fix: UNSET and empty SET in network policies (#2759)

Removed UnsetComment field. This is now nested as Unset.Comment with unsetting other fields.  ## Test Plan  * [x] acceptance tests  * [x] integration tests * [x] unit tests ## References  https://docs.snowflake.com/en/sql-reference/sql/alter-network-policy -- UNSET should be documented.
Snowflake-Labs · May 6, 2024 · 3eacb0b · 3eacb0b
1 parent df025b0
commit 3eacb0b
Show file tree

Hide file tree

Showing 11 changed files with 441 additions and 74 deletions.
diff --git a/pkg/resources/network_policy.go b/pkg/resources/network_policy.go
@@ -149,7 +149,8 @@ func UpdateNetworkPolicy(d *schema.ResourceData, meta interface{}) error {
 		comment := d.Get("comment")
 
 		if c := comment.(string); c == "" {
-			err := client.NetworkPolicies.Alter(ctx, baseReq.WithUnsetComment(sdk.Bool(true)))
+			unsetReq := sdk.NewNetworkPolicyUnsetRequest().WithComment(sdk.Bool(true))
+			err := client.NetworkPolicies.Alter(ctx, baseReq.WithUnset(unsetReq))
 			if err != nil {
 				return fmt.Errorf("error unsetting comment for network policy %v err = %w", name, err)
 			}
@@ -168,7 +169,7 @@ func UpdateNetworkPolicy(d *schema.ResourceData, meta interface{}) error {
 		for i, v := range newIps {
 			ipRequests[i] = *sdk.NewIPRequest(v)
 		}
-		setReq := sdk.NewNetworkPolicySetRequest().WithAllowedIpList(ipRequests)
+		setReq := sdk.NewNetworkPolicySetRequest().WithAllowedIpList(sdk.NewAllowedIPListRequest().WithAllowedIPList(ipRequests))
 		err := client.NetworkPolicies.Alter(ctx, baseReq.WithSet(setReq))
 		if err != nil {
 			return fmt.Errorf("error updating ALLOWED_IP_LIST for network policy %v err = %w", name, err)
@@ -181,7 +182,7 @@ func UpdateNetworkPolicy(d *schema.ResourceData, meta interface{}) error {
 		for i, v := range newIps {
 			ipRequests[i] = *sdk.NewIPRequest(v)
 		}
-		setReq := sdk.NewNetworkPolicySetRequest().WithBlockedIpList(ipRequests)
+		setReq := sdk.NewNetworkPolicySetRequest().WithBlockedIpList(sdk.NewBlockedIPListRequest().WithBlockedIPList(ipRequests))
 		err := client.NetworkPolicies.Alter(ctx, baseReq.WithSet(setReq))
 		if err != nil {
 			return fmt.Errorf("error updating BLOCKED_IP_LIST for network policy %v err = %w", name, err)

