feat: tag based masking policy

.github/workflows/integration.yml

@@ -57,6 +57,7 @@ jobs:
           SNOWFLAKE_PASSWORD: ${{ secrets.SNOWFLAKE_PASSWORD }}
           SNOWFLAKE_ACCOUNT: ${{ secrets.SNOWFLAKE_ACCOUNT }}
           SNOWFLAKE_ROLE: ${{ secrets.SNOWFLAKE_ROLE }}
+          SNOWFLAKE_WAREHOUSE: ${{ secrets.SNOWFLAKE_WAREHOUSE }}
         run: make lint-ci
 
       - name: make test-acceptance integration
@@ -67,6 +68,7 @@ jobs:
           SNOWFLAKE_PASSWORD: ${{ secrets.SNOWFLAKE_PASSWORD }}
           SNOWFLAKE_ACCOUNT: ${{ secrets.SNOWFLAKE_ACCOUNT }}
           SNOWFLAKE_ROLE: ${{ secrets.SNOWFLAKE_ROLE }}
+          SNOWFLAKE_WAREHOUSE: ${{ secrets.SNOWFLAKE_WAREHOUSE }}
           SNOWFLAKE_ACCOUNT_SECOND: ${{ secrets.SNOWFLAKE_ACCOUNT_SECOND }}
           SNOWFLAKE_ACCOUNT_THIRD: ${{ secrets.SNOWFLAKE_ACCOUNT_THIRD }}
         run: make test-acceptance

docs/resources/tag_masking_policy_association.md

@@ -0,0 +1,81 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "snowflake_tag_masking_policy_association Resource - terraform-provider-snowflake"
+subcategory: ""
+description: |-
+
+---
+
+# snowflake_tag_masking_policy_association (Resource)
+
+
+
+## Example Usage
+
+```terraform
+# Note: Currently this feature is only available to accounts that are Enterprise Edition (or higher)
+
+resource "snowflake_database" "test" {
+  name                        = "TEST_DB1"
+  data_retention_time_in_days = 1
+}
+
+resource "snowflake_database" "test2" {
+  name                        = "TEST_DB2"
+  data_retention_time_in_days = 1
+}
+
+
+resource "snowflake_schema" "test2" {
+  database            = snowflake_database.test2.name
+  name                = "FOOBAR2"
+  data_retention_days = snowflake_database.test2.data_retention_time_in_days
+}
+
+resource "snowflake_schema" "test" {
+  database            = snowflake_database.test.name
+  name                = "FOOBAR"
+  data_retention_days = snowflake_database.test.data_retention_time_in_days
+}
+
+resource "snowflake_tag" "this" {
+  name     = upper("test_tag")
+  database = snowflake_database.test2.name
+  schema   = snowflake_schema.test2.name
+}
+
+resource "snowflake_masking_policy" "example_masking_policy" {
+  name               = "EXAMPLE_MASKING_POLICY"
+  database           = snowflake_database.test.name
+  schema             = snowflake_schema.test.name
+  value_data_type    = "string"
+  masking_expression = "case when current_role() in ('ACCOUNTADMIN') then val else sha2(val, 512) end"
+  return_data_type   = "string"
+}
+
+resource "snowflake_tag_masking_policy_association" "name" {
+  tag_id                  = snowflake_tag.this.id
+  masking_policy_id       = snowflake_masking_policy.example_masking_policy.id
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `masking_policy_id` (String) The the resource id of the masking policy
+- `tag_id` (String) Specifies the identifier for the tag. Note: format must follow: "databaseName"."schemaName"."tagName" or "databaseName.schemaName.tagName" or "databaseName|schemaName.tagName" (snowflake_tag.tag.id)
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# format is tag database name | tag schema name | tag name | masking policy database | masking policy schema | masking policy name
+terraform import snowflake_tag_masking_policy_association.example 'tag_db|tag_schema|tag_name|mp_db|mp_schema|mp_name'
+```

examples/resources/snowflake_tag_masking_policy_association/import.sh

@@ -0,0 +1,2 @@
+# format is tag database name | tag schema name | tag name | masking policy database | masking policy schema | masking policy name
+terraform import snowflake_tag_masking_policy_association.example 'tag_db|tag_schema|tag_name|mp_db|mp_schema|mp_name'

examples/resources/snowflake_tag_masking_policy_association/resource.tf

@@ -0,0 +1,44 @@
+# Note: Currently this feature is only available to accounts that are Enterprise Edition (or higher)
+
+resource "snowflake_database" "test" {
+  name                        = "TEST_DB1"
+  data_retention_time_in_days = 1
+}
+
+resource "snowflake_database" "test2" {
+  name                        = "TEST_DB2"
+  data_retention_time_in_days = 1
+}
+
+
+resource "snowflake_schema" "test2" {
+  database            = snowflake_database.test2.name
+  name                = "FOOBAR2"
+  data_retention_days = snowflake_database.test2.data_retention_time_in_days
+}
+
+resource "snowflake_schema" "test" {
+  database            = snowflake_database.test.name
+  name                = "FOOBAR"
+  data_retention_days = snowflake_database.test.data_retention_time_in_days
+}
+
+resource "snowflake_tag" "this" {
+  name     = upper("test_tag")
+  database = snowflake_database.test2.name
+  schema   = snowflake_schema.test2.name
+}
+
+resource "snowflake_masking_policy" "example_masking_policy" {
+  name               = "EXAMPLE_MASKING_POLICY"
+  database           = snowflake_database.test.name
+  schema             = snowflake_schema.test.name
+  value_data_type    = "string"
+  masking_expression = "case when current_role() in ('ACCOUNTADMIN') then val else sha2(val, 512) end"
+  return_data_type   = "string"
+}
+
+resource "snowflake_tag_masking_policy_association" "name" {
+  tag_id                  = snowflake_tag.this.id
+  masking_policy_id       = snowflake_masking_policy.example_masking_policy.id
+}

