changes after review

Snowflake-Labs · Jan 31, 2024 · d1be669 · d1be669
1 parent 8181051
commit d1be669
Show file tree

Hide file tree

Showing 34 changed files with 280 additions and 200 deletions.
diff --git a/docs/resources/grant_privileges_to_share.md b/docs/resources/grant_privileges_to_share.md
@@ -18,7 +18,7 @@ description: |-
 ##################################
 
 resource "snowflake_grant_privileges_to_share" "example" {
-  share_name  = snowflake_share.example.name
+  to_share    = snowflake_share.example.name
   privileges  = ["USAGE"]
   on_database = snowflake_database.example.name
 }
@@ -30,7 +30,7 @@ resource "snowflake_grant_privileges_to_share" "example" {
 ##################################
 
 resource "snowflake_grant_privileges_to_share" "example" {
-  share_name = snowflake_share.example.name
+  to_share   = snowflake_share.example.name
   privileges = ["USAGE"]
   on_schema  = "${snowflake_database.example.name}.${snowflake_schema.example.name}"
 }
@@ -42,7 +42,7 @@ resource "snowflake_grant_privileges_to_share" "example" {
 ##################################
 
 resource "snowflake_grant_privileges_to_share" "example" {
-  share_name = snowflake_share.example.name
+  to_share   = snowflake_share.example.name
   privileges = ["SELECT"]
   on_table   = "${snowflake_database.example.name}.${snowflake_schema.example.name}.${snowflake_table.example.name}"
 }
@@ -54,7 +54,7 @@ resource "snowflake_grant_privileges_to_share" "example" {
 ##################################
 
 resource "snowflake_grant_privileges_to_share" "example" {
-  share_name              = snowflake_share.example.name
+  to_share                = snowflake_share.example.name
   privileges              = ["SELECT"]
   on_all_tables_in_schema = "${snowflake_database.example.name}.${snowflake_schema.example.name}"
 }
@@ -66,7 +66,7 @@ resource "snowflake_grant_privileges_to_share" "example" {
 ##################################
 
 resource "snowflake_grant_privileges_to_share" "example" {
-  share_name = snowflake_share.example.name
+  to_share   = snowflake_share.example.name
   privileges = ["READ"]
   on_tag     = "${snowflake_database.example.name}.${snowflake_schema.example.name}.${snowflake_tag.example.name}"
 }
@@ -78,7 +78,7 @@ resource "snowflake_grant_privileges_to_share" "example" {
 ##################################
 
 resource "snowflake_grant_privileges_to_share" "example" {
-  share_name = snowflake_share.example.name
+  to_share   = snowflake_share.example.name
   privileges = ["SELECT"]
   on_view    = "${snowflake_database.example.name}.${snowflake_schema.example.name}.${snowflake_view.example.name}"
 }
@@ -91,17 +91,17 @@ resource "snowflake_grant_privileges_to_share" "example" {
 
 ### Required
 
-- `privileges` (Set of String) The privileges to grant on the share.
-- `share_name` (String) The fully qualified name of the share on which privileges will be granted.
+- `privileges` (Set of String) The privileges to grant on the share. See available list of privileges: https://docs.snowflake.com/en/sql-reference/sql/grant-privilege-share#syntax
+- `to_share` (String) The fully qualified name of the share on which privileges will be granted.
 
 ### Optional
 
-- `all_tables_in_schema` (String) The fully qualified identifier for the schema for which the specified privilege will be granted for all tables.
-- `database_name` (String) The fully qualified name of the database on which privileges will be granted.
-- `schema_name` (String) The fully qualified name of the schema on which privileges will be granted.
-- `table_name` (String) The fully qualified name of the table on which privileges will be granted.
-- `tag_name` (String) The fully qualified name of the tag on which privileges will be granted.
-- `view_name` (String) The fully qualified name of the view on which privileges will be granted.
+- `on_all_tables_in_schema` (String) The fully qualified identifier for the schema for which the specified privilege will be granted for all tables.
+- `on_database` (String) The fully qualified name of the database on which privileges will be granted.
+- `on_schema` (String) The fully qualified name of the schema on which privileges will be granted.
+- `on_table` (String) The fully qualified name of the table on which privileges will be granted.
+- `on_tag` (String) The fully qualified name of the tag on which privileges will be granted.
+- `on_view` (String) The fully qualified name of the view on which privileges will be granted.
 
