Snowflake-Labs · sfc-gh-asawicki · May 23, 2024 · Apr 19, 2024 · Apr 20, 2024 · Apr 22, 2024
diff --git a/docs/resources/network_policy.md b/docs/resources/network_policy.md
@@ -12,12 +12,21 @@ description: |-
 ## Example Usage
 
 ```terraform
+resource "snowflake_network_rule" "rule" {
+  name       = "rule"
+  database   = "EXAMPLE_DB"
+  schema     = "EXAMPLE_SCHEMA"
+  comment    = "A rule."
+  type       = "IPV4"
+  mode       = "INGRESS"
+  value_list = ["192.168.0.100/24", "29.254.123.20"]
+}
+
 resource "snowflake_network_policy" "policy" {
   name    = "policy"
   comment = "A policy."
 
-  allowed_ip_list = ["192.168.0.100/24"]
-  blocked_ip_list = ["192.168.0.101"]
+  allowed_network_rule_list = [snowflake_network_rule.rule.qualified_name]
 }
 ```
 
@@ -26,12 +35,14 @@ resource "snowflake_network_policy" "policy" {
 
 ### Required
 
-- `allowed_ip_list` (Set of String) Specifies one or more IPv4 addresses (CIDR notation) that are allowed access to your Snowflake account
 - `name` (String) Specifies the identifier for the network policy; must be unique for the account in which the network policy is created.
 
 ### Optional
 
-- `blocked_ip_list` (Set of String) Specifies one or more IPv4 addresses (CIDR notation) that are denied access to your Snowflake account<br><br>**Do not** add `0.0.0.0/0` to `blocked_ip_list`
+- `allowed_ip_list` (Set of String) Specifies one or more IPv4 addresses (CIDR notation) that are allowed access to your Snowflake account.
+- `allowed_network_rule_list` (Set of String) Specifies a list of fully qualified network rules that contain the network identifiers that are allowed access to Snowflake.
+- `blocked_ip_list` (Set of String) Specifies one or more IPv4 addresses (CIDR notation) that are denied access to your Snowflake account<br><br>**Do not** add `0.0.0.0/0` to `blocked_ip_list`.
+- `blocked_network_rule_list` (Set of String) Specifies a list of fully qualified network rules that contain the network identifiers that are denied access to Snowflake.
 - `comment` (String) Specifies a comment for the network policy.
 
 ### Read-Only

diff --git a/docs/resources/network_rule.md b/docs/resources/network_rule.md
@@ -0,0 +1,53 @@
+---
+page_title: "snowflake_network_rule Resource - terraform-provider-snowflake"
+subcategory: ""
+description: |-
+
+---
+
+# snowflake_network_rule (Resource)
+
+
+
+## Example Usage
+
+```terraform
+resource "snowflake_network_rule" "rule" {
+  name       = "rule"
+  database   = "EXAMPLE_DB"
+  schema     = "EXAMPLE_SCHEMA"
+  comment    = "A rule."
+  type       = "IPV4"
+  mode       = "INGRESS"
+  value_list = ["192.168.0.100/24", "29.254.123.20"]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `database` (String) The database in which to create the network rule.
+- `mode` (String) Specifies what is restricted by the network rule. Valid values are INGRESS, INTERNAL_STAGE and EGRESS; see https://docs.snowflake.com/en/sql-reference/sql/create-network-rule#required-parameters for details.
+- `name` (String) Specifies the identifier for the network rule; must be unique for the database and schema in which the network rule is created.
+- `schema` (String) The schema in which to create the network rule.
+- `type` (String) Specifies the type of network identifiers being allowed or blocked. A network rule can have only one type. Allowed values are IPV4, AWSVPCEID, AZURELINKID and HOST_PORT; allowed values are determined by the mode of the network rule; see https://docs.snowflake.com/en/sql-reference/sql/create-network-rule#required-parameters for details.
+- `value_list` (Set of String) Specifies the network identifiers that will be allowed or blocked. Valid values in the list are determined by the type of network rule, see https://docs.snowflake.com/en/sql-reference/sql/create-network-rule#required-parameters for details.
+
+### Optional
+
+- `comment` (String) Specifies a comment for the network rule.
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+- `qualified_name` (String) Qualified name of the network rule.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+terraform import snowflake_network_rule.example 'databaseName|schemaName|networkRuleName'
+```
diff --git a/examples/resources/snowflake_network_policy/resource.tf b/examples/resources/snowflake_network_policy/resource.tf
@@ -1,7 +1,16 @@
+resource "snowflake_network_rule" "rule" {
+  name       = "rule"
+  database   = "EXAMPLE_DB"
+  schema     = "EXAMPLE_SCHEMA"
+  comment    = "A rule."
+  type       = "IPV4"
+  mode       = "INGRESS"
+  value_list = ["192.168.0.100/24", "29.254.123.20"]
+}
+
 resource "snowflake_network_policy" "policy" {
   name    = "policy"
   comment = "A policy."
 
