feat: Align module with snowflake provider changes

.github/workflows/pre-commit.yml

@@ -12,7 +12,3 @@ on:
 jobs:
   main:
     uses: getindata/github-workflows/.github/workflows/tf-pre-commit.yml@v1
-    with:
-      # tflint v0.46.0 is the latest version we can use with pre-commit v0.1.20
-      # See .pre-commit-config.yaml for more details.
-      tflint-version: v0.46.0

.pre-commit-config.yaml

@@ -1,30 +1,27 @@
 repos:
   - repo: https://github.com/gruntwork-io/pre-commit
-    # Stick to v0.1.20 until this bug is fixed: https://github.com/gruntwork-io/pre-commit/issues/102
-    # When updating, also check if tflint version in pre-commit workflow can be updated.
-    rev: "v0.1.20" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases
+    rev: "v0.1.23" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases
     hooks:
       - id: terraform-validate # It should be the first step as it runs terraform init required by tflint
       - id: terraform-fmt
       - id: tflint
         args:
-          - --module
-          - --config=.tflint.hcl
+          - "--config=__GIT_ROOT__/.tflint.hcl"
 
   - repo: https://github.com/terraform-docs/terraform-docs
-    rev: "v0.16.0" # Get the latest from: https://github.com/terraform-docs/terraform-docs/releases
+    rev: "v0.18.0" # Get the latest from: https://github.com/terraform-docs/terraform-docs/releases
     hooks:
       - id: terraform-docs-go
         args: ["."]
 
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: "2.5.13" # Get the latest from: https://github.com/bridgecrewio/checkov/releases
+    rev: "3.2.213" # Get the latest from: https://github.com/bridgecrewio/checkov/releases
     hooks:
       - id: checkov
         args: [--skip-check, "CKV_TF_1"] # Terraform module sources do not use a git url with a commit hash revision
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: "v4.5.0" # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
+    rev: "v4.6.0" # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases
     hooks:
       - id: check-merge-conflict
         args: ["--assume-in-merge"]

.tflint.hcl

@@ -5,12 +5,12 @@ config {
 }
 
 plugin "terraform" {
-    enabled = true
-    version = "0.5.0"
-    source  = "github.com/terraform-linters/tflint-ruleset-terraform"
-    preset  = "all"
+  enabled = true
+  version = "0.5.0"
+  source  = "github.com/terraform-linters/tflint-ruleset-terraform"
+  preset  = "all"
 }
 
 rule "terraform_standard_module_structure" {
-  enabled = false  # Fails on context.tf
+  enabled = false # Fails on context.tf
 }

README.md

@@ -23,7 +23,6 @@ Terraform module for Snowflake Warehouse management
 * Can create custom Snowflake Roles with role-to-role, role-to-user assignments
 * Can create a set of default, functional roles to simplify access management:
   * `ADMIN` - full access
-  * `MODIFY` - abillity to modify warehouse
   * `MONITOR` - abillity to monitor warehouse
   * `USAGE` - abillity to use warehouse
 
@@ -56,7 +55,7 @@ module "terraform_snowflake_warehouse" {
 
 ## NOTES
 
-_Additional information that should be made public, for ex. how to solve known issues, additional descriptions/suggestions_
+When upgrading to version `v2.2.x` - all `default_roles` will be recreated using new terraform resources.
 
