feat: create snowflake_role_ownership_grant resource #917

Merged
merged 19 commits into from
Mar 21, 2022
re-ran make docs. I also fixed a tiny bug in the unittest
aidanmelen committed Mar 15, 2022
commit 8473b43966c5d866e59658624290b6c6c80a6715
8 changes: 0 additions & 8 deletions docs/resources/role_ownership_grant.md
@@ -8,37 +8,29 @@ description: |-

# snowflake_role_ownership_grant (Resource)


## Example Usage

```terraform
resource "snowflake_role" "role" {
name = "rking_test_role"
comment = "for testing"
}

resource "snowflake_role" "other_role" {
name = "rking_test_role2"
}

# ensure the Terraform user inherits ownership privileges for the rking_test_user role
# otherwise Terraform will fail to destroy the rking_test_role2 role due to insufficient privileges
resource "snowflake_role_grants" "grants" {
role_name = snowflake_role.role.name

roles = [
"ACCOUNTADMIN",
]
}

resource "snowflake_role_ownership_grant" "grant" {
on_role_name = snowflake_role.role.name
to_role_name = snowflake_role.other_role.name
current_grants = "COPY"
}
```


<!-- schema generated by tfplugindocs -->
## Schema

@@ -7,7 +7,7 @@ resource "snowflake_role" "other_role" {
name = "rking_test_role2"
}

# ensure the Terraform user inherits ownership privileges for the rking_test_user role
# ensure the Terraform user inherits ownership privileges for the rking_test_role role
# otherwise Terraform will fail to destroy the rking_test_role2 role due to insufficient privileges
resource "snowflake_role_grants" "grants" {
role_name = snowflake_role.role.name
86 changes: 43 additions & 43 deletions pkg/resources/role_ownership_grant.go
@@ -11,45 +11,45 @@ import (
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
)

var roleOwnershipGrantSchema = map[string]*schema.Schema{
"on_role_name": {
Type: schema.TypeString,
Elem: &schema.Schema{Type: schema.TypeString},
Required: true,
Description: "The name of the role ownership is granted on.",
ValidateFunc: func(val interface{}, key string) ([]string, []error) {
return snowflake.ValidateIdentifier(val)
},
},
"to_role_name": {
Type: schema.TypeString,
Elem: &schema.Schema{Type: schema.TypeString},
Required: true,
Description: "The name of the role to grant ownership. Please ensure that the role that terraform is using is granted access.",
ValidateFunc: func(val interface{}, key string) ([]string, []error) {
return snowflake.ValidateIdentifier(val)
},
},
"current_grants": {
Type: schema.TypeString,
Elem: &schema.Schema{Type: schema.TypeString},
Optional: true,
Description: "Specifies whether to remove or transfer all existing outbound privileges on the object when ownership is transferred to a new role.",
Default: "COPY",
ValidateFunc: validation.StringInSlice([]string{
"COPY",
"REVOKE",
}, true),
},
}

func RoleOwnershipGrant() *schema.Resource {
return &schema.Resource{
Create: CreateRoleOwnershipGrant,
Read: ReadRoleOwnershipGrant,
Delete: DeleteRoleOwnershipGrant,
Update: UpdateRoleOwnershipGrant,

Schema: map[string]*schema.Schema{
"on_role_name": {
Type: schema.TypeString,
Elem: &schema.Schema{Type: schema.TypeString},
Required: true,
Description: "The name of the role ownership is granted on.",
ValidateFunc: func(val interface{}, key string) ([]string, []error) {
return snowflake.ValidateIdentifier(val)
},
},
"to_role_name": {
Type: schema.TypeString,
Elem: &schema.Schema{Type: schema.TypeString},
Required: true,
Description: "The name of the role to grant ownership. Please ensure that the role that terraform is using is granted access.",
ValidateFunc: func(val interface{}, key string) ([]string, []error) {
return snowflake.ValidateIdentifier(val)
},
},
"current_grants": {
Type: schema.TypeString,
Elem: &schema.Schema{Type: schema.TypeString},
Optional: true,
Description: "Specifies whether to remove or transfer all existing outbound privileges on the object when ownership is transferred to a new role.",
Default: "COPY",
ValidateFunc: validation.StringInSlice([]string{
"COPY",
"REVOKE",
}, true),
},
},

Schema: roleOwnershipGrantSchema,
Importer: &schema.ResourceImporter{
StateContext: schema.ImportStatePassthroughContext,
},
@@ -119,34 +119,34 @@ func ReadRoleOwnershipGrant(d *schema.ResourceData, meta interface{}) error {
return nil
}

func DeleteRoleOwnershipGrant(d *schema.ResourceData, meta interface{}) error {
func UpdateRoleOwnershipGrant(d *schema.ResourceData, meta interface{}) error {
db := meta.(*sql.DB)
onRoleName := d.Get("on_role_name").(string)
toRoleName := d.Get("to_role_name").(string)
currentGrants := d.Get("current_grants").(string)

d.SetId(fmt.Sprintf(`%s|%s|%s`, onRoleName, toRoleName, currentGrants))

g := snowflake.RoleOwnershipGrant(onRoleName, currentGrants)
err := snowflake.Exec(db, g.Role("ACCOUNTADMIN").Revoke())
err := snowflake.Exec(db, g.Role(toRoleName).Grant())
if err != nil {
return err
}

d.SetId("")
return nil
return ReadRoleOwnershipGrant(d, meta)
}

func UpdateRoleOwnershipGrant(d *schema.ResourceData, meta interface{}) error {
func DeleteRoleOwnershipGrant(d *schema.ResourceData, meta interface{}) error {
db := meta.(*sql.DB)
onRoleName := d.Get("on_role_name").(string)
toRoleName := d.Get("to_role_name").(string)
currentGrants := d.Get("current_grants").(string)

d.SetId(fmt.Sprintf(`%s|%s|%s`, onRoleName, toRoleName, currentGrants))

g := snowflake.RoleOwnershipGrant(onRoleName, currentGrants)
err := snowflake.Exec(db, g.Role(toRoleName).Revoke())
err := snowflake.Exec(db, g.Role("ACCOUNTADMIN").Revoke())
if err != nil {
return err
}

return ReadRoleOwnershipGrant(d, meta)
d.SetId("")
return nil
}
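Review bot: DeleteRoleOwnershipGrant, at the end of the second hunk, transfers ownership of on_role_name to a hard-coded `"ACCOUNTADMIN"` via `g.Role("ACCOUNTADMIN").Revoke()` (the updated test on this page confirms the emitted SQL is `GRANT OWNERSHIP ON ROLE ... TO ROLE "ACCOUNTADMIN" COPY CURRENT GRANTS`), so a destroy hands the role, and with COPY all of its outbound grants, to the account's top-privilege role regardless of which role the provider session is using, and fails outright when that session cannot grant to ACCOUNTADMIN; the destination should be the session's own role (e.g. resolved from `CURRENT_ROLE()`) or an explicit, documented attribute rather than a constant, and the "revoke" naming should say that it is really a transfer. In UpdateRoleOwnershipGrant the `d.SetId(fmt.Sprintf(...))` call runs before `snowflake.Exec` is checked, so a failed GRANT can leave the state ID describing a transfer Snowflake never performed; move `d.SetId` after the `if err != nil` block (the same pre-Exec SetId in Delete is harmless only because it is overwritten with `""`). The new roleOwnershipGrantSchema in the first hunk also leaves `on_role_name` without `ForceNew: true`, so changing it is routed through Update, which grants ownership on the new role but never touches the old one — the old role stays owned by to_role_name and is no longer tracked by Terraform; `ForceNew: true` on `on_role_name` would let destroy/create handle that correctly (a to_role_name change is fine as-is, since granting ownership to a new role supersedes the previous owner). Finally, `Elem: &schema.Schema{Type: schema.TypeString}` on the three TypeString attributes is meaningless for a scalar and can be dropped.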
4 changes: 2 additions & 2 deletions pkg/resources/role_ownership_grants_test.go
@@ -27,7 +27,7 @@ func TestRoleOwnershipGrantCreate(t *testing.T) {
})

WithMockDb(t, func(db *sql.DB, mock sqlmock.Sqlmock) {
mock.ExpectExec(`GRANT OWNERSHIP ON ROLE "good_name" TO ROLE "other_good_name"`).WillReturnResult(sqlmock.NewResult(1, 1))
mock.ExpectExec(`GRANT OWNERSHIP ON ROLE "good_name" TO ROLE "other_good_name" COPY CURRENT GRANTS`).WillReturnResult(sqlmock.NewResult(1, 1))
expectReadRoleOwnershipGrant(mock)
err := resources.CreateRoleOwnershipGrant(d, db)
r.NoError(err)
@@ -77,7 +77,7 @@ func TestRoleOwnershipGrantDelete(t *testing.T) {

WithMockDb(t, func(db *sql.DB, mock sqlmock.Sqlmock) {

mock.ExpectExec(`GRANT OWNERSHIP ON ROLE "good_name" TO ROLE "ACCOUNTADMIN"`).WillReturnResult(sqlmock.NewResult(1, 1))
mock.ExpectExec(`GRANT OWNERSHIP ON ROLE "good_name" TO ROLE "ACCOUNTADMIN" COPY CURRENT GRANTS`).WillReturnResult(sqlmock.NewResult(1, 1))
err := resources.DeleteRoleOwnershipGrant(d, db)
r.NoError(err)
})