feat: create snowflake_role_ownership_grant resource

[aidanmelen]

Create a snowflake_role_ownership_grant resource.

Test Plan

• unit tests
• acceptance tests
• tested in my snowflake account
• tested read/update by manually deleting the to_role after creation, the ownership changed back to ACCOUNTADMIN. the following apply rebuilt the role and re-granted role ownership.

References

• (Feature Request) Support for grant ownership on role #460
• https://docs.snowflake.com/en/sql-reference/sql/grant-ownership.html

Example

I created a new example under examples/resources/snowflake_role_ownership_grant

resource "snowflake_role" "role" {
  name    = "rking_test_role"
  comment = "for testing"
}

resource "snowflake_role" "other_role" {
  name = "rking_test_role2"
}

# ensure the Terraform user inherits ownership privileges for the rking_test_role role
# otherwise Terraform will fail to destroy the rking_test_role2 role due to insufficient privileges
resource "snowflake_role_grants" "grants" {
  role_name = snowflake_role.role.name

  roles = [
    "ACCOUNTADMIN",
  ]
}

resource "snowflake_role_ownership_grant" "grant" {
  on_role_name = snowflake_role.role.name
  to_role_name = snowflake_role.other_role.name
  current_grants = "COPY"
}

resulting role ownership:

[aidanmelen]

@alldoami I think this is ready for peer review.

[alldoami]

If we wanted to use this GRANT OWNERSHIP query on other objects ( { ROLE | USER | WAREHOUSE | INTEGRATION | NETWORK POLICY | SESSION POLICY | DATABASE | SCHEMA | TABLE | VIEW | STAGE | FILE FORMAT | STREAM | TASK | MASKING POLICY | ROW ACCESS POLICY | PIPE | FUNCTION | PROCEDURE | SEQUENCE }), do you think we'd need to define new resources to create that? Or could we somehow make this a more generic snowflake_ownership_grant resource that isn't just for role ownership?

[aidanmelen]

If we wanted to use this GRANT OWNERSHIP query on other objects ( { ROLE | USER | WAREHOUSE | INTEGRATION | NETWORK POLICY | SESSION POLICY | DATABASE | SCHEMA | TABLE | VIEW | STAGE | FILE FORMAT | STREAM | TASK | MASKING POLICY | ROW ACCESS POLICY | PIPE | FUNCTION | PROCEDURE | SEQUENCE }), do you think we'd need to define new resources to create that? Or could we somehow make this a more generic snowflake_ownership_grant resource that isn't just for role ownership?

@alldoami I considered adding multiple types but that implementation is very nuanced so I opted to only support on role ownership initially since that is what the #460 called for.

That being said, I wrote this resource so that it could be expanded to support multiple ON object types in the future if that made sense.

Do you want a single resource handling GRANT OWNERSHIP? If so, that could look like this

resource "snowflake_ownership_grant" "role" {
  type      = "ROLE"
  name      = snowflake_role.role.name
  role_name = snowflake_role.other_role.name
}

resource "snowflake_ownership_grant" "user" {
  type      = "USER"
  name      = snowflake_user.user.name
  role_name = snowflake_role.other_role.name
}

However, we won't get much mileage out of the added complexity of this "generic" resource implementation because it would only support ROLE and USER types. Additional objects would collide with functionality offered by other grant resources. For example:

resource "snowflake_ownership_grant" "warehouse" {
  type      = "WAREHOUSE"
  name      = "wh"
  role_name = "role1"
}

would be redundant to the existing snowflake_warehouse_grant resource

resource "snowflake_warehouse_grant" "grant" {
  warehouse_name = "wh"
  privilege      = "OWNERSHIP"

  roles = [
    "role1",
  ]
}

---

Given the considerations above, I think it is best to have two special resources. The snowflake_role_ownership_grant that I am proposing in this PR

# GRANT OWNERSHIP ON ROLE "role" TO ROLE "role1" COPY CURRENT GRANTS 

resource "snowflake_role_ownership_grant" "grant" {
  on_role_name   = "role"
  to_role_name   = "role1",
  current_grants = "COPY"
}

# not to be confused with the existing `snowflake_role_grants` resource which handles `GRANT ROLE`

and a snowflake_user_ownership_grant that I could also add to this PR.

# GRANT OWNERSHIP ON USER "user" TO ROLE "role1" COPY CURRENT GRANTS 

resource "snowflake_user_ownership_grant" "grant" {
  on_user_name   = "user"
  to_role_name   = "role1",
  current_grants = "COPY"
}

Both special resources could share the common pkg/snowflake/snowflake_ownership_grant.go code.

[alldoami]

Got it @aidanmelen, this makes sense. Thank you for contributing!

[alldoami]

/ok-to-test sha=5c1de73

[github-actions]

Integration tests success for 5c1de73

[alldoami]

can you run make docs?

[aidanmelen]

can you run make docs?

I keep trying to add an example to the docs after it generates, but the make docs command eally doesn't like that... I will remove the example and re-run make docs

[aidanmelen]

@alldoami docs should be passing now

[aidanmelen]

Got it @aidanmelen, this makes sense. Thank you for contributing!

That was fun! Thanks for considering my contribution!

[aidanmelen]

I will plan on making another PR for the snowflake_user_ownership_grant resource in the near future.

[alldoami]

/ok-to-test sha=04b1260

[github-actions]

Integration tests success for 04b1260

[alldoami]

@aidanmelen GHA broke today and I think we need to rekick off the GHA jobs, do you think you can commit an empty commit to your branch?

[aidanmelen]

@alldoami done

[alldoami]

/ok-to-test sha=d734035

[github-actions]

Integration tests success for d734035

[alldoami]

/ok-to-test sha=274b54b

[github-actions]

Integration tests failure for 274b54b

[aidanmelen]

Integration tests failure for 274b54b

@alldoami looks like the integration test failure was unrelated to my PR:

all my tests passed:

[alldoami]

/ok-to-test sha=65f7a5b

[github-actions]

Integration tests success for 65f7a5b