From 09f67b423eeeb27bbd8905cb53de44874965e097 Mon Sep 17 00:00:00 2001
From: Artur Sawicki
Date: Wed, 6 Nov 2024 15:12:03 +0100
Subject: [PATCH] Fix handling compute pools privileges References: #2717
---
 pkg/acceptance/helpers/compute_pool_client.go | 47 +++++++++++++++++++
 pkg/acceptance/helpers/test_client.go | 2 +
 .../grant_privileges_to_account_role.go | 3 ++
 ...vileges_to_account_role_acceptance_test.go | 47 +++++++++++++++++++
 .../OnAccountObject_gh2717/test.tf | 8 ++++
 .../OnAccountObject_gh2717/variables.tf | 11 +++++
 6 files changed, 118 insertions(+)
 create mode 100644 pkg/acceptance/helpers/compute_pool_client.go
 create mode 100644 pkg/resources/testdata/TestAcc_GrantPrivilegesToAccountRole/OnAccountObject_gh2717/test.tf
 create mode 100644 pkg/resources/testdata/TestAcc_GrantPrivilegesToAccountRole/OnAccountObject_gh2717/variables.tf
diff --git a/pkg/acceptance/helpers/compute_pool_client.go b/pkg/acceptance/helpers/compute_pool_client.go
new file mode 100644
index 0000000000..08affb0a2b
--- /dev/null
+++ b/pkg/acceptance/helpers/compute_pool_client.go
@@ -0,0 +1,47 @@
+package helpers
+
+import (
+ "context"
+ "fmt"
+ "testing"
+
+ "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk"
+ "github.com/stretchr/testify/require"
+)
+
+// TODO [SNOW-1790174]: change raw sqls to proper client
+type ComputePoolClient struct {
+ context *TestClientContext
+ ids *IdsGenerator
+}
+
+func NewComputePoolClient(context *TestClientContext, idsGenerator *IdsGenerator) *ComputePoolClient {
+ return &ComputePoolClient{
+ context: context,
+ ids: idsGenerator,
+ }
+}
+
+func (c *ComputePoolClient) client() *sdk.Client {
+ return c.context.client
+}
+
+func (c *ComputePoolClient) CreateComputePool(t *testing.T) (sdk.AccountObjectIdentifier, func()) {
+ t.Helper()
+ ctx := context.Background()
+
+ id := c.ids.RandomAccountObjectIdentifier()
+ _, err := c.client().ExecForTests(ctx, fmt.Sprintf(`CREATE COMPUTE POOL %s MIN_NODES = 1 MAX_NODES = 1 INSTANCE_FAMILY = CPU_X64_XS`, id.FullyQualifiedName()))
+ require.NoError(t, err)
+ return id, c.DropComputePoolFunc(t, id)
+}
+
+func (c *ComputePoolClient) DropComputePoolFunc(t *testing.T, id sdk.AccountObjectIdentifier) func() {
+ t.Helper()
+ ctx := context.Background()
+
+ return func() {
+ _, err := c.client().ExecForTests(ctx, fmt.Sprintf(`DROP COMPUTE POOL IF EXISTS %s`, id.FullyQualifiedName()))
+ require.NoError(t, err)
+ }
+}
diff --git a/pkg/acceptance/helpers/test_client.go b/pkg/acceptance/helpers/test_client.go
index cbfc8de2b9..cf2e559b44 100644
--- a/pkg/acceptance/helpers/test_client.go
+++ b/pkg/acceptance/helpers/test_client.go
@@ -17,6 +17,7 @@ type TestClient struct {
 ApplicationPackage *ApplicationPackageClient
 AuthenticationPolicy *AuthenticationPolicyClient
 BcrBundles *BcrBundlesClient
+ ComputePool *ComputePoolClient
 Connection *ConnectionClient
 Context *ContextClient
 CortexSearchService *CortexSearchServiceClient
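Review bot: In pkg/acceptance/helpers/compute_pool_client.go, the `CREATE COMPUTE POOL` statement in CreateComputePool sets `MIN_NODES = 1` with no suspend options, so by default each acceptance run starts provisioning a real node, although the test added in this patch only grants USAGE on the pool. Appending `INITIALLY_SUSPENDED = TRUE` to the statement would keep the pool idle, and it also bounds the cost of a pool that is left behind when a run is killed before the `t.Cleanup` fires. The exported type and its methods have no doc comments; for example `// CreateComputePool creates a compute pool with a generated name and returns its id together with a cleanup function that drops it.`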
@@ -85,6 +86,7 @@ func NewTestClient(c *sdk.Client, database string, schema string, warehouse stri
 ApplicationPackage: NewApplicationPackageClient(context, idsGenerator),
 AuthenticationPolicy: NewAuthenticationPolicyClient(context, idsGenerator),
 BcrBundles: NewBcrBundlesClient(context),
+ ComputePool: NewComputePoolClient(context, idsGenerator),
 Connection: NewConnectionClient(context, idsGenerator),
 Context: NewContextClient(context),
 CortexSearchService: NewCortexSearchServiceClient(context, idsGenerator),
diff --git a/pkg/resources/grant_privileges_to_account_role.go b/pkg/resources/grant_privileges_to_account_role.go
index e314e067b0..9d8fd49a97 100644
--- a/pkg/resources/grant_privileges_to_account_role.go
+++ b/pkg/resources/grant_privileges_to_account_role.go
@@ -1183,6 +1183,9 @@ func createGrantPrivilegesToAccountRoleIdFromSchema(d *schema.ResourceData) (id
 case on.AccountObject.ReplicationGroup != nil:
 onAccountObjectGrantData.ObjectType = sdk.ObjectTypeReplicationGroup
 onAccountObjectGrantData.ObjectName = *on.AccountObject.ReplicationGroup
+ case on.AccountObject.ComputePool != nil:
+ onAccountObjectGrantData.ObjectType = sdk.ObjectTypeComputePool
+ onAccountObjectGrantData.ObjectName = *on.AccountObject.ComputePool
 case on.AccountObject.ExternalVolume != nil:
 onAccountObjectGrantData.ObjectType = sdk.ObjectTypeExternalVolume
 onAccountObjectGrantData.ObjectName = *on.AccountObject.ExternalVolume
diff --git a/pkg/resources/grant_privileges_to_account_role_acceptance_test.go b/pkg/resources/grant_privileges_to_account_role_acceptance_test.go
index f0302e4674..15cdae3486 100644
--- a/pkg/resources/grant_privileges_to_account_role_acceptance_test.go
+++ b/pkg/resources/grant_privileges_to_account_role_acceptance_test.go
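Review bot: In pkg/resources/grant_privileges_to_account_role.go, nothing visible in this hunk rejects an account object type that has no arm in the hand-maintained `case on.AccountObject.X != nil` list, which lacked the compute pool until now. The switch opens and closes outside the hunk, so whether it ends in a `default:` branch cannot be seen here. If it does not, an unmapped type presumably leaves `onAccountObjectGrantData.ObjectType` and `ObjectName` at their zero values, and the grant ID is then built without a target. A `default:` arm that returns an error naming the unsupported object type would turn the next omission into an immediate failure rather than a malformed privilege grant.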
@@ -215,6 +215,53 @@ func TestAcc_GrantPrivilegesToAccountRole_OnAccountObject(t *testing.T) {
 })
 }
 
+func TestAcc_GrantPrivilegesToAccountRole_OnAccountObject_gh2717(t *testing.T) {
+ _ = testenvs.GetOrSkipTest(t, testenvs.EnableAcceptance)
+ acc.TestAccPreCheck(t)
+
+ computePoolId, computePoolCleanup := acc.TestClient().ComputePool.CreateComputePool(t)
+ t.Cleanup(computePoolCleanup)
+
+ roleId := acc.TestClient().Ids.RandomAccountObjectIdentifier()
+ roleFullyQualifiedName := roleId.FullyQualifiedName()
+ configVariables := config.Variables{
+ "name": config.StringVariable(roleFullyQualifiedName),
+ "compute_pool": config.StringVariable(computePoolId.Name()),
+ "privileges": config.ListVariable(
+ config.StringVariable(string(sdk.AccountObjectPrivilegeUsage)),
+ ),
+ }
+ resourceName := "snowflake_grant_privileges_to_account_role.test"
+
+ resource.Test(t, resource.TestCase{
+ ProtoV6ProviderFactories: acc.TestAccProtoV6ProviderFactories,
+ PreCheck: func() { acc.TestAccPreCheck(t) },
+ TerraformVersionChecks: []tfversion.TerraformVersionCheck{
+ tfversion.RequireAbove(tfversion.Version1_5_0),
+ },
+ CheckDestroy: acc.CheckAccountRolePrivilegesRevoked(t),
+ Steps: []resource.TestStep{
+ {
+ PreConfig: func() {
+ _, roleCleanup := acc.TestClient().Role.CreateRoleWithIdentifier(t, roleId)
+ t.Cleanup(roleCleanup)
+ },
+ ConfigDirectory: acc.ConfigurationDirectory("TestAcc_GrantPrivilegesToAccountRole/OnAccountObject_gh2717"),
+ ConfigVariables: configVariables,
+ Check: resource.ComposeTestCheckFunc(
+ resource.TestCheckResourceAttr(resourceName, "account_role_name", roleFullyQualifiedName),
+ resource.TestCheckResourceAttr(resourceName, "privileges.#", "1"),
+ resource.TestCheckResourceAttr(resourceName, "privileges.0", string(sdk.AccountObjectPrivilegeUsage)),
+ resource.TestCheckResourceAttr(resourceName, "on_account_object.#", "1"),
+ resource.TestCheckResourceAttr(resourceName, "on_account_object.0.object_type", string(sdk.ObjectTypeComputePool)),
+ resource.TestCheckResourceAttr(resourceName, "on_account_object.0.object_name", computePoolId.Name()),
+ resource.TestCheckResourceAttr(resourceName, "id", fmt.Sprintf("%s|false|false|USAGE|OnAccountObject|%s|%s", roleFullyQualifiedName, sdk.ObjectTypeComputePool, computePoolId.FullyQualifiedName())),
+ ),
+ },
+ },
+ })
+}
+
 // This proves that infinite plan is not produced as in snowflake_grant_privileges_to_role.
 // More details can be found in the fix pr https://github.com/Snowflake-Labs/terraform-provider-snowflake/pull/2364.
 func TestAcc_GrantPrivilegesToApplicationRole_OnAccountObject_InfinitePlan(t *testing.T) {
diff --git a/pkg/resources/testdata/TestAcc_GrantPrivilegesToAccountRole/OnAccountObject_gh2717/test.tf b/pkg/resources/testdata/TestAcc_GrantPrivilegesToAccountRole/OnAccountObject_gh2717/test.tf
new file mode 100644
index 0000000000..89561deeab
--- /dev/null
+++ b/pkg/resources/testdata/TestAcc_GrantPrivilegesToAccountRole/OnAccountObject_gh2717/test.tf
@@ -0,0 +1,8 @@
+resource "snowflake_grant_privileges_to_account_role" "test" {
+ account_role_name = var.name
+ privileges = var.privileges
+ on_account_object {
+ object_type = "COMPUTE POOL"
+ object_name = var.compute_pool
+ }
+}
diff --git a/pkg/resources/testdata/TestAcc_GrantPrivilegesToAccountRole/OnAccountObject_gh2717/variables.tf b/pkg/resources/testdata/TestAcc_GrantPrivilegesToAccountRole/OnAccountObject_gh2717/variables.tf
new file mode 100644
index 0000000000..82329fbe6b
--- /dev/null
+++ b/pkg/resources/testdata/TestAcc_GrantPrivilegesToAccountRole/OnAccountObject_gh2717/variables.tf
@@ -0,0 +1,11 @@
+variable "name" {
+ type = string
+}
+
+variable "compute_pool" {
+ type = string
+}
+
+variable "privileges" {
+ type = list(string)
+}
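Review bot: TestAcc_GrantPrivilegesToAccountRole_OnAccountObject_gh2717 in grant_privileges_to_account_role_acceptance_test.go has no comment saying which regression it guards, while the test that follows it opens with a `// This proves that ...` explanation. A line such as `// Proves that privileges on a compute pool can be granted to an account role; see #2717.` above the function would record why the case exists. The single step also covers only apply and read-back of state. If the other tests in this file use an import step (not visible in this hunk), adding one here would presumably exercise parsing of the `COMPUTE POOL` id as well.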