Rename references to deprecated role resource

Snowflake-Labs · Jul 10, 2024 · bf99277 · bf99277
1 parent e1860a1
commit bf99277
Show file tree

Hide file tree

Showing 63 changed files with 699 additions and 601 deletions.
diff --git a/MIGRATION_GUIDE.md b/MIGRATION_GUIDE.md
@@ -20,10 +20,10 @@ They are all described in short in the [changes before v1 doc](./v1-preparations
 ### old grant resources removal
 Following the [announcement](https://github.com/Snowflake-Labs/terraform-provider-snowflake/discussions/2736) we have removed the old grant resources. The two resources [snowflake_role_ownership_grant](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_ownership_grant) and [snowflake_user_ownership_grant](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/user_ownership_grant) were not listed in the announcement, but they were also marked as deprecated ones. We are removing them too to conclude the grants redesign saga.
 
+### *(new feature)* new snowflake_account_role resource
 
-### *(new feature)* new field in the snowflake_role resource
-
-No migration is needed.
+Already existing `snowflake_role` was deprecated in favor of the new `snowflake_account_role`. The old resource got upgraded to 
+have the same features as the new one. The only difference is the deprecation message on the old resource.
 
 New fields:
 - added `show_output` field that holds the response from SHOW ROLES. Remember that the field will be only recomputed if one of the fields (`name` or `comment`) are changed.

diff --git a/docs/index.md b/docs/index.md
@@ -231,6 +231,7 @@ The Snowflake provider will use the following order of precedence when determini
 
 - [snowflake_database_old](./docs/resources/database_old)
 - [snowflake_oauth_integration](./docs/resources/oauth_integration)
+- [snowflake_role](./docs/resources/role) - use [snowflake_account_role](./docs/resources/account_role) instead
 - [snowflake_saml_integration](./docs/resources/saml_integration) - use [snowflake_saml2_integration](./docs/resources/saml2_integration) instead
 - [snowflake_unsafe_execute](./docs/resources/unsafe_execute)
 

diff --git a/docs/resources/account_role.md b/docs/resources/account_role.md
@@ -0,0 +1,67 @@
+---
+page_title: "snowflake_account_role Resource - terraform-provider-snowflake"
+subcategory: ""
+description: |-
+  The resource is used for role management, where roles can be assigned privileges and, in turn, granted to users and other roles. When granted to roles they can create hierarchies of privilege structures. For more details, refer to the official documentation https://docs.snowflake.com/en/user-guide/security-access-control-overview.
+---
+
+!> **V1 release candidate** This resource was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0920--v0930) to use it.
+
+# snowflake_account_role (Resource)
+
+The resource is used for role management, where roles can be assigned privileges and, in turn, granted to users and other roles. When granted to roles they can create hierarchies of privilege structures. For more details, refer to the [official documentation](https://docs.snowflake.com/en/user-guide/security-access-control-overview).
+
+## Example Usage
+
+```terraform
+## Minimal
+resource "snowflake_account_role" "minimal" {
+  name = "role_name"
+}
+
+## Complete (with every optional set)
+resource "snowflake_account_role" "complete" {
+  name    = "role_name"
+  comment = "my account role"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String)
+
+### Optional
+
+- `comment` (String)
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+- `show_output` (List of Object) Outputs the result of `SHOW ROLES` for the given role. (see [below for nested schema](#nestedatt--show_output))
+
+<a id="nestedatt--show_output"></a>
+### Nested Schema for `show_output`
+
+Read-Only:
+
+- `assigned_to_users` (Number)
+- `comment` (String)
+- `created_on` (String)
+- `granted_roles` (Number)
+- `granted_to_roles` (Number)
+- `is_current` (Boolean)
+- `is_default` (Boolean)
+- `is_inherited` (Boolean)
+- `name` (String)
+- `owner` (String)
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+terraform import snowflake_account_role.example "name"
+```
diff --git a/docs/resources/grant_account_role.md b/docs/resources/grant_account_role.md
@@ -16,25 +16,25 @@ description: |-
 ### grant account role to account role
 ##################################
 
