Snowflake-Labs · sfc-gh-jmichalak · May 16, 2024 · Apr 10, 2024 · Apr 11, 2024 · Apr 13, 2024
diff --git a/docs/resources/grant_application_role.md b/docs/resources/grant_application_role.md
@@ -0,0 +1,66 @@
+---
+page_title: "snowflake_grant_application_role Resource - terraform-provider-snowflake"
+subcategory: ""
+description: |-
+
+---
+
+# snowflake_grant_application_role (Resource)
+
+
+
+## Example Usage
+
+```terraform
+locals {
+  application_role_identifier = "\"my_appplication\".\"app_role_1\""
+}
+
+##################################
+### grant application role to account role
+##################################
+
+
+resource "snowflake_role" "role" {
+  name = "my_role"
+}
+
+resource "snowflake_grant_application_role" "g" {
+  application_role_name    = local.application_role_identifier
+  parent_account_role_name = snowflake_role.role.name
+}
+
+##################################
+### grant application role to application
+##################################
+
+resource "snowflake_grant_application_role" "g" {
+  application_role_name = local.application_role_identifier
+  application_name      = "my_second_application"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `application_role_name` (String) Specifies the identifier for the application role to grant.
+
+### Optional
+
+- `application_name` (String) The fully qualified name of the application on which application role will be granted.
+- `parent_account_role_name` (String) The fully qualified name of the account role on which application role will be granted.
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# format is application_role_name (string) | object_type (ACCOUNT_ROLE|APPLICATION) | grantee_name (string)
+terraform import "\"my_application\".\"app_role_1\"|ACCOUNT_ROLE|\"my_role\""
+```
diff --git a/examples/resources/snowflake_grant_application_role/import.sh b/examples/resources/snowflake_grant_application_role/import.sh
@@ -0,0 +1,2 @@
+# format is application_role_name (string) | object_type (ACCOUNT_ROLE|APPLICATION) | grantee_name (string)
+terraform import "\"my_application\".\"app_role_1\"|ACCOUNT_ROLE|\"my_role\""
diff --git a/examples/resources/snowflake_grant_application_role/resource.tf b/examples/resources/snowflake_grant_application_role/resource.tf
@@ -0,0 +1,26 @@
+locals {
+  application_role_identifier = "\"my_appplication\".\"app_role_1\""
+}
+
+##################################
+### grant application role to account role
+##################################
+
+
+resource "snowflake_role" "role" {
+  name = "my_role"
+}
+
+resource "snowflake_grant_application_role" "g" {
+  application_role_name    = local.application_role_identifier
+  parent_account_role_name = snowflake_role.role.name
+}
+
+##################################
+### grant application role to application
+##################################
+
+resource "snowflake_grant_application_role" "g" {
+  application_role_name = local.application_role_identifier
+  application_name      = "my_second_application"
+}
diff --git a/pkg/acceptance/check_destroy.go b/pkg/acceptance/check_destroy.go
@@ -9,6 +9,7 @@ import (
 	"testing"
 
 	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/helpers"
+	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/internal/provider"
 	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/provider/resources"
 	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
@@ -363,3 +364,34 @@ func CheckUserPasswordPolicyAttachmentDestroy(t *testing.T) func(*terraform.Stat
 		return nil
 	}
 }
+
+func TestAccCheckGrantApplicationRoleDestroy(s *terraform.State) error {
+	client := TestAccProvider.Meta().(*provider.Context).Client
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "snowflake_grant_application_role" {
+			continue
+		}
+		ctx := context.Background()
+		id := rs.Primary.ID
+		ids := strings.Split(id, "|")
+		applicationRoleName := ids[0]
+		objectType := ids[1]
+		parentRoleName := ids[2]
+		grants, err := client.Grants.Show(ctx, &sdk.ShowGrantOptions{
+			Of: &sdk.ShowGrantsOf{
+				ApplicationRole: sdk.NewDatabaseObjectIdentifierFromFullyQualifiedName(applicationRoleName),
+			},
+		})
+		if err != nil {
+			continue
+		}
+		for _, grant := range grants {
+			if grant.GrantedTo == sdk.ObjectType(objectType) {
+				if grant.GranteeName.FullyQualifiedName() == parentRoleName {
+					return fmt.Errorf("application role grant %v still exists", grant)
+				}
+			}
+		}
+	}
+	return nil
+}
diff --git a/pkg/acceptance/helpers/application_client.go b/pkg/acceptance/helpers/application_client.go
@@ -27,7 +27,6 @@ func (c *ApplicationClient) client() sdk.Applications {
 func (c *ApplicationClient) CreateApplication(t *testing.T, packageId sdk.AccountObjectIdentifier, version string) (*sdk.Application, func()) {
 	t.Helper()
 	ctx := context.Background()
-
 	id := c.ids.RandomAccountObjectIdentifier()
 	err := c.client().Create(ctx, sdk.NewCreateApplicationRequest(id, packageId).WithVersion(sdk.NewApplicationVersionRequest().WithVersionAndPatch(sdk.NewVersionAndPatchRequest(version, nil))))
 	require.NoError(t, err)

diff --git a/pkg/provider/provider.go b/pkg/provider/provider.go
@@ -467,6 +467,7 @@ func getResources() map[string]*schema.Resource {
 		"snowflake_file_format":                             resources.FileFormat(),
 		"snowflake_function":                                resources.Function(),
 		"snowflake_grant_account_role":                      resources.GrantAccountRole(),
+		"snowflake_grant_application_role":                  resources.GrantApplicationRole(),
 		"snowflake_grant_database_role":                     resources.GrantDatabaseRole(),
 		"snowflake_grant_ownership":                         resources.GrantOwnership(),
 		"snowflake_grant_privileges_to_role":                resources.GrantPrivilegesToRole(),