 ## EXAMPLES
 
@@ -99,23 +98,23 @@ _Additional information that should be made public, for ex. how to solve known i
 | <a name="input_query_acceleration_max_scale_factor"></a> [query\_acceleration\_max\_scale\_factor](#input\_query\_acceleration\_max\_scale\_factor) | Specifies the maximum scale factor for leasing compute resources for query acceleration. The scale factor is used as a multiplier based on warehouse size. | `number` | `null` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
 | <a name="input_resource_monitor"></a> [resource\_monitor](#input\_resource\_monitor) | Specifies the name of a resource monitor that is explicitly assigned to the warehouse. | `string` | `null` | no |
-| <a name="input_roles"></a> [roles](#input\_roles) | Roles created on the warehouse level | <pre>map(object({<br>    enabled              = optional(bool, true)<br>    descriptor_name      = optional(string, "snowflake-role")<br>    comment              = optional(string)<br>    role_ownership_grant = optional(string)<br>    granted_roles        = optional(list(string))<br>    granted_to_roles     = optional(list(string))<br>    granted_to_users     = optional(list(string))<br>    warehouse_grants     = optional(list(string))<br>  }))</pre> | `{}` | no |
-| <a name="input_scaling_policy"></a> [scaling\_policy](#input\_scaling\_policy) | Specifies the policy for automatically starting and shutting down clusters in a multi-cluster warehouse running in Auto-scale mode. | `string` | `null` | no |
+| <a name="input_roles"></a> [roles](#input\_roles) | Account roles created on the warehouse level | <pre>map(object({<br>    enabled              = optional(bool, true)<br>    descriptor_name      = optional(string, "snowflake-role")<br>    comment              = optional(string)<br>    role_ownership_grant = optional(string)<br>    granted_roles        = optional(list(string))<br>    granted_to_roles     = optional(list(string))<br>    granted_to_users     = optional(list(string))<br>    warehouse_grants = optional(object({<br>      all_privileges    = optional(bool)<br>      with_grant_option = optional(bool, false)<br>      privileges        = optional(list(string))<br>    }))<br>  }))</pre> | `{}` | no |
+| <a name="input_scaling_policy"></a> [scaling\_policy](#input\_scaling\_policy) | Specifies the policy for automatically starting and shutting down clusters in a multi-cluster warehouse running in Auto-scale mode. Valid values are `STANDARD` and `ECONOMY`. | `string` | `null` | no |
 | <a name="input_stage"></a> [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | <a name="input_statement_queued_timeout_in_seconds"></a> [statement\_queued\_timeout\_in\_seconds](#input\_statement\_queued\_timeout\_in\_seconds) | Object parameter that specifies the time, in seconds, a SQL statement (query, DDL, DML, etc.) can be queued on a warehouse before it is canceled by the system. | `number` | `null` | no |
 | <a name="input_statement_timeout_in_seconds"></a> [statement\_timeout\_in\_seconds](#input\_statement\_timeout\_in\_seconds) | Specifies the time, in seconds, after which a running SQL statement (query, DDL, DML, etc.) is canceled by the system | `number` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).<br>Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
 | <a name="input_tenant"></a> [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
-| <a name="input_warehouse_size"></a> [warehouse\_size](#input\_warehouse\_size) | Specifies the size of the virtual warehouse. | `string` | `"X-Small"` | no |
+| <a name="input_warehouse_size"></a> [warehouse\_size](#input\_warehouse\_size) | Specifies the size of the virtual warehouse. Possible values are: XSMALL, X-SMALL, SMALL, MEDIUM, LARGE, XLARGE, X-LARGE, XXLARGE, X2LARGE, 2X-LARGE, XXXLARGE, X3LARGE, 3X-LARGE, X4LARGE, 4X-LARGE, X5LARGE, 5X-LARGE, X6LARGE, 6X-LARGE. | `string` | `"X-Small"` | no |
 | <a name="input_warehouse_type"></a> [warehouse\_type](#input\_warehouse\_type) | Specifies the type of the virtual warehouse. | `string` | `"STANDARD"` | no |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_roles_deep_merge"></a> [roles\_deep\_merge](#module\_roles\_deep\_merge) | Invicton-Labs/deepmerge/null | 0.1.5 |
-| <a name="module_snowflake_custom_role"></a> [snowflake\_custom\_role](#module\_snowflake\_custom\_role) | getindata/role/snowflake | 1.0.3 |
-| <a name="module_snowflake_default_role"></a> [snowflake\_default\_role](#module\_snowflake\_default\_role) | getindata/role/snowflake | 1.0.3 |
+| <a name="module_snowflake_custom_role"></a> [snowflake\_custom\_role](#module\_snowflake\_custom\_role) | getindata/role/snowflake | 2.1.0 |
+| <a name="module_snowflake_default_role"></a> [snowflake\_default\_role](#module\_snowflake\_default\_role) | getindata/role/snowflake | 2.1.0 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 | <a name="module_warehouse_label"></a> [warehouse\_label](#module\_warehouse\_label) | cloudposse/label/null | 0.25.0 |
 
