feat: add GRANT ... ON ALL TABLES IN ... (#1626)

* feat: (WIP) added all_grants * fix: removed new code, which is broken (for the time being) * fix: added (dummy) onAll flag to other grants * feat: finalized prototype of select all table grant * fix: typo and unnecessary code --------- Co-authored-by: Arkadius Schuchhardt <[email protected]> Co-authored-by: Scott Winkler <[email protected]>
Snowflake-Labs · Mar 24, 2023 · 505a5f3 · 505a5f3
1 parent 56a9b2e
commit 505a5f3
Show file tree

Hide file tree

Showing 27 changed files with 631 additions and 80 deletions.
diff --git a/pkg/resources/account_grant.go b/pkg/resources/account_grant.go
@@ -205,7 +205,7 @@ func ReadAccountGrant(d *schema.ResourceData, meta interface{}) error {
 		return err
 	}
 
-	return readGenericGrant(d, meta, accountGrantSchema, builder, false, validAccountPrivileges)
+	return readGenericGrant(d, meta, accountGrantSchema, builder, false, false, validAccountPrivileges)
 }
 
 // DeleteAccountGrant implements schema.DeleteFunc.

diff --git a/pkg/resources/database_grant.go b/pkg/resources/database_grant.go
@@ -145,7 +145,7 @@ func ReadDatabaseGrant(d *schema.ResourceData, meta interface{}) error {
 	}
 
 	builder := snowflake.DatabaseGrant(grantID.DatabaseName)
-	return readGenericGrant(d, meta, databaseGrantSchema, builder, false, validDatabasePrivileges)
+	return readGenericGrant(d, meta, databaseGrantSchema, builder, false, false, validDatabasePrivileges)
 }
 
 // DeleteDatabaseGrant implements schema.DeleteFunc.

diff --git a/pkg/resources/external_table_grant.go b/pkg/resources/external_table_grant.go
@@ -203,8 +203,10 @@ func ReadExternalTableGrant(d *schema.ResourceData, meta interface{}) error {
 	} else {
 		builder = snowflake.ExternalTableGrant(grantID.DatabaseName, grantID.SchemaName, grantID.ObjectName)
 	}
+	// TODO
+	onAll := false
 
-	return readGenericGrant(d, meta, externalTableGrantSchema, builder, onFuture, validExternalTablePrivileges)
+	return readGenericGrant(d, meta, externalTableGrantSchema, builder, onFuture, onAll, validExternalTablePrivileges)
 }
 
 // DeleteExternalTableGrant implements schema.DeleteFunc.

diff --git a/pkg/resources/file_format_grant.go b/pkg/resources/file_format_grant.go
@@ -165,8 +165,10 @@ func ReadFileFormatGrant(d *schema.ResourceData, meta interface{}) error {
 	} else {
 		builder = snowflake.FileFormatGrant(grantID.DatabaseName, grantID.SchemaName, grantID.ObjectName)
 	}
+	// TODO
+	onAll := false
 
-	return readGenericGrant(d, meta, fileFormatGrantSchema, builder, onFuture, validFileFormatPrivileges)
+	return readGenericGrant(d, meta, fileFormatGrantSchema, builder, onFuture, onAll, validFileFormatPrivileges)
 }
 
 // DeleteFileFormatGrant implements schema.DeleteFunc.

diff --git a/pkg/resources/function_grant.go b/pkg/resources/function_grant.go
@@ -255,8 +255,10 @@ func ReadFunctionGrant(d *schema.ResourceData, meta interface{}) error {
 	} else {
 		builder = snowflake.FunctionGrant(grantID.DatabaseName, grantID.SchemaName, grantID.ObjectName, grantID.ArgumentDataTypes)
 	}
+	// TODO
+	onAll := false
 
-	return readGenericGrant(d, meta, functionGrantSchema, builder, onFuture, validFunctionPrivileges)
+	return readGenericGrant(d, meta, functionGrantSchema, builder, onFuture, onAll, validFunctionPrivileges)
 }
 
 // DeleteFunctionGrant implements schema.DeleteFunc.

diff --git a/pkg/resources/grant_helpers.go b/pkg/resources/grant_helpers.go
@@ -112,13 +112,18 @@ func readGenericGrant(
 	grantSchema map[string]*schema.Schema,
 	builder snowflake.GrantBuilder,
 	futureObjects bool,
+	allObjects bool,
 	validPrivileges PrivilegeSet,
 ) error {
 	db := meta.(*sql.DB)
 	var grants []*grant
 	var err error
 	if futureObjects {
 		grants, err = readGenericFutureGrants(db, builder)
+	} else if allObjects {
+		// When running e.g. GRANT SELECT ON ALL TABLES IN ..., then Snowflake creates a grant for each individual existing table.
+		// There is no way to attribute existing table grants to a GRANT SELECT ON ALL TABLES grant. Thus they cannot be checked (or removed).
+		return nil
 	} else {
 		grants, err = readGenericCurrentGrants(db, builder)
 	}

diff --git a/pkg/resources/integration_grant.go b/pkg/resources/integration_grant.go
@@ -106,7 +106,7 @@ func ReadIntegrationGrant(d *schema.ResourceData, meta interface{}) error {
 
 	builder := snowflake.IntegrationGrant(grantID.ObjectName)
 
