Rework row access policy data source

Snowflake-Labs · Sep 13, 2024 · ce3c9b9 · ce3c9b9
1 parent 13cd694
commit ce3c9b9
Show file tree

Hide file tree

Showing 23 changed files with 966 additions and 121 deletions.
diff --git a/MIGRATION_GUIDE.md b/MIGRATION_GUIDE.md
@@ -5,6 +5,20 @@ describe deprecations or breaking changes and help you to change your configurat
 across different versions.
 
 ## v0.95.0 ➞ v0.96.0
+### snowflake_row_access_policies data source changes
+New filtering options:
+- `in`
+- `limit`
+- `with_describe`
+
+New output fields
+- `show_output`
+- `describe_output`
+
+Breaking changes:
+- `database` and `schema` are right now under `in` field
+- `row_access_policies` field now organizes output of show under `show_output` field and the output of describe under `describe_output` field.
+
 ### snowflake_row_access_policy resource changes
 New fields:
   - `show_output` field that holds the response from SHOW ROW ACCESS POLICIES.

diff --git a/docs/data-sources/row_access_policies.md b/docs/data-sources/row_access_policies.md
@@ -2,41 +2,170 @@
 page_title: "snowflake_row_access_policies Data Source - terraform-provider-snowflake"
 subcategory: ""
 description: |-
-  
+  Datasource used to get details of filtered row access policies. Filtering is aligned with the current possibilities for SHOW ROW ACCESS POLICIES https://docs.snowflake.com/en/sql-reference/sql/show-row-access-policies query. The results of SHOW and DESCRIBE are encapsulated in one output collection row_access_policies.
 ---
 
-# snowflake_row_access_policies (Data Source)
+!> **V1 release candidate** This data source was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the data source if needed. Any errors reported will be resolved with a higher priority. We encourage checking this data source out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0950--v0960) to use it.
 
+# snowflake_row_access_policies (Data Source)
 
+Datasource used to get details of filtered row access policies. Filtering is aligned with the current possibilities for [SHOW ROW ACCESS POLICIES](https://docs.snowflake.com/en/sql-reference/sql/show-row-access-policies) query. The results of SHOW and DESCRIBE are encapsulated in one output collection `row_access_policies`.
 
 ## Example Usage
 
 ```terraform
-data "snowflake_row_access_policies" "current" {
-  database = "MYDB"
-  schema   = "MYSCHEMA"
+# Simple usage
+data "snowflake_row_access_policies" "simple" {
+}
+
+output "simple_output" {
+  value = data.snowflake_row_access_policies.simple.row_access_policies
+}
+
+# Filtering (like)
+data "snowflake_row_access_policies" "like" {
+  like = "row-access-policy-name"
+}
+
+output "like_output" {
+  value = data.snowflake_row_access_policies.like.row_access_policies
+}
+
+# Filtering by prefix (like)
+data "snowflake_row_access_policies" "like_prefix" {
+  like = "prefix%"
+}
+
+output "like_prefix_output" {
+  value = data.snowflake_row_access_policies.like_prefix.row_access_policies
+}
+
+# Filtering (limit)
+data "snowflake_row_access_policies" "limit" {
+  limit {
+    rows = 10
+    from = "prefix-"
+  }
+}
+
+output "limit_output" {
+  value = data.snowflake_row_access_policies.limit.row_access_policies
+}
+
+# Filtering (in)
+data "snowflake_row_access_policies" "in" {
+  in {
+    database = "database"
+  }
+}
+
+output "in_output" {
+  value = data.snowflake_row_access_policies.in.row_access_policies
+}
+
+# Without additional data (to limit the number of calls make for every found row access policy)
+data "snowflake_row_access_policies" "only_show" {
+  # with_describe is turned on by default and it calls DESCRIBE ROW ACCESS POLICY for every row access policy found and attaches its output to row_access_policies.*.describe_output field
+  with_describe = false
+}
+
+output "only_show_output" {
+  value = data.snowflake_row_access_policies.only_show.row_access_policies
+}
+
+# Ensure the number of row access policies is equal to at least one element (with the use of postcondition)
+data "snowflake_row_access_policies" "assert_with_postcondition" {
+  like = "row-access-policy-name%"
+  lifecycle {
+    postcondition {
+      condition     = length(self.row_access_policies) > 0
+      error_message = "there should be at least one row access policy"
+    }
+  }
+}
+
+# Ensure the number of row access policies is equal to at exactly one element (with the use of check block)
+check "row_access_policy_check" {
+  data "snowflake_row_access_policies" "assert_with_check_block" {
+    like = "row-access-policy-name"
+  }
+
+  assert {
+    condition     = length(data.snowflake_row_access_policies.assert_with_check_block.row_access_policies) == 1
+    error_message = "row access policies filtered by '${data.snowflake_row_access_policies.assert_with_check_block.like}' returned ${length(data.snowflake_row_access_policies.assert_with_check_block.row_access_policies)} row access policies where one was expected"
+  }
 }
 ```
 