diff --git a/pkg/resources/network_policy_acceptance_test.go b/pkg/resources/network_policy_acceptance_test.go
@@ -35,7 +35,7 @@ func TestAcc_NetworkPolicy(t *testing.T) {
 					resource.TestCheckResourceAttr("snowflake_network_policy.test", "blocked_ip_list.#", "0"),
 				),
 			},
-			// CHANGE PROPERTIES
+			// CHANGE PROPERTIES - add to and remove from ip lists
 			{
 				Config: networkPolicyConfig2(name),
 				Check: resource.ComposeTestCheckFunc(
@@ -45,7 +45,23 @@ func TestAcc_NetworkPolicy(t *testing.T) {
 					resource.TestCheckResourceAttr("snowflake_network_policy.test", "blocked_ip_list.#", "1"),
 				),
 			},
-			// IMPORT
+			// IMPORT - all fields are non-empty
+			{
+				ResourceName:      "snowflake_network_policy.test",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			// CHANGE PROPERTIES - set empty ip lists
+			{
+				Config: networkPolicyConfig3(name),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("snowflake_network_policy.test", "name", name),
+					resource.TestCheckResourceAttr("snowflake_network_policy.test", "comment", networkPolicyComment),
+					resource.TestCheckResourceAttr("snowflake_network_policy.test", "allowed_ip_list.#", "0"),
+					resource.TestCheckResourceAttr("snowflake_network_policy.test", "blocked_ip_list.#", "0"),
+				),
+			},
+			// IMPORT - incomplete
 			{
 				ResourceName:      "snowflake_network_policy.test",
 				ImportState:       true,
@@ -75,3 +91,13 @@ resource "snowflake_network_policy" "test" {
 }
 `, name, networkPolicyComment)
 }
+
+func networkPolicyConfig3(name string) string {
+	return fmt.Sprintf(`
+resource "snowflake_network_policy" "test" {
+	name            = "%v"
+	comment         = "%v"
+	allowed_ip_list = []
+}
+`, name, networkPolicyComment)
+}
diff --git a/pkg/sdk/README.md b/pkg/sdk/README.md
@@ -20,5 +20,5 @@ TEST_SF_TF_TEST_ACCOUNT_CREATE=1
 | `ddl:"static"`     | `sqlStaticClause`     | `WORD`                                                                        |
 | `ddl:"keyword"`    | `sqlKeywordClause`    | `"WORD"` (quotes configurable)                                                |
 | `ddl:"identifier"` | `sqlIdentifierClause` | `"a.b.c"` or `OBJ_TYPE "a.b.c"`                                               |
-| `ddl:"parameter"`  | `sqlParameterClause`  | `PARAM = "value"` (quotes configurable) or `PARAM = 2`                        |                                          |
+| `ddl:"parameter"`  | `sqlParameterClause`  | `PARAM = "value"` (quotes configurable) or `PARAM = 2`                        |
 | `ddl:"list"`       | `sqlListClause`       | `WORD (<subclause>, <subclause>)` (WORD, parentheses, separator configurable) |
diff --git a/pkg/sdk/network_policies_def.go b/pkg/sdk/network_policies_def.go
@@ -8,6 +8,18 @@ var (
 	ip = g.NewQueryStruct("IP").
 		Text("IP", g.KeywordOptions().SingleQuotes().Required())
 
+	allowedNetworkRuleList = g.NewQueryStruct("AllowedNetworkRuleList").
+				List("AllowedNetworkRuleList", "SchemaObjectIdentifier", g.ListOptions().MustParentheses())
+
+	blockedNetworkRuleList = g.NewQueryStruct("BlockedNetworkRuleList").
+				List("BlockedNetworkRuleList", "SchemaObjectIdentifier", g.ListOptions().MustParentheses())
+
+	allowedIPList = g.NewQueryStruct("AllowedIPList").
+			ListQueryStructField("AllowedIPList", ip, g.ListOptions().MustParentheses())
+
+	blockedIPList = g.NewQueryStruct("BlockedIPList").
+			ListQueryStructField("BlockedIPList", ip, g.ListOptions().MustParentheses())
+
 	networkPoliciesAddNetworkRule = g.NewQueryStruct("AddNetworkRule").
 					ListAssignment("ALLOWED_NETWORK_RULE_LIST", "SchemaObjectIdentifier", g.ParameterOptions().Parentheses()).
 					ListAssignment("BLOCKED_NETWORK_RULE_LIST", "SchemaObjectIdentifier", g.ParameterOptions().Parentheses()).
@@ -47,14 +59,25 @@ var (
 				OptionalQueryStructField(
 					"Set",
 					g.NewQueryStruct("NetworkPolicySet").
-						ListAssignment("ALLOWED_NETWORK_RULE_LIST", "SchemaObjectIdentifier", g.ParameterOptions().Parentheses()).
-						ListAssignment("BLOCKED_NETWORK_RULE_LIST", "SchemaObjectIdentifier", g.ParameterOptions().Parentheses()).
-						ListQueryStructField("AllowedIpList", ip, g.ParameterOptions().SQL("ALLOWED_IP_LIST").Parentheses()).
-						ListQueryStructField("BlockedIpList", ip, g.ParameterOptions().SQL("BLOCKED_IP_LIST").Parentheses()).
+						OptionalQueryStructField("AllowedNetworkRuleList", allowedNetworkRuleList, g.ParameterOptions().SQL("ALLOWED_NETWORK_RULE_LIST").Parentheses()).
+						OptionalQueryStructField("BlockedNetworkRuleList", blockedNetworkRuleList, g.ParameterOptions().SQL("BLOCKED_NETWORK_RULE_LIST").Parentheses()).
+						OptionalQueryStructField("AllowedIpList", allowedIPList, g.ParameterOptions().SQL("ALLOWED_IP_LIST").Parentheses()).
+						OptionalQueryStructField("BlockedIpList", blockedIPList, g.ParameterOptions().SQL("BLOCKED_IP_LIST").Parentheses()).
 						OptionalTextAssignment("COMMENT", g.ParameterOptions().SingleQuotes()).
 						WithValidation(g.AtLeastOneValueSet, "AllowedIpList", "BlockedIpList", "Comment", "AllowedNetworkRuleList", "BlockedNetworkRuleList"),
 					g.KeywordOptions().SQL("SET"),
 				).
+				OptionalQueryStructField(
+					"Unset",
+					g.NewQueryStruct("NetworkPolicyUnset").
+						OptionalSQL("ALLOWED_NETWORK_RULE_LIST").
+						OptionalSQL("BLOCKED_NETWORK_RULE_LIST").
+						OptionalSQL("ALLOWED_IP_LIST").
+						OptionalSQL("BLOCKED_IP_LIST").
+						OptionalSQL("COMMENT").
+						WithValidation(g.AtLeastOneValueSet, "AllowedIpList", "BlockedIpList", "Comment", "AllowedNetworkRuleList", "BlockedNetworkRuleList"),
+					g.ListOptions().NoParentheses().SQL("UNSET"),
+				).
 				OptionalQueryStructField(
 					"Add",
 					networkPoliciesAddNetworkRule,
@@ -65,10 +88,9 @@ var (
 					networkPoliciesRemoveNetworkRule,
 					g.KeywordOptions().SQL("REMOVE"),
 				).
-				OptionalSQL("UNSET COMMENT").
 				Identifier("RenameTo", g.KindOfTPointer[AccountObjectIdentifier](), g.IdentifierOptions().SQL("RENAME TO")).
 				WithValidation(g.ValidIdentifier, "name").
-				WithValidation(g.ExactlyOneValueSet, "Set", "UnsetComment", "RenameTo", "Add", "Remove").
+				WithValidation(g.ExactlyOneValueSet, "Set", "Unset", "RenameTo", "Add", "Remove").
 				WithValidation(g.ValidIdentifierIfSet, "RenameTo"),
 		).
 		DropOperation(

