wip

Snowflake-Labs · Mar 27, 2024 · 155139a · 155139a
1 parent 3c3ede6
commit 155139a
Show file tree

Hide file tree

Showing 13 changed files with 530 additions and 4 deletions.
diff --git a/docs/resources/grant_ownership.md b/docs/resources/grant_ownership.md
@@ -0,0 +1,64 @@
+---
+page_title: "snowflake_grant_ownership Resource - terraform-provider-snowflake"
+subcategory: ""
+description: |-
+  
+---
+
+# snowflake_grant_ownership (Resource)
+
+
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `on` (Block List, Min: 1, Max: 1) Configures which object(s) should transfer their ownership to the specified role. (see [below for nested schema](#nestedblock--on))
+
+### Optional
+
+- `account_role_name` (String) The fully qualified name of the account role to which privileges will be granted.
+- `database_role_name` (String) The fully qualified name of the database role to which privileges will be granted.
+- `outbound_privileges` (String) Specifies whether to remove or transfer all existing outbound privileges on the object when ownership is transferred to a new role. Available options are: REVOKE for removing existing privileges and COPY to transfer them with ownership. For more information head over to [Snowflake documentation](https://docs.snowflake.com/en/sql-reference/sql/grant-ownership#optional-parameters).
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+
+<a id="nestedblock--on"></a>
+### Nested Schema for `on`
+
+Optional:
+
+- `all` (Block List, Max: 1) Configures the privilege to be granted on all objects in either a database or schema. (see [below for nested schema](#nestedblock--on--all))
+- `future` (Block List, Max: 1) Configures the privilege to be granted on all objects in either a database or schema. (see [below for nested schema](#nestedblock--on--future))
+- `object_name` (String) Specifies the identifier for the object on which you are transferring ownership.
+- `object_type` (String) Specifies the type of object on which you are transferring ownership. Available values are: AGGREGATION POLICY | ALERT | AUTHENTICATION POLICY | COMPUTE POOL | DATABASE | DATABASE ROLE | DYNAMIC TABLE | EVENT TABLE | EXTERNAL TABLE | EXTERNAL VOLUME | FAILOVER GROUP | FILE FORMAT | FUNCTION | HYBRID TABLE | ICEBERG TABLE | IMAGE REPOSITORY | INTEGRATION | MATERIALIZED VIEW | NETWORK POLICY | NETWORK RULE | PACKAGES POLICY | PIPE | PROCEDURE | MASKING POLICY | PASSWORD POLICY | PROJECTION POLICY | REPLICATION GROUP | ROLE | ROW ACCESS POLICY | SCHEMA | SESSION POLICY | SECRET | SEQUENCE | STAGE | STREAM | TABLE | TAG | TASK | USER | VIEW | WAREHOUSE
+
+<a id="nestedblock--on--all"></a>
+### Nested Schema for `on.all`
+
+Required:
+
+- `object_type_plural` (String) Specifies the type of object in plural form on which you are transferring ownership. Available values are: AGGREGATION POLICIES | ALERTS | AUTHENTICATION POLICIES | COMPUTE POOLS | DATABASES | DATABASE ROLES | DYNAMIC TABLES | EVENT TABLES | EXTERNAL TABLES | EXTERNAL VOLUMES | FAILOVER GROUPS | FILE FORMATS | FUNCTIONS | HYBRID TABLES | ICEBERG TABLES | IMAGE REPOSITORIES | INTEGRATIONS | MATERIALIZED VIEWS | NETWORK POLICIES | NETWORK RULES | PACKAGES POLICIES | PIPES | PROCEDURES | MASKING POLICIES | PASSWORD POLICIES | PROJECTION POLICIES | REPLICATION GROUPS | ROLES | ROW ACCESS POLICIES | SCHEMAS | SESSION POLICIES | SECRETS | SEQUENCES | STAGES | STREAMS | TABLES | TAGS | TASKS | USERS | VIEWS | WAREHOUSES. For more information head over to [Snowflake documentation](https://docs.snowflake.com/en/sql-reference/sql/grant-ownership#required-parameters).
+
+Optional:
+
+- `in_database` (String) The fully qualified name of the database.
+- `in_schema` (String) The fully qualified name of the schema.
+
+
+<a id="nestedblock--on--future"></a>
+### Nested Schema for `on.future`
+
+Required:
+
+- `object_type_plural` (String) Specifies the type of object in plural form on which you are transferring ownership. Available values are: AGGREGATION POLICIES | ALERTS | AUTHENTICATION POLICIES | COMPUTE POOLS | DATABASES | DATABASE ROLES | DYNAMIC TABLES | EVENT TABLES | EXTERNAL TABLES | EXTERNAL VOLUMES | FAILOVER GROUPS | FILE FORMATS | FUNCTIONS | HYBRID TABLES | ICEBERG TABLES | IMAGE REPOSITORIES | INTEGRATIONS | MATERIALIZED VIEWS | NETWORK POLICIES | NETWORK RULES | PACKAGES POLICIES | PIPES | PROCEDURES | MASKING POLICIES | PASSWORD POLICIES | PROJECTION POLICIES | REPLICATION GROUPS | ROLES | ROW ACCESS POLICIES | SCHEMAS | SESSION POLICIES | SECRETS | SEQUENCES | STAGES | STREAMS | TABLES | TAGS | TASKS | USERS | VIEWS | WAREHOUSES. For more information head over to [Snowflake documentation](https://docs.snowflake.com/en/sql-reference/sql/grant-ownership#required-parameters).
+
+Optional:
+
+- `in_database` (String) The fully qualified name of the database.
+- `in_schema` (String) The fully qualified name of the schema.
diff --git a/pkg/provider/provider.go b/pkg/provider/provider.go
@@ -468,6 +468,7 @@ func getResources() map[string]*schema.Resource {
 		"snowflake_function":                                resources.Function(),
 		"snowflake_grant_account_role":                      resources.GrantAccountRole(),
 		"snowflake_grant_database_role":                     resources.GrantDatabaseRole(),
+		"snowflake_grant_ownership":                         resources.GrantOwnership(),
 		"snowflake_grant_privileges_to_role":                resources.GrantPrivilegesToRole(),
 		"snowflake_grant_privileges_to_account_role":        resources.GrantPrivilegesToAccountRole(),
 		"snowflake_grant_privileges_to_database_role":       resources.GrantPrivilegesToDatabaseRole(),

