Merge pull request #9 from getindata/feature/grant_default_roles

feat: Automatically grant user default roles
getindata · Feb 23, 2023 · 32d0bcc · 32d0bcc
2 parents 604003d + c0ae321
commit 32d0bcc
Show file tree

Hide file tree

Showing 8 changed files with 58 additions and 29 deletions.
diff --git a/README.md b/README.md
@@ -1,4 +1,5 @@
 # Snowflake User Terraform Module
+
 ![Snowflake](https://img.shields.io/badge/-SNOWFLAKE-249edc?style=for-the-badge&logo=snowflake&logoColor=white)
 ![Terraform](https://img.shields.io/badge/terraform-%235835CC.svg?style=for-the-badge&logo=terraform&logoColor=white)
 
@@ -10,22 +11,27 @@
   <h3 align="center">We help companies turn their data into assets</h3>
 </p>
 
-Terraform module for creating Snowflake user. 
+Terraform module for creating Snowflake user.
+
+This module can:
+
+* Create and manage Snowflake Users
+* Automatically generate RSA private and public keys for the User
+* Automatically grant `default_role` and `default_secondary_roles` to the User
+
 ## Usage
+
 ```terraform
 module "terraform_snowflake_user" {
   source = "getindata/terraform-snowflake/user"
   name = "snowflake-user"
 }
 ```
+
 ---
 
 <!-- BEGIN_TF_DOCS -->
-# Snowflake User
 
-Terraform module can:
-* Create and manage Snowflake Users
-* Automatically generate RSA private and public keys for the user
 
 
 
@@ -51,6 +57,7 @@ Terraform module can:
 | <a name="input_first_name"></a> [first\_name](#input\_first\_name) | First name of the user | `string` | `null` | no |
 | <a name="input_generate_password"></a> [generate\_password](#input\_generate\_password) | Generate a random password using Terraform | `bool` | `false` | no |
 | <a name="input_generate_rsa_key"></a> [generate\_rsa\_key](#input\_generate\_rsa\_key) | Whether automatically generate an RSA key - IMPORTANT <br>    The private key generated by this resource will be stored <br>    unencrypted in your Terraform state file. <br>    Use of this resource for production deployments is not recommended. | `bool` | `false` | no |
+| <a name="input_grant_default_roles"></a> [grant\_default\_roles](#input\_grant\_default\_roles) | Whether to grant default\_role and default\_secondary\_roles to Snowflake User | `bool` | `true` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | <a name="input_label_key_case"></a> [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.<br>Does not affect keys of tags passed in via the `tags` input.<br>Possible values: `lower`, `title`, `upper`.<br>Default value: `title`. | `string` | `null` | no |
 | <a name="input_label_order"></a> [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
@@ -114,6 +121,8 @@ Terraform module can:
 | Name | Type |
 |------|------|
 | [random_password.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
+| [snowflake_role_grants.default_role](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
+| [snowflake_role_grants.default_secondary_roles](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
 | [snowflake_user.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/user) | resource |
 | [tls_private_key.this](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
 <!-- END_TF_DOCS -->

diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -1,7 +1,18 @@
+resource "snowflake_role" "user_role" {
+  name = "SNOWFLAKE_USER_ROLE"
+}
+
+resource "snowflake_role" "secondary_role" {
+  name = "SNOWFLAKE_SECOND_ROLE"
+}
+
 module "terraform_snowflake_user" {
   source            = "../../"
   context           = module.this.context
   name              = "snowflake-user"
   generate_rsa_key  = true
   generate_password = true
+
+  default_role            = resource.snowflake_role.user_role.name
+  default_secondary_roles = [resource.snowflake_role.secondary_role.name]
 }
diff --git a/examples/complete/providers.tf b/examples/complete/providers.tf
@@ -1,3 +1 @@
-provider "null" {
-  # Configuration options
-}
+provider "snowflake" {}
diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
@@ -1,10 +1,9 @@
 terraform {
-  required_version = ">= 1.3.0"
-
+  required_version = ">= 1.3"
   required_providers {
-    null = {
-      source  = "hashicorp/null"
-      version = "3.1.1"
+    snowflake = {
+      source  = "Snowflake-Labs/snowflake"
+      version = "~> 0.54"
     }
   }
 }
diff --git a/examples/simple/providers.tf b/examples/simple/providers.tf
@@ -1,2 +1 @@
-provider "null" {
-}
+provider "snowflake" {}
diff --git a/examples/simple/versions.tf b/examples/simple/versions.tf
@@ -1,10 +1,9 @@
 terraform {
-  required_version = ">= 1.3.0"
-
+  required_version = ">= 1.3"
   required_providers {
-    null = {
-      source  = "hashicorp/null"
-      version = "3.1.1"
+    snowflake = {
+      source  = "Snowflake-Labs/snowflake"
+      version = "~> 0.54"
     }
   }
 }
diff --git a/main.tf b/main.tf
@@ -1,10 +1,3 @@
-/*
-* # Snowflake User
-* 
-* Terraform module can:
-* * Create and manage Snowflake Users
-* * Automatically generate RSA private and public keys for the user
-*/
 module "user_label" {
   source  = "cloudposse/label/null"
   version = "0.25.0"
@@ -16,14 +9,15 @@ module "user_label" {
 }
 
 resource "tls_private_key" "this" {
-  count = local.generate_rsa_key ? 1 : 0
+  count = module.this.enabled && local.generate_rsa_key ? 1 : 0
 
   algorithm = "RSA"
   rsa_bits  = 4096
 }
 
 resource "random_password" "this" {
-  count            = local.generate_password ? 1 : 0
+  count = module.this.enabled && local.generate_password ? 1 : 0
+
   length           = 16
   special          = true
   override_special = "!#$%&*()-_=+[]{}<>:?"
@@ -52,3 +46,17 @@ resource "snowflake_user" "this" {
   rsa_public_key   = local.rsa_public_key
   rsa_public_key_2 = var.rsa_public_key_2
 }
+
+resource "snowflake_role_grants" "default_role" {
+  count = module.this.enabled && var.grant_default_roles && var.default_role != null ? 1 : 0
+
+  role_name = var.default_role
+  users     = [one(resource.snowflake_user.this[*].name)]
+}
+
+resource "snowflake_role_grants" "default_secondary_roles" {
+  for_each = module.this.enabled && var.grant_default_roles ? toset(var.default_secondary_roles) : []
+
+  role_name = each.key
+  users     = [one(resource.snowflake_user.this[*].name)]
+}
diff --git a/variables.tf b/variables.tf
@@ -102,3 +102,9 @@ variable "must_change_password" {
   type        = bool
   default     = true
 }
+
+variable "grant_default_roles" {
+  description = "Whether to grant default_role and default_secondary_roles to Snowflake User"
+  type        = bool
+  default     = true
+}