wip

Snowflake-Labs · Jul 8, 2024 · 69f7492 · 69f7492
1 parent d0c136d
commit 69f7492
Show file tree

Hide file tree

Showing 26 changed files with 1,259 additions and 365 deletions.
diff --git a/MIGRATION_GUIDE.md b/MIGRATION_GUIDE.md
@@ -20,6 +20,27 @@ They are all described in short in the [changes before v1 doc](./v1-preparations
 ### old grant resources removal
 Following the [announcement](https://github.com/Snowflake-Labs/terraform-provider-snowflake/discussions/2736) we have removed the old grant resources. The two resources [snowflake_role_ownership_grant](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_ownership_grant) and [snowflake_user_ownership_grant](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/user_ownership_grant) were not listed in the announcement, but they were also marked as deprecated ones. We are removing them too to conclude the grants redesign saga.
 
+### *(new feature)* refactored snowflake_network_policy resource
+
+No migration should be needed.
+
+New behavior:
+- `name` is no longer marked as ForceNew parameter. When changed, now it will perform ALTER RENAME operation.
+- Additional validation was added to `blocked_ip_list` to inform about specifying `0.0.0.0/0` ip. More details in the [official documentation](https://docs.snowflake.com/en/sql-reference/sql/create-network-policy#usage-notes).
+
+New fields:
+- `show_output` and `describe_output` saving the Snowflake state from `SHOW` and `DESCRIBE` commands in the computed fields.
+
+### *(new feature)* snowflake_network_policies datasource
+
+Added a new datasource enabling querying and filtering network policies. Notes:
+- all results are stored in `network_policies` field.
+- `like` field enables filtering.
+- SHOW NETWORK POLICIES output is enclosed in `show_output` field inside `network_policies`.
+- Output from **DESC NETWORK POLICY** (which can be turned off by declaring `with_describe = false`, **it's turned on by default**) is enclosed in `describe_output` field inside `network_policies`.
+  The additional parameters call **DESC NETWORK POLICY** (with `with_describe` turned on) **per network policy** returned by **SHOW NETWORK POLICIES**.
+  It's important to limit the records and calls to Snowflake to the minimum. That's why we recommend assessing which information you need from the data source and then providing strong filters and turning off additional fields for better plan performance.
+
 ### *(new feature)* snowflake_security_integrations datasource
 Added a new datasource enabling querying and filtering all types of security integrations. Notes:
 - all results are stored in `security_integrations` field.

diff --git a/docs/data-sources/network_policies.md b/docs/data-sources/network_policies.md
@@ -0,0 +1,59 @@
+---
+page_title: "snowflake_network_policies Data Source - terraform-provider-snowflake"
+subcategory: ""
+description: |-
+  Datasource used to get details of filtered network policies. Filtering is aligned with the current possibilities for SHOW NETWORK POLICIES https://docs.snowflake.com/en/sql-reference/sql/show-network-policies query (like is supported). The results of SHOW and DESCRIBE are encapsulated in one output collection.
+---
+
+!> **V1 release candidate** This resource was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0920--v0930) to use it.
+
+# snowflake_network_policies (Data Source)
+
+Datasource used to get details of filtered network policies. Filtering is aligned with the current possibilities for [SHOW NETWORK POLICIES](https://docs.snowflake.com/en/sql-reference/sql/show-network-policies) query (`like` is supported). The results of SHOW and DESCRIBE are encapsulated in one output collection.
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Optional
+
+- `like` (String) Filters the output with **case-insensitive** pattern, with support for SQL wildcard characters (`%` and `_`).
+- `with_describe` (Boolean) Runs DESC NETWORK POLICY for each network policy returned by SHOW NETWORK POLICIES. The output of describe is saved to the description field. By default this value is set to true.
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+- `network_policies` (List of Object) Holds the aggregated output of all network policies details queries. (see [below for nested schema](#nestedatt--network_policies))
+
+<a id="nestedatt--network_policies"></a>
+### Nested Schema for `network_policies`
+
+Read-Only:
+
+- `describe_output` (List of Object) (see [below for nested schema](#nestedobjatt--network_policies--describe_output))
+- `show_output` (List of Object) (see [below for nested schema](#nestedobjatt--network_policies--show_output))
+
+<a id="nestedobjatt--network_policies--describe_output"></a>
+### Nested Schema for `network_policies.describe_output`
+
+Read-Only:
+
+- `allowed_ip_list` (String)
+- `allowed_network_rule_list` (String)
+- `blocked_ip_list` (String)
+- `blocked_network_rule_list` (String)
+
+
+<a id="nestedobjatt--network_policies--show_output"></a>
+### Nested Schema for `network_policies.show_output`
+
+Read-Only:
+
+- `comment` (String)
+- `created_on` (String)
+- `entries_in_allowed_ip_list` (Number)
+- `entries_in_allowed_network_rules` (Number)
+- `entries_in_blocked_ip_list` (Number)
+- `entries_in_blocked_network_rules` (Number)
+- `name` (String)
diff --git a/docs/resources/network_policy.md b/docs/resources/network_policy.md
@@ -5,6 +5,8 @@ description: |-
   
