ||
| database_role_name = "\"${snowflake_database_role.db_role.database}\".\"${snowflake_database_role.db_role.name}\"" | ||
| on_schema { | ||
| schema_name = "\"${snowflake_database_role.db_role.database}\".\"my_schema\"" # note this is a fully qualified name! | ||
| } | ||
| all_privileges = true | ||
| with_grant_option = true | ||
| } | ||
| # all schemas in database | ||
| resource "snowflake_grant_privileges_to_database_role" "example" { | ||
| privileges = ["MODIFY", "CREATE TABLE"] | ||
| database_role_name = "\"${snowflake_database_role.db_role.database}\".\"${snowflake_database_role.db_role.name}\"" | ||
| on_schema { | ||
| all_schemas_in_database = snowflake_database_role.db_role.database | ||
| } | ||
| } | ||
| # future schemas in database | ||
| resource "snowflake_grant_privileges_to_database_role" "example" { | ||
| privileges = ["MODIFY", "CREATE TABLE"] | ||
| database_role_name = "\"${snowflake_database_role.db_role.database}\".\"${snowflake_database_role.db_role.name}\"" | ||
| on_schema { | ||
| future_schemas_in_database = snowflake_database_role.db_role.database | ||
| } | ||
| } | ||
| ################################## | ||
| ### schema object privileges | ||
| ################################## | ||
| # list of privileges | ||
| resource "snowflake_grant_privileges_to_database_role" "example" { | ||
| privileges = ["SELECT", "REFERENCES"] | ||
| database_role_name = "\"${snowflake_database_role.db_role.database}\".\"${snowflake_database_role.db_role.name}\"" | ||
| on_schema_object { | ||
| object_type = "VIEW" | ||
| object_name = "\"${snowflake_database_role.db_role.database}\".\"my_schema\".\"my_view\"" # note this is a fully qualified name! | ||
| } | ||
| } | ||
| # all privileges + grant option | ||
| resource "snowflake_grant_privileges_to_database_role" "example" { | ||
| database_role_name = "\"${snowflake_database_role.db_role.database}\".\"${snowflake_database_role.db_role.name}\"" | ||
| on_schema_object { | ||
| object_type = "VIEW" | ||
| object_name = "\"${snowflake_database_role.db_role.database}\".\"my_schema\".\"my_view\"" # note this is a fully qualified name! | ||
| } | ||
| all_privileges = true | ||
| with_grant_option = true | ||
| } | ||
| # all in database | ||
| resource "snowflake_grant_privileges_to_database_role" "example" { | ||
| privileges = ["SELECT", "INSERT"] | ||
| database_role_name = "\"${snowflake_database_role.db_role.database}\".\"${snowflake_database_role.db_role.name}\"" | ||
| on_schema_object { | ||
| all { | ||
| object_type_plural = "TABLES" | ||
| in_database = snowflake_database_role.db_role.database | ||
| } | ||
| } | ||
| } | ||
| # all in schema | ||
| resource "snowflake_grant_privileges_to_database_role" "example" { | ||
| privileges = ["SELECT", "INSERT"] | ||
| database_role_name = "\"${snowflake_database_role.db_role.database}\".\"${snowflake_database_role.db_role.name}\"" | ||
| on_schema_object { | ||
| all { | ||
| object_type_plural = "TABLES" | ||
| in_schema = "\"${snowflake_database_role.db_role.database}\".\"my_schema\"" # note this is a fully qualified name! | ||
| } | ||
| } | ||
| } | ||
| # future in database | ||
| resource "snowflake_grant_privileges_to_database_role" "example" { | ||
| privileges = ["SELECT", "INSERT"] | ||
| database_role_name = "\"${snowflake_database_role.db_role.database}\".\"${snowflake_database_role.db_role.name}\"" | ||
| on_schema_object { | ||
| future { | ||
| object_type_plural = "TABLES" | ||
| in_database = snowflake_database_role.db_role.database | ||
| } | ||
| } | ||
| } | ||
| # future in schema | ||
| resource "snowflake_grant_privileges_to_database_role" "example" { | ||
| privileges = ["SELECT", "INSERT"] | ||
| database_role_name = "\"${snowflake_database_role.db_role.database}\".\"${snowflake_database_role.db_role.name}\"" | ||
| on_schema_object { | ||
| future { | ||
| object_type_plural = "TABLES" | ||
| in_schema = "\"${snowflake_database_role.db_role.database}\".\"my_schema\"" # note this is a fully qualified name! | ||
| } | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| <!-- schema generated by tfplugindocs --> | ||
| ## Schema | ||
|
|
||
| ### Required | ||
|
|
||