-  allowed_ip_list = ["192.168.0.100/24"]
-  blocked_ip_list = ["192.168.0.101"]
+  allowed_network_rule_list = [snowflake_network_rule.rule.qualified_name]
 }
diff --git a/examples/resources/snowflake_network_rule/import.sh b/examples/resources/snowflake_network_rule/import.sh
@@ -0,0 +1 @@
+terraform import snowflake_network_rule.example 'databaseName|schemaName|networkRuleName'
diff --git a/examples/resources/snowflake_network_rule/resource.tf b/examples/resources/snowflake_network_rule/resource.tf
@@ -0,0 +1,9 @@
+resource "snowflake_network_rule" "rule" {
+  name       = "rule"
+  database   = "EXAMPLE_DB"
+  schema     = "EXAMPLE_SCHEMA"
+  comment    = "A rule."
+  type       = "IPV4"
+  mode       = "INGRESS"
+  value_list = ["192.168.0.100/24", "29.254.123.20"]
+}
diff --git a/pkg/acceptance/check_destroy.go b/pkg/acceptance/check_destroy.go
@@ -108,6 +108,9 @@ var showByIdFunctions = map[resources.Resource]showByIdFunc{
 	resources.NetworkPolicy: func(ctx context.Context, client *sdk.Client, id sdk.ObjectIdentifier) error {
 		return runShowById(ctx, id, client.NetworkPolicies.ShowByID)
 	},
+	resources.NetworkRule: func(ctx context.Context, client *sdk.Client, id sdk.ObjectIdentifier) error {
+		return runShowById(ctx, id, client.NetworkRules.ShowByID)
+	},
 	resources.NotificationIntegration: func(ctx context.Context, client *sdk.Client, id sdk.ObjectIdentifier) error {
 		return runShowById(ctx, id, client.NotificationIntegrations.ShowByID)
 	},

diff --git a/pkg/provider/provider.go b/pkg/provider/provider.go
@@ -478,6 +478,7 @@ func getResources() map[string]*schema.Resource {
 		"snowflake_materialized_view":                       resources.MaterializedView(),
 		"snowflake_network_policy":                          resources.NetworkPolicy(),
 		"snowflake_network_policy_attachment":               resources.NetworkPolicyAttachment(),
+		"snowflake_network_rule":                            resources.NetworkRule(),
 		"snowflake_notification_integration":                resources.NotificationIntegration(),
 		"snowflake_oauth_integration":                       resources.OAuthIntegration(),
 		"snowflake_object_parameter":                        resources.ObjectParameter(),

diff --git a/pkg/provider/resources/resources.go b/pkg/provider/resources/resources.go
@@ -19,6 +19,7 @@ const (
 	MaskingPolicy                resource = "snowflake_masking_policy"
 	MaterializedView             resource = "snowflake_materialized_view"
 	NetworkPolicy                resource = "snowflake_network_policy"
+	NetworkRule                  resource = "snowflake_network_rule"
 	NotificationIntegration      resource = "snowflake_notification_integration"
 	PasswordPolicy               resource = "snowflake_password_policy"
 	Pipe                         resource = "snowflake_pipe"