 ---
 
+!> **V1 release candidate** This resource was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0920--v0930) to use it.
+
 # snowflake_network_policy (Resource)
 
 
@@ -58,13 +60,39 @@ resource "snowflake_network_policy" "policy" {
 
 - `allowed_ip_list` (Set of String) Specifies one or more IPv4 addresses (CIDR notation) that are allowed access to your Snowflake account.
 - `allowed_network_rule_list` (Set of String) Specifies a list of fully qualified network rules that contain the network identifiers that are allowed access to Snowflake.
-- `blocked_ip_list` (Set of String) Specifies one or more IPv4 addresses (CIDR notation) that are denied access to your Snowflake account<br><br>**Do not** add `0.0.0.0/0` to `blocked_ip_list`.
+- `blocked_ip_list` (Set of String) Specifies one or more IPv4 addresses (CIDR notation) that are denied access to your Snowflake account. **Do not** add `0.0.0.0/0` to `blocked_ip_list`, in order to block all IP addresses except a select list, you only need to add IP addresses to `allowed_ip_list`.
 - `blocked_network_rule_list` (Set of String) Specifies a list of fully qualified network rules that contain the network identifiers that are denied access to Snowflake.
 - `comment` (String) Specifies a comment for the network policy.
 
 ### Read-Only
 
+- `describe_output` (List of Object) Outputs the result of `DESCRIBE NETWORK POLICY` for the given network policy. (see [below for nested schema](#nestedatt--describe_output))
 - `id` (String) The ID of this resource.
+- `show_output` (List of Object) Outputs the result of `SHOW NETWORK POLICIES` for the given network policy. (see [below for nested schema](#nestedatt--show_output))
+
+<a id="nestedatt--describe_output"></a>
+### Nested Schema for `describe_output`
+
+Read-Only:
+
+- `allowed_ip_list` (String)
+- `allowed_network_rule_list` (String)
+- `blocked_ip_list` (String)
+- `blocked_network_rule_list` (String)
+
+
+<a id="nestedatt--show_output"></a>
+### Nested Schema for `show_output`
+
+Read-Only:
+
+- `comment` (String)
+- `created_on` (String)
+- `entries_in_allowed_ip_list` (Number)
+- `entries_in_allowed_network_rules` (Number)
+- `entries_in_blocked_ip_list` (Number)
+- `entries_in_blocked_network_rules` (Number)
+- `name` (String)
 
 ## Import
 

diff --git a/pkg/acceptance/helpers/network_policy_client.go b/pkg/acceptance/helpers/network_policy_client.go
@@ -42,12 +42,20 @@ func (c *NetworkPolicyClient) CreateNetworkPolicyWithRequest(t *testing.T, reque
 	return networkPolicy, c.DropNetworkPolicyFunc(t, request.GetName())
 }
 