 ### Read-Only
 

diff --git a/examples/resources/snowflake_grant_privileges_to_share/resource.tf b/examples/resources/snowflake_grant_privileges_to_share/resource.tf
@@ -3,7 +3,7 @@
 ##################################
 
 resource "snowflake_grant_privileges_to_share" "example" {
-  share_name  = snowflake_share.example.name
+  to_share    = snowflake_share.example.name
   privileges  = ["USAGE"]
   on_database = snowflake_database.example.name
 }
@@ -15,7 +15,7 @@ resource "snowflake_grant_privileges_to_share" "example" {
 ##################################
 
 resource "snowflake_grant_privileges_to_share" "example" {
-  share_name = snowflake_share.example.name
+  to_share   = snowflake_share.example.name
   privileges = ["USAGE"]
   on_schema  = "${snowflake_database.example.name}.${snowflake_schema.example.name}"
 }
@@ -27,7 +27,7 @@ resource "snowflake_grant_privileges_to_share" "example" {
 ##################################
 
 resource "snowflake_grant_privileges_to_share" "example" {
-  share_name = snowflake_share.example.name
+  to_share   = snowflake_share.example.name
   privileges = ["SELECT"]
   on_table   = "${snowflake_database.example.name}.${snowflake_schema.example.name}.${snowflake_table.example.name}"
 }
@@ -39,7 +39,7 @@ resource "snowflake_grant_privileges_to_share" "example" {
 ##################################
 
 resource "snowflake_grant_privileges_to_share" "example" {
-  share_name              = snowflake_share.example.name
+  to_share                = snowflake_share.example.name
   privileges              = ["SELECT"]
   on_all_tables_in_schema = "${snowflake_database.example.name}.${snowflake_schema.example.name}"
 }
@@ -51,7 +51,7 @@ resource "snowflake_grant_privileges_to_share" "example" {
 ##################################
 
 resource "snowflake_grant_privileges_to_share" "example" {
-  share_name = snowflake_share.example.name
+  to_share   = snowflake_share.example.name
   privileges = ["READ"]
   on_tag     = "${snowflake_database.example.name}.${snowflake_schema.example.name}.${snowflake_tag.example.name}"
 }
@@ -63,7 +63,7 @@ resource "snowflake_grant_privileges_to_share" "example" {
 ##################################
 
 resource "snowflake_grant_privileges_to_share" "example" {
-  share_name = snowflake_share.example.name
+  to_share   = snowflake_share.example.name
   privileges = ["SELECT"]
   on_view    = "${snowflake_database.example.name}.${snowflake_schema.example.name}.${snowflake_view.example.name}"
 }

diff --git a/pkg/resources/grant_privileges_to_share.go b/pkg/resources/grant_privileges_to_share.go
@@ -13,37 +13,38 @@ import (
 )
 
 var grantPrivilegesToShareGrantExactlyOneOfValidation = []string{
-	"database_name",
-	"schema_name",
-	// "function_name",
-	"table_name",
-	"all_tables_in_schema",
-	"tag_name",
-	"view_name",
+	"on_database",
+	"on_schema",
+	// TODO(SNOW-990811): "function_name",
+	"on_table",
+	"on_all_tables_in_schema",
+	"on_tag",
+	"on_view",
 }
 