-	return readGenericGrant(d, meta, integrationGrantSchema, builder, false, validIntegrationPrivileges)
+	return readGenericGrant(d, meta, integrationGrantSchema, builder, false, false, validIntegrationPrivileges)
 }
 
 // DeleteIntegrationGrant implements schema.DeleteFunc.

diff --git a/pkg/resources/masking_policy_grant.go b/pkg/resources/masking_policy_grant.go
@@ -129,7 +129,7 @@ func ReadMaskingPolicyGrant(d *schema.ResourceData, meta interface{}) error {
 
 	builder := snowflake.MaskingPolicyGrant(grantID.DatabaseName, grantID.SchemaName, grantID.ObjectName)
 
-	return readGenericGrant(d, meta, maskingPolicyGrantSchema, builder, false, validMaskingPoilcyPrivileges)
+	return readGenericGrant(d, meta, maskingPolicyGrantSchema, builder, false, false, validMaskingPoilcyPrivileges)
 }
 
 // DeleteMaskingPolicyGrant implements schema.DeleteFunc.

diff --git a/pkg/resources/materialized_view_grant.go b/pkg/resources/materialized_view_grant.go
@@ -86,7 +86,7 @@ var materializedViewGrantSchema = map[string]*schema.Schema{
 	},
 }
 
-// ViewGrant returns a pointer to the resource representing a view grant.
+// MaterializedViewGrant returns a pointer to the resource representing a view grant.
 func MaterializedViewGrant() *TerraformGrantResource {
 	return &TerraformGrantResource{
 		Resource: &schema.Resource{
@@ -131,7 +131,7 @@ func MaterializedViewGrant() *TerraformGrantResource {
 	}
 }
 
-// CreateViewGrant implements schema.CreateFunc.
+// CreateMaterializedViewGrant implements schema.CreateFunc.
 func CreateMaterializedViewGrant(d *schema.ResourceData, meta interface{}) error {
 	var materializedViewName string
 	if name, ok := d.GetOk("materialized_view_name"); ok {
@@ -173,7 +173,7 @@ func CreateMaterializedViewGrant(d *schema.ResourceData, meta interface{}) error
 	return ReadMaterializedViewGrant(d, meta)
 }
 
-// ReadViewGrant implements schema.ReadFunc.
+// ReadMaterializedViewGrant implements schema.ReadFunc.
 func ReadMaterializedViewGrant(d *schema.ResourceData, meta interface{}) error {
 	grantID, err := ParseMaterializedViewGrantID(d.Id())
 	if err != nil {
@@ -208,11 +208,13 @@ func ReadMaterializedViewGrant(d *schema.ResourceData, meta interface{}) error {
 	} else {
 		builder = snowflake.MaterializedViewGrant(grantID.DatabaseName, grantID.SchemaName, grantID.ObjectName)
 	}
+	// TODO
+	onAll := false
 
-	return readGenericGrant(d, meta, materializedViewGrantSchema, builder, futureMaterializedViewsEnabled, validMaterializedViewPrivileges)
+	return readGenericGrant(d, meta, materializedViewGrantSchema, builder, futureMaterializedViewsEnabled, onAll, validMaterializedViewPrivileges)
 }
 
-// DeleteViewGrant implements schema.DeleteFunc.
+// DeleteMaterializedViewGrant implements schema.DeleteFunc.
 func DeleteMaterializedViewGrant(d *schema.ResourceData, meta interface{}) error {
 	grantID, err := ParseMaterializedViewGrantID(d.Id())
 	if err != nil {

diff --git a/pkg/resources/pipe_grant.go b/pkg/resources/pipe_grant.go
@@ -166,8 +166,10 @@ func ReadPipeGrant(d *schema.ResourceData, meta interface{}) error {
 	} else {
 		builder = snowflake.PipeGrant(grantID.DatabaseName, grantID.SchemaName, grantID.ObjectName)
 	}
+	// TODO
+	onAll := false
 
-	return readGenericGrant(d, meta, pipeGrantSchema, builder, onFuture, validPipePrivileges)
+	return readGenericGrant(d, meta, pipeGrantSchema, builder, onFuture, onAll, validPipePrivileges)
 }
 
 // DeletePipeGrant implements schema.DeleteFunc.

diff --git a/pkg/resources/procedure_grant.go b/pkg/resources/procedure_grant.go
@@ -261,8 +261,10 @@ func ReadProcedureGrant(d *schema.ResourceData, meta interface{}) error {
 	} else {
 		builder = snowflake.ProcedureGrant(grantID.DatabaseName, grantID.SchemaName, grantID.ObjectName, grantID.ArgumentDataTypes)
 	}
+	// TODO
+	onAll := false
 
