-
Notifications
You must be signed in to change notification settings - Fork 428
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Masking policy resource v1 #3078
Conversation
Integration tests failure for 97e53056f97a9bd19c39c21fdecf8b477a6f315e |
Integration tests failure for c3fed8307d4d491bbb497c437f785938d53f382a |
pkg/sdk/masking_policy.go
Outdated
@@ -346,6 +373,7 @@ func (row maskingPolicyDetailsRow) toMaskingPolicyDetails() *MaskingPolicyDetail | |||
ReturnType: dataType, | |||
Body: row.Body, | |||
} | |||
// TODO (after merged changes in row access policies) use/merge with parsing in row access policies |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Leaving a comment as a reminder (will resolve after the upcoming change)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, done. I adjusted this also for row access policies.
Integration tests failure for ed7a13f1070b4fb6785c9be6333f1a18127ae0a8 |
Integration tests failure for 8573b9dababe6e599e6ebcf9eb81dd086558819b |
Integration tests failure for bd36e593d457119c834c1a79729227cafe4a426c |
Integration tests failure for ca5af1835c93bfba07de367e016f1b7d4a2ec0ef |
Integration tests failure for 09b60098bde37d9e2b0d73d0fc9392fb7cfe963a |
Integration tests failure for 03612eff7ebaeae5929fb37019146d0c7dcb950f |
<!-- Feel free to delete comments as you fill this in --> - SDK - improve validations - add tests - improve options parsing (also, get rid of a 3rd party library) - add a TODO to reuse parsing from row access policies after merging #3079 - resource - use new id handling - rename/remove some fields to be consistent with other resources - better ACC tests - misc - adjust helper clients - generate config and assertion builders - adjust docs <!-- summary of changes --> ## Test Plan <!-- detail ways in which this PR has been tested or needs to be tested --> * [x] acceptance tests * [x] integration tests * [x] unit tests ## References <!-- issues documentation links, etc --> https://docs.snowflake.com/en/sql-reference/sql/create-masking-policy ## TODO - add tests for issues - rework data source
🤖 I have created a release *beep* *boop* --- ## [0.96.0](v0.95.0...v0.96.0) (2024-09-18) Essential GA object readiness for V1: [link](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/v1-preparations/ESSENTIAL_GA_OBJECTS.MD) ([Roadmap reference](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/ROADMAP.md#preparing-essential-ga-objects-for-the-provider-v1)). :exclamation: Migration guide: [v0.95.0 -> v0.96.0](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0950--v0960) ### 🎉 **What's new:** * V1 redesign of resources and data sources * Row access policy ([#3066](#3066)) ([#3063](#3063)) * Resource monitor ([#3052](#3052)) ([#3064](#3064)) * Masking policy ([#3078](#3078)) ([#3083](#3083)) * SDK upgrades * External volume ([#3033](#3033)) * Authentication policy ([#2937](#2937)) ([#3068](#3068)) ([#3061](#3061)) ### 🔧 **Misc** * Clean up old test object helpers ([#3049](#3049)) * Add example of granting role to multiple objects ([#3047](#3047)) * Update readme and objects rework state ([#3046](#3046)) ### 🐛 **Bug fixes:** * Fix model grants ([#3070](#3070)) * Fix database show by and resource logic ([#3055](#3055)) * Fix default secondary roles option import ([#3041](#3041)) * Fix sweepers for warehouse and database ([#3057](#3057)) * Fix views permadiff ([#3079](#3079)) * Update v0.95.0 migration guide ([#3062](#3062)) Co-authored-by: snowflake-release-please[bot] <105954990+snowflake-release-please[bot]@users.noreply.github.com>
- `exempt_other_policies` (Boolean) Specifies whether the row access policy or conditional masking policy can reference a column that is already protected by a masking policy. | ||
- `if_not_exists` (Boolean) Prevent overwriting a previous masking policy with the same name. | ||
- `or_replace` (Boolean) Whether to override a previous masking policy with the same name. | ||
- `exempt_other_policies` (String) Specifies whether the row access policy or conditional masking policy can reference a column that is already protected by a masking policy. Due to Snowflake limitations, when value is chenged, the resource is recreated. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
chenged -> changed
log.Printf("[DEBUG] row access policy (%s) not found", d.Id()) | ||
d.SetId("") | ||
return nil | ||
if errors.Is(err, sdk.ErrObjectNotFound) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a test showing that it was missing?
assertOptsInvalidJoinedErrors(t, opts, ErrDifferentSchema) | ||
}) | ||
|
||
t.Run("validation: only 1 option allowed at the same time", func(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
usually we check both empty and multiple
policyModel := model.MaskingPolicy("test", []sdk.TableColumnSignature{ | ||
{ | ||
Name: "a", | ||
Type: "TEXT", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit-pick: why we are sometimes using sdk.DataType and sometimes string?
// set all fields | ||
{ | ||
ConfigDirectory: acc.ConfigurationDirectory("TestAcc_MaskingPolicy/complete"), | ||
ConfigVariables: tfconfig.ConfigVariablesFromModel(t, policyModel.WithBody(body).WithComment("Terraform acceptance test").WithExemptOtherPolicies(r.BooleanTrue)), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in the next step there are more fields set, so the "all" is inappropriate here
{ | ||
Config: maskingPolicyConfig(newId.Name(), comment2, acc.TestDatabaseName, acc.TestSchemaName), | ||
ConfigDirectory: acc.ConfigurationDirectory("TestAcc_MaskingPolicy/complete"), | ||
ConfigVariables: tfconfig.ConfigVariablesFromModel(t, policyModel.WithBody(bodyWithBooleanReturnType).WithReturnDataType(string(sdk.DataTypeBoolean)).WithArgument(argumentWithChangedFirstArgumentType).WithComment("Terraform acceptance test - changed comment").WithExemptOtherPolicies(r.BooleanFalse)), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The way that policyModel is reused here is interesting/unsafe - that was not the initial intention to reuse it this way. It bases on the order of execution and is a bit misleading (e.g. in step 4 and step 5 we want to validate only external change but we use "different" config variables - different only in the written way, underneath it's the same pointer, with fields already set in the previous step).
Maybe the design of model is a bit flawed and we should not use the pointer but the model directly, so that we always get the copied struct. Either way, I am raising it as a topic to discuss internally.
Test Plan
References
https://docs.snowflake.com/en/sql-reference/sql/create-masking-policy
TODO