feat: tag based masking policy

[berosen]

• Adds the ability to attach a masking policy to a tag

closes #1116

Note SNOWFLAKE_WAREHOUSE needs to be provided for this resource to query the POLICY_REFERENCES table function.

Test Plan

• acceptance tests
• unit tests

Tested with TF_ACC=1 go test -v ./... -run TestAcc_TagMaskingPolicyAssociation

References

• https://docs.snowflake.com/en/user-guide/tag-based-masking-policies.html

[sfc-gh-swinkler]

sorry for the long delay in responding to this PR, my wife died in July and I was on grievance leave. I have been catching up over the past couple weeks. This is a complicated PR so i have been thinking about it for a few days now.

We are actually in the process of changing how tags work in the provider. It won't break backwards compatibility, but it does affect how new resources that involved tagging should be implemented. What I would like to do is wait until we get the change implemented, which should be later this week, and then address this masking policy attachment after that. I do like this PR, but there will need to be a few changes to get it to align with the new model. If you are not able to make the change, then i can take over and make sure this gets done in the next sprint.

[berosen]

sorry for the long delay in responding to this PR, my wife died in July and I was on grievance leave. I have been catching up over the past couple weeks. This is a complicated PR so i have been thinking about it for a few days now.

We are actually in the process of changing how tags work in the provider. It won't break backwards compatibility, but it does affect how new resources that involved tagging should be implemented. What I would like to do is wait until we get the change implemented, which should be later this week, and then address this masking policy attachment after that. I do like this PR, but there will need to be a few changes to get it to align with the new model. If you are not able to make the change, then i can take over and make sure this gets done in the next sprint.

I'm really sorry to hear that, sending you my condolences.

Sounds good to me. Feel free to keep me posted with what changes need to be made once the implementation change is complete. I'll let you know if I'm unable to work on them in a timely manner. Thank you for taking a look at this.

[sfc-gh-swinkler]

basically how it will work is that there is a new resource called "snowflake_tag_attachment". it will replace the current tag schema on each resource. below is sample configuration

resource "snowflake_tag_attachment" "cost_center_tag_attachment" {
tag_id = snowflake_tag.cost_center.id
value = "finance"
resource_id = snowflake_database.my_db.id
resource_type = "DATABASE"
}

as you can see we are using a tag_id rather than database, schema and name. the tag_id is a string which has the same infomration, and is flexible in the way that the data is passed in, for example:
"database"."schema"."name"
"database.schema.name"
"database|schema.name" (structure of the snowflake_tag resource id)

are all allowed.

We should be getting this PR done either tomorrow or Monday.

[sfc-gh-swinkler]

looking good, looking real good. as long as this passes integration tests i will merge this

[sfc-gh-swinkler]

/ok-to-test sha=32e493e

[github-actions]

Integration tests failure for 32e493e

[berosen]

@sfc-gh-swinkler I've updated the CI here to include SNOWFLAKE_WAREHOUSE. Could you add a value for this in your CI secrets? That should fix the failing test.

[sfc-gh-swinkler]

@berosen that environment variable is already set

[sfc-gh-swinkler]

/ok-to-test sha=227a37f

[github-actions]

Integration tests failure for 227a37f

[github-actions]

Integration tests failure for 227a37f

[sfc-gh-swinkler]

/ok-to-test sha=227a37f

[github-actions]

Integration tests failure for 227a37f

[sfc-gh-swinkler]

not sure what is going on here. the SNOWFLAKE_WAREHOUSE environment variable is definitely set on the repo settings. I also updated it just in case

Its also not clear to me why this even needs to be set for the masking policy association. Nowhere in the documentation does it state that this needs to be set: https://docs.snowflake.com/en/user-guide/tag-based-masking-policies.html. As far as i know this only needs to be set for Python UDF. Are you setting this locally when you test the resource? If so, what exact line is causing this to fail if the environment variable is not set? Maybe can add some debugging there to figure out what the problem is. Because default warehouse gets set in the provider from environment variable here:
https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/pkg/provider/provider.go#L366

[github-actions]

Integration tests failure for 227a37f

[berosen]

hmm that's odd. Yes I'm setting that variable locally. The line that needs the warehouse is this one because it uses the policy_references table function described in the docs here in step 5. I'm not super familiar with GitHub actions but I'm wondering if this is what's going on and the CI change just isn't being picked up.

[sfc-gh-swinkler]

going to merge this and try to figure out what the problem is on my own. i think you are right, that its probably not picking up the changes.

[sfc-gh-swinkler]

thank you for your contribution

[berosen]

Thanks @sfc-gh-swinkler , look like that was the issue and ended up passing here. Appreciate your help on this.