terraform-provider-snowflake icon indicating copy to clipboard operation
terraform-provider-snowflake copied to clipboard
verified publisher icon Snowflake-Labs

Replacing snowflake_database_grant - granting access to a role and a share

Open natashamathur opened this issue 1 year ago • 4 comments

Terraform Provider Version

0.88.0

Terraform Configuration

resource "snowflake_database_grant" "ext_db_grant_usage" {
  provider          = snowflake.account_admin
  database_name     = snowflake_database.ext_db.name
  privilege         = "USAGE"
  roles             = [snowflake_role.data_engineer_role.name]
  shares            = [snowflake_share.ext_share.name]
  with_grant_option = false
}

Category

category:grants

Expected Behavior

I am trying to update the above grant using the new format. The example in the migration guide explains how to grant access to a database to 2 roles.

However is there a way to grant access to a share as well as a role? How should the above grant be changed with the new setup?

Actual Behavior

Grant usage to share and role

How much impact is this issue causing?

Medium

natashamathur avatar Apr 30 '24 20:04 natashamathur

While we're on the topic of shares, I wanted to confirm whether this is the right way to grant a share usage on a database. It's putting a snowflake_share.example_share.name in the account_role category, which seemed a bit odd.

resource "snowflake_grant_privileges_to_account_role" "raw_db_reference_usage_grant" {
    for_each   = toset([
      snowflake_share.ext_a_share.name,
      snowflake_share.ext_b_share.name,
      snowflake_share.ext_c_share.name
    ])
    privileges = ["USAGE"]
    account_role_name  = each.key
    on_account_object {
      object_type = "DATABASE"
      object_name = snowflake_database.raw.name
  }
}```

natashamathur avatar Apr 30 '24 20:04 natashamathur

Shares are now granted permissions through the resource snowflake_grant_privileges_to_share.

samanthaduggan avatar Apr 30 '24 20:04 samanthaduggan

Okay - so does this grant need to be split into 2 separate blocks?

resource "snowflake_database_grant" "ext_db_grant_usage" { provider = snowflake.account_admin database_name = snowflake_database.ext_db.name privilege = "USAGE" roles = [snowflake_role.data_engineer_role.name] shares = [snowflake_share.ext_share.name] with_grant_option = false }

natashamathur avatar Apr 30 '24 20:04 natashamathur

Hey @natashamathur. Thanks for reaching out to us.

Yes, you have to use two resources: snowflake_grant_privileges_to_account_role and snowflake_grant_privileges_to_share.

sfc-gh-asawicki avatar May 02 '24 08:05 sfc-gh-asawicki

Hey @natashamathur. Do you need anything more in that matter or can we close this issue?

sfc-gh-asawicki avatar May 15 '24 08:05 sfc-gh-asawicki

Is it possible to grant a role access to multiple tables or views in the same grant block? I am looking for ways to prevent my files from getting extremely long with all the new grants. I'll try for_each but wanted to confirm whether or not that was an accepted use case.

natashamathur avatar May 15 '24 13:05 natashamathur

It's not possible without the for_each currently.

sfc-gh-asawicki avatar May 15 '24 13:05 sfc-gh-asawicki

Okay. Right now we have about 30 views that need to be granted to various roles and shares. Would you recommend creating a block for each role / share, and then using for_each to grant access to all the necessary views? Or another approach?

natashamathur avatar May 15 '24 13:05 natashamathur

Any approach that fits your needs is acceptable. For sure, using for_each makes the config more condensed, so if the proposed block fits your needs - go with it.

sfc-gh-asawicki avatar May 15 '24 14:05 sfc-gh-asawicki