feat: add resource snowflake_user_password_policy_attachment (#2162) #2307
Conversation
raulbonet
changed the title
raulbonet
changed the title
|
Hey @raulbonet. Thanks for the PR. To merge it, we require a few more things:
The reason for that is that publishing a partially implemented/not thoroughly tested resource will result in more issues being created. We want to avoid that. Would you be willing to introduce these changes? Alternatively, we can merge it as a separate branch and add the missing parts ourselves (but probably not earlier than Feb-Mar). |
|
Hello @sfc-gh-asawicki Thanks for coming back to me. About your comments, I am happy to do all of this myself, but I want to make sure we are in the same page. As I was mentioning in the OP:
|
|
Hey @raulbonet. That's great to hear that! I've included my answers below.
Maybe not a bug, but an imperfection. :) It should be implemented too, but this is low on our roadmap. As you may have noticed, the team changed in the past few months. The resource was introduced earlier in a rushed way. We follow a bit different development cycle now. In other words, we try to avoid introducing missing/untested functionalities and are slowly correcting the buggy/incomplete ones. You can add it too, if you want. But please do it as a separate PR (we prefer PRs targeting one issue only).
We are merging stuff in iterations, but only in certain cases. One example would be when we introduce a new resource in the SDK. It does not change the provider's behavior and can be later used in a separate PR to migrate the resource from the old snowflake one to the new SDK client. Here, the situation is different. An entirely new resource would be introduced, so people would start using it. And that may result in more issues being reported. We want to limit possible problems by correctly preparing the resource.
It is not implemented in the SDK but was already used for testing. It is here with a TODO comment to make it a not-test-only resource: .
Yes. But let's limit it just to POLICY REFERENCES (the ENTITY syntax; I think we don't need the POLICY NAME one).
For now, you can go with 3.2.a -> e.g. PolicyReferences#GetForEntity. You can either reuse the existing implementation (we have one like that for system functions: ) but preferably we would like to stick with the syntax using opts and request (likeCreateDatabaseRoleRequest and createDatabaseRoleOptions). We will accept either way.
We tend to add unit tests (like If you have any more questions (or more questions will appear during the implementation), feel free to ask them! And so you know: we are aware that we lack clear contributing guidelines. We are currently working on transparency, so we should have an updated contributing guide ready in the upcoming weeks. |
… the policy reference was saved
…licy in favour of database, schema, name
|
@raulbonet, thanks for all the changes you made after our reviews! It's very helpful for us to receive help with the implementation. Before we proceed, please answer my comment: #2307 (comment), the part about unit and integration tests. We can write or help you write them, but we need a consensus here because we can only merge the change with them. |
|
Hello @sfc-gh-asawicki
|
| }, | ||
| }, | ||
| } | ||
| assertOptsValidAndSQLEquals(t, opts, "SELECT * FROM TABLE (SNOWFLAKE.INFORMATION_SCHEMA.POLICY_REFERENCES (ref_entity_name => '%s', ref_entity_domain => 'user'))", strings.ReplaceAll(userName.FullyQualifiedName(), `"`, `\"`)) |
There was a problem hiding this comment.
About the delimiters: the sqlBuilder transforms the " into \" . I guess the problem comes from the workaround we used because the builder does not support both single quotations and double quotations at the same time: so, the sqlBuilder interprets the quotes " as a string, and prefixes them with a backslash.
I solved it with this workaround you see:
strings.ReplaceAll(userName.FullyQualifiedName(), `"`, `\"`)
There was a problem hiding this comment.
Seems fine, we will check the statement execution with the integration tests and change the sqlbuilder behavior or opts config if needed.
|
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| - | Generic Password | 25e6a2c | pkg/resources/managed_account_test.go | View secret | |
| - | Generic Password | 25e6a2c | pkg/resources/managed_account_test.go | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn here the best practices.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
Our GitHub checks need improvements? Share your feedbacks!
|
/ok-to-test sha=25e6a2c76a138bc3d4b58d6d959d713192d1a7d3 |
|
@raulbonet Thanks for the contribution one more time! We decided to merge it and add the integration tests on our side. If we uncover any problems with the generated statements we will just fix them. Merging without them should not affect anyone because we plan the next release for Wednesday/Thursday next week. We may also adjust the resource schema to what we discussed (single fully qualified id instead of 3 parts but it is yet to be decided). |
|
Integration tests failure for 25e6a2c76a138bc3d4b58d6d959d713192d1a7d3 |
🤖 I have created a release *beep* *boop* --- # Release notes [0.86.0](v0.85.0...v0.86.0) (2024-02-15) ## 🎉 **What's new** * add refresh_mode and initialize to dynamic tables ([#2437](#2437)) ([d301b20](d301b20)) * add resource snowflake_user_password_policy_attachment ([#2162](#2162)) ([#2307](#2307)) ([93af462](93af462)) * create a workaround for granting privileges on all pipes ([#2477](#2477)) ([64f2346](64f2346)) * Handle IMPORTED PRIVILEGES privileges in privilege-to-role granting resources ([#2471](#2471)) ([eb20051](eb20051)) * use external functions ([#2454](#2454)) ([417d473](417d473)) * use funcs from sdk ([#2462](#2462)) ([a5f969c](a5f969c)) * use sdk for procedures ([#2450](#2450)) ([94ac78a](94ac78a)) * Use sdk in table constraint resource ([#2466](#2466)) ([d685603](d685603)) * Use tables from SDK ([#2453](#2453)) ([fdb4f88](fdb4f88)) ## 🔧 **Misc** * Add migration notes to the docs and change jira integration ([#2497](#2497)) ([b17f1af](b17f1af)) * Change email and issue reporter ([#2470](#2470)) ([5865655](5865655)) * Grants migration guide ([#2455](#2455)) ([62c70fd](62c70fd)) * Remove unused old implementation from snowflake pkg ([#2458](#2458)) ([2d0e508](2d0e508)) * update password policy attachment ([#2485](#2485)) ([6ec9ff7](6ec9ff7)) ## 🐛 **Bug fixes** * allow DT warehouse to be updated in-place ([#2439](#2439)) ([d565af1](d565af1)) * correct test dependencies ([#2493](#2493)) ([dfb247f](dfb247f)) * FileFormat not detecting changes correctly ([#2436](#2436)) ([018bb74](018bb74)) * Fix few smaller issues ([#2507](#2507)) ([a836871](a836871)) * Fix functions and small other fixes ([#2503](#2503)) ([0d4aba4](0d4aba4)), closes [#2490](#2490) * Fix tag tests in view and in materialized view ([#2457](#2457)) ([2de942a](2de942a)) * Fix task related issues ([#2479](#2479)) ([0385650](0385650)) * Fix tests that base on default data retention ([#2465](#2465)) ([682e28c](682e28c)) * grant privileges to share test terraform dependencies ([#2473](#2473)) ([ede8d95](ede8d95)) * parameter issues ([#2463](#2463)) ([7ee4986](7ee4986)) * parse dynamic table query from DDL ([#2438](#2438)) ([d76815c](d76815c)) * Remove title and body temporarily from jira integration ([#2499](#2499)) ([672c97d](672c97d)) * SHOW GRANTS mapping for share data type ([#2508](#2508)) ([feb4d44](feb4d44)) * user error handling ([#2486](#2486)) ([dfa52b2](dfa52b2)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: snowflake-release-please[bot] <105954990+snowflake-release-please[bot]@users.noreply.github.com>
Description
ref #2162
This PR creates the new resource
snowflake_user_password_policy_attachment. The implementation mimics the one of its brother,snowflake_account_password_policy_attachment