@@ -130,21 +129,20 @@ _Additional information that should be made public, for ex. how to solve known i
 
 | Name | Version |
 |------|---------|
-| <a name="provider_snowflake"></a> [snowflake](#provider\_snowflake) | ~> 0.53 |
+| <a name="provider_snowflake"></a> [snowflake](#provider\_snowflake) | ~> 0.94 |
 
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
-| <a name="requirement_snowflake"></a> [snowflake](#requirement\_snowflake) | ~> 0.53 |
+| <a name="requirement_snowflake"></a> [snowflake](#requirement\_snowflake) | ~> 0.94 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
 | [snowflake_warehouse.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/warehouse) | resource |
-| [snowflake_warehouse_grant.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/warehouse_grant) | resource |
 <!-- END_TF_DOCS -->
 
 ## CONTRIBUTING

examples/complete/main.tf

@@ -1,9 +1,9 @@
-resource "snowflake_role" "this_admin" {
+resource "snowflake_account_role" "this_admin" {
   name    = "WAREHOUSE_ADMIN"
   comment = "Role for Snowflake Administrators"
 }
 
-resource "snowflake_role" "this_dev" {
+resource "snowflake_account_role" "this_dev" {
   name    = "WAREHOUSE_DEV"
   comment = "Role for Snowflake Developers"
 }
@@ -59,11 +59,19 @@ module "terraform_snowflake_warehouse" {
 
   roles = {
     admin = {
-      granted_to_roles = [snowflake_role.this_admin.name]
+      granted_to_roles = [snowflake_account_role.this_admin.name]
     }
     custom_role = {
-      warehouse_grants = ["USAGE", "MODIFY"]
-      granted_to_roles = [snowflake_role.this_dev.name]
+      warehouse_grants = {
+        privileges = ["USAGE", "MODIFY"]
+      }
+      granted_to_roles = [snowflake_account_role.this_dev.name]
     }
   }
+
+  depends_on = [
+    snowflake_account_role.this_admin,
+    snowflake_account_role.this_dev,
+    snowflake_resource_monitor.this
+  ]
 }

examples/complete/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     snowflake = {
       source  = "Snowflake-Labs/snowflake"
-      version = "~> 0.47"
+      version = "~> 0.94"
     }
   }
 }

examples/simple/versions.tf

@@ -1,10 +1,3 @@
 terraform {
   required_version = ">= 1.3"
-
-  required_providers {
-    snowflake = {
-      source  = "Snowflake-Labs/snowflake"
-      version = "~> 0.47"
-    }
-  }
 }

locals.tf

@@ -8,13 +8,25 @@ locals {
 
   default_roles_definition = {
     usage = {
-      warehouse_grants = ["USAGE", "OPERATE"]
+      warehouse_grants = {
+        all_privileges    = null
+        privileges        = ["USAGE", "OPERATE"]
+        with_grant_option = false
+      }
     }
     monitor = {
-      warehouse_grants = ["MONITOR"]
+      warehouse_grants = {
+        privileges        = ["MONITOR"]
+        all_privileges    = null
+        with_grant_option = false
+      }
     }
     admin = {
-      warehouse_grants = ["MODIFY", "MONITOR", "USAGE", "OPERATE", "OWNERSHIP"]
+      warehouse_grants = {
+        all_privileges    = true
+        privileges        = null
+        with_grant_option = false
+      }
     }
   }
 

main.tf

@@ -40,7 +40,8 @@ module "snowflake_default_role" {
   for_each = local.default_roles
 
   source  = "getindata/role/snowflake"
-  version = "1.0.3"
+  version = "2.1.0"
+
   context = module.this.context
 