 var grantPrivilegesToShareSchema = map[string]*schema.Schema{
-	"share_name": {
-		Type:        schema.TypeString,
-		Required:    true,
-		ForceNew:    true,
-		Description: "The fully qualified name of the share on which privileges will be granted.",
+	"to_share": {
+		Type:             schema.TypeString,
+		Required:         true,
+		ForceNew:         true,
+		Description:      "The fully qualified name of the share on which privileges will be granted.",
+		ValidateDiagFunc: IsValidIdentifier[sdk.AccountObjectIdentifier](),
 	},
 	"privileges": {
 		Type:        schema.TypeSet,
 		Required:    true,
-		Description: "The privileges to grant on the share.",
+		Description: "The privileges to grant on the share. See available list of privileges: https://docs.snowflake.com/en/sql-reference/sql/grant-privilege-share#syntax",
 		Elem:        &schema.Schema{Type: schema.TypeString},
 	},
-	"database_name": {
+	"on_database": {
 		Type:             schema.TypeString,
 		Optional:         true,
 		ForceNew:         true,
 		Description:      "The fully qualified name of the database on which privileges will be granted.",
 		ValidateDiagFunc: IsValidIdentifier[sdk.AccountObjectIdentifier](),
 		ExactlyOneOf:     grantPrivilegesToShareGrantExactlyOneOfValidation,
 	},
-	"schema_name": {
+	"on_schema": {
 		Type:             schema.TypeString,
 		Optional:         true,
 		ForceNew:         true,
@@ -60,31 +61,31 @@ var grantPrivilegesToShareSchema = map[string]*schema.Schema{
 	//	ValidateDiagFunc: IsValidIdentifier[sdk.FunctionIdentifier](),
 	//	ExactlyOneOf: grantPrivilegesToShareGrantExactlyOneOfValidation,
 	// },
-	"table_name": {
+	"on_table": {
 		Type:             schema.TypeString,
 		Optional:         true,
 		ForceNew:         true,
 		Description:      "The fully qualified name of the table on which privileges will be granted.",
 		ValidateDiagFunc: IsValidIdentifier[sdk.SchemaObjectIdentifier](),
 		ExactlyOneOf:     grantPrivilegesToShareGrantExactlyOneOfValidation,
 	},
-	"all_tables_in_schema": {
+	"on_all_tables_in_schema": {
 		Type:             schema.TypeString,
 		Optional:         true,
 		ForceNew:         true,
 		Description:      "The fully qualified identifier for the schema for which the specified privilege will be granted for all tables.",
 		ValidateDiagFunc: IsValidIdentifier[sdk.DatabaseObjectIdentifier](),
 		ExactlyOneOf:     grantPrivilegesToShareGrantExactlyOneOfValidation,
 	},
-	"tag_name": {
+	"on_tag": {
 		Type:             schema.TypeString,
 		Optional:         true,
 		ForceNew:         true,
 		Description:      "The fully qualified name of the tag on which privileges will be granted.",
 		ValidateDiagFunc: IsValidIdentifier[sdk.SchemaObjectIdentifier](),
 		ExactlyOneOf:     grantPrivilegesToShareGrantExactlyOneOfValidation,
 	},
-	"view_name": {
+	"on_view": {
 		Type:             schema.TypeString,
 		Optional:         true,
 		ForceNew:         true,
@@ -114,7 +115,7 @@ func ImportGrantPrivilegesToShare() func(ctx context.Context, d *schema.Resource
 		if err != nil {
 			return nil, err
 		}
-		if err := d.Set("share_name", id.ShareName.Name()); err != nil {
+		if err := d.Set("to_share", id.ShareName.Name()); err != nil {
 			return nil, err
 		}
 		if err := d.Set("privileges", id.Privileges); err != nil {
@@ -123,31 +124,31 @@ func ImportGrantPrivilegesToShare() func(ctx context.Context, d *schema.Resource
 
