Skip to content

Commit

Permalink
feat: Row access policy data source v1 (#3066)
Browse files Browse the repository at this point in the history 
<!-- Feel free to delete comments as you fill this in -->
- rework row access policy data source
- adjust sdk
- add missing filtering
- add `output` fields
- add description to policy resource
- add more acceptance tests
- improve examples
- add an entry to the migration guide
<!-- summary of changes -->

## Test Plan
<!-- detail ways in which this PR has been tested or needs to be tested
-->
* [x] acceptance tests
<!-- add more below if you think they are relevant -->

## References
<!-- issues documentation links, etc  -->
https://docs.snowflake.com/en/sql-reference/sql/show-row-access-policies
  • Loading branch information
@sfc-gh-jmichalak @sfc-gh-fbudzynski
sfc-gh-jmichalak authored and sfc-gh-fbudzynski committed Sep 19, 2024
1 parent 6c420a4 commit 6078048
Show file tree
Hide file tree
Showing 25 changed files with 971 additions and 123 deletions.
16 changes: 16 additions & 0 deletions MIGRATION_GUIDE.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,22 @@ describe deprecations or breaking changes and help you to change your configurat
across different versions.

## v0.95.0 ➞ v0.96.0
### snowflake_row_access_policies data source changes
New filtering options:
- `in`
- `limit`
- `with_describe`

New output fields
- `show_output`
- `describe_output`

Breaking changes:
- `database` and `schema` are right now under `in` field
- `row_access_policies` field now organizes output of show under `show_output` field and the output of describe under `describe_output` field.

Please adjust your Terraform configuration files.

### snowflake_row_access_policy resource changes
New fields:
- `show_output` field that holds the response from SHOW ROW ACCESS POLICIES.
Expand Down
151 changes: 140 additions & 11 deletions docs/data-sources/row_access_policies.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,41 +2,170 @@
page_title: "snowflake_row_access_policies Data Source - terraform-provider-snowflake"
subcategory: ""
description: |-
Datasource used to get details of filtered row access policies. Filtering is aligned with the current possibilities for SHOW ROW ACCESS POLICIES https://docs.snowflake.com/en/sql-reference/sql/show-row-access-policies query. The results of SHOW and DESCRIBE are encapsulated in one output collection row_access_policies.
---

# snowflake_row_access_policies (Data Source)
!> **V1 release candidate** This data source was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the data source if needed. Any errors reported will be resolved with a higher priority. We encourage checking this data source out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0950--v0960) to use it.

# snowflake_row_access_policies (Data Source)

Datasource used to get details of filtered row access policies. Filtering is aligned with the current possibilities for [SHOW ROW ACCESS POLICIES](https://docs.snowflake.com/en/sql-reference/sql/show-row-access-policies) query. The results of SHOW and DESCRIBE are encapsulated in one output collection `row_access_policies`.

## Example Usage

```terraform
data "snowflake_row_access_policies" "current" {
database = "MYDB"
schema = "MYSCHEMA"
# Simple usage
data "snowflake_row_access_policies" "simple" {
}
output "simple_output" {
value = data.snowflake_row_access_policies.simple.row_access_policies
}
# Filtering (like)
data "snowflake_row_access_policies" "like" {
like = "row-access-policy-name"
}
output "like_output" {
value = data.snowflake_row_access_policies.like.row_access_policies
}
# Filtering by prefix (like)
data "snowflake_row_access_policies" "like_prefix" {
like = "prefix%"
}
output "like_prefix_output" {
value = data.snowflake_row_access_policies.like_prefix.row_access_policies
}
# Filtering (limit)
data "snowflake_row_access_policies" "limit" {
limit {
rows = 10
from = "prefix-"
}
}
output "limit_output" {
value = data.snowflake_row_access_policies.limit.row_access_policies
}
# Filtering (in)
data "snowflake_row_access_policies" "in" {
in {
database = "database"
}
}
output "in_output" {
value = data.snowflake_row_access_policies.in.row_access_policies
}
# Without additional data (to limit the number of calls make for every found row access policy)
data "snowflake_row_access_policies" "only_show" {
# with_describe is turned on by default and it calls DESCRIBE ROW ACCESS POLICY for every row access policy found and attaches its output to row_access_policies.*.describe_output field
with_describe = false
}
output "only_show_output" {
value = data.snowflake_row_access_policies.only_show.row_access_policies
}
# Ensure the number of row access policies is equal to at least one element (with the use of postcondition)
data "snowflake_row_access_policies" "assert_with_postcondition" {
like = "row-access-policy-name%"
lifecycle {
postcondition {
condition = length(self.row_access_policies) > 0
error_message = "there should be at least one row access policy"
}
}
}
# Ensure the number of row access policies is equal to at exactly one element (with the use of check block)
check "row_access_policy_check" {
data "snowflake_row_access_policies" "assert_with_check_block" {
like = "row-access-policy-name"
}
assert {
condition = length(data.snowflake_row_access_policies.assert_with_check_block.row_access_policies) == 1
error_message = "row access policies filtered by '${data.snowflake_row_access_policies.assert_with_check_block.like}' returned ${length(data.snowflake_row_access_policies.assert_with_check_block.row_access_policies)} row access policies where one was expected"
}
}
```

