Update role grants with new non-deprecated resources

cagov · Apr 15, 2024 · 58c56a7 · 58c56a7
1 parent eaa366f
commit 58c56a7
Show file tree

Hide file tree

Showing 5 changed files with 169 additions and 201 deletions.
diff --git a/docs/snowflake.md b/docs/snowflake.md
@@ -196,14 +196,15 @@ The **elt** module has the following configuration:
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_snowflake"></a> [snowflake](#requirement\_snowflake) | ~> 0.61 |
+| <a name="requirement_snowflake"></a> [snowflake](#requirement\_snowflake) | ~> 0.88 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_snowflake.accountadmin"></a> [snowflake.accountadmin](#provider\_snowflake.accountadmin) | ~> 0.