   name            = each.key
@@ -52,13 +53,27 @@ module "snowflake_default_role" {
   granted_to_users     = lookup(each.value, "granted_to_users", [])
   granted_to_roles     = lookup(each.value, "granted_to_roles", [])
   granted_roles        = lookup(each.value, "granted_roles", [])
+
+  account_objects_grants = {
+    WAREHOUSE = [{
+      all_privileges    = each.value.warehouse_grants.all_privileges
+      privileges        = each.value.warehouse_grants.privileges
+      with_grant_option = each.value.warehouse_grants.with_grant_option
+      object_name       = one(snowflake_warehouse.this[*].name)
+    }]
+  }
+
+  depends_on = [
+    snowflake_warehouse.this
+  ]
 }
 
 module "snowflake_custom_role" {
   for_each = local.custom_roles
 
   source  = "getindata/role/snowflake"
-  version = "1.0.3"
+  version = "2.1.0"
+
   context = module.this.context
 
   name            = each.key
@@ -70,19 +85,17 @@ module "snowflake_custom_role" {
   granted_to_users     = lookup(each.value, "granted_to_users", [])
   granted_to_roles     = lookup(each.value, "granted_to_roles", [])
   granted_roles        = lookup(each.value, "granted_roles", [])
-}
 
-resource "snowflake_warehouse_grant" "this" {
-  for_each = local.enabled ? transpose({ for role_name, role in local.roles : local.roles[role_name].name =>
-    lookup(local.roles_definition[role_name], "warehouse_grants", [])
-    if lookup(local.roles_definition[role_name], "enabled", true)
-  }) : {}
-  warehouse_name = one(resource.snowflake_warehouse.this[*]).name
-  privilege      = each.key
-  roles          = each.value
-
-  # Whole configuration should be maintained "as Code" so below
-  # options should be disabled in all use-cases
-  enable_multiple_grants = false
-  with_grant_option      = false
+  account_objects_grants = {
+    WAREHOUSE = [{
+      all_privileges    = each.value.warehouse_grants.all_privileges
+      privileges        = each.value.warehouse_grants.privileges
+      with_grant_option = each.value.warehouse_grants.with_grant_option
+      object_name       = one(snowflake_warehouse.this[*].name)
+    }]
+  }
+
+  depends_on = [
+    snowflake_warehouse.this
+  ]
 }

variables.tf

@@ -5,7 +5,7 @@ variable "comment" {
 }
 
 variable "warehouse_size" {
-  description = "Specifies the size of the virtual warehouse."
+  description = "Specifies the size of the virtual warehouse. Possible values are: XSMALL, X-SMALL, SMALL, MEDIUM, LARGE, XLARGE, X-LARGE, XXLARGE, X2LARGE, 2X-LARGE, XXXLARGE, X3LARGE, 3X-LARGE, X4LARGE, 4X-LARGE, X5LARGE, 5X-LARGE, X6LARGE, 6X-LARGE."
   type        = string
   default     = "X-Small"
 }
@@ -51,7 +51,7 @@ variable "max_cluster_count" {
 }
 
 variable "scaling_policy" {
-  description = "Specifies the policy for automatically starting and shutting down clusters in a multi-cluster warehouse running in Auto-scale mode."
+  description = "Specifies the policy for automatically starting and shutting down clusters in a multi-cluster warehouse running in Auto-scale mode. Valid values are `STANDARD` and `ECONOMY`."
   type        = string
   default     = null
 }
@@ -93,7 +93,7 @@ variable "resource_monitor" {
 }
 
 variable "roles" {
-  description = "Roles created on the warehouse level"
+  description = "Account roles created on the warehouse level"
   type = map(object({
     enabled              = optional(bool, true)
     descriptor_name      = optional(string, "snowflake-role")
@@ -102,7 +102,11 @@ variable "roles" {
     granted_roles        = optional(list(string))
     granted_to_roles     = optional(list(string))
     granted_to_users     = optional(list(string))
-    warehouse_grants     = optional(list(string))
+    warehouse_grants = optional(object({
+      all_privileges    = optional(bool)
+      with_grant_option = optional(bool, false)
+      privileges        = optional(list(string))
+    }))
   }))
   default = {}
 }

versions.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     snowflake = {
       source  = "Snowflake-Labs/snowflake"
-      version = "~> 0.53"
+      version = "~> 0.94"
     }
   }
 }