-resource "snowflake_role" "role" {
+resource "snowflake_account_role" "role" {
   name = var.role_name
 }
 
-resource "snowflake_role" "parent_role" {
+resource "snowflake_account_role" "parent_role" {
   name = var.parent_role_name
 }
 
 resource "snowflake_grant_account_role" "g" {
-  role_name        = snowflake_role.role.name
-  parent_role_name = snowflake_role.parent_role.name
+  role_name        = snowflake_account_role.role.name
+  parent_role_name = snowflake_account_role.parent_role.name
 }
 
 
 ##################################
 ### grant account role to user
 ##################################
 
-resource "snowflake_role" "role" {
+resource "snowflake_account_role" "role" {
   name = var.role_name
 }
 

diff --git a/docs/resources/grant_application_role.md b/docs/resources/grant_application_role.md
@@ -21,13 +21,13 @@ locals {
 ##################################
 
 
-resource "snowflake_role" "role" {
+resource "snowflake_account_role" "role" {
   name = "my_role"
 }
 
 resource "snowflake_grant_application_role" "g" {
   application_role_name    = local.application_role_identifier
-  parent_account_role_name = snowflake_role.role.name
+  parent_account_role_name = snowflake_account_role.role.name
 }
 
 ##################################

diff --git a/docs/resources/grant_database_role.md b/docs/resources/grant_database_role.md
@@ -21,13 +21,13 @@ resource "snowflake_database_role" "database_role" {
   name     = var.database_role_name
 }
 
-resource "snowflake_role" "parent_role" {
+resource "snowflake_account_role" "parent_role" {
   name = var.parent_role_name
 }
 
 resource "snowflake_grant_database_role" "g" {
   database_role_name = "\"${var.database}\".\"${snowflake_database_role.database_role.name}\""
-  parent_role_name   = snowflake_role.parent_role.name
+  parent_role_name   = snowflake_account_role.parent_role.name
 }
 
 ##################################

diff --git a/docs/resources/grant_ownership.md b/docs/resources/grant_ownership.md
@@ -21,7 +21,7 @@ description: |-
 ### on object to account role
 ##################################
 
-resource "snowflake_role" "test" {
+resource "snowflake_account_role" "test" {
   name = "test_role"
 }
 
@@ -74,7 +74,7 @@ resource "snowflake_grant_ownership" "test" {
 ### on all tables in database to account role
 ##################################
 
-resource "snowflake_role" "test" {
+resource "snowflake_account_role" "test" {
   name = "test_role"
 }
 
@@ -96,7 +96,7 @@ resource "snowflake_grant_ownership" "test" {
 ### on all tables in schema to account role
 ##################################
 
-resource "snowflake_role" "test" {
+resource "snowflake_account_role" "test" {
   name = "test_role"
 }
 
@@ -123,7 +123,7 @@ resource "snowflake_grant_ownership" "test" {
 ### on future tables in database to account role
 ##################################
 
-resource "snowflake_role" "test" {
+resource "snowflake_account_role" "test" {
   name = "test_role"
 }
 
@@ -145,7 +145,7 @@ resource "snowflake_grant_ownership" "test" {
 ### on future tables in schema to account role
 ##################################
 
-resource "snowflake_role" "test" {
+resource "snowflake_account_role" "test" {
   name = "test_role"
 }
 
@@ -172,7 +172,7 @@ resource "snowflake_grant_ownership" "test" {
 ### RoleBasedAccessControl (RBAC example)
 ##################################
 
-resource "snowflake_role" "test" {
+resource "snowflake_account_role" "test" {
   name = "role"
 }
 
@@ -181,22 +181,22 @@ resource "snowflake_database" "test" {
 }
 
 resource "snowflake_grant_ownership" "test" {
-  account_role_name = snowflake_role.test.name
+  account_role_name = snowflake_account_role.test.name
   on {
     object_type = "DATABASE"
     object_name = snowflake_database.test.name
   }
 }
 
 resource "snowflake_grant_account_role" "test" {
-  role_name = snowflake_role.test.name
+  role_name = snowflake_account_role.test.name
   user_name = "username"
 }
 
 provider "snowflake" {
   profile = "default"
   alias   = "secondary"
-  role    = snowflake_role.test.name
+  role    = snowflake_account_role.test.name
 }
 
