feat: Masking policy resource v1 #3078
Conversation
|
Integration tests failure for 97e53056f97a9bd19c39c21fdecf8b477a6f315e |
|
Integration tests failure for c3fed8307d4d491bbb497c437f785938d53f382a |
pkg/sdk/masking_policy.go
Outdated
| @@ -346,6 +373,7 @@ func (row maskingPolicyDetailsRow) toMaskingPolicyDetails() *MaskingPolicyDetail | |||
| ReturnType: dataType, | |||
| Body: row.Body, | |||
| } | |||
| // TODO (after merged changes in row access policies) use/merge with parsing in row access policies | |||
There was a problem hiding this comment.
Leaving a comment as a reminder (will resolve after the upcoming change)
There was a problem hiding this comment.
Ok, done. I adjusted this also for row access policies.
|
Integration tests failure for ed7a13f1070b4fb6785c9be6333f1a18127ae0a8 |
|
Integration tests failure for 8573b9dababe6e599e6ebcf9eb81dd086558819b |
|
Integration tests failure for bd36e593d457119c834c1a79729227cafe4a426c |
|
Integration tests failure for ca5af1835c93bfba07de367e016f1b7d4a2ec0ef |
|
Integration tests failure for 09b60098bde37d9e2b0d73d0fc9392fb7cfe963a |
|
Integration tests failure for 03612eff7ebaeae5929fb37019146d0c7dcb950f |
<!-- Feel free to delete comments as you fill this in --> - SDK - improve validations - add tests - improve options parsing (also, get rid of a 3rd party library) - add a TODO to reuse parsing from row access policies after merging #3079 - resource - use new id handling - rename/remove some fields to be consistent with other resources - better ACC tests - misc - adjust helper clients - generate config and assertion builders - adjust docs <!-- summary of changes --> ## Test Plan <!-- detail ways in which this PR has been tested or needs to be tested --> * [x] acceptance tests * [x] integration tests * [x] unit tests ## References <!-- issues documentation links, etc --> https://docs.snowflake.com/en/sql-reference/sql/create-masking-policy ## TODO - add tests for issues - rework data source
🤖 I have created a release *beep* *boop* --- ## [0.96.0](v0.95.0...v0.96.0) (2024-09-18) Essential GA object readiness for V1: [link](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/v1-preparations/ESSENTIAL_GA_OBJECTS.MD) ([Roadmap reference](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/ROADMAP.md#preparing-essential-ga-objects-for-the-provider-v1)). :exclamation: Migration guide: [v0.95.0 -> v0.96.0](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0950--v0960) ### 🎉 **What's new:** * V1 redesign of resources and data sources * Row access policy ([#3066](#3066)) ([#3063](#3063)) * Resource monitor ([#3052](#3052)) ([#3064](#3064)) * Masking policy ([#3078](#3078)) ([#3083](#3083)) * SDK upgrades * External volume ([#3033](#3033)) * Authentication policy ([#2937](#2937)) ([#3068](#3068)) ([#3061](#3061)) ### 🔧 **Misc** * Clean up old test object helpers ([#3049](#3049)) * Add example of granting role to multiple objects ([#3047](#3047)) * Update readme and objects rework state ([#3046](#3046)) ### 🐛 **Bug fixes:** * Fix model grants ([#3070](#3070)) * Fix database show by and resource logic ([#3055](#3055)) * Fix default secondary roles option import ([#3041](#3041)) * Fix sweepers for warehouse and database ([#3057](#3057)) * Fix views permadiff ([#3079](#3079)) * Update v0.95.0 migration guide ([#3062](#3062)) Co-authored-by: snowflake-release-please[bot] <105954990+snowflake-release-please[bot]@users.noreply.github.com>
| - `exempt_other_policies` (Boolean) Specifies whether the row access policy or conditional masking policy can reference a column that is already protected by a masking policy. | ||
| - `if_not_exists` (Boolean) Prevent overwriting a previous masking policy with the same name. | ||
| - `or_replace` (Boolean) Whether to override a previous masking policy with the same name. | ||
| - `exempt_other_policies` (String) Specifies whether the row access policy or conditional masking policy can reference a column that is already protected by a masking policy. Due to Snowflake limitations, when value is chenged, the resource is recreated. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value. |
There was a problem hiding this comment.
chenged -> changed
| log.Printf("[DEBUG] row access policy (%s) not found", d.Id()) | ||
| d.SetId("") | ||
| return nil | ||
| if errors.Is(err, sdk.ErrObjectNotFound) { |
There was a problem hiding this comment.
Is there a test showing that it was missing?
| assertOptsInvalidJoinedErrors(t, opts, ErrDifferentSchema) | ||
| }) | ||
|
|
||
| t.Run("validation: only 1 option allowed at the same time", func(t *testing.T) { |
There was a problem hiding this comment.
usually we check both empty and multiple
| policyModel := model.MaskingPolicy("test", []sdk.TableColumnSignature{ | ||
| { | ||
| Name: "a", | ||
| Type: "TEXT", |
There was a problem hiding this comment.
nit-pick: why we are sometimes using sdk.DataType and sometimes string?
| // set all fields | ||
| { | ||
| ConfigDirectory: acc.ConfigurationDirectory("TestAcc_MaskingPolicy/complete"), | ||
| ConfigVariables: tfconfig.ConfigVariablesFromModel(t, policyModel.WithBody(body).WithComment("Terraform acceptance test").WithExemptOtherPolicies(r.BooleanTrue)), |
There was a problem hiding this comment.
in the next step there are more fields set, so the "all" is inappropriate here
| { | ||
| Config: maskingPolicyConfig(newId.Name(), comment2, acc.TestDatabaseName, acc.TestSchemaName), | ||
| ConfigDirectory: acc.ConfigurationDirectory("TestAcc_MaskingPolicy/complete"), | ||
| ConfigVariables: tfconfig.ConfigVariablesFromModel(t, policyModel.WithBody(bodyWithBooleanReturnType).WithReturnDataType(string(sdk.DataTypeBoolean)).WithArgument(argumentWithChangedFirstArgumentType).WithComment("Terraform acceptance test - changed comment").WithExemptOtherPolicies(r.BooleanFalse)), |
There was a problem hiding this comment.
The way that policyModel is reused here is interesting/unsafe - that was not the initial intention to reuse it this way. It bases on the order of execution and is a bit misleading (e.g. in step 4 and step 5 we want to validate only external change but we use "different" config variables - different only in the written way, underneath it's the same pointer, with fields already set in the previous step).
Maybe the design of model is a bit flawed and we should not use the pointer but the model directly, so that we always get the copied struct. Either way, I am raising it as a topic to discuss internally.
Test Plan
References
https://docs.snowflake.com/en/sql-reference/sql/create-masking-policy
TODO