 <!-- schema generated by tfplugindocs -->
 ## Schema
 
-### Required
+### Optional
 
-- `database` (String) The database from which to return the schemas from.
-- `schema` (String) The schema from which to return the row access policy from.
+- `in` (Block List, Max: 1) IN clause to filter the list of row access policies (see [below for nested schema](#nestedblock--in))
+- `like` (String) Filters the output with **case-insensitive** pattern, with support for SQL wildcard characters (`%` and `_`).
+- `limit` (Block List, Max: 1) Limits the number of rows returned. If the `limit.from` is set, then the limit wll start from the first element matched by the expression. The expression is only used to match with the first element, later on the elements are not matched by the prefix, but you can enforce a certain pattern with `starts_with` or `like`. (see [below for nested schema](#nestedblock--limit))
+- `with_describe` (Boolean) Runs DESC ROW ACCESS POLICY for each row access policy returned by SHOW ROW ACCESS POLICIES. The output of describe is saved to the description field. By default this value is set to true.
 
 ### Read-Only
 
 - `id` (String) The ID of this resource.
-- `row_access_policies` (List of Object) The row access policy in the schema (see [below for nested schema](#nestedatt--row_access_policies))
+- `row_access_policies` (List of Object) Holds the aggregated output of all views details queries. (see [below for nested schema](#nestedatt--row_access_policies))
+
+<a id="nestedblock--in"></a>
+### Nested Schema for `in`
+
+Optional:
+
+- `account` (Boolean) Returns records for the entire account.
+- `application` (String) Returns records for the specified application.
+- `application_package` (String) Returns records for the specified application package.
+- `database` (String) Returns records for the current database in use or for a specified database.
+- `schema` (String) Returns records for the current schema in use or a specified schema. Use fully qualified name.
+
+
+<a id="nestedblock--limit"></a>
+### Nested Schema for `limit`
+
+Required:
+
+- `rows` (Number) The maximum number of rows to return.
+
+Optional:
+
+- `from` (String) Specifies a **case-sensitive** pattern that is used to match object name. After the first match, the limit on the number of rows will be applied.
+
 
 <a id="nestedatt--row_access_policies"></a>
 ### Nested Schema for `row_access_policies`
 
 Read-Only:
 
+- `describe_output` (List of Object) (see [below for nested schema](#nestedobjatt--row_access_policies--describe_output))
+- `show_output` (List of Object) (see [below for nested schema](#nestedobjatt--row_access_policies--show_output))
+
+<a id="nestedobjatt--row_access_policies--describe_output"></a>
+### Nested Schema for `row_access_policies.describe_output`
+
+Read-Only:
+
+- `body` (String)
+- `name` (String)
+- `return_type` (String)
+- `signature` (String)
+
+
+<a id="nestedobjatt--row_access_policies--show_output"></a>
+### Nested Schema for `row_access_policies.show_output`
+
+Read-Only:
+
 - `comment` (String)
-- `database` (String)
+- `created_on` (String)
+- `database_name` (String)
+- `kind` (String)
 - `name` (String)
-- `schema` (String)
+- `options` (String)
+- `owner` (String)
+- `owner_role_type` (String)
+- `schema_name` (String)
diff --git a/docs/data-sources/views.md b/docs/data-sources/views.md
@@ -12,9 +12,86 @@ Datasource used to get details of filtered views. Filtering is aligned with the
 ## Example Usage
 
 ```terraform
-data "snowflake_views" "current" {
-  database = "MYDB"
-  schema   = "MYSCHEMA"
+# Simple usage
+data "snowflake_views" "simple" {
+}
+
+output "simple_output" {
+  value = data.snowflake_views.simple.views
+}
+
+# Filtering (like)
+data "snowflake_views" "like" {
+  like = "view-name"
+}
+
+output "like_output" {
+  value = data.snowflake_views.like.views
+}
+
+# Filtering by prefix (like)
+data "snowflake_views" "like_prefix" {
+  like = "prefix%"
+}
+
+output "like_prefix_output" {
+  value = data.snowflake_views.like_prefix.views
+}
+
+# Filtering (limit)
+data "snowflake_views" "limit" {
+  limit {
+    rows = 10
+    from = "prefix-"
+  }
+}
+
+output "limit_output" {
+  value = data.snowflake_views.limit.views
+}
+
+# Filtering (in)
+data "snowflake_views" "in" {
+  in {
+    database = "database"
+  }
+}
+
+output "in_output" {
+  value = data.snowflake_views.in.views
+}
+
+# Without additional data (to limit the number of calls make for every found view)
+data "snowflake_views" "only_show" {
+  # with_describe is turned on by default and it calls DESCRIBE VIEW for every view found and attaches its output to views.*.describe_output field
+  with_describe = false
+}
+
+output "only_show_output" {
+  value = data.snowflake_views.only_show.views
+}
+
+# Ensure the number of views is equal to at least one element (with the use of postcondition)
+data "snowflake_views" "assert_with_postcondition" {
+  like = "view-name%"
+  lifecycle {
+    postcondition {
+      condition     = length(self.views) > 0
+      error_message = "there should be at least one view"
+    }
+  }
+}
+
+# Ensure the number of views is equal to at exactly one element (with the use of check block)
+check "view_check" {
+  data "snowflake_views" "assert_with_check_block" {
+    like = "view-name"
+  }
+
+  assert {
+    condition     = length(data.snowflake_views.assert_with_check_block.views) == 1
+    error_message = "views filtered by '${data.snowflake_views.assert_with_check_block.like}' returned ${length(data.snowflake_views.assert_with_check_block.views)} views where one was expected"
+  }
 }
 ```
 

