diff --git a/README.md b/README.md index 31485ae..0999afc 100644 --- a/README.md +++ b/README.md @@ -109,7 +109,7 @@ which can be executed manually in Snowflake account. | [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | | [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [roles](#input\_roles) | Roles created in the scheme scope |
map(object({
enabled = optional(bool, true)
comment = optional(string)
role_ownership_grant = optional(string)
granted_roles = optional(list(string))
granted_to_roles = optional(list(string))
granted_to_users = optional(list(string))
add_grants_to_existing_objects = optional(bool)
schema_grants = optional(list(string))
table_grants = optional(list(string))
external_table_grants = optional(list(string))
view_grants = optional(list(string))
materialized_view_grants = optional(list(string))
file_format_grants = optional(list(string))
function_grants = optional(list(string))
stage_grants = optional(list(string))
task_grants = optional(list(string))
procedure_grants = optional(list(string))
sequence_grants = optional(list(string))
stream_grants = optional(list(string))
}))
| `{}` | no | +| [roles](#input\_roles) | Roles created in the scheme scope |
map(object({
enabled = optional(bool, true)
comment = optional(string)
role_ownership_grant = optional(string)
granted_roles = optional(list(string))
granted_to_roles = optional(list(string))
granted_to_users = optional(list(string))
add_grants_to_existing_objects = optional(bool)
schema_grants = optional(list(string))
table_grants = optional(list(string))
dynamic_table_grants = optional(list(string))
external_table_grants = optional(list(string))
view_grants = optional(list(string))
materialized_view_grants = optional(list(string))
file_format_grants = optional(list(string))
function_grants = optional(list(string))
stage_grants = optional(list(string))
task_grants = optional(list(string))
procedure_grants = optional(list(string))
sequence_grants = optional(list(string))
stream_grants = optional(list(string))
}))
| `{}` | no | | [skip\_schema\_creation](#input\_skip\_schema\_creation) | Should schema creation be skipped but allow all other resources to be created. Useful if schema already exsists but you want to add e.g. access roles | `bool` | `false` | no | | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | | [stages](#input\_stages) | Stages to be created in the schema |
map(object({
enabled = optional(bool, true)
descriptor_name = optional(string, "snowflake-stage")
aws_external_id = optional(string)
comment = optional(string)
copy_options = optional(string)
credentials = optional(string)
directory = optional(string)
encryption = optional(string)
file_format = optional(string)
snowflake_iam_user = optional(string)
storage_integration = optional(string)
url = optional(string)
create_default_roles = optional(bool)
roles = optional(map(object({
enabled = optional(bool, true)
comment = optional(string)
role_ownership_grant = optional(string)
granted_roles = optional(list(string))
granted_to_roles = optional(list(string))
granted_to_users = optional(list(string))
stage_grants = optional(list(string))
})), {})
}))
| `{}` | no | @@ -122,8 +122,8 @@ which can be executed manually in Snowflake account. |------|--------|---------| | [roles\_deep\_merge](#module\_roles\_deep\_merge) | Invicton-Labs/deepmerge/null | 0.1.5 | | [schema\_label](#module\_schema\_label) | cloudposse/label/null | 0.25.0 | -| [snowflake\_custom\_role](#module\_snowflake\_custom\_role) | getindata/role/snowflake | 1.0.3 | -| [snowflake\_default\_role](#module\_snowflake\_default\_role) | getindata/role/snowflake | 1.0.3 | +| [snowflake\_custom\_role](#module\_snowflake\_custom\_role) | getindata/role/snowflake | 1.3.0 | +| [snowflake\_default\_role](#module\_snowflake\_default\_role) | getindata/role/snowflake | 1.3.0 | | [snowflake\_stage](#module\_snowflake\_stage) | getindata/stage/snowflake | 1.0.0 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 | @@ -137,8 +137,6 @@ which can be executed manually in Snowflake account. | [is\_transient](#output\_is\_transient) | Is schema transient | | [name](#output\_name) | Name of the schema | | [roles](#output\_roles) | Snowflake Roles | -| [roles\_grant\_on\_all\_statements](#output\_roles\_grant\_on\_all\_statements) | Generates GRANT ON ALL type of statements according to provided role definitions.
This is useful if the module is created with `skip_schema_creation` option in cases like zero-copy clone
and all access roles are meant to be created.
Related Snowflake provider GitHub issue:
https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/250 | -| [roles\_revoke\_on\_all\_statements](#output\_roles\_revoke\_on\_all\_statements) | Generates REVOKE ON ALL type of statements according to provided role definitions.
This is useful if the module is created with `skip_schema_creation` option in cases like zero-copy clone
and all access roles are meant to be created.
Related Snowflake provider GitHub issue:
https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/250 | | [stages](#output\_stages) | Schema stages | ## Providers 
@@ -160,25 +158,30 @@ which can be executed manually in Snowflake account. |------|------| | [snowflake_external_table_grant.existing](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/external_table_grant) | resource | | [snowflake_external_table_grant.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/external_table_grant) | resource | +| [snowflake_file_format_grant.existing](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/file_format_grant) | resource | | [snowflake_file_format_grant.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/file_format_grant) | resource | +| [snowflake_function_grant.existing](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/function_grant) | resource | | [snowflake_function_grant.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/function_grant) | resource | +| [snowflake_grant_privileges_to_role.dynamic_table](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_privileges_to_role) | resource | +| [snowflake_grant_privileges_to_role.existing_dynamic_table](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_privileges_to_role) | resource | | [snowflake_materialized_view_grant.existing](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/materialized_view_grant) | resource | | [snowflake_materialized_view_grant.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/materialized_view_grant) | resource | +| [snowflake_procedure_grant.existing](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/procedure_grant) | resource | | 
[snowflake_procedure_grant.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/procedure_grant) | resource | | [snowflake_schema.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/schema) | resource | | [snowflake_schema_grant.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/schema_grant) | resource | +| [snowflake_sequence_grant.existing](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/sequence_grant) | resource | | [snowflake_sequence_grant.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/sequence_grant) | resource | +| [snowflake_stage_grant.existing](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/stage_grant) | resource | | [snowflake_stage_grant.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/stage_grant) | resource | +| [snowflake_stream_grant.existing](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/stream_grant) | resource | | [snowflake_stream_grant.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/stream_grant) | resource | | [snowflake_table_grant.existing](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/table_grant) | resource | | [snowflake_table_grant.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/table_grant) | resource | +| [snowflake_task_grant.existing](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/task_grant) | resource | | [snowflake_task_grant.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/task_grant) | resource | | 
[snowflake_view_grant.existing](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/view_grant) | resource | | [snowflake_view_grant.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/view_grant) | resource | -| [snowflake_external_tables.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/data-sources/external_tables) | data source | -| [snowflake_materialized_views.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/data-sources/materialized_views) | data source | -| [snowflake_tables.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/data-sources/tables) | data source | -| [snowflake_views.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/data-sources/views) | data source | ## CONTRIBUTING diff --git a/locals.tf b/locals.tf index e188f7a..b28dc5b 100644 --- a/locals.tf +++ b/locals.tf @@ -6,7 +6,6 @@ locals { ), module.schema_label.delimiter) : null create_default_roles = module.this.enabled && var.create_default_roles - skip_schema_creation = module.this.enabled && var.skip_schema_creation #This needs to be the same as an object in roles variable role_template = { @@ -19,6 +18,7 @@ locals { add_grants_to_existing_objects = false schema_grants = [] table_grants = [] + dynamic_table_grants = [] external_table_grants = [] view_grants = [] materialized_view_grants = [] @@ -35,6 +35,7 @@ locals { readonly = { schema_grants = ["USAGE"] table_grants = ["SELECT"] + dynamic_table_grants = ["SELECT"] external_table_grants = ["SELECT", "REFERENCES"] view_grants = ["SELECT", "REFERENCES"] materialized_view_grants = ["SELECT", "REFERENCES"] 
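Review bot: Dropping the `skip_schema_creation` local in hunk `@@ -6,7 +6,6 @@` is only safe if nothing outside this diff still reads `local.skip_schema_creation`; every consumer visible here is removed in the same commit, but the schema resource that presumably honours this flag is not in the diff, so its reference should be confirmed to go through `var.skip_schema_creation`. The README still describes the input as the way to add access roles to a pre-existing schema, while after this change grants on existing objects depend only on `add_grants_to_existing_objects`; a one-line addition to the variable description such as `Grants on already existing objects are controlled by add_grants_to_existing_objects, not by this flag.` would keep the two in step. The `locals` block starts and ends outside this hunk.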
@@ -47,6 +48,7 @@ locals { readwrite = { schema_grants = ["USAGE"] table_grants = ["SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE", "REFERENCES", "REBUILD"] + dynamic_table_grants = ["SELECT"] external_table_grants = ["SELECT", "REFERENCES"] view_grants = ["SELECT", "REFERENCES"] materialized_view_grants = ["SELECT", "REFERENCES"] @@ -59,6 +61,7 @@ locals { transformer = { schema_grants = ["CREATE TEMPORARY TABLE", "CREATE TAG", "CREATE PIPE", "CREATE PROCEDURE", "CREATE MATERIALIZED VIEW", "USAGE", "CREATE TABLE", "CREATE FILE FORMAT", "CREATE STAGE", "CREATE TASK", "CREATE FUNCTION", "CREATE EXTERNAL TABLE", "CREATE SEQUENCE", "CREATE VIEW", "CREATE STREAM"] table_grants = ["SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE", "REFERENCES", "REBUILD"] + dynamic_table_grants = ["ALL PRIVILEGES"] external_table_grants = ["SELECT", "REFERENCES"] view_grants = ["SELECT", "REFERENCES"] materialized_view_grants = ["SELECT", "REFERENCES"] @@ -71,6 +74,7 @@ locals { admin = { schema_grants = ["ALL PRIVILEGES"] table_grants = ["ALL PRIVILEGES"] + dynamic_table_grants = ["ALL PRIVILEGES"] external_table_grants = ["ALL PRIVILEGES"] view_grants = ["ALL PRIVILEGES"] materialized_view_grants = ["ALL PRIVILEGES"] 
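Review bot: The `transformer` template in hunk `@@ -59,6 +61,7 @@` gets `dynamic_table_grants = ["ALL PRIVILEGES"]`, but its `schema_grants` list on the adjacent context line is not extended with `CREATE DYNAMIC TABLE`, so the role can fully operate on dynamic tables yet cannot create one in the schema, unlike every other object type it is allowed to create. Every other object-level entry in that template is an explicit privilege list, and `ALL PRIVILEGES` on all current and future dynamic tables is broader than the table, view and materialized view entries beside it; an explicit list (e.g. `dynamic_table_grants = ["SELECT", "OPERATE", "MONITOR"]`, confirmed against the privileges the provider accepts) would match the template's least-privilege style. The `readwrite` template's `["SELECT"]` looks deliberate, presumably because dynamic tables are not written with DML, and a short comment saying so would stop a later reader from "fixing" it to mirror `table_grants`.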
@@ -129,64 +133,43 @@ locals { if local.roles_definition[role_name].enabled } ) - table_grants_on_existing = merge( - [ - for table in coalesce(one(data.snowflake_tables.this[*].tables), []) : - { - for privilege, roles in transpose({ - for role_name, role in local.roles : local.roles[role_name].name => local.roles_definition[role_name].table_grants - if local.roles_definition[role_name].enabled && local.roles_definition[role_name].add_grants_to_existing_objects - }) : "${table.name}/${privilege}" => { - privilege = privilege - table_name = table.name - roles = roles - } - } - ]... + table_grants_on_existing = transpose( + { + for role_name, role in local.roles : local.roles[role_name].name => local.roles_definition[role_name].table_grants + if local.roles_definition[role_name].enabled && local.roles_definition[role_name].add_grants_to_existing_objects + } ) + dynamic_table_grants = { + for role_name, role in local.roles : local.roles[role_name].name => local.roles_definition[role_name].dynamic_table_grants + if local.roles_definition[role_name].enabled && length(local.roles_definition[role_name].dynamic_table_grants) > 0 + } + dynamic_table_grants_on_existing = { + for role_name, role in local.roles : local.roles[role_name].name => local.roles_definition[role_name].dynamic_table_grants + if local.roles_definition[role_name].enabled && length(local.roles_definition[role_name].dynamic_table_grants) > 0 && local.roles_definition[role_name].add_grants_to_existing_objects + } + external_table_grants = transpose( { for role_name, role in local.roles : local.roles[role_name].name => local.roles_definition[role_name].external_table_grants if local.roles_definition[role_name].enabled } ) - external_table_grants_on_existing = merge( - [ - for table in coalesce(one(data.snowflake_external_tables.this[*].external_tables), []) : - { - for privilege, roles in transpose({ - for role_name, role in local.roles : local.roles[role_name].name => - 
local.roles_definition[role_name].external_table_grants - if local.roles_definition[role_name].enabled && local.roles_definition[role_name].add_grants_to_existing_objects - }) : "${table.name}/${privilege}" => { - privilege = privilege - external_table_name = table.name - roles = roles - } - } - ]... + external_table_grants_on_existing = transpose( + { + for role_name, role in local.roles : local.roles[role_name].name => local.roles_definition[role_name].external_table_grants + if local.roles_definition[role_name].enabled && local.roles_definition[role_name].add_grants_to_existing_objects + } ) view_grants = transpose({ for role_name, role in local.roles : local.roles[role_name].name => local.roles_definition[role_name].view_grants if local.roles_definition[role_name].enabled }) - view_grants_on_existing = merge( - [ - for view in coalesce(one(data.snowflake_views.this[*].views), []) : - { - for privilege, roles in transpose({ - for role_name, role in local.roles : local.roles[role_name].name => local.roles_definition[role_name].view_grants - if local.roles_definition[role_name].enabled && local.roles_definition[role_name].add_grants_to_existing_objects - }) : "${view.name}/${privilege}" => { - privilege = privilege - view_name = view.name - roles = roles - } - } - ]... - ) + view_grants_on_existing = transpose({ for role_name, role in local.roles : local.roles[role_name].name => + local.roles_definition[role_name].view_grants + if local.roles_definition[role_name].enabled && local.roles_definition[role_name].add_grants_to_existing_objects + }) materialized_view_grants = transpose( { 
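Review bot: `dynamic_table_grants` and `dynamic_table_grants_on_existing` are the only locals in hunk `@@ -129,64 +133,43 @@` that are not wrapped in `transpose()`, and the `_on_existing` variant also carries an extra `length(...) > 0` filter that its `*_grants_on_existing` siblings lack; both differences are intentional, since main.tf consumes them as `role_name = each.key` and `privileges = each.value`, but nothing in the file says so. A comment above the first of them, `# Not transposed: snowflake_grant_privileges_to_role takes one role_name and a privileges list, so this map is keyed by role name.`, and one on the filter, `# Roles with an empty list are skipped; with privileges = [] and all_privileges = null the grant resource would presumably be rejected by the provider.`, would make the asymmetry safe to keep. The `locals` block starts and ends outside this hunk.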
@@ -194,20 +177,11 @@ locals { if local.roles_definition[role_name].enabled } ) - materialized_view_grants_on_existing = merge( - [ - for materialized_view in coalesce(one(data.snowflake_materialized_views.this[*].materialized_views), []) : - { - for privilege, roles in transpose({ - for role_name, role in local.roles : local.roles[role_name].name => local.roles_definition[role_name].materialized_view_grants - if local.roles_definition[role_name].enabled && local.roles_definition[role_name].add_grants_to_existing_objects - }) : "${materialized_view.name}/${privilege}" => { - privilege = privilege - materialized_view_name = materialized_view.name - roles = roles - } - } - ]... + materialized_view_grants_on_existing = transpose( + { + for role_name, role in local.roles : local.roles[role_name].name => local.roles_definition[role_name].materialized_view_grants + if local.roles_definition[role_name].enabled && local.roles_definition[role_name].add_grants_to_existing_objects + } ) file_format_grants = transpose( 
@@ -216,81 +190,89 @@ locals { if local.roles_definition[role_name].enabled } ) + file_format_grants_on_existing = transpose( + { + for role_name, role in local.roles : local.roles[role_name].name => local.roles_definition[role_name].file_format_grants + if local.roles_definition[role_name].enabled && local.roles_definition[role_name].add_grants_to_existing_objects + } + ) + function_grants = transpose( { for role_name, role in local.roles : local.roles[role_name].name => local.roles_definition[role_name].function_grants if local.roles_definition[role_name].enabled } ) + function_grants_on_existing = transpose( + { + for role_name, role in local.roles : local.roles[role_name].name => local.roles_definition[role_name].function_grants + if local.roles_definition[role_name].enabled && local.roles_definition[role_name].add_grants_to_existing_objects + } + ) + stage_grants = transpose( { for role_name, role in local.roles : local.roles[role_name].name => local.roles_definition[role_name].stage_grants if local.roles_definition[role_name].enabled } ) + stage_grants_on_existing = transpose( + { + for role_name, role in local.roles : local.roles[role_name].name => local.roles_definition[role_name].stage_grants + if local.roles_definition[role_name].enabled && local.roles_definition[role_name].add_grants_to_existing_objects + } + ) + task_grants = transpose( { for role_name, role in local.roles : local.roles[role_name].name => local.roles_definition[role_name].task_grants if local.roles_definition[role_name].enabled } ) + task_grants_on_existing = transpose( + { + for role_name, role in local.roles : local.roles[role_name].name => local.roles_definition[role_name].task_grants + if local.roles_definition[role_name].enabled && local.roles_definition[role_name].add_grants_to_existing_objects + } + ) + procedure_grants = transpose( { for role_name, role in local.roles : local.roles[role_name].name => local.roles_definition[role_name].procedure_grants if 
local.roles_definition[role_name].enabled } ) + procedure_grants_on_existing = transpose( + { + for role_name, role in local.roles : local.roles[role_name].name => local.roles_definition[role_name].procedure_grants + if local.roles_definition[role_name].enabled && local.roles_definition[role_name].add_grants_to_existing_objects + } + ) + sequence_grants = transpose( { for role_name, role in local.roles : local.roles[role_name].name => local.roles_definition[role_name].sequence_grants if local.roles_definition[role_name].enabled } ) + sequence_grants_on_existing = transpose( + { + for role_name, role in local.roles : local.roles[role_name].name => local.roles_definition[role_name].sequence_grants + if local.roles_definition[role_name].enabled && local.roles_definition[role_name].add_grants_to_existing_objects + } + ) + stream_grants = transpose( { for role_name, role in local.roles : local.roles[role_name].name => local.roles_definition[role_name].stream_grants if local.roles_definition[role_name].enabled } ) - - roles_grant_on_all_statements = local.skip_schema_creation ? 
join("\n", concat( - [ - for role_name, role in local.roles_definition : - format( - "GRANT %s ON ALL TABLES IN SCHEMA %s.%s TO ROLE %s;", - join(", ", role.table_grants), local.database, local.schema, local.roles[role_name].name - ) - if length(role.table_grants) > 0 - ], - [ - for role_name, role in local.roles_definition : - format( - "GRANT %s ON ALL EXTERNAL TABLES IN SCHEMA %s.%s TO ROLE %s;", - join(", ", role.external_table_grants), local.database, local.schema, local.roles[role_name].name - ) - if length(role.external_table_grants) > 0 - ], - [ - for role_name, role in local.roles_definition : - format( - "GRANT %s ON ALL VIEWS IN SCHEMA %s.%s TO ROLE %s;", - join(", ", role.view_grants), local.database, local.schema, local.roles[role_name].name - ) - if length(role.view_grants) > 0 - ], - [ - for role_name, role in local.roles_definition : - format( - "GRANT %s ON ALL MATERIALIZED VIEWS IN SCHEMA %s.%s TO ROLE %s;", - join(", ", role.materialized_view_grants), local.database, local.schema, local.roles[role_name].name - ) - if length(role.materialized_view_grants) > 0 - ], - )) : null - - roles_revoke_on_all_statements = (local.skip_schema_creation - ? replace(local.roles_grant_on_all_statements, "GRANT", "REVOKE") - : null + stream_grants_on_existing = transpose( + { + for role_name, role in local.roles : local.roles[role_name].name => local.roles_definition[role_name].stream_grants + if local.roles_definition[role_name].enabled && local.roles_definition[role_name].add_grants_to_existing_objects + } ) } diff --git a/main.tf b/main.tf index 033b20f..9c29aed 100644 --- a/main.tf +++ b/main.tf @@ -53,7 +53,7 @@ module "snowflake_default_role" { for_each = local.default_roles source = "getindata/role/snowflake" - version = "1.0.3" + version = "1.3.0" context = module.this.context enabled = local.create_default_roles && each.value.enabled 
@@ -71,7 +71,7 @@ module "snowflake_custom_role" { for_each = local.custom_roles source = "getindata/role/snowflake" - version = "1.0.3" + version = "1.3.0" context = module.this.context enabled = module.this.enabled && each.value.enabled @@ -95,13 +95,6 @@ resource "snowflake_schema_grant" "this" { ################################################################ -data "snowflake_tables" "this" { - count = module.this.enabled ? 1 : 0 - - database = local.database - schema = local.schema -} - resource "snowflake_table_grant" "this" { for_each = module.this.enabled ? local.table_grants : {} 
@@ -112,30 +105,54 @@ resource "snowflake_table_grant" "this" { roles = each.value } -#This is done due to lack of GRANT ON ALL statement in the Terraform Snowflake provider -#https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/250 resource "snowflake_table_grant" "existing" { - for_each = local.skip_schema_creation ? local.table_grants_on_existing : {} + for_each = module.this.enabled ? local.table_grants_on_existing : {} database_name = local.database schema_name = local.schema - table_name = each.value.table_name - privilege = each.value.privilege - roles = each.value.roles + on_all = true + privilege = each.key + roles = each.value } ################################################################ - ################################################################ -data "snowflake_external_tables" "this" { - count = local.skip_schema_creation ? 1 : 0 +resource "snowflake_grant_privileges_to_role" "dynamic_table" { + for_each = module.this.enabled ? local.dynamic_table_grants : {} - database = local.database - schema = local.schema + privileges = each.value != ["ALL PRIVILEGES"] ? each.value : null + all_privileges = each.value == ["ALL PRIVILEGES"] ? true : null + role_name = each.key + + on_schema_object { + future { + object_type_plural = "DYNAMIC TABLES" + in_schema = join(".", [local.database, local.schema]) + } + } +} + +resource "snowflake_grant_privileges_to_role" "existing_dynamic_table" { + for_each = module.this.enabled ? local.dynamic_table_grants_on_existing : {} + + privileges = each.value != ["ALL PRIVILEGES"] ? each.value : null + all_privileges = each.value == ["ALL PRIVILEGES"] ? 
true : null + role_name = each.key + + on_schema_object { + all { + object_type_plural = "DYNAMIC TABLES" + in_schema = join(".", [local.database, local.schema]) + } + } } +################################################################ + +################################################################ + resource "snowflake_external_table_grant" "this" { for_each = module.this.enabled ? local.external_table_grants : {} @@ -146,16 +163,14 @@ resource "snowflake_external_table_grant" "this" { roles = each.value } -#This is done due to lack of GRANT ON ALL statement in the Terraform Snowflake provider -#https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/250 resource "snowflake_external_table_grant" "existing" { - for_each = local.skip_schema_creation ? local.external_table_grants_on_existing : {} + for_each = module.this.enabled ? local.external_table_grants_on_existing : {} - database_name = local.database - schema_name = local.schema - external_table_name = each.value.external_table_name - privilege = each.value.privilege - roles = each.value.roles + database_name = local.database + schema_name = local.schema + on_all = true + privilege = each.key + roles = each.value } ################################################################ @@ -163,13 +178,6 @@ resource "snowflake_external_table_grant" "existing" { ################################################################ -data "snowflake_views" "this" { - count = local.skip_schema_creation ? 1 : 0 - - database = local.database - schema = local.schema -} - resource "snowflake_view_grant" "this" { for_each = module.this.enabled ? local.view_grants : {} 
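Review bot: In `snowflake_grant_privileges_to_role.dynamic_table` and `existing_dynamic_table` (hunk `@@ -112,30 +105,54 @@`) the `ALL PRIVILEGES` detection is an exact-list comparison, `each.value == ["ALL PRIVILEGES"]`, so a definition like `["SELECT", "ALL PRIVILEGES"]` falls through to `privileges = each.value` and is handed to the provider verbatim, and if Terraform does not unify a `list(string)` operand with the tuple literal the comparison may never be true at all, which is worth checking in `terraform console`. `contains()` avoids both problems: `privileges = contains(each.value, "ALL PRIVILEGES") ? null : each.value` and `all_privileges = contains(each.value, "ALL PRIVILEGES") ? true : null`, applied in both resources. The `*_grant` resources in the neighbouring hunks do not need this because the provider takes the privilege string as-is there.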
@@ -180,16 +188,14 @@ resource "snowflake_view_grant" "this" { roles = each.value } -#This is done due to lack of GRANT ON ALL statement in the Terraform Snowflake provider -#https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/250 resource "snowflake_view_grant" "existing" { - for_each = local.skip_schema_creation ? local.view_grants_on_existing : {} + for_each = module.this.enabled ? local.view_grants_on_existing : {} database_name = local.database schema_name = local.schema - view_name = each.value.view_name - privilege = each.value.privilege - roles = each.value.roles + on_all = true + privilege = each.key + roles = each.value } ################################################################ @@ -198,13 +204,6 @@ resource "snowflake_view_grant" "existing" { ################################################################ -data "snowflake_materialized_views" "this" { - count = local.skip_schema_creation ? 1 : 0 - - database = local.database - schema = local.schema -} - resource "snowflake_materialized_view_grant" "this" { for_each = module.this.enabled ? local.materialized_view_grants : {} @@ -215,16 +214,14 @@ resource "snowflake_materialized_view_grant" "this" { roles = each.value } -#This is done due to lack of GRANT ON ALL statement in the Terraform Snowflake provider -#https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/250 resource "snowflake_materialized_view_grant" "existing" { - for_each = local.skip_schema_creation ? local.materialized_view_grants_on_existing : {} + for_each = module.this.enabled ? local.materialized_view_grants_on_existing : {} - database_name = local.database - schema_name = local.schema - materialized_view_name = each.value.materialized_view_name - privilege = each.value.privilege - roles = each.value.roles + database_name = local.database + schema_name = local.schema + on_all = true + privilege = each.key + roles = each.value } ################################################################ 
@@ -239,6 +236,22 @@ resource "snowflake_file_format_grant" "this" { roles = each.value } +resource "snowflake_file_format_grant" "existing" { + for_each = module.this.enabled ? local.file_format_grants_on_existing : {} + + database_name = local.database + schema_name = local.schema + on_all = true + privilege = each.key + roles = each.value +} + +################################################################ + + + +################################################################ + resource "snowflake_function_grant" "this" { for_each = module.this.enabled ? local.function_grants : {} @@ -249,6 +262,22 @@ resource "snowflake_function_grant" "this" { roles = each.value } +resource "snowflake_function_grant" "existing" { + for_each = module.this.enabled ? local.function_grants_on_existing : {} + + database_name = local.database + schema_name = local.schema + on_all = true + privilege = each.key + roles = each.value +} + +################################################################ + + + +################################################################ + resource "snowflake_stage_grant" "this" { for_each = module.this.enabled ? local.stage_grants : {} @@ -259,6 +288,22 @@ resource "snowflake_stage_grant" "this" { roles = each.value } +resource "snowflake_stage_grant" "existing" { + for_each = module.this.enabled ? local.stage_grants_on_existing : {} + + database_name = local.database + schema_name = local.schema + on_all = true + privilege = each.key + roles = each.value +} + +################################################################ + + + +################################################################ + resource "snowflake_task_grant" "this" { for_each = module.this.enabled ? local.task_grants : {} 
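Review bot: The new `snowflake_file_format_grant.existing` block, and its identical siblings for function and stage in this hunk, task, procedure and sequence in the next, stream in `@@ -298,3 +391,13 @@` and the rewritten table, external table, view and materialized view `existing` resources, all set `on_all = true` with no comment, while the commit removes the `#This is done due to lack of GRANT ON ALL statement ...` note that previously explained why an `existing` counterpart exists at all. A short comment above each `existing` resource, `# Grants on objects that already exist in the schema at apply time (ON ALL); the "this" resource covers objects created later.`, would restore that context, with the second half phrased as an assumption unless the `this` resources do use `on_future`, which is outside the hunk. It is also worth a sentence in the `add_grants_to_existing_objects` description that enabling it now grants on every existing object of these types in the schema, since the gate moved from `skip_schema_creation` to `module.this.enabled`.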
@@ -269,6 +314,22 @@ resource "snowflake_task_grant" "this" { roles = each.value } +resource "snowflake_task_grant" "existing" { + for_each = module.this.enabled ? local.task_grants_on_existing : {} + + database_name = local.database + schema_name = local.schema + on_all = true + privilege = each.key + roles = each.value +} + +################################################################ + + + +################################################################ + resource "snowflake_procedure_grant" "this" { for_each = module.this.enabled ? local.procedure_grants : {} @@ -279,6 +340,22 @@ resource "snowflake_procedure_grant" "this" { roles = each.value } +resource "snowflake_procedure_grant" "existing" { + for_each = module.this.enabled ? local.procedure_grants_on_existing : {} + + database_name = local.database + schema_name = local.schema + on_all = true + privilege = each.key + roles = each.value +} + +################################################################ + + + +################################################################ + resource "snowflake_sequence_grant" "this" { for_each = module.this.enabled ? local.sequence_grants : {} @@ -289,6 +366,22 @@ resource "snowflake_sequence_grant" "this" { roles = each.value } +resource "snowflake_sequence_grant" "existing" { + for_each = module.this.enabled ? local.sequence_grants_on_existing : {} + + database_name = local.database + schema_name = local.schema + on_all = true + privilege = each.key + roles = each.value +} + +################################################################ + + + +################################################################ + resource "snowflake_stream_grant" "this" { for_each = module.this.enabled ? local.stream_grants : {} 
@@ -298,3 +391,13 @@ resource "snowflake_stream_grant" "this" { privilege = each.key roles = each.value } + +resource "snowflake_stream_grant" "existing" { + for_each = module.this.enabled ? local.stream_grants_on_existing : {} + + database_name = local.database + schema_name = local.schema + on_all = true + privilege = each.key + roles = each.value +} diff --git a/outputs.tf b/outputs.tf index 034bb2a..19025d2 100644 --- a/outputs.tf +++ b/outputs.tf @@ -32,25 +32,3 @@ output "roles" { description = "Snowflake Roles" value = local.roles } - -output "roles_grant_on_all_statements" { - description = <