Merge pull request #10 from getindata/fix/add-on_all-flag-to-grants

fix: Add missing logic needed to support `on_all` flag
getindata · Dec 28, 2023 · 03071d2 · 03071d2
2 parents 3241a79 + 04729f8
commit 03071d2
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 4 deletions.
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -29,4 +29,13 @@ module "snowflake_role" {
       privileges    = ["SELECT"]
     }
   ]
+
+  view_grants = [
+    {
+      database_name = "LOGS_DB"
+      schema_name   = "BRONZE"
+      on_all        = true
+      privileges    = ["SELECT"]
+    }
+  ]
 }
diff --git a/locals.tf b/locals.tf
@@ -17,39 +17,44 @@ locals {
   }]...)
 
   schema_grants = merge([for schema_grant in var.schema_grants : {
-    for privilege in schema_grant.privileges : "${schema_grant.database_name}/${schema_grant.schema_name}/${privilege}" => {
+    for privilege in schema_grant.privileges : "${schema_grant.database_name}/${coalesce(schema_grant.schema_name, schema_grant.on_future != null ? "on_future" : "on_all")}/${privilege}" => {
       database_name = schema_grant.database_name
       schema_name   = schema_grant.schema_name
+      on_future     = schema_grant.on_future
+      on_all        = schema_grant.on_all
       privilege     = privilege
     }
   }]...)
 
   table_grants = merge([for table_grant in var.table_grants : {
-    for privilege in table_grant.privileges : "${table_grant.database_name}/${table_grant.schema_name}/${coalesce(table_grant.table_name, "on_future")}/${privilege}" => {
+    for privilege in table_grant.privileges : "${table_grant.database_name}/${table_grant.schema_name}/${coalesce(table_grant.table_name, table_grant.on_future != null ? "on_future" : "on_all")}/${privilege}" => {
       database_name = table_grant.database_name
       schema_name   = table_grant.schema_name
       table_name    = table_grant.table_name
       on_future     = table_grant.on_future
+      on_all        = table_grant.on_all
       privilege     = privilege
     }
   }]...)
 
   external_table_grants = merge([for table_grant in var.external_table_grants : {
-    for privilege in table_grant.privileges : "${table_grant.database_name}/${table_grant.schema_name}/${coalesce(table_grant.external_table_name, "on_future")}/${privilege}" => {
+    for privilege in table_grant.privileges : "${table_grant.database_name}/${table_grant.schema_name}/${coalesce(table_grant.external_table_name, table_grant.on_future != null ? "on_future" : "on_all")}/${privilege}" => {
       database_name       = table_grant.database_name
       schema_name         = table_grant.schema_name
       external_table_name = table_grant.external_table_name
       on_future           = table_grant.on_future
+      on_all              = table_grant.on_all
       privilege           = privilege
     }
   }]...)
 
   view_grants = merge([for view_grant in var.view_grants : {
-    for privilege in view_grant.privileges : "${view_grant.database_name}/${view_grant.schema_name}/${coalesce(view_grant.view_name, "on_future")}/${privilege}" => {
+    for privilege in view_grant.privileges : "${view_grant.database_name}/${view_grant.schema_name}/${coalesce(view_grant.view_name, view_grant.on_future != null ? "on_future" : "on_all")}/${privilege}" => {
       database_name = view_grant.database_name
       schema_name   = view_grant.schema_name
       view_name     = view_grant.view_name
       on_future     = view_grant.on_future
+      on_all        = view_grant.on_all
       privilege     = privilege
     }
   }]...)

diff --git a/variables.tf b/variables.tf
@@ -53,6 +53,10 @@ variable "schema_grants" {
     on_future     = optional(bool)
   }))
   default = []
+  validation {
+    condition     = alltrue([for schema_grant in var.schema_grants : anytrue([schema_grant.schema_name != null, schema_grant.on_future, schema_grant.on_all])])
+    error_message = "Variable `schema_grants` fails validation - one of `schema_name`, `on_future` or `on_all` has to be set (not null / true)."
+  }
 }
 
 variable "table_grants" {
@@ -66,6 +70,10 @@ variable "table_grants" {
     privileges    = list(string)
   }))
   default = []
+  validation {
+    condition     = alltrue([for table_grant in var.table_grants : anytrue([table_grant.table_name != null, table_grant.on_future, table_grant.on_all])])
+    error_message = "Variable `table_grants` fails validation - one of `table_name`, `on_future` or `on_all` has to be set (not null / true)."
+  }
 }
 
 variable "external_table_grants" {
@@ -79,6 +87,10 @@ variable "external_table_grants" {
     privileges          = list(string)
   }))
   default = []
+  validation {
+    condition     = alltrue([for external_table_grant in var.external_table_grants : anytrue([external_table_grant.external_table_name != null, external_table_grant.on_future, external_table_grant.on_all])])
+    error_message = "Variable `external_table_grants` fails validation - one of `external_table_name`, `on_future` or `on_all` has to be set (not null / true)."
+  }
 }
 
 variable "view_grants" {
@@ -92,6 +104,10 @@ variable "view_grants" {
     privileges    = list(string)
   }))
   default = []
+  validation {
+    condition     = alltrue([for view_grant in var.view_grants : anytrue([view_grant.view_name != null, view_grant.on_future, view_grant.on_all])])
+    error_message = "Variable `view_grants` fails validation - one of `view_name`, `on_future` or `on_all` has to be set (not null / true)."
+  }
 }
 
 variable "descriptor_name" {