dbt-snow-mask icon indicating copy to clipboard operation
dbt-snow-mask copied to clipboard

Published 20 hours ago verified publisher icon entechlog

Feature request: Handle updated policies automatically

Open rumbin opened this issue 3 years ago • 7 comments

Currently, if an existing policy is updated, it needs to be unapplied, deleted, created (or CREATE OR REPLACE...) and applied again. This is imho a manual process which is cumbersome when applied to production environments. It would be great if we could find a solution which handles these things automatically.

rumbin avatar Jul 19 '21 18:07 rumbin

Just got aware of the fact that this is ak known limitation. Nevertheless, I think that handling this as an open issue is probably a good idea,so we can discuss ideas here...

rumbin avatar Jul 19 '21 18:07 rumbin

I ran into this as well and had to choose between the IF EXISTS clause or the OR REPLACE clause. Maybe a separate Update procedure that unapplies, drops, then creates?

eugenekim-orrum avatar Nov 05 '21 20:11 eugenekim-orrum

  • @eugenekim-orrum Sorry that you faced this issue.
  • I am managing with REPLACE clause now but thinking to enhance unapply macro.
  • Do you have a list of actions which needs to happen and the scenarios on which this policy update would happen ?
  • Tagging @robscriva as well here to discuss ideas and options

entechlog avatar Apr 22 '22 22:04 entechlog

I'm coming to the party late so maybe things have changed in Snowflake since previous comments. Snowflake has an ALTER MASKING POLICY command which allows you to change the masking policy without having to go through the "unapplied, deleted, created (or CREATE OR REPLACE...) and applied again" process.

I'm still new to dbt, but I was able to build a macro that checks for the existence of the masking policy and does a CREATE or ALTER, depending on the result of the check.

Perhaps something like that could be added to the package.

mjahammel avatar Jan 06 '23 15:01 mjahammel

Hello @mjahammel, I am open for suggestions and enhancements to the package. Do you mind sharing the source code for your macro, perhaps we can check and work together to see if this enhancement can be implemented ?

entechlog avatar Mar 28 '23 19:03 entechlog

@entechlog , I will create a pull request with the new macro and an implementation of it.

mjahammel avatar Mar 30 '23 15:03 mjahammel

Hi, I found this looking for a more elegant solution, but in case it helps, I'm solving this by adding both create masking policy if not exists and then, if I have to edit it, adding a alter masking policy if exists

{% macro create_masking_policy_mp_mask_pii(node_database,node_schema) %}

CREATE MASKING POLICY IF NOT EXISTS {{node_database}}.{{node_schema}}.mp_mask_pii AS (val string) 
  RETURNS string -> IFF(CURRENT_ROLE() IN ('ROLE1'),  val, '**********' );

ALTER MASKING POLICY IF EXISTS {{node_database}}.{{node_schema}}.mp_mask_pii SET BODY ->
  IFF(CURRENT_ROLE() IN ('ROLE1', 'ROLE2'),  val, '**********' )

{% endmacro %}

First time you run the macro in a new environment, it will run both, the create and alter, following runs, it will run only the alter as it is already created.

romansegador avatar Jul 19 '23 17:07 romansegador