<!-- schema generated by tfplugindocs -->
## Schema

### Required
### Optional

- `database` (String) The database from which to return the schemas from.
- `schema` (String) The schema from which to return the row access policy from.
- `in` (Block List, Max: 1) IN clause to filter the list of row access policies (see [below for nested schema](#nestedblock--in))
- `like` (String) Filters the output with **case-insensitive** pattern, with support for SQL wildcard characters (`%` and `_`).
- `limit` (Block List, Max: 1) Limits the number of rows returned. If the `limit.from` is set, then the limit wll start from the first element matched by the expression. The expression is only used to match with the first element, later on the elements are not matched by the prefix, but you can enforce a certain pattern with `starts_with` or `like`. (see [below for nested schema](#nestedblock--limit))
- `with_describe` (Boolean) Runs DESC ROW ACCESS POLICY for each row access policy returned by SHOW ROW ACCESS POLICIES. The output of describe is saved to the description field. By default this value is set to true.

### Read-Only

- `id` (String) The ID of this resource.
- `row_access_policies` (List of Object) The row access policy in the schema (see [below for nested schema](#nestedatt--row_access_policies))
- `row_access_policies` (List of Object) Holds the aggregated output of all views details queries. (see [below for nested schema](#nestedatt--row_access_policies))

<a id="nestedblock--in"></a>
### Nested Schema for `in`

Optional:

- `account` (Boolean) Returns records for the entire account.
- `application` (String) Returns records for the specified application.
- `application_package` (String) Returns records for the specified application package.
- `database` (String) Returns records for the current database in use or for a specified database.
- `schema` (String) Returns records for the current schema in use or a specified schema. Use fully qualified name.


<a id="nestedblock--limit"></a>
### Nested Schema for `limit`

Required:

- `rows` (Number) The maximum number of rows to return.

Optional:

- `from` (String) Specifies a **case-sensitive** pattern that is used to match object name. After the first match, the limit on the number of rows will be applied.


<a id="nestedatt--row_access_policies"></a>
### Nested Schema for `row_access_policies`

Read-Only:

- `describe_output` (List of Object) (see [below for nested schema](#nestedobjatt--row_access_policies--describe_output))
- `show_output` (List of Object) (see [below for nested schema](#nestedobjatt--row_access_policies--show_output))

<a id="nestedobjatt--row_access_policies--describe_output"></a>
### Nested Schema for `row_access_policies.describe_output`

Read-Only:

- `body` (String)
- `name` (String)
- `return_type` (String)
- `signature` (String)


<a id="nestedobjatt--row_access_policies--show_output"></a>
### Nested Schema for `row_access_policies.show_output`

Read-Only:

