-
Notifications
You must be signed in to change notification settings - Fork 427
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[feature] Network Policy Resource #271
[feature] Network Policy Resource #271
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! This looks great.
A few minor bits of feedback and this should be good to go.
Thanks for writing acceptance tests.
name = "%v" | ||
comment = "%v" | ||
allowed_ip_list = ["192.168.0.100/24", "29.254.123.20"] | ||
blocked_ip_list = ["192.168.0.101"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should probably include testing adding to users here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added a users
list to the test network policy resource definition (and a dummy user resource definition) so at least the user-granting code should be executing during this acceptance test now.
However, (as far as I can tell) I have to define:
ImportStateVerifyIgnore: []string{"set_for_account", "users"},
because nowhere in ReadNetworkPolicy
is there:
data.Set("set_for_account", ...)
or
data.Set("users", ...)
This is the case because there doesn't appear to be a way in Snowflake to do "get all users with this Network Policy set" or "tell me if this network policy is set for the Snowflake account". Neither SHOW
nor DESC
returns any information about the active/applied status of a given Network Policy:
- Show: https://docs.snowflake.com/en/sql-reference/sql/show-network-policies.html
- Describe: https://docs.snowflake.com/en/sql-reference/sql/desc-network-policy.html
Is it acceptable to leave those out of ReadNetworkPolicy
(and thus having to include them in ImportStateVerifyIgnore
)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FWIW this is why I had to write this resource with ForceNew: true
for those two fields, with the "exclusive assignment" explanation in the docs — the simplest way I could figure out how to deal with this is to just always destroy/recreate and re-grant to users or re-set on account
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah that makes sense!
Thinking about this a bit more, I think we should consider separating the attachment to a separate resource. This should allow us to avoid the scenario where we need to recreate the network policy resource every time one of the attachments changes. Of course the attachments may need to be recreated, but that might be tolerable. What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm on board with this — a separate attachment resource was my original plan, but I moved away from it because I (erroneously) observed that if you dropped a network policy, the users with that policy set continued to be restricted by the policy. Hence, I thought we needed to keep the attachment tightly coupled with the resource.
However, I tested this understanding again and it turns out there's just a bit of lag (not more than a minute) between dropping the network policy and the user then being able to open a session from any IP address
So this approach should work. I'll update PR
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess one thing to think about is that if we do this, the snowflake_network_policy_attachment
resource wouldn't behave like the similar *_grant resources (e.g. warehouse/database/etc) and create exclusive attachments
Because there's not a way of getting existing attachments from SHOW
/DESC
ing network policies/users/accounts, a network policy could be attached to a user outside of Terraform, and then changes to the snowflake_network_policy_attachment
wouldn't destroy that attachment. That's probably fine? We should just document it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah I think that is fine given the limitations we are working with.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done — the one thing I'm unsure about is ReadNetworkPolicyAttachment
— given above limitations, there's no way to actually implement schema.ReadFunc
for the attachment resource. I don't think I actually need ReadNetworkPolicyAttachment
implemented for this, but InternalValidate
fails without it. To get around that, I just implemented a dummy func 🤷
lmk if there's a better way to handle this!
Note that I am seeing some acceptance test failures, running
It seems that the select query needs a warehouse, which means we would need to add that to the provider configuration. In the past we've mostly avoided that and instead dealt with the the annoyances of working with just |
Similar to my reply on your other comment — the issue here is that Snowflake's implementation of Network Policies is weird/somewhat different than other object types. More specifically in this case, I think we have to do the
Thus, in order to get the current I worked around this by setting |
^ while writing that I realized that I can probably just refactor to do the SHOW/DESC post-processing in Go instead of in Snowflake SQL, thus bypassing the Still posted as it's useful context, but I'll take a stab at that refactor now |
Okay, updated and ready for another look @ryanking! |
thanks for working on this feature @grahamplace and @ryanking! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ran test-acceptancec-ci
locally and passed all the test! Thanks for the work! 🥳 I'll let @ryanking take one more look, but LGTM!
Thanks for the review @alldoami! Per Ryan's suggestion, I still need to refactor this to move the attachment into a separate resource. That work is on my todo list for today, so hopefully I can put that change up and tag you both for another look |
Done! Ready for another look @ryanking @alldoami 🙂 Would appreciate input on this bit: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am currently getting acceptance test failures too:
pkg/resources/network_policy_attachment_acceptance_test.go:12:6: TestAccNetworkPolicyAttachment redeclared in this block
previous declaration at pkg/resources/network_policy_acceptance_test.go:12:40
pkg/resources/network_policy_attachment_acceptance_test.go:40:6: networkPolicyAttachmentConfig redeclared in this block
previous declaration at pkg/resources/network_policy_acceptance_test.go:40:55
{ | ||
ResourceName: "snowflake_network_policy_attachment.test", | ||
ImportState: true, | ||
ImportStateVerify: false, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a reason for this to be false?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I set this to false while developing because I wasn't able to get it to work, I thought due to the inability to actually implement ReadNetworkPolicyAttachment
But it looks like it works now so switching it back to true
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
annnd I was wrong -- it's actually still not working:
=== RUN TestAccNetworkPolicyAttachment
TestAccNetworkPolicyAttachment: testing.go:683: Step 1 error: ImportStateVerify attributes not equivalent. Difference is shown below. Top is actual, bottom is expected.
(map[string]string) {
}
(map[string]string) (len=5) {
(string) (len=19) "network_policy_name": (string) (len=10) "uowauijhoy",
(string) (len=15) "set_for_account": (string) (len=5) "false",
(string) (len=7) "users.#": (string) (len=1) "2",
(string) (len=16) "users.2494182523": (string) (len=10) "test-user1",
(string) (len=16) "users.3213322168": (string) (len=10) "test-user2"
}
--- FAIL: TestAccNetworkPolicyAttachment (7.03s)
I think because ReadNetworkPolicyAttachment
isn't really implemented?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah its fine.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome, thanks for all the help getting this merged!
Ah oops, I accidentally overwrote |
Adds support for managing Snowflake Network Policy objects via the new `snowflake_network_policy` resource type. <!-- detail ways in which this PR has been tested or needs to be tested --> * [x] acceptance tests <!-- add more below if you think they are relevant --> * [x] tested built provider locally with trial Snowflake account <!-- issues documentation links, etc --> * Issue: Snowflake-Labs#221 * https://docs.snowflake.com/en/sql-reference/sql/create-network-policy.html
Adds support for managing Snowflake Network Policy objects via the new `snowflake_network_policy` resource type. ## Test Plan <!-- detail ways in which this PR has been tested or needs to be tested --> * [x] acceptance tests <!-- add more below if you think they are relevant --> * [x] tested built provider locally with trial Snowflake account ## References <!-- issues documentation links, etc --> * Issue: Snowflake-Labs#221 * https://docs.snowflake.com/en/sql-reference/sql/create-network-policy.html
Adds support for managing Snowflake Network Policy objects via the new `snowflake_network_policy` resource type. <!-- detail ways in which this PR has been tested or needs to be tested --> * [x] acceptance tests <!-- add more below if you think they are relevant --> * [x] tested built provider locally with trial Snowflake account <!-- issues documentation links, etc --> * Issue: Snowflake-Labs#221 * https://docs.snowflake.com/en/sql-reference/sql/create-network-policy.html
Adds support for managing Snowflake Network Policy objects via the new
snowflake_network_policy
resource type.Test Plan
References