diff --git a/pkg/sdk/network_policies_dto_builders_gen.go b/pkg/sdk/network_policies_dto_builders_gen.go
diff --git a/pkg/sdk/network_policies_dto_gen.go b/pkg/sdk/network_policies_dto_gen.go
@@ -20,30 +20,50 @@ type CreateNetworkPolicyRequest struct {
 	Comment                *string
 }
 
-func (r *CreateNetworkPolicyRequest) GetName() AccountObjectIdentifier {
-	return r.name
-}
-
 type IPRequest struct {
 	IP string // required
 }
 
 type AlterNetworkPolicyRequest struct {
-	IfExists     *bool
-	name         AccountObjectIdentifier // required
-	Set          *NetworkPolicySetRequest
-	Add          *AddNetworkRuleRequest
-	Remove       *RemoveNetworkRuleRequest
-	UnsetComment *bool
-	RenameTo     *AccountObjectIdentifier
+	IfExists *bool
+	name     AccountObjectIdentifier // required
+	Set      *NetworkPolicySetRequest
+	Unset    *NetworkPolicyUnsetRequest
+	Add      *AddNetworkRuleRequest
+	Remove   *RemoveNetworkRuleRequest
+	RenameTo *AccountObjectIdentifier
 }
 
 type NetworkPolicySetRequest struct {
+	AllowedNetworkRuleList *AllowedNetworkRuleListRequest
+	BlockedNetworkRuleList *BlockedNetworkRuleListRequest
+	AllowedIpList          *AllowedIPListRequest
+	BlockedIpList          *BlockedIPListRequest
+	Comment                *string
+}
+
+type AllowedNetworkRuleListRequest struct {
 	AllowedNetworkRuleList []SchemaObjectIdentifier
+}
+
+type BlockedNetworkRuleListRequest struct {
 	BlockedNetworkRuleList []SchemaObjectIdentifier
-	AllowedIpList          []IPRequest
-	BlockedIpList          []IPRequest
-	Comment                *string
+}
+
+type AllowedIPListRequest struct {
+	AllowedIPList []IPRequest
+}
+
+type BlockedIPListRequest struct {
+	BlockedIPList []IPRequest
+}
+
+type NetworkPolicyUnsetRequest struct {
+	AllowedNetworkRuleList *bool
+	BlockedNetworkRuleList *bool
+	AllowedIpList          *bool
+	BlockedIpList          *bool
+	Comment                *bool
 }
 
 type AddNetworkRuleRequest struct {

diff --git a/pkg/sdk/network_policies_gen.go b/pkg/sdk/network_policies_gen.go
@@ -24,6 +24,10 @@ type CreateNetworkPolicyOptions struct {
 	Comment                *string                  `ddl:"parameter,single_quotes" sql:"COMMENT"`
 }
 