- `comment` (String)
- `database` (String)
- `created_on` (String)
- `database_name` (String)
- `kind` (String)
- `name` (String)
- `schema` (String)
- `options` (String)
- `owner` (String)
- `owner_role_type` (String)
- `schema_name` (String)
83 changes: 80 additions & 3 deletions docs/data-sources/views.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,86 @@ Datasource used to get details of filtered views. Filtering is aligned with the
## Example Usage

```terraform
data "snowflake_views" "current" {
database = "MYDB"
schema = "MYSCHEMA"
# Simple usage
data "snowflake_views" "simple" {
}
output "simple_output" {
value = data.snowflake_views.simple.views
}
# Filtering (like)
data "snowflake_views" "like" {
like = "view-name"
}
output "like_output" {
value = data.snowflake_views.like.views
}
# Filtering by prefix (like)
data "snowflake_views" "like_prefix" {
like = "prefix%"
}
output "like_prefix_output" {
value = data.snowflake_views.like_prefix.views
}
# Filtering (limit)
data "snowflake_views" "limit" {
limit {
rows = 10
from = "prefix-"
}
}
output "limit_output" {
value = data.snowflake_views.limit.views
}
# Filtering (in)
data "snowflake_views" "in" {
in {
database = "database"
}
}
output "in_output" {
value = data.snowflake_views.in.views
}
# Without additional data (to limit the number of calls make for every found view)
data "snowflake_views" "only_show" {
# with_describe is turned on by default and it calls DESCRIBE VIEW for every view found and attaches its output to views.*.describe_output field
with_describe = false
}
output "only_show_output" {
value = data.snowflake_views.only_show.views
}
# Ensure the number of views is equal to at least one element (with the use of postcondition)
data "snowflake_views" "assert_with_postcondition" {
like = "view-name%"
lifecycle {
postcondition {
condition = length(self.views) > 0
error_message = "there should be at least one view"
}
}
}
# Ensure the number of views is equal to at exactly one element (with the use of check block)
check "view_check" {
data "snowflake_views" "assert_with_check_block" {
like = "view-name"
}
assert {
condition = length(data.snowflake_views.assert_with_check_block.views) == 1
error_message = "views filtered by '${data.snowflake_views.assert_with_check_block.like}' returned ${length(data.snowflake_views.assert_with_check_block.views)} views where one was expected"
}
}
```

Expand Down
4 changes: 2 additions & 2 deletions docs/resources/row_access_policy.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,14 +2,14 @@
page_title: "snowflake_row_access_policy Resource - terraform-provider-snowflake"
subcategory: ""
description: |-
Resource used to manage row access policy objects. For more information, check row access policy documentation https://docs.snowflake.com/en/sql-reference/sql/create-row-access-policy.
---

!> **V1 release candidate** This resource was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0950--v0960) to use it.

# snowflake_row_access_policy (Resource)


Resource used to manage row access policy objects. For more information, check [row access policy documentation](https://docs.snowflake.com/en/sql-reference/sql/create-row-access-policy).

## Example Usage

Expand Down
85 changes: 81 additions & 4 deletions examples/data-sources/snowflake_row_access_policies/data-source.tf
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,81 @@
data "snowflake_row_access_policies" "current" {
database = "MYDB"
schema = "MYSCHEMA"
}
# Simple usage
data "snowflake_row_access_policies" "simple" {
}

output "simple_output" {
value = data.snowflake_row_access_policies.simple.row_access_policies
}

# Filtering (like)
data "snowflake_row_access_policies" "like" {
like = "row-access-policy-name"
}

output "like_output" {
value = data.snowflake_row_access_policies.like.row_access_policies
}

# Filtering by prefix (like)
data "snowflake_row_access_policies" "like_prefix" {
like = "prefix%"
}

output "like_prefix_output" {
value = data.snowflake_row_access_policies.like_prefix.row_access_policies
}

# Filtering (limit)
data "snowflake_row_access_policies" "limit" {
limit {
rows = 10
from = "prefix-"
}
}

output "limit_output" {
value = data.snowflake_row_access_policies.limit.row_access_policies
}

# Filtering (in)
data "snowflake_row_access_policies" "in" {
in {
database = "database"
}
}

output "in_output" {
value = data.snowflake_row_access_policies.in.row_access_policies
}

# Without additional data (to limit the number of calls make for every found row access policy)
data "snowflake_row_access_policies" "only_show" {
# with_describe is turned on by default and it calls DESCRIBE ROW ACCESS POLICY for every row access policy found and attaches its output to row_access_policies.*.describe_output field
with_describe = false
}

output "only_show_output" {
value = data.snowflake_row_access_policies.only_show.row_access_policies
}

# Ensure the number of row access policies is equal to at least one element (with the use of postcondition)
data "snowflake_row_access_policies" "assert_with_postcondition" {
like = "row-access-policy-name%"
lifecycle {
postcondition {
condition = length(self.row_access_policies) > 0
error_message = "there should be at least one row access policy"
}
}
}

# Ensure the number of row access policies is equal to at exactly one element (with the use of check block)
check "row_access_policy_check" {
data "snowflake_row_access_policies" "assert_with_check_block" {
like = "row-access-policy-name"
}

assert {
condition = length(data.snowflake_row_access_policies.assert_with_check_block.row_access_policies) == 1
error_message = "row access policies filtered by '${data.snowflake_row_access_policies.assert_with_check_block.like}' returned ${length(data.snowflake_row_access_policies.assert_with_check_block.row_access_policies)} row access policies where one was expected"
}
}
Loading

0 comments on commit 6078048

Please sign in to comment.