+func (c *NetworkPolicyClient) Update(t *testing.T, request *sdk.AlterNetworkPolicyRequest) {
+	t.Helper()
+	ctx := context.Background()
+
+	err := c.client().Alter(ctx, request)
+	require.NoError(t, err)
+}
+
 func (c *NetworkPolicyClient) DropNetworkPolicyFunc(t *testing.T, id sdk.AccountObjectIdentifier) func() {
 	t.Helper()
 	ctx := context.Background()
 
 	return func() {
-		err := c.client().Drop(ctx, sdk.NewDropNetworkPolicyRequest(id).WithIfExists(sdk.Bool(true)))
+		err := c.client().Drop(ctx, sdk.NewDropNetworkPolicyRequest(id).WithIfExists(true))
 		require.NoError(t, err)
 	}
 }
diff --git a/pkg/acceptance/helpers/network_rule_client.go b/pkg/acceptance/helpers/network_rule_client.go
@@ -0,0 +1,53 @@
+package helpers
+
+import (
+	"context"
+	"testing"
+
+	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk"
+	"github.com/stretchr/testify/require"
+)
+
+type NetworkRuleClient struct {
+	context *TestClientContext
+	ids     *IdsGenerator
+}
+
+func NewNetworkRuleClient(context *TestClientContext, idsGenerator *IdsGenerator) *NetworkRuleClient {
+	return &NetworkRuleClient{
+		context: context,
+		ids:     idsGenerator,
+	}
+}
+
+func (c *NetworkRuleClient) client() sdk.NetworkRules {
+	return c.context.client.NetworkRules
+}
+
+func (c *NetworkRuleClient) Create(t *testing.T) *sdk.NetworkRule {
+	t.Helper()
+	return c.CreateWithName(t, c.ids.Alpha())
+}
+
+func (c *NetworkRuleClient) CreateWithName(t *testing.T, name string) *sdk.NetworkRule {
+	t.Helper()
+	return c.CreateWithIdentifier(t, c.ids.NewSchemaObjectIdentifier(name))
+}
+
+func (c *NetworkRuleClient) CreateWithIdentifier(t *testing.T, id sdk.SchemaObjectIdentifier) *sdk.NetworkRule {
+	t.Helper()
+	ctx := context.Background()
+
+	err := c.client().Create(ctx, sdk.NewCreateNetworkRuleRequest(id, sdk.NetworkRuleTypeIpv4, []sdk.NetworkRuleValue{}, sdk.NetworkRuleModeIngress))
+	require.NoError(t, err)
+
+	t.Cleanup(func() {
+		_ = c.client().Drop(ctx, sdk.NewDropNetworkRuleRequest(id).WithIfExists(sdk.Bool(true)))
+	})
+
+	networkRule, err := c.client().ShowByID(ctx, id)
+	require.NoError(t, err)
+	require.NotNil(t, networkRule)
+
+	return networkRule
+}
diff --git a/pkg/acceptance/helpers/test_client.go b/pkg/acceptance/helpers/test_client.go
@@ -26,6 +26,7 @@ type TestClient struct {
 	MaskingPolicy       *MaskingPolicyClient
 	MaterializedView    *MaterializedViewClient
 	NetworkPolicy       *NetworkPolicyClient
+	NetworkRule         *NetworkRuleClient
 	Parameter           *ParameterClient
 	PasswordPolicy      *PasswordPolicyClient
 	Pipe                *PipeClient
@@ -76,6 +77,7 @@ func NewTestClient(c *sdk.Client, database string, schema string, warehouse stri
 		MaskingPolicy:       NewMaskingPolicyClient(context, idsGenerator),
 		MaterializedView:    NewMaterializedViewClient(context, idsGenerator),
 		NetworkPolicy:       NewNetworkPolicyClient(context, idsGenerator),
+		NetworkRule:         NewNetworkRuleClient(context, idsGenerator),
 		Parameter:           NewParameterClient(context),
 		PasswordPolicy:      NewPasswordPolicyClient(context, idsGenerator),
 		Pipe:                NewPipeClient(context, idsGenerator),

