Merge pull request #57 from brainly/grant-extend-supported-object-types
Support language, function and procedure object types in redshift_grant resource
winglot authored Apr 20, 2022
2 parents d2b1e20 + 23bee63 commit be6e0d9
Showing 6 changed files with 581 additions and 10 deletions.
16 changes: 13 additions & 3 deletions docs/resources/grant.md
Expand Up @@ -26,21 +26,31 @@ resource "redshift_grant" "group" {
object_type = "schema"
privileges = ["usage"]
}
# Granting permissions to execute functions or procedures requires providing their arguments' types
resource "redshift_grant" "user" {
user = "john"
schema = "my_schema"
object_type = "function"
objects = ["my_function(float)"]
privileges = ["execute"]
}
```

<!-- schema generated by tfplugindocs -->
## Schema

### Required

- **object_type** (String) The Redshift object type to grant privileges on (one of: table, schema, database).
- **privileges** (Set of String) The list of privileges to apply as default privileges. See [GRANT command documentation](https://docs.aws.amazon.com/redshift/latest/dg/r_GRANT.html) to see what privileges are available to which object type. An empty list could be provided to revoke all privileges for this user or group
- **object_type** (String) The Redshift object type to grant privileges on (one of: table, schema, database, function, procedure, language).
- **privileges** (Set of String) The list of privileges to apply as default privileges. See [GRANT command documentation](https://docs.aws.amazon.com/redshift/latest/dg/r_GRANT.html) to see what privileges are available to which object type. An empty list could be provided to revoke all privileges for this user or group. Required when `object_type` is set to `language`.

### Optional

- **group** (String) The name of the group to grant privileges on. Either `group` or `user` parameter must be set.
- **id** (String) The ID of this resource.
- **objects** (Set of String) The objects upon which to grant the privileges. An empty list (the default) means to grant permissions on all objects of the specified type. Only has effect if `object_type` is set to `table`.
- **objects** (Set of String) The objects upon which to grant the privileges. An empty list (the default) means to grant permissions on all objects of the specified type. Ignored when `object_type` is one of (`database`, `schema`).
- **schema** (String) The database schema to grant privileges on.
- **user** (String) The name of the user to grant privileges on. Either `user` or `group` parameter must be set.

10 changes: 10 additions & 0 deletions examples/resources/redshift_grant/resource.tf
Expand Up @@ -11,3 +11,13 @@ resource "redshift_grant" "group" {
object_type = "schema"
privileges = ["usage"]
}

# Granting permissions to execute functions or procedures requires providing their arguments' types

resource "redshift_grant" "user" {
user = "john"
schema = "my_schema"
object_type = "function"
objects = ["my_function(float)"]
privileges = ["execute"]
}
43 changes: 43 additions & 0 deletions redshift/helpers.go
Expand Up @@ -154,6 +154,9 @@ func splitCsvAndTrim(raw string) ([]string, error) {
}

func validatePrivileges(privileges []string, objectType string) bool {
if objectType == "language" && len(privileges) == 0 {
return false
}
for _, p := range privileges {
switch strings.ToUpper(objectType) {
case "SCHEMA":
Expand All @@ -177,6 +180,20 @@ func validatePrivileges(privileges []string, objectType string) bool {
default:
return false
}
case "PROCEDURE", "FUNCTION":
switch strings.ToUpper(p) {
case "EXECUTE":
continue
default:
return false
}
case "LANGUAGE":
switch strings.ToUpper(p) {
case "USAGE":
continue
default:
return false
}
default:
return false
}
Expand All @@ -203,3 +220,29 @@ func setToPgIdentList(identifiers *schema.Set, prefix string) string {

return strings.Join(quoted, ",")
}

// Quoted identifiers somehow does not work for grants/revokes on functions and procedures
func setToPgIdentListNotQuoted(identifiers *schema.Set, prefix string) string {
quoted := make([]string, identifiers.Len())
for i, identifier := range identifiers.List() {
if prefix == "" {
quoted[i] = identifier.(string)
} else {
quoted[i] = fmt.Sprintf("%s.%s", prefix, identifier.(string))
}
}

return strings.Join(quoted, ",")
}

func stripArgumentsFromCallablesDefinitions(defs *schema.Set) []string {
parser := func(name string) string {
return strings.Split(name, "(")[0]
}

names := make([]string, defs.Len())
for _, def := range defs.List() {
names = append(names, parser(def.(string)))
}
return names
}
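Review bot: `stripArgumentsFromCallablesDefinitions` allocates `names` with length `defs.Len()` and then appends to it, so the returned slice is twice as long as the input and its first half is empty strings; either size it with `names := make([]string, 0, defs.Len())` or assign by index the way `setToPgIdentListNotQuoted` does. Separately, `setToPgIdentListNotQuoted` joins the configured identifiers into what is presumably the GRANT/REVOKE statement text without any quoting, so a name containing anything beyond a plain identifier and its parenthesised argument types would change the meaning of that statement; since the comment says quoting the whole `name(argtypes)` token fails, quoting only the name part and appending the argument list as-is, or validating the configured names against an identifier pattern, would keep current behaviour for well-formed input. A comment on the helper such as `// Function and procedure grants are addressed as name(argtypes); the whole token cannot be passed as a quoted identifier, so callers must ensure names are well-formed.` would record why this unquoted variant exists.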
50 changes: 50 additions & 0 deletions redshift/helpers_test.go
Expand Up @@ -50,6 +50,56 @@ func TestValidatePrivileges(t *testing.T) {
objectType: "table",
expected: true,
},
"valid list for function": {
privileges: []string{"execute"},
objectType: "function",
expected: true,
},
"invalid list for function": {
privileges: []string{"foo"},
objectType: "function",
expected: false,
},
"extended invalid list for function": {
privileges: []string{"execute", "foo"},
objectType: "function",
expected: false,
},
"valid list for procedure": {
privileges: []string{"execute"},
objectType: "procedure",
expected: true,
},
"invalid list for procedure": {
privileges: []string{"foo"},
objectType: "procedure",
expected: false,
},
"extended invalid list for procedure": {
privileges: []string{"execute", "foo"},
objectType: "procedure",
expected: false,
},
"valid list for language": {
privileges: []string{"usage"},
objectType: "language",
expected: true,
},
"invalid list for language": {
privileges: []string{"foo"},
objectType: "language",
expected: false,
},
"extended invalid list for language": {
privileges: []string{"usage", "foo"},
objectType: "language",
expected: false,
},
"empty list for language": {
privileges: []string{},
objectType: "language",
expected: false,
},
}

for name, tt := range tests {
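Review bot: The new `empty list for language` case exercises only the lower-case object type, while `validatePrivileges` in this commit compares `objectType == "language"` literally before falling into the `strings.ToUpper(objectType)` switch, so an upper-case `LANGUAGE` with an empty privilege list would presumably pass validation. A table entry pinning the intended result would make that explicit, e.g. `"empty list for upper-case language": {privileges: []string{}, objectType: "LANGUAGE", expected: false},`. The test table begins and the `for name, tt := range tests` loop body continues outside the hunk.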
