Merge pull request #6 from getindata/feat/add-view-grant

feat: Add view grants
getindata · Jul 12, 2023 · ef664d7 · ef664d7
2 parents 8fd6be2 + b760d4b
commit ef664d7
Show file tree

Hide file tree

Showing 5 changed files with 44 additions and 7 deletions.
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -8,6 +8,7 @@ on:
 
 env:
   TERRAFORM_DOCS_VERSION: v0.16.0
+  TFLINT_VERSION: v0.43.0
 
 jobs:
   collectInputs:
@@ -43,15 +44,15 @@ jobs:
       - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
         # Run only validate pre-commit check on min version supported
         if: ${{ matrix.directory !=  '.' }}
-        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0
+        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.6.0
         with:
           terraform-version: ${{ steps.minMax.outputs.minVersion }}
           args: 'terraform-validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*'
 
       - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
         # Run only validate pre-commit check on min version supported
         if: ${{ matrix.directory ==  '.' }}
-        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0
+        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.6.0
         with:
           terraform-version: ${{ steps.minMax.outputs.minVersion }}
           args: 'terraform-validate --color=always --show-diff-on-failure --files $(ls *.tf)'
@@ -75,7 +76,8 @@ jobs:
       - run: terraform init
 
       - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
-        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0
+        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.6.0
         with:
           terraform-version: ${{ steps.minMax.outputs.maxVersion }}
           terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}
+          tflint-version: ${{ env.TFLINT_VERSION }}
diff --git a/README.md b/README.md
@@ -77,7 +77,7 @@ module "snowflake_role" {
 | <a name="input_descriptor_name"></a> [descriptor\_name](#input\_descriptor\_name) | Name of the descriptor used to form a resource name | `string` | `"snowflake-role"` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
-| <a name="input_external_table_grants"></a> [external\_table\_grants](#input\_external\_table\_grants) | Grants on a external table level | <pre>list(object({<br>    database_name       = string<br>    schema_name         = string<br>    external_table_name = optional(string)<br>    on_future           = optional(bool, false)<br>    privileges          = list(string)<br>  }))</pre> | `[]` | no |
+| <a name="input_external_table_grants"></a> [external\_table\_grants](#input\_external\_table\_grants) | Grants on a external table level | <pre>list(object({<br>    database_name       = string<br>    schema_name         = string<br>    external_table_name = optional(string)<br>    on_future           = optional(bool)<br>    privileges          = list(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_granted_roles"></a> [granted\_roles](#input\_granted\_roles) | Roles granted to this role | `list(string)` | `[]` | no |
 | <a name="input_granted_to_roles"></a> [granted\_to\_roles](#input\_granted\_to\_roles) | Roles which this role is granted to | `list(string)` | `[]` | no |
 | <a name="input_granted_to_users"></a> [granted\_to\_users](#input\_granted\_to\_users) | Users which this role is granted to | `list(string)` | `[]` | no |
@@ -92,9 +92,10 @@ module "snowflake_role" {
 | <a name="input_role_ownership_grant"></a> [role\_ownership\_grant](#input\_role\_ownership\_grant) | The name of the role to grant ownership | `string` | `null` | no |
 | <a name="input_schema_grants"></a> [schema\_grants](#input\_schema\_grants) | Grants on a schema level | <pre>list(object({<br>    database_name = string<br>    schema_name   = string<br>    privileges    = list(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_stage"></a> [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
-| <a name="input_table_grants"></a> [table\_grants](#input\_table\_grants) | Grants on a table level | <pre>list(object({<br>    database_name = string<br>    schema_name   = string<br>    table_name    = optional(string)<br>    on_future     = optional(bool, false)<br>    privileges    = list(string)<br>  }))</pre> | `[]` | no |
+| <a name="input_table_grants"></a> [table\_grants](#input\_table\_grants) | Grants on a table level | <pre>list(object({<br>    database_name = string<br>    schema_name   = string<br>    table_name    = optional(string)<br>    on_future     = optional(bool)<br>    privileges    = list(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).<br>Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
 | <a name="input_tenant"></a> [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
+| <a name="input_view_grants"></a> [view\_grants](#input\_view\_grants) | Grants on a view level | <pre>list(object({<br>    database_name = string<br>    schema_name   = string<br>    view_name     = optional(string)<br>    on_future     = optional(bool)<br>    privileges    = list(string)<br>  }))</pre> | `[]` | no |
 
 ## Modules
 
@@ -135,6 +136,7 @@ module "snowflake_role" {
 | [snowflake_role_ownership_grant.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_ownership_grant) | resource |
 | [snowflake_schema_grant.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/schema_grant) | resource |
 | [snowflake_table_grant.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/table_grant) | resource |
+| [snowflake_view_grant.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/view_grant) | resource |
 <!-- END_TF_DOCS -->
 
 ## CONTRIBUTING

diff --git a/locals.tf b/locals.tf
@@ -43,4 +43,14 @@ locals {
       privilege           = privilege
     }
   }]...)
+
+  view_grants = merge([for view_grant in var.view_grants : {
+    for privilege in view_grant.privileges : "${view_grant.database_name}/${view_grant.schema_name}/${coalesce(view_grant.view_name, "on_future")}/${privilege}" => {
+      database_name = view_grant.database_name
+      schema_name   = view_grant.schema_name
+      view_name     = view_grant.view_name
+      on_future     = view_grant.on_future
+      privilege     = privilege
+    }
+  }]...)
 }
diff --git a/main.tf b/main.tf
@@ -76,6 +76,17 @@ resource "snowflake_external_table_grant" "this" {
   roles               = [one(snowflake_role.this[*].name)]
 }
 
+resource "snowflake_view_grant" "this" {
+  for_each = module.this.enabled ? local.view_grants : {}
+
+  database_name = each.value.database_name
+  schema_name   = each.value.schema_name
+  view_name     = each.value.view_name
+  privilege     = each.value.privilege
+  on_future     = each.value.on_future
+  roles         = [one(snowflake_role.this[*].name)]
+}
+
 resource "snowflake_account_grant" "this" {
   for_each = toset(module.this.enabled ? var.account_grants : [])
 

diff --git a/variables.tf b/variables.tf
@@ -59,7 +59,7 @@ variable "table_grants" {
     database_name = string
     schema_name   = string
     table_name    = optional(string)
-    on_future     = optional(bool, false)
+    on_future     = optional(bool)
     privileges    = list(string)
   }))
   default = []
@@ -71,12 +71,24 @@ variable "external_table_grants" {
     database_name       = string
     schema_name         = string
     external_table_name = optional(string)
-    on_future           = optional(bool, false)
+    on_future           = optional(bool)
     privileges          = list(string)
   }))
   default = []
 }
 
+variable "view_grants" {
+  description = "Grants on a view level"
+  type = list(object({
+    database_name = string
+    schema_name   = string
+    view_name     = optional(string)
+    on_future     = optional(bool)
+    privileges    = list(string)
+  }))
+  default = []
+}
+
 variable "descriptor_name" {
   description = "Name of the descriptor used to form a resource name"
   type        = string