go.mod

@@ -110,4 +110,4 @@ require (
 
 exclude github.co/mattn/go-ieproxy v0.0.3
 
-exclude github.co/mattn/go-ieproxy v0.0.2
+exclude github.co/mattn/go-ieproxy v0.0.2

pkg/provider/provider.go

@@ -194,44 +194,45 @@ func GetGrantResources() resources.TerraformGrantResources {
 func getResources() map[string]*schema.Resource {
 	// NOTE(): do not add grant resources here
 	others := map[string]*schema.Resource{
-		"snowflake_api_integration":            resources.APIIntegration(),
-		"snowflake_database":                   resources.Database(),
-		"snowflake_external_function":          resources.ExternalFunction(),
-		"snowflake_file_format":                resources.FileFormat(),
-		"snowflake_function":                   resources.Function(),
-		"snowflake_managed_account":            resources.ManagedAccount(),
-		"snowflake_masking_policy":             resources.MaskingPolicy(),
-		"snowflake_materialized_view":          resources.MaterializedView(),
-		"snowflake_network_policy_attachment":  resources.NetworkPolicyAttachment(),
-		"snowflake_network_policy":             resources.NetworkPolicy(),
-		"snowflake_oauth_integration":          resources.OAuthIntegration(),
-		"snowflake_external_oauth_integration": resources.ExternalOauthIntegration(),
-		"snowflake_pipe":                       resources.Pipe(),
-		"snowflake_procedure":                  resources.Procedure(),
-		"snowflake_resource_monitor":           resources.ResourceMonitor(),
-		"snowflake_role":                       resources.Role(),
-		"snowflake_role_grants":                resources.RoleGrants(),
-		"snowflake_role_ownership_grant":       resources.RoleOwnershipGrant(),
-		"snowflake_row_access_policy":          resources.RowAccessPolicy(),
-		"snowflake_saml_integration":           resources.SAMLIntegration(),
-		"snowflake_schema":                     resources.Schema(),
-		"snowflake_scim_integration":           resources.SCIMIntegration(),
-		"snowflake_sequence":                   resources.Sequence(),
-		"snowflake_share":                      resources.Share(),
-		"snowflake_stage":                      resources.Stage(),
-		"snowflake_storage_integration":        resources.StorageIntegration(),
-		"snowflake_notification_integration":   resources.NotificationIntegration(),
-		"snowflake_stream":                     resources.Stream(),
-		"snowflake_table":                      resources.Table(),
-		"snowflake_external_table":             resources.ExternalTable(),
-		"snowflake_tag":                        resources.Tag(),
-		"snowflake_tag_association":            resources.TagAssociation(),
-		"snowflake_task":                       resources.Task(),
-		"snowflake_user":                       resources.User(),
-		"snowflake_user_ownership_grant":       resources.UserOwnershipGrant(),
-		"snowflake_user_public_keys":           resources.UserPublicKeys(),
-		"snowflake_view":                       resources.View(),
-		"snowflake_warehouse":                  resources.Warehouse(),
+		"snowflake_api_integration":                resources.APIIntegration(),
+		"snowflake_database":                       resources.Database(),
+		"snowflake_external_function":              resources.ExternalFunction(),
+		"snowflake_file_format":                    resources.FileFormat(),
+		"snowflake_function":                       resources.Function(),
+		"snowflake_managed_account":                resources.ManagedAccount(),
+		"snowflake_masking_policy":                 resources.MaskingPolicy(),
+		"snowflake_materialized_view":              resources.MaterializedView(),
+		"snowflake_network_policy_attachment":      resources.NetworkPolicyAttachment(),
+		"snowflake_network_policy":                 resources.NetworkPolicy(),
+		"snowflake_oauth_integration":              resources.OAuthIntegration(),
+		"snowflake_external_oauth_integration":     resources.ExternalOauthIntegration(),
+		"snowflake_pipe":                           resources.Pipe(),
+		"snowflake_procedure":                      resources.Procedure(),
+		"snowflake_resource_monitor":               resources.ResourceMonitor(),
+		"snowflake_role":                           resources.Role(),
+		"snowflake_role_grants":                    resources.RoleGrants(),
+		"snowflake_role_ownership_grant":           resources.RoleOwnershipGrant(),
+		"snowflake_row_access_policy":              resources.RowAccessPolicy(),
+		"snowflake_saml_integration":               resources.SAMLIntegration(),
+		"snowflake_schema":                         resources.Schema(),
+		"snowflake_scim_integration":               resources.SCIMIntegration(),
+		"snowflake_sequence":                       resources.Sequence(),
+		"snowflake_share":                          resources.Share(),
+		"snowflake_stage":                          resources.Stage(),
+		"snowflake_storage_integration":            resources.StorageIntegration(),
+		"snowflake_notification_integration":       resources.NotificationIntegration(),
+		"snowflake_stream":                         resources.Stream(),
+		"snowflake_table":                          resources.Table(),
+		"snowflake_external_table":                 resources.ExternalTable(),
+		"snowflake_tag":                            resources.Tag(),
+		"snowflake_tag_association":                resources.TagAssociation(),
+		"snowflake_tag_masking_policy_association": resources.TagMaskingPolicyAssociation(),
+		"snowflake_task":                           resources.Task(),
+		"snowflake_user":                           resources.User(),
+		"snowflake_user_ownership_grant":           resources.UserOwnershipGrant(),
+		"snowflake_user_public_keys":               resources.UserPublicKeys(),
+		"snowflake_view":                           resources.View(),
+		"snowflake_warehouse":                      resources.Warehouse(),
 	}
 
 	return mergeSchemas(