diff --git a/examples/data-sources/snowflake_row_access_policies/data-source.tf b/examples/data-sources/snowflake_row_access_policies/data-source.tf
@@ -1,4 +1,81 @@
-data "snowflake_row_access_policies" "current" {
-  database = "MYDB"
-  schema   = "MYSCHEMA"
-}
+# Simple usage
+data "snowflake_row_access_policies" "simple" {
+}
+
+output "simple_output" {
+  value = data.snowflake_row_access_policies.simple.row_access_policies
+}
+
+# Filtering (like)
+data "snowflake_row_access_policies" "like" {
+  like = "row-access-policy-name"
+}
+
+output "like_output" {
+  value = data.snowflake_row_access_policies.like.row_access_policies
+}
+
+# Filtering by prefix (like)
+data "snowflake_row_access_policies" "like_prefix" {
+  like = "prefix%"
+}
+
+output "like_prefix_output" {
+  value = data.snowflake_row_access_policies.like_prefix.row_access_policies
+}
+
+# Filtering (limit)
+data "snowflake_row_access_policies" "limit" {
+  limit {
+    rows = 10
+    from = "prefix-"
+  }
+}
+
+output "limit_output" {
+  value = data.snowflake_row_access_policies.limit.row_access_policies
+}
+
+# Filtering (in)
+data "snowflake_row_access_policies" "in" {
+  in {
+    database = "database"
+  }
+}
+
+output "in_output" {
+  value = data.snowflake_row_access_policies.in.row_access_policies
+}
+
+# Without additional data (to limit the number of calls make for every found row access policy)
+data "snowflake_row_access_policies" "only_show" {
+  # with_describe is turned on by default and it calls DESCRIBE ROW ACCESS POLICY for every row access policy found and attaches its output to row_access_policies.*.describe_output field
+  with_describe = false
+}
+
+output "only_show_output" {
+  value = data.snowflake_row_access_policies.only_show.row_access_policies
+}
+
+# Ensure the number of row access policies is equal to at least one element (with the use of postcondition)
+data "snowflake_row_access_policies" "assert_with_postcondition" {
+  like = "row-access-policy-name%"
+  lifecycle {
+    postcondition {
+      condition     = length(self.row_access_policies) > 0
+      error_message = "there should be at least one row access policy"
+    }
+  }
+}
+
+# Ensure the number of row access policies is equal to at exactly one element (with the use of check block)
+check "row_access_policy_check" {
+  data "snowflake_row_access_policies" "assert_with_check_block" {
+    like = "row-access-policy-name"
+  }
+
+  assert {
+    condition     = length(data.snowflake_row_access_policies.assert_with_check_block.row_access_policies) == 1
+    error_message = "row access policies filtered by '${data.snowflake_row_access_policies.assert_with_check_block.like}' returned ${length(data.snowflake_row_access_policies.assert_with_check_block.row_access_policies)} row access policies where one was expected"
+  }
+}