Merge pull request #30 from getindata/fix/grant_schema_privs_on_existing

fix: Grant DB schema privileges on existing schemas
getindata · Feb 20, 2024 · 22446ef · 22446ef
2 parents 7b92a52 + 6142de6
commit 22446ef
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 12 deletions.
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -12,7 +12,3 @@ on:
 jobs:
   main:
     uses: getindata/github-workflows/.github/workflows/tf-pre-commit.yml@v1
-    with:
-      # tflint v0.46.0 is the latest version we can use with pre-commit v0.1.20
-      # See .pre-commit-config.yaml for more details.
-      tflint-version: v0.46.0
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -2,14 +2,11 @@ repos:
   - repo: https://github.com/gruntwork-io/pre-commit
     # Stick to v0.1.20 until this bug is fixed: https://github.com/gruntwork-io/pre-commit/issues/102
     # When updating, also check if tflint version in pre-commit workflow can be updated.
-    rev: "v0.1.20" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases
+    rev: "v0.1.23" # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases
     hooks:
       - id: terraform-validate # It should be the first step as it runs terraform init required by tflint
       - id: terraform-fmt
       - id: tflint
-        args:
-          - --module
-          - --config=.tflint.hcl
 
   - repo: https://github.com/terraform-docs/terraform-docs
     rev: "v0.16.0" # Get the latest from: https://github.com/terraform-docs/terraform-docs/releases

diff --git a/README.md b/README.md
@@ -86,8 +86,8 @@ module "snowflake_database" {
 |------|--------|---------|
 | <a name="module_database_label"></a> [database\_label](#module\_database\_label) | cloudposse/label/null | 0.25.0 |
 | <a name="module_roles_deep_merge"></a> [roles\_deep\_merge](#module\_roles\_deep\_merge) | Invicton-Labs/deepmerge/null | 0.1.5 |
-| <a name="module_snowflake_custom_role"></a> [snowflake\_custom\_role](#module\_snowflake\_custom\_role) | getindata/role/snowflake | 1.0.3 |
-| <a name="module_snowflake_default_role"></a> [snowflake\_default\_role](#module\_snowflake\_default\_role) | getindata/role/snowflake | 1.0.3 |
+| <a name="module_snowflake_custom_role"></a> [snowflake\_custom\_role](#module\_snowflake\_custom\_role) | getindata/role/snowflake | 1.4.0 |
+| <a name="module_snowflake_default_role"></a> [snowflake\_default\_role](#module\_snowflake\_default\_role) | getindata/role/snowflake | 1.4.0 |
 | <a name="module_snowflake_schema"></a> [snowflake\_schema](#module\_snowflake\_schema) | getindata/schema/snowflake | 1.5.0 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 
@@ -120,6 +120,7 @@ module "snowflake_database" {
 |------|------|
 | [snowflake_database.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/database) | resource |
 | [snowflake_database_grant.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/database_grant) | resource |
+| [snowflake_schema_grant.existing](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/schema_grant) | resource |
 | [snowflake_schema_grant.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/schema_grant) | resource |
 <!-- END_TF_DOCS -->
 

diff --git a/main.tf b/main.tf
@@ -26,7 +26,7 @@ module "snowflake_default_role" {
   for_each = local.default_roles
 
   source  = "getindata/role/snowflake"
-  version = "1.0.3"
+  version = "1.4.0"
 
   context         = module.this.context
   enabled         = local.create_default_roles && each.value.enabled
@@ -45,7 +45,7 @@ module "snowflake_custom_role" {
   for_each = local.custom_roles
 
   source  = "getindata/role/snowflake"
-  version = "1.0.3"
+  version = "1.4.0"
 
   context         = module.this.context
   enabled         = local.enabled && each.value.enabled
@@ -107,3 +107,15 @@ resource "snowflake_schema_grant" "this" {
   privilege     = each.key
   roles         = each.value
 }
+
+resource "snowflake_schema_grant" "existing" {
+  for_each = local.enabled ? transpose({ for role_name, role in local.roles : local.roles[role_name].name =>
+    lookup(local.roles_definition[role_name], "schema_grants", [])
+    if lookup(local.roles_definition[role_name], "enabled", true)
+  }) : {}
+
+  database_name = one(snowflake_database.this[*].name)
+  on_all        = true
+  privilege     = each.key
+  roles         = each.value
+}