 		switch id.Kind {
 		case OnDatabaseShareGrantKind:
-			if err := d.Set("database_name", id.Identifier.Name()); err != nil {
+			if err := d.Set("on_database", id.Identifier.Name()); err != nil {
 				return nil, err
 			}
 		case OnSchemaShareGrantKind:
-			if err := d.Set("schema_name", id.Identifier.FullyQualifiedName()); err != nil {
+			if err := d.Set("on_schema", id.Identifier.FullyQualifiedName()); err != nil {
 				return nil, err
 			}
-		// case OnFunctionShareGrantKind:
+		// TODO(SNOW-990811) case OnFunctionShareGrantKind:
 		//	if err := d.Set("function_name", id.Identifier.FullyQualifiedName()); err != nil {
 		//		return nil, err
 		//	}
 		case OnTableShareGrantKind:
-			if err := d.Set("table_name", id.Identifier.FullyQualifiedName()); err != nil {
+			if err := d.Set("on_table", id.Identifier.FullyQualifiedName()); err != nil {
 				return nil, err
 			}
 		case OnAllTablesInSchemaShareGrantKind:
-			if err := d.Set("all_tables_in_schema", id.Identifier.FullyQualifiedName()); err != nil {
+			if err := d.Set("on_all_tables_in_schema", id.Identifier.FullyQualifiedName()); err != nil {
 				return nil, err
 			}
 		case OnTagShareGrantKind:
-			if err := d.Set("tag_name", id.Identifier.FullyQualifiedName()); err != nil {
+			if err := d.Set("on_tag", id.Identifier.FullyQualifiedName()); err != nil {
 				return nil, err
 			}
 		case OnViewShareGrantKind:
-			if err := d.Set("view_name", id.Identifier.FullyQualifiedName()); err != nil {
+			if err := d.Set("on_view", id.Identifier.FullyQualifiedName()); err != nil {
 				return nil, err
 			}
 		}
@@ -194,9 +195,9 @@ func UpdateGrantPrivilegesToShare(ctx context.Context, d *schema.ResourceData, m
 	}
 
 	if d.HasChange("privileges") {
-		before, after := d.GetChange("privileges")
-		privilegesBeforeChange := expandStringList(before.(*schema.Set).List())
-		privilegesAfterChange := expandStringList(after.(*schema.Set).List())
+		oldPrivileges, newPrivileges := d.GetChange("privileges")
+		privilegesBeforeChange := expandStringList(oldPrivileges.(*schema.Set).List())
+		privilegesAfterChange := expandStringList(newPrivileges.(*schema.Set).List())
 
 		var privilegesToAdd, privilegesToRemove []sdk.ObjectPrivilege
 
@@ -328,14 +329,16 @@ func ReadGrantPrivilegesToShare(ctx context.Context, d *schema.ResourceData, met
 		if !slices.Contains(id.Privileges, grant.Privilege) {
 			continue
 		}
-		if grant.GranteeName.Name() == id.ShareName.Name() { // TODO: id.ShareName should be outside resource identifier (forgot the name)
+		if grant.GranteeName.Name() == id.ShareName.Name() {
 			if grantedOn == grant.GrantedOn {
 				privileges = append(privileges, grant.Privilege)
 			}
 		}
 	}
 
-	// It's a pseudo-role, so we have to append it whenever it's specified in the configuration
+	// REFERENCE_USAGE is a special pseudo-privilege that you can grant or revoke,
+	// but it won't show up when querying privileges (not returned by show grants ... query).
+	// That's why we have to check it manually outside the loop and append it whenever it's specified in the configuration.
 	if slices.Contains(id.Privileges, sdk.ObjectPrivilegeReferenceUsage.String()) {
 		privileges = append(privileges, sdk.ObjectPrivilegeReferenceUsage.String())
 	}
@@ -355,16 +358,16 @@ func ReadGrantPrivilegesToShare(ctx context.Context, d *schema.ResourceData, met
 
 func createGrantPrivilegesToShareIdFromSchema(d *schema.ResourceData) *GrantPrivilegesToShareId {
 	id := new(GrantPrivilegesToShareId)
-	id.ShareName = sdk.NewAccountObjectIdentifier(d.Get("share_name").(string))
+	id.ShareName = sdk.NewAccountObjectIdentifier(d.Get("to_share").(string))
 	id.Privileges = expandStringList(d.Get("privileges").(*schema.Set).List())
 