+func (r *CreateNetworkPolicyRequest) GetName() AccountObjectIdentifier {
+	return r.name
+}
+
 type IP struct {
 	IP string `ddl:"keyword,single_quotes"`
 }
@@ -35,18 +39,42 @@ type AlterNetworkPolicyOptions struct {
 	IfExists      *bool                    `ddl:"keyword" sql:"IF EXISTS"`
 	name          AccountObjectIdentifier  `ddl:"identifier"`
 	Set           *NetworkPolicySet        `ddl:"keyword" sql:"SET"`
+	Unset         *NetworkPolicyUnset      `ddl:"list,no_parentheses" sql:"UNSET"`
 	Add           *AddNetworkRule          `ddl:"keyword" sql:"ADD"`
 	Remove        *RemoveNetworkRule       `ddl:"keyword" sql:"REMOVE"`
-	UnsetComment  *bool                    `ddl:"keyword" sql:"UNSET COMMENT"`
 	RenameTo      *AccountObjectIdentifier `ddl:"identifier" sql:"RENAME TO"`
 }
 
 type NetworkPolicySet struct {
-	AllowedNetworkRuleList []SchemaObjectIdentifier `ddl:"parameter,parentheses" sql:"ALLOWED_NETWORK_RULE_LIST"`
-	BlockedNetworkRuleList []SchemaObjectIdentifier `ddl:"parameter,parentheses" sql:"BLOCKED_NETWORK_RULE_LIST"`
-	AllowedIpList          []IP                     `ddl:"parameter,parentheses" sql:"ALLOWED_IP_LIST"`
-	BlockedIpList          []IP                     `ddl:"parameter,parentheses" sql:"BLOCKED_IP_LIST"`
-	Comment                *string                  `ddl:"parameter,single_quotes" sql:"COMMENT"`
+	AllowedNetworkRuleList *AllowedNetworkRuleList `ddl:"parameter,parentheses" sql:"ALLOWED_NETWORK_RULE_LIST"`
+	BlockedNetworkRuleList *BlockedNetworkRuleList `ddl:"parameter,parentheses" sql:"BLOCKED_NETWORK_RULE_LIST"`
+	AllowedIpList          *AllowedIPList          `ddl:"parameter,parentheses" sql:"ALLOWED_IP_LIST"`
+	BlockedIpList          *BlockedIPList          `ddl:"parameter,parentheses" sql:"BLOCKED_IP_LIST"`
+	Comment                *string                 `ddl:"parameter,single_quotes" sql:"COMMENT"`
+}
+
+type AllowedNetworkRuleList struct {
+	AllowedNetworkRuleList []SchemaObjectIdentifier `ddl:"list,must_parentheses"`
+}
+
+type BlockedNetworkRuleList struct {
+	BlockedNetworkRuleList []SchemaObjectIdentifier `ddl:"list,must_parentheses"`
+}
+
+type AllowedIPList struct {
+	AllowedIPList []IP `ddl:"list,must_parentheses"`
+}
+
+type BlockedIPList struct {
+	BlockedIPList []IP `ddl:"list,must_parentheses"`
+}
+
+type NetworkPolicyUnset struct {
+	AllowedNetworkRuleList *bool `ddl:"keyword" sql:"ALLOWED_NETWORK_RULE_LIST"`
+	BlockedNetworkRuleList *bool `ddl:"keyword" sql:"BLOCKED_NETWORK_RULE_LIST"`
+	AllowedIpList          *bool `ddl:"keyword" sql:"ALLOWED_IP_LIST"`
+	BlockedIpList          *bool `ddl:"keyword" sql:"BLOCKED_IP_LIST"`
+	Comment                *bool `ddl:"keyword" sql:"COMMENT"`
 }
 
 type AddNetworkRule struct {