From 78a7399c9be7d593c2c9d54dc79919f89b54bd1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominik=20Gniewek-W=C4=99grzyn?= Date: Mon, 29 Jul 2024 15:10:53 +0200 Subject: [PATCH] feat: align module with changes to snowflake provider --- .github/workflows/pre-commit.yml | 4 --- .pre-commit-config.yaml | 13 ++++----- .tflint.hcl | 10 +++---- README.md | 18 ++++++------- examples/complete/main.tf | 18 +++++++++---- examples/complete/providers.tf | 3 --- examples/complete/versions.tf | 2 +- examples/simple/providers.tf | 3 --- examples/simple/versions.tf | 7 ----- locals.tf | 18 ++++++++++--- main.tf | 45 ++++++++++++++++++++------------ variables.tf | 12 ++++++--- versions.tf | 2 +- 13 files changed, 85 insertions(+), 70 deletions(-) delete mode 100644 examples/complete/providers.tf delete mode 100644 examples/simple/providers.tf diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 652dff0..3363345 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -12,7 +12,3 @@ on: jobs: main: uses: getindata/github-workflows/.github/workflows/tf-pre-commit.yml@v1 - with: - # tflint v0.46.0 is the latest version we can use with pre-commit v0.1.20 - # See .pre-commit-config.yaml for more details. - tflint-version: v0.46.0 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2c59029..b88dcab 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
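Review bot: Dropping the `tflint-version` input means the tflint release used in CI is now whatever `tf-pre-commit.yml@v1` installs at run time, so the linter CI runs can differ from the one a developer has locally through the pre-commit hook, and nothing in this repo records which version is expected any more. If reproducible checks are the goal, keep passing an explicit version, `with:` / `tflint-version: <TFLINT_VERSION placeholder>`, or at least add a comment such as `# tflint version is inherited from the shared workflow` so the next reader knows the pin was removed deliberately. Separately, the floating `@v1` tag lets the shared workflow change underneath this repository without a commit here; referencing it by commit SHA is the usual hardening for reusable workflows.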
@@ -1,30 +1,27 @@ repos: - repo: https://github.com/gruntwork-io/pre-commit - # Stick to v0.1.20 until this bug is fixed: https://github.com/gruntwork-io/pre-commit/issues/102 - # When updating, also check if tflint version in pre-commit workflow can be updated. - rev: "v0.1.20" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases + rev: "v0.1.23" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases hooks: - id: terraform-validate # It should be the first step as it runs terraform init required by tflint - id: terraform-fmt - id: tflint args: - - --module - - --config=.tflint.hcl + - "--config=__GIT_ROOT__/.tflint.hcl" - repo: https://github.com/terraform-docs/terraform-docs - rev: "v0.16.0" # Get the latest from: https://github.com/terraform-docs/terraform-docs/releases + rev: "v0.18.0" # Get the latest from: https://github.com/terraform-docs/terraform-docs/releases hooks: - id: terraform-docs-go args: ["."] - repo: https://github.com/bridgecrewio/checkov.git - rev: "2.5.13" # Get the latest from: https://github.com/bridgecrewio/checkov/releases + rev: "3.2.213" # Get the latest from: https://github.com/bridgecrewio/checkov/releases hooks: - id: checkov args: [--skip-check, "CKV_TF_1"] # Terraform module sources do not use a git url with a commit hash revision - repo: https://github.com/pre-commit/pre-commit-hooks - rev: "v4.5.0" # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases + rev: "v4.6.0" # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases hooks: - id: check-merge-conflict args: ["--assume-in-merge"] diff --git a/.tflint.hcl b/.tflint.hcl index 6a33dcb..eee7847 100644 --- a/.tflint.hcl +++ b/.tflint.hcl 
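Review bot: Removing `--module` from the tflint args changes what gets linted, not only how the config is located: in tflint releases since v0.47 `--module` is deprecated in favour of `--call-module-type`, whose default `local` does not inspect remote module calls such as `getindata/role/snowflake`, so the two role module calls in main.tf may no longer be checked (confirm against the release notes of the tflint version the v0.1.23 hook installs). If inspecting those calls is still wanted, add `- "--call-module-type=all"` after the `--config` argument. The checkov bump from 2.5.13 to 3.2.213 is a major-version jump that brings new checks; the retained `--skip-check CKV_TF_1` comment still explains the one deliberate exception, which is fine as long as the new version is run once locally to confirm no other check needs attention.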
@@ -5,12 +5,12 @@ config { } plugin "terraform" { - enabled = true - version = "0.5.0" - source = "github.com/terraform-linters/tflint-ruleset-terraform" - preset = "all" + enabled = true + version = "0.5.0" + source = "github.com/terraform-linters/tflint-ruleset-terraform" + preset = "all" } rule "terraform_standard_module_structure" { - enabled = false # Fails on context.tf + enabled = false # Fails on context.tf } diff --git a/README.md b/README.md index b91bc05..0d2c3ea 100644 --- a/README.md +++ b/README.md @@ -23,7 +23,6 @@ Terraform module for Snowflake Warehouse management * Can create custom Snowflake Roles with role-to-role, role-to-user assignments * Can create a set of default, functional roles to simplify access management: * `ADMIN` - full access - * `MODIFY` - abillity to modify warehouse * `MONITOR` - abillity to monitor warehouse * `USAGE` - abillity to use warehouse @@ -56,7 +55,7 @@ module "terraform_snowflake_warehouse" { ## NOTES -_Additional information that should be made public, for ex. how to solve known issues, additional descriptions/suggestions_ +When upgrading to version `v2.2.x` - all `default_roles` will be recreated using new terraform resources. ## EXAMPLES @@ -99,14 +98,14 @@ _Additional information that should be made public, for ex. how to solve known i | [query\_acceleration\_max\_scale\_factor](#input\_query\_acceleration\_max\_scale\_factor) | Specifies the maximum scale factor for leasing compute resources for query acceleration. The scale factor is used as a multiplier based on warehouse size. | `number` | `null` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | | [resource\_monitor](#input\_resource\_monitor) | Specifies the name of a resource monitor that is explicitly assigned to the warehouse. | `string` | `null` | no | -| [roles](#input\_roles) | Roles created on the warehouse level |
map(object({
enabled = optional(bool, true)
descriptor_name = optional(string, "snowflake-role")
comment = optional(string)
role_ownership_grant = optional(string)
granted_roles = optional(list(string))
granted_to_roles = optional(list(string))
granted_to_users = optional(list(string))
warehouse_grants = optional(list(string))
}))
| `{}` | no | -| [scaling\_policy](#input\_scaling\_policy) | Specifies the policy for automatically starting and shutting down clusters in a multi-cluster warehouse running in Auto-scale mode. | `string` | `null` | no | +| [roles](#input\_roles) | Account roles created on the warehouse level |
map(object({
enabled = optional(bool, true)
descriptor_name = optional(string, "snowflake-role")
comment = optional(string)
role_ownership_grant = optional(string)
granted_roles = optional(list(string))
granted_to_roles = optional(list(string))
granted_to_users = optional(list(string))
warehouse_grants = optional(object({
all_privileges = optional(bool)
with_grant_option = optional(bool, false)
privileges = optional(list(string))
}))
}))
| `{}` | no | +| [scaling\_policy](#input\_scaling\_policy) | Specifies the policy for automatically starting and shutting down clusters in a multi-cluster warehouse running in Auto-scale mode. Valid values are `STANDARD` and `ECONOMY`. | `string` | `null` | no | | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | | [statement\_queued\_timeout\_in\_seconds](#input\_statement\_queued\_timeout\_in\_seconds) | Object parameter that specifies the time, in seconds, a SQL statement (query, DDL, DML, etc.) can be queued on a warehouse before it is canceled by the system. | `number` | `null` | no | | [statement\_timeout\_in\_seconds](#input\_statement\_timeout\_in\_seconds) | Specifies the time, in seconds, after which a running SQL statement (query, DDL, DML, etc.) is canceled by the system | `number` | `null` | no | | [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | | [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | -| [warehouse\_size](#input\_warehouse\_size) | Specifies the size of the virtual warehouse. | `string` | `"X-Small"` | no | +| [warehouse\_size](#input\_warehouse\_size) | Specifies the size of the virtual warehouse. Possible values are: XSMALL, X-SMALL, SMALL, MEDIUM, LARGE, XLARGE, X-LARGE, XXLARGE, X2LARGE, 2X-LARGE, XXXLARGE, X3LARGE, 3X-LARGE, X4LARGE, 4X-LARGE, X5LARGE, 5X-LARGE, X6LARGE, 6X-LARGE. | `string` | `"X-Small"` | no | | [warehouse\_type](#input\_warehouse\_type) | Specifies the type of the virtual warehouse. | `string` | `"STANDARD"` | no | ## Modules @@ -114,8 +113,8 @@ _Additional information that should be made public, for ex. how to solve known i | Name | Source | Version | |------|--------|---------| | [roles\_deep\_merge](#module\_roles\_deep\_merge) | Invicton-Labs/deepmerge/null | 0.1.5 | -| [snowflake\_custom\_role](#module\_snowflake\_custom\_role) | getindata/role/snowflake | 1.0.3 | -| [snowflake\_default\_role](#module\_snowflake\_default\_role) | getindata/role/snowflake | 1.0.3 | +| [snowflake\_custom\_role](#module\_snowflake\_custom\_role) | getindata/role/snowflake | 2.1.0 | +| [snowflake\_default\_role](#module\_snowflake\_default\_role) | getindata/role/snowflake | 2.1.0 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 | | [warehouse\_label](#module\_warehouse\_label) | cloudposse/label/null | 0.25.0 | 
@@ -130,21 +129,20 @@ _Additional information that should be made public, for ex. how to solve known i | Name | Version | |------|---------| -| [snowflake](#provider\_snowflake) | ~> 0.53 | +| [snowflake](#provider\_snowflake) | ~> 0.94 | ## Requirements | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.3 | -| [snowflake](#requirement\_snowflake) | ~> 0.53 | +| [snowflake](#requirement\_snowflake) | ~> 0.94 | ## Resources | Name | Type | |------|------| | [snowflake_warehouse.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/warehouse) | resource | -| [snowflake_warehouse_grant.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/warehouse_grant) | resource | ## CONTRIBUTING diff --git a/examples/complete/main.tf b/examples/complete/main.tf index a1c163d..ead32f0 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -1,9 +1,9 @@ -resource "snowflake_role" "this_admin" { +resource "snowflake_account_role" "this_admin" { name = "WAREHOUSE_ADMIN" comment = "Role for Snowflake Administrators" } -resource "snowflake_role" "this_dev" { +resource "snowflake_account_role" "this_dev" { name = "WAREHOUSE_DEV" comment = "Role for Snowflake Developers" } @@ -59,11 +59,19 @@ module "terraform_snowflake_warehouse" { roles = { admin = { - granted_to_roles = [snowflake_role.this_admin.name] + granted_to_roles = [snowflake_account_role.this_admin.name] } custom_role = { - warehouse_grants = ["USAGE", "MODIFY"] - granted_to_roles = [snowflake_role.this_dev.name] + warehouse_grants = { + privileges = ["USAGE", "MODIFY"] + } + granted_to_roles = [snowflake_account_role.this_dev.name] } } + + depends_on = [ + snowflake_account_role.this_admin, + snowflake_account_role.this_dev, + snowflake_resource_monitor.this + ] } diff --git a/examples/complete/providers.tf b/examples/complete/providers.tf deleted file mode 100644 index a1a962e..0000000 
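Review bot: The `depends_on` list added to the `terraform_snowflake_warehouse` module call is redundant for the two roles, since `granted_to_roles` already references `snowflake_account_role.this_admin.name` and `snowflake_account_role.this_dev.name`, and an explicit `depends_on` on a module block makes Terraform defer every data source inside the module to apply time whenever a dependency changes, which typically surfaces as "known after apply" churn in plans. If only the ordering against `snowflake_resource_monitor.this` is needed, referencing its name in the module inputs (presumably already done via `resource_monitor`; the start of the module block is outside the hunk) gives the same ordering without that side effect. Suggest removing the block, or at most `depends_on = [snowflake_resource_monitor.this]`.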
--- a/examples/complete/providers.tf +++ /dev/null @@ -1,3 +0,0 @@ -provider "snowflake" { - # Configuration options -} diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf index dd2b661..28b216f 100644 --- a/examples/complete/versions.tf +++ b/examples/complete/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { snowflake = { source = "Snowflake-Labs/snowflake" - version = "~> 0.47" + version = "~> 0.94" } } } diff --git a/examples/simple/providers.tf b/examples/simple/providers.tf deleted file mode 100644 index a1a962e..0000000 --- a/examples/simple/providers.tf +++ /dev/null @@ -1,3 +0,0 @@ -provider "snowflake" { - # Configuration options -} diff --git a/examples/simple/versions.tf b/examples/simple/versions.tf index dd2b661..6964268 100644 --- a/examples/simple/versions.tf +++ b/examples/simple/versions.tf @@ -1,10 +1,3 @@ terraform { required_version = ">= 1.3" - - required_providers { - snowflake = { - source = "Snowflake-Labs/snowflake" - version = "~> 0.47" - } - } } diff --git a/locals.tf b/locals.tf index 674c690..4bcf77d 100644 --- a/locals.tf +++ b/locals.tf @@ -8,13 +8,25 @@ locals { default_roles_definition = { usage = { - warehouse_grants = ["USAGE", "OPERATE"] + warehouse_grants = { + all_privileges = null + privileges = ["USAGE", "OPERATE"] + with_grant_option = false + } } monitor = { - warehouse_grants = ["MONITOR"] + warehouse_grants = { + privileges = ["MONITOR"] + all_privileges = null + with_grant_option = false + } } admin = { - warehouse_grants = ["MODIFY", "MONITOR", "USAGE", "OPERATE", "OWNERSHIP"] + warehouse_grants = { + all_privileges = true + privileges = null + with_grant_option = false + } } } diff --git a/main.tf b/main.tf index ccb83f7..e072102 100644 --- a/main.tf +++ b/main.tf @@ -40,7 +40,8 @@ module "snowflake_default_role" { for_each = local.default_roles source = "getindata/role/snowflake" - version = "1.0.3" + version = "2.1.0" + context = module.this.context name = each.key 
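Review bot: The `admin` entry of `default_roles_definition` changes scope silently: `all_privileges = true` replaces an explicit list that included `OWNERSHIP`, and Snowflake's ALL PRIVILEGES grant excludes OWNERSHIP, so after the upgrade the ADMIN role no longer receives ownership of the warehouse, while any warehouse privilege Snowflake adds in future is granted to it automatically. Neither effect is covered by the README note that `default_roles` are recreated on `v2.2.x`. If the previous scope is intended, keep it explicit, `all_privileges = null` with `privileges = ["MODIFY", "MONITOR", "USAGE", "OPERATE"]`, and handle ownership separately (in this provider line ownership transfer is its own `snowflake_grant_ownership` resource); otherwise state the widening in the README note so operators can review it before applying.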
@@ -52,13 +53,27 @@ module "snowflake_default_role" { granted_to_users = lookup(each.value, "granted_to_users", []) granted_to_roles = lookup(each.value, "granted_to_roles", []) granted_roles = lookup(each.value, "granted_roles", []) + + account_objects_grants = { + WAREHOUSE = [{ + all_privileges = each.value.warehouse_grants.all_privileges + privileges = each.value.warehouse_grants.privileges + with_grant_option = each.value.warehouse_grants.with_grant_option + object_name = one(snowflake_warehouse.this[*].name) + }] + } + + depends_on = [ + snowflake_warehouse.this + ] } module "snowflake_custom_role" { for_each = local.custom_roles source = "getindata/role/snowflake" - version = "1.0.3" + version = "2.1.0" + context = module.this.context name = each.key @@ -70,19 +85,17 @@ module "snowflake_custom_role" { granted_to_users = lookup(each.value, "granted_to_users", []) granted_to_roles = lookup(each.value, "granted_to_roles", []) granted_roles = lookup(each.value, "granted_roles", []) -} -resource "snowflake_warehouse_grant" "this" { - for_each = local.enabled ? transpose({ for role_name, role in local.roles : local.roles[role_name].name => - lookup(local.roles_definition[role_name], "warehouse_grants", []) - if lookup(local.roles_definition[role_name], "enabled", true) - }) : {} - warehouse_name = one(resource.snowflake_warehouse.this[*]).name - privilege = each.key - roles = each.value - - # Whole configuration should be maintained "as Code" so below - # options should be disabled in all use-cases - enable_multiple_grants = false - with_grant_option = false + account_objects_grants = { + WAREHOUSE = [{ + all_privileges = each.value.warehouse_grants.all_privileges + privileges = each.value.warehouse_grants.privileges + with_grant_option = each.value.warehouse_grants.with_grant_option + object_name = one(snowflake_warehouse.this[*].name) + }] + } + + depends_on = [ + snowflake_warehouse.this + ] } 
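Review bot: `each.value.warehouse_grants.all_privileges` is read unconditionally in the new `account_objects_grants` block, but `warehouse_grants` is declared `optional(object({...}))` without a default in variables.tf, so a custom role that sets only `granted_to_users` or `granted_to_roles` yields a null object and `terraform plan` fails with an attempt to get an attribute from a null value; the old `lookup(..., "warehouse_grants", [])` tolerated that case, and unless `local.custom_roles` fills the object in (locals.tf is only partly visible) the read needs a guard. The same read appears in the `snowflake_custom_role` hunk that follows, and the fence below applies to both. Note also that the removed comment explained why `with_grant_option` was hard-wired to `false`; the new code passes the caller's value through, so a role definition can now delegate grants — either restore the hard `false` or document the change next to the variable. The added `depends_on = [snowflake_warehouse.this]` is redundant, since `object_name` already references the warehouse.
```hcl
  // … unchanged: name, comment, ownership and granted_* arguments …
  account_objects_grants = {
    WAREHOUSE = each.value.warehouse_grants == null ? [] : [{
      all_privileges    = each.value.warehouse_grants.all_privileges
      privileges        = each.value.warehouse_grants.privileges
      with_grant_option = each.value.warehouse_grants.with_grant_option
      object_name       = one(snowflake_warehouse.this[*].name)
    }]
  }
```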
diff --git a/variables.tf b/variables.tf index 91d68e4..d68399c 100644 --- a/variables.tf +++ b/variables.tf @@ -5,7 +5,7 @@ variable "comment" { } variable "warehouse_size" { - description = "Specifies the size of the virtual warehouse." + description = "Specifies the size of the virtual warehouse. Possible values are: XSMALL, X-SMALL, SMALL, MEDIUM, LARGE, XLARGE, X-LARGE, XXLARGE, X2LARGE, 2X-LARGE, XXXLARGE, X3LARGE, 3X-LARGE, X4LARGE, 4X-LARGE, X5LARGE, 5X-LARGE, X6LARGE, 6X-LARGE." type = string default = "X-Small" } @@ -51,7 +51,7 @@ variable "max_cluster_count" { } variable "scaling_policy" { - description = "Specifies the policy for automatically starting and shutting down clusters in a multi-cluster warehouse running in Auto-scale mode." + description = "Specifies the policy for automatically starting and shutting down clusters in a multi-cluster warehouse running in Auto-scale mode. Valid values are `STANDARD` and `ECONOMY`." type = string default = null } @@ -93,7 +93,7 @@ variable "resource_monitor" { } variable "roles" { - description = "Roles created on the warehouse level" + description = "Account roles created on the warehouse level" type = map(object({ enabled = optional(bool, true) descriptor_name = optional(string, "snowflake-role") @@ -102,7 +102,11 @@ variable "roles" { granted_roles = optional(list(string)) granted_to_roles = optional(list(string)) granted_to_users = optional(list(string)) - warehouse_grants = optional(list(string)) + warehouse_grants = optional(object({ + all_privileges = optional(bool) + with_grant_option = optional(bool, false) + privileges = optional(list(string)) + })) })) default = {} } diff --git a/versions.tf b/versions.tf index c91c1ba..a30ce17 100644 --- a/versions.tf +++ b/versions.tf @@ -3,7 +3,7 @@ terraform { required_providers { snowflake = { source = "Snowflake-Labs/snowflake" - version = "~> 0.53" + version = "~> 0.94" } } }
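Review bot: The new `warehouse_grants` object in `variable "roles"` accepts `all_privileges` and `privileges` in any combination, including both null or both set, and nothing rejects that at plan time; if the role module passes these straight to the provider's grant resource, which accepts exactly one of them, the error only appears deep inside the module call, and an entry with both unset silently produces no grant. A `validation` block on the variable gives the caller a clear message instead, and the defaults in locals.tf (one of the two set, the other null) already follow that shape. The `variable "roles"` block starts in the preceding hunk; the validation goes after `default = {}`.
```hcl
  // … unchanged: description, type, default …
  validation {
    condition = alltrue([
      for role in var.roles : role.warehouse_grants == null ? true : (
        (try(role.warehouse_grants.all_privileges, null) == true) != (try(role.warehouse_grants.privileges, null) != null)
      )
    ])
    error_message = "warehouse_grants must set exactly one of all_privileges = true or privileges."
  }
```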