diff --git a/pkg/resources/grant_ownership.go b/pkg/resources/grant_ownership.go
@@ -16,6 +16,26 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 )
 
+// Done (doc-discuss thread):
+// - Materialized views
+
+// Won't do:
+// - External tables (cannot handle this edge case, because we have to know the auto_refresh state of the external table; it's not retrievable by SHOW or DESC commands)
+
+// TODO for later:
+// - Tasks bulk operations
+
+// TODO:
+// - Test edge cases (and not only)
+// 		- RBAC hierarchy
+// 		- Delete resource before grant ownership resource
+// 		- Pipes on bulk and individually
+// 		- Tasks on bulk
+// 		- Materialized view
+// 		- Validation (?): grant ownership of e.g. share (not possible)
+// 		- Dynamic Tables
+// 		- Database Roles
+
 var grantOwnershipSchema = map[string]*schema.Schema{
 	"account_role_name": {
 		Type:             schema.TypeString,
@@ -342,10 +362,11 @@ func ReadGrantOwnership(ctx context.Context, d *schema.ResourceData, meta any) d
 
 	grants, err := client.Grants.Show(ctx, opts)
 	if err != nil {
+		d.SetId("")
 		return diag.Diagnostics{
 			diag.Diagnostic{
-				Severity: diag.Error,
-				Summary:  "Failed to retrieve grants",
+				Severity: diag.Warning,
+				Summary:  "Failed to retrieve grants. Marking the resource as removed.",
 				Detail:   fmt.Sprintf("Id: %s\nError: %s", d.Id(), err),
 			},
 		}
@@ -383,10 +404,11 @@ func ReadGrantOwnership(ctx context.Context, d *schema.ResourceData, meta any) d
 	}
 
 	if !ownershipFound {
+		d.SetId("")
 		return diag.Diagnostics{
 			diag.Diagnostic{
-				Severity: diag.Error,
-				Summary:  "Couldn't find OWNERSHIP privilege on target object",
+				Severity: diag.Warning,
+				Summary:  "Couldn't find OWNERSHIP privilege on target object. Marking the resource as removed.",
 				Detail:   fmt.Sprintf("Id: %s", d.Id()),
 			},
 		}