-	databaseName, databaseNameOk := d.GetOk("database_name")
-	schemaName, schemaNameOk := d.GetOk("schema_name")
-	// functionName, functionNameOk := d.GetOk("function_name")
-	tableName, tableNameOk := d.GetOk("table_name")
-	allTablesInSchema, allTablesInSchemaOk := d.GetOk("all_tables_in_schema")
-	tagName, tagNameOk := d.GetOk("tag_name")
-	viewName, viewNameOk := d.GetOk("view_name")
+	databaseName, databaseNameOk := d.GetOk("on_database")
+	schemaName, schemaNameOk := d.GetOk("on_schema")
+	// TODO(SNOW-990811) functionName, functionNameOk := d.GetOk("function_name")
+	tableName, tableNameOk := d.GetOk("on_table")
+	allTablesInSchema, allTablesInSchemaOk := d.GetOk("on_all_tables_in_schema")
+	tagName, tagNameOk := d.GetOk("on_tag")
+	viewName, viewNameOk := d.GetOk("on_view")
 
 	switch {
 	case databaseNameOk:
@@ -373,7 +376,7 @@ func createGrantPrivilegesToShareIdFromSchema(d *schema.ResourceData) *GrantPriv
 	case schemaNameOk:
 		id.Kind = OnSchemaShareGrantKind
 		id.Identifier = sdk.NewDatabaseObjectIdentifierFromFullyQualifiedName(schemaName.(string))
-	// case functionNameOk:
+	// TODO(SNOW-990811) case functionNameOk:
 	//	id.Kind = OnFunctionShareGrantKind
 	//	id.Identifier = sdk.NewSchemaObjectIdentifierFromFullyQualifiedName(functionName.(string))
 	case tableNameOk:
@@ -405,20 +408,20 @@ func getObjectPrivilegesFromSchema(d *schema.ResourceData) []sdk.ObjectPrivilege
 func getShareGrantOn(d *schema.ResourceData) *sdk.ShareGrantOn {
 	grantOn := new(sdk.ShareGrantOn)
 
-	databaseName, databaseNameOk := d.GetOk("database_name")
-	schemaName, schemaNameOk := d.GetOk("schema_name")
-	// functionName, functionNameOk := d.GetOk("table_name")
-	tableName, tableNameOk := d.GetOk("table_name")
-	allTablesInSchema, allTablesInSchemaOk := d.GetOk("all_tables_in_schema")
-	tagName, tagNameOk := d.GetOk("tag_name")
-	viewName, viewNameOk := d.GetOk("view_name")
+	databaseName, databaseNameOk := d.GetOk("on_database")
+	schemaName, schemaNameOk := d.GetOk("on_schema")
+	// TODO(SNOW-990811) functionName, functionNameOk := d.GetOk("on_function")
+	tableName, tableNameOk := d.GetOk("on_table")
+	allTablesInSchema, allTablesInSchemaOk := d.GetOk("on_all_tables_in_schema")
+	tagName, tagNameOk := d.GetOk("on_tag")
+	viewName, viewNameOk := d.GetOk("on_view")
 
 	switch {
 	case len(databaseName.(string)) > 0 && databaseNameOk:
 		grantOn.Database = sdk.NewAccountObjectIdentifierFromFullyQualifiedName(databaseName.(string))
 	case len(schemaName.(string)) > 0 && schemaNameOk:
 		grantOn.Schema = sdk.NewDatabaseObjectIdentifierFromFullyQualifiedName(schemaName.(string))
-	// case len(functionName.(string)) > 0 && functionNameOk:
+	// TODO(SNOW-990811) case len(functionName.(string)) > 0 && functionNameOk:
 	//	grantOn.Function = sdk.NewSchemaObjectIdentifierFromFullyQualifiedName(functionName.(string))
 	case len(tableName.(string)) > 0 && tableNameOk:
 		grantOn.Table = &sdk.OnTable{