diff --git a/pkg/datasources/network_policies.go b/pkg/datasources/network_policies.go
@@ -0,0 +1,102 @@
+package datasources
+
+import (
+	"context"
+
+	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/internal/provider"
+	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/resources"
+	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/schemas"
+	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+var networkPoliciesSchema = map[string]*schema.Schema{
+	"with_describe": {
+		Type:        schema.TypeBool,
+		Optional:    true,
+		Default:     true,
+		Description: "Runs DESC NETWORK POLICY for each network policy returned by SHOW NETWORK POLICIES. The output of describe is saved to the description field. By default this value is set to true.",
+	},
+	"like": {
+		Type:        schema.TypeString,
+		Optional:    true,
+		Description: "Filters the output with **case-insensitive** pattern, with support for SQL wildcard characters (`%` and `_`).",
+	},
+	"network_policies": {
+		Type:        schema.TypeList,
+		Computed:    true,
+		Description: "Holds the aggregated output of all network policies details queries.",
+		Elem: &schema.Resource{
+			Schema: map[string]*schema.Schema{
+				resources.ShowOutputAttributeName: {
+					Type:        schema.TypeList,
+					Computed:    true,
+					Description: "Holds the output of SHOW NETWORK POLICIES.",
+					Elem: &schema.Resource{
+						Schema: schemas.ShowNetworkPolicySchema,
+					},
+				},
+				resources.DescribeOutputAttributeName: {
+					Type:        schema.TypeList,
+					Computed:    true,
+					Description: "Holds the output of DESCRIBE NETWORK POLICIES.",
+					Elem: &schema.Resource{
+						Schema: schemas.DescribeNetworkPolicySchema,
+					},
+				},
+			},
+		},
+	},
+}
+
+func NetworkPolicies() *schema.Resource {
+	return &schema.Resource{
+		ReadContext: ReadNetworkPolicies,
+		Schema:      networkPoliciesSchema,
+		Description: "Datasource used to get details of filtered network policies. Filtering is aligned with the current possibilities for [SHOW NETWORK POLICIES](https://docs.snowflake.com/en/sql-reference/sql/show-network-policies) query (`like` is supported). The results of SHOW and DESCRIBE are encapsulated in one output collection.",
+	}
+}
+
+func ReadNetworkPolicies(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
+	client := meta.(*provider.Context).Client
+	req := sdk.NewShowNetworkPolicyRequest()
+
+	if likePattern, ok := d.GetOk("like"); ok {
+		req.WithLike(sdk.Like{
+			Pattern: sdk.String(likePattern.(string)),
+		})
+	}
+
+	networkPolicies, err := client.NetworkPolicies.Show(ctx, req)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	d.SetId("network_policies_read")
+
+	flattenedNetworkPolicies := make([]map[string]any, len(networkPolicies))
+	for i, networkPolicy := range networkPolicies {
+		networkPolicy := networkPolicy
+
+		var networkPolicyDescribeOutput []map[string]any
+		if d.Get("with_describe").(bool) {
+			describeResult, err := client.NetworkPolicies.Describe(ctx, sdk.NewAccountObjectIdentifier(networkPolicy.Name))
+			if err != nil {
+				return diag.FromErr(err)
+			}
+			networkPolicyDescribeOutput = []map[string]any{schemas.NetworkPolicyPropertiesToSchema(describeResult)}
+		}
+
+		flattenedNetworkPolicies[i] = map[string]any{
+			resources.ShowOutputAttributeName:     []map[string]any{schemas.NetworkPolicyToSchema(&networkPolicy)},
+			resources.DescribeOutputAttributeName: networkPolicyDescribeOutput,
+		}
+	}
+
+	if err = d.Set("network_policies", flattenedNetworkPolicies); err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}