| - `database_role_name` (String) The fully qualified name of the database role to which privileges will be granted. | ||
|
|
||
| ### Optional | ||
|
|
||
| - `all_privileges` (Boolean) Grant all privileges on the database role. | ||
| - `always_apply` (Boolean) If true, the resource will always produce a “plan” and on “apply” it will re-grant defined privileges. It is supposed to be used only in “grant privileges on all X’s in database / schema Y” or “grant all privileges to X” scenarios to make sure that every new object in a given database / schema is granted by the account role and every new privilege is granted to the database role. Important note: this flag is not compliant with the Terraform assumptions of the config being eventually convergent (producing an empty plan). | ||
| - `always_apply_trigger` (String) This field should not be set and its main purpose is to achieve the functionality described by always_apply field. This is value will be flipped to the opposite value on every terraform apply, thus creating a new plan that will re-apply grants. | ||
| - `on_database` (String) The fully qualified name of the database on which privileges will be granted. | ||
| - `on_schema` (Block List, Max: 1) Specifies the schema on which privileges will be granted. (see [below for nested schema](#nestedblock--on_schema)) | ||
| - `on_schema_object` (Block List, Max: 1) Specifies the schema object on which privileges will be granted. (see [below for nested schema](#nestedblock--on_schema_object)) | ||
| - `privileges` (Set of String) The privileges to grant on the database role. | ||
| - `with_grant_option` (Boolean) If specified, allows the recipient role to grant the privileges to other roles. | ||
|
|
||
| ### Read-Only | ||
|
|
||
| - `id` (String) The ID of this resource. | ||
|
|
||
| <a id="nestedblock--on_schema"></a> | ||
| ### Nested Schema for `on_schema` | ||
|
|
||
| Optional: | ||
|
|
||
| - `all_schemas_in_database` (String) The fully qualified name of the database. | ||
| - `future_schemas_in_database` (String) The fully qualified name of the database. | ||
| - `schema_name` (String) The fully qualified name of the schema. | ||
|
|
||
|
|
||
| <a id="nestedblock--on_schema_object"></a> | ||
| ### Nested Schema for `on_schema_object` | ||
|
|
||
| Optional: | ||
|
|
||
| - `all` (Block List, Max: 1) Configures the privilege to be granted on all objects in either a database or schema. (see [below for nested schema](#nestedblock--on_schema_object--all)) | ||
| - `future` (Block List, Max: 1) Configures the privilege to be granted on future objects in either a database or schema. (see [below for nested schema](#nestedblock--on_schema_object--future)) | ||
| - `object_name` (String) The fully qualified name of the object on which privileges will be granted. | ||
| - `object_type` (String) The object type of the schema object on which privileges will be granted. Valid values are: ALERT | DYNAMIC TABLE | EVENT TABLE | FILE FORMAT | FUNCTION | PROCEDURE | SECRET | SEQUENCE | PIPE | MASKING POLICY | PASSWORD POLICY | ROW ACCESS POLICY | SESSION POLICY | TAG | STAGE | STREAM | TABLE | EXTERNAL TABLE | TASK | VIEW | MATERIALIZED VIEW | NETWORK RULE | PACKAGES POLICY | ICEBERG TABLE | ||
|
|
||
| <a id="nestedblock--on_schema_object--all"></a> | ||
| ### Nested Schema for `on_schema_object.all` | ||
|
|
||
| Required: | ||
|
|
||
| - `object_type_plural` (String) The plural object type of the schema object on which privileges will be granted. Valid values are: ALERTS | DYNAMIC TABLES | EVENT TABLES | FILE FORMATS | FUNCTIONS | PROCEDURES | SECRETS | SEQUENCES | PIPES | MASKING POLICIES | PASSWORD POLICIES | ROW ACCESS POLICIES | SESSION POLICIES | TAGS | STAGES | STREAMS | TABLES | EXTERNAL TABLES | TASKS | VIEWS | MATERIALIZED VIEWS | NETWORK RULES | PACKAGES POLICIES | ICEBERG TABLES | ||
|
|
||
| Optional: | ||
|
|
||
| - `in_database` (String) | ||
| - `in_schema` (String) | ||
|
|
||
|
|
||
| <a id="nestedblock--on_schema_object--future"></a> | ||
| ### Nested Schema for `on_schema_object.future` | ||
|
|
||
| Required: | ||
|
|
||