-	return readGenericGrant(d, meta, procedureGrantSchema, builder, onFuture, validProcedurePrivileges)
+	return readGenericGrant(d, meta, procedureGrantSchema, builder, onFuture, onAll, validProcedurePrivileges)
 }
 
 // DeleteProcedureGrant implements schema.DeleteFunc.

diff --git a/pkg/resources/resource_monitor_grant.go b/pkg/resources/resource_monitor_grant.go
@@ -104,7 +104,7 @@ func ReadResourceMonitorGrant(d *schema.ResourceData, meta interface{}) error {
 	}
 
 	builder := snowflake.ResourceMonitorGrant(grantID.ObjectName)
-	return readGenericGrant(d, meta, resourceMonitorGrantSchema, builder, false, validResourceMonitorPrivileges)
+	return readGenericGrant(d, meta, resourceMonitorGrantSchema, builder, false, false, validResourceMonitorPrivileges)
 }
 
 // DeleteResourceMonitorGrant implements schema.DeleteFunc.

diff --git a/pkg/resources/row_access_policy_grant.go b/pkg/resources/row_access_policy_grant.go
@@ -132,7 +132,7 @@ func ReadRowAccessPolicyGrant(d *schema.ResourceData, meta interface{}) error {
 
 	builder := snowflake.RowAccessPolicyGrant(grantID.DatabaseName, grantID.SchemaName, grantID.ObjectName)
 
-	return readGenericGrant(d, meta, rowAccessPolicyGrantSchema, builder, false, validRowAccessPoilcyPrivileges)
+	return readGenericGrant(d, meta, rowAccessPolicyGrantSchema, builder, false, false, validRowAccessPoilcyPrivileges)
 }
 
 // DeleteRowAccessPolicyGrant implements schema.DeleteFunc.

diff --git a/pkg/resources/schema_grant.go b/pkg/resources/schema_grant.go
@@ -263,7 +263,10 @@ func ReadSchemaGrant(d *schema.ResourceData, meta interface{}) error {
 	} else {
 		builder = snowflake.SchemaGrant(grantID.DatabaseName, grantID.SchemaName)
 	}
-	return readGenericGrant(d, meta, schemaGrantSchema, builder, onFuture, validSchemaPrivileges)
+	// TODO
+	onAll := false
+
+	return readGenericGrant(d, meta, schemaGrantSchema, builder, onFuture, onAll, validSchemaPrivileges)
 }
 
 // DeleteSchemaGrant implements schema.DeleteFunc.

diff --git a/pkg/resources/sequence_grant.go b/pkg/resources/sequence_grant.go
@@ -191,8 +191,10 @@ func ReadSequenceGrant(d *schema.ResourceData, meta interface{}) error {
 	} else {
 		builder = snowflake.SequenceGrant(grantID.DatabaseName, grantID.SchemaName, grantID.ObjectName)
 	}
+	// TODO
+	onAll := false
 
-	return readGenericGrant(d, meta, sequenceGrantSchema, builder, onFuture, validSequencePrivileges)
+	return readGenericGrant(d, meta, sequenceGrantSchema, builder, onFuture, onAll, validSequencePrivileges)
 }
 
 // DeleteSequenceGrant implements schema.DeleteFunc.

diff --git a/pkg/resources/stage_grant.go b/pkg/resources/stage_grant.go
@@ -194,8 +194,10 @@ func ReadStageGrant(d *schema.ResourceData, meta interface{}) error {
 	} else {
 		builder = snowflake.StageGrant(grantID.DatabaseName, grantID.SchemaName, grantID.ObjectName)
 	}
+	// TODO
+	onAll := false
 
-	return readGenericGrant(d, meta, stageGrantSchema, builder, onFuture, validStagePrivileges)
+	return readGenericGrant(d, meta, stageGrantSchema, builder, onFuture, onAll, validStagePrivileges)
 }
 
 // UpdateStageGrant implements schema.UpdateFunc.

diff --git a/pkg/resources/stream.go b/pkg/resources/stream.go
@@ -200,7 +200,8 @@ func CreateStream(d *schema.ResourceData, meta interface{}) error {
 
 	onTable, onTableSet := d.GetOk("on_table")
 	onView, onViewSet := d.GetOk("on_view")
-	onStage, onStageSet := d.GetOk("on_stage")
+	// TODO removed for the time being as new code was buggy
+	//onStage, onStageSet := d.GetOk("on_stage")
 
 	switch {
 	case onTableSet:

diff --git a/pkg/resources/stream_grant.go b/pkg/resources/stream_grant.go
@@ -171,8 +171,10 @@ func ReadStreamGrant(d *schema.ResourceData, meta interface{}) error {
 	} else {
 		builder = snowflake.StreamGrant(grantID.DatabaseName, grantID.SchemaName, grantID.ObjectName)
 	}
+	// TODO
+	onAll := false
 
-	return readGenericGrant(d, meta, streamGrantSchema, builder, onFuture, validStreamPrivileges)
+	return readGenericGrant(d, meta, streamGrantSchema, builder, onFuture, onAll, validStreamPrivileges)
 }
 
 // DeleteStreamGrant implements schema.DeleteFunc.