 ## With ownership on the database, the secondary provider is able to create schema on it without any additional privileges.

diff --git a/docs/resources/grant_privileges_to_account_role.md b/docs/resources/grant_privileges_to_account_role.md
@@ -22,7 +22,7 @@ resource "snowflake_database" "db" {
   name = "database"
 }
 
-resource "snowflake_role" "db_role" {
+resource "snowflake_account_role" "db_role" {
   name = "role_name"
 }
 
@@ -33,15 +33,15 @@ resource "snowflake_role" "db_role" {
 # list of privileges
 resource "snowflake_grant_privileges_to_account_role" "example" {
   privileges        = ["CREATE DATABASE", "CREATE USER"]
-  account_role_name = snowflake_role.db_role.name
+  account_role_name = snowflake_account_role.db_role.name
   on_account        = true
 }
 
 ## ID: "\"role_name\"|false|false|CREATE DATABASE,CREATE USER|OnAccount"
 
 # all privileges + grant option
 resource "snowflake_grant_privileges_to_account_role" "example" {
-  account_role_name = snowflake_role.db_role.name
+  account_role_name = snowflake_account_role.db_role.name
   on_account        = true
   all_privileges    = true
   with_grant_option = true
@@ -51,7 +51,7 @@ resource "snowflake_grant_privileges_to_account_role" "example" {
 
 # all privileges + grant option + always apply
 resource "snowflake_grant_privileges_to_account_role" "example" {
-  account_role_name = snowflake_role.db_role.name
+  account_role_name = snowflake_account_role.db_role.name
   on_account        = true
   always_apply      = true
   all_privileges    = true
@@ -67,7 +67,7 @@ resource "snowflake_grant_privileges_to_account_role" "example" {
 # list of privileges
 resource "snowflake_grant_privileges_to_account_role" "example" {
   privileges        = ["CREATE SCHEMA", "CREATE DATABASE ROLE"]
-  account_role_name = snowflake_role.db_role.name
+  account_role_name = snowflake_account_role.db_role.name
   on_account_object {
     object_type = "DATABASE"
     object_name = snowflake_database.db.name
@@ -78,7 +78,7 @@ resource "snowflake_grant_privileges_to_account_role" "example" {
 
 # all privileges + grant option
 resource "snowflake_grant_privileges_to_account_role" "example" {
-  account_role_name = snowflake_role.db_role.name
+  account_role_name = snowflake_account_role.db_role.name
   on_account_object {
     object_type = "DATABASE"
     object_name = snowflake_database.db.name
@@ -91,7 +91,7 @@ resource "snowflake_grant_privileges_to_account_role" "example" {
 
 # grant IMPORTED PRIVILEGES on SNOWFLAKE application
 resource "snowflake_grant_privileges_to_account_role" "example" {
-  account_role_name = snowflake_role.db_role.name
+  account_role_name = snowflake_account_role.db_role.name
   privileges        = ["IMPORTED PRIVILEGES"]
   on_account_object {
     object_type = "DATABASE" # All applications should be using DATABASE object_type
@@ -103,7 +103,7 @@ resource "snowflake_grant_privileges_to_account_role" "example" {
 
 # all privileges + grant option + always apply
 resource "snowflake_grant_privileges_to_account_role" "example" {
-  account_role_name = snowflake_role.db_role.name
+  account_role_name = snowflake_account_role.db_role.name
   on_account_object {
     object_type = "DATABASE"
     object_name = snowflake_database.db.name
@@ -122,7 +122,7 @@ resource "snowflake_grant_privileges_to_account_role" "example" {
 # list of privileges
 resource "snowflake_grant_privileges_to_account_role" "example" {
   privileges        = ["MODIFY", "CREATE TABLE"]
-  account_role_name = snowflake_role.db_role.name
+  account_role_name = snowflake_account_role.db_role.name
   on_schema {
     schema_name = "\"${snowflake_database.db.name}\".\"my_schema\"" # note this is a fully qualified name!
   }
@@ -132,7 +132,7 @@ resource "snowflake_grant_privileges_to_account_role" "example" {
 