| - `object_type_plural` (String) The plural object type of the schema object on which privileges will be granted. Valid values are: ALERTS | DYNAMIC TABLES | EVENT TABLES | FILE FORMATS | FUNCTIONS | PROCEDURES | SECRETS | SEQUENCES | PIPES | MASKING POLICIES | PASSWORD POLICIES | ROW ACCESS POLICIES | SESSION POLICIES | TAGS | STAGES | STREAMS | TABLES | EXTERNAL TABLES | TASKS | VIEWS | MATERIALIZED VIEWS | NETWORK RULES | PACKAGES POLICIES | ICEBERG TABLES | ||
|
|
||
| Optional: | ||
|
|
||
| - `in_database` (String) | ||
| - `in_schema` (String) | ||
|
|
||
| ## Import | ||
|
|
||
| ~> **Note** All the ..._name parts should be fully qualified names, e.g. for database object it is `"<database_name>"."<object_name>"` | ||
| ~> **Note** To import all_privileges write ALL or ALL PRIVILEGES in place of `<privileges>` | ||
|
|
||
| Import is supported using the following syntax: | ||
|
|
||
| `terraform import "<database_role_name>|<with_grant_option>|<always_apply>|<privileges>|<grant_type>|<grant_data>"` | ||
|
|
||
| where: | ||
| - database_role_name - fully qualified identifier | ||
| - with_grant_option - boolean | ||
| - always_apply - boolean | ||
| - privileges - list of privileges, comma separated; to import all_privileges write "ALL" or "ALL PRIVILEGES" | ||
| - grant_type - enum | ||
| - grant_data - enum data | ||
|
|
||
| It has varying number of parts, depending on grant_type. All the possible types are: | ||
|
|
||
| ### OnDatabase | ||
| `terraform import "<database_role_name>|<with_grant_option>|<always_apply>|<privileges>|OnDatabase|<database_name>"` | ||
|
|
||
| ### OnSchema | ||
|
|
||
| On schema contains inner types for all options. | ||
|
|
||
| #### OnSchema | ||
| `terraform import "<database_role_name>|<with_grant_option>|<always_apply>|<privileges>|OnSchema|OnSchema|<schema_name>"` | ||
|
|
||
| #### OnAllSchemasInDatabase | ||
| `terraform import "<database_role_name>|<with_grant_option>|<always_apply>|<privileges>|OnSchema|OnAllSchemasInDatabase|<database_name>"` | ||
|
|
||
| #### OnFutureSchemasInDatabase | ||
| `terraform import "<database_role_name>|<with_grant_option>|<always_apply>|<privileges>|OnSchema|OnFutureSchemasInDatabase|<database_name>"` | ||
|
|
||
| ### OnSchemaObject | ||
|
|
||
| On schema object contains inner types for all options. | ||
|
|
||
| #### OnObject | ||
| `terraform import "<database_role_name>|<with_grant_option>|<always_apply>|<privileges>|OnSchemaObject|OnObject|<object_type>|<object_name>"` | ||
|
|
||
| #### OnAll | ||
|
|
||
| On all contains inner types for all options. | ||
|
|
||
| ##### InDatabase | ||
| `terraform import "<database_role_name>|<with_grant_option>|<always_apply>|<privileges>|OnSchemaObject|OnAll|<object_type_plural>|InDatabase|<identifier>"` | ||
|
|
||
| ##### InSchema | ||
| `terraform import "<database_role_name>|<with_grant_option>|<always_apply>|<privileges>|OnSchemaObject|OnAll|<object_type_plural>|InSchema|<identifier>"` | ||
|
|
||
| #### OnFuture | ||
|
|
||
| On future contains inner types for all options. | ||
|
|
||
| ##### InDatabase | ||
| `terraform import "<database_role_name>|<with_grant_option>|<always_apply>|<privileges>|OnSchemaObject|OnFuture|<object_type_plural>|InDatabase|<identifier>"` | ||
|
|
||
| ##### InSchema | ||
| `terraform import "<database_role_name>|<with_grant_option>|<always_apply>|<privileges>|OnSchemaObject|OnFuture|<object_type_plural>|InSchema|<identifier>"` | ||
|
|
||
| ### Import examples | ||
|
|
||
| #### Grant all privileges OnDatabase | ||
| `terraform import "\"test_db\".\"test_db_role\"|false|false|ALL|OnDatabase|\"test_db\""` | ||
|
|
||
| #### Grant list of privileges OnAllSchemasInDatabase | ||
| `terraform import "\"test_db\".\"test_db_role\"|false|false|CREATE TAG,CREATE TABLE|OnSchema|OnAllSchemasInDatabase|\"test_db\""` | ||
|
|
||
| #### Grant list of privileges on table | ||
| `terraform import "\"test_db\".\"test_db_role\"|false|false|SELECT,DELETE,INSERT|OnSchemaObject|OnObject|TABLE|\"test_db\".\"test_schema\".\"test_table\""` | ||
|
|
||
| #### Grant list of privileges OnAll tables in schema | ||
| `terraform import "\"test_db\".\"test_db_role\"|false|false|SELECT,DELETE,INSERT|OnSchemaObject|OnAll|TABLES|InSchema|\"test_db\".\"test_schema\""` | ||
|
|
Oops, something went wrong.