 # all privileges + grant option
 resource "snowflake_grant_privileges_to_account_role" "example" {
-  account_role_name = snowflake_role.db_role.name
+  account_role_name = snowflake_account_role.db_role.name
   on_schema {
     schema_name = "\"${snowflake_database.db.name}\".\"my_schema\"" # note this is a fully qualified name!
   }
@@ -145,7 +145,7 @@ resource "snowflake_grant_privileges_to_account_role" "example" {
 # all schemas in database
 resource "snowflake_grant_privileges_to_account_role" "example" {
   privileges        = ["MODIFY", "CREATE TABLE"]
-  account_role_name = snowflake_role.db_role.name
+  account_role_name = snowflake_account_role.db_role.name
   on_schema {
     all_schemas_in_database = snowflake_database.db.name
   }
@@ -156,7 +156,7 @@ resource "snowflake_grant_privileges_to_account_role" "example" {
 # future schemas in database
 resource "snowflake_grant_privileges_to_account_role" "example" {
   privileges        = ["MODIFY", "CREATE TABLE"]
-  account_role_name = snowflake_role.db_role.name
+  account_role_name = snowflake_account_role.db_role.name
   on_schema {
     future_schemas_in_database = snowflake_database.db.name
   }
@@ -171,7 +171,7 @@ resource "snowflake_grant_privileges_to_account_role" "example" {
 # list of privileges
 resource "snowflake_grant_privileges_to_account_role" "example" {
   privileges        = ["SELECT", "REFERENCES"]
-  account_role_name = snowflake_role.db_role.name
+  account_role_name = snowflake_account_role.db_role.name
   on_schema_object {
     object_type = "VIEW"
     object_name = "\"${snowflake_database.db.name}\".\"my_schema\".\"my_view\"" # note this is a fully qualified name!
@@ -182,7 +182,7 @@ resource "snowflake_grant_privileges_to_account_role" "example" {
 
 # all privileges + grant option
 resource "snowflake_grant_privileges_to_account_role" "example" {
-  account_role_name = snowflake_role.db_role.name
+  account_role_name = snowflake_account_role.db_role.name
   on_schema_object {
     object_type = "VIEW"
     object_name = "\"${snowflake_database.db.name}\".\"my_schema\".\"my_view\"" # note this is a fully qualified name!
@@ -196,7 +196,7 @@ resource "snowflake_grant_privileges_to_account_role" "example" {
 # all in database
 resource "snowflake_grant_privileges_to_account_role" "example" {
   privileges        = ["SELECT", "INSERT"]
-  account_role_name = snowflake_role.db_role.name
+  account_role_name = snowflake_account_role.db_role.name
   on_schema_object {
     all {
       object_type_plural = "TABLES"
@@ -210,7 +210,7 @@ resource "snowflake_grant_privileges_to_account_role" "example" {
 # all in schema
 resource "snowflake_grant_privileges_to_account_role" "example" {
   privileges        = ["SELECT", "INSERT"]
-  account_role_name = snowflake_role.db_role.name
+  account_role_name = snowflake_account_role.db_role.name
   on_schema_object {
     all {
       object_type_plural = "TABLES"
@@ -224,7 +224,7 @@ resource "snowflake_grant_privileges_to_account_role" "example" {
 # future in database
 resource "snowflake_grant_privileges_to_account_role" "example" {
   privileges        = ["SELECT", "INSERT"]
-  account_role_name = snowflake_role.db_role.name
+  account_role_name = snowflake_account_role.db_role.name
   on_schema_object {
     future {
       object_type_plural = "TABLES"
@@ -238,7 +238,7 @@ resource "snowflake_grant_privileges_to_account_role" "example" {
 # future in schema
 resource "snowflake_grant_privileges_to_account_role" "example" {
   privileges        = ["SELECT", "INSERT"]
-  account_role_name = snowflake_role.db_role.name
+  account_role_name = snowflake_account_role.db_role.name
   on_schema_object {
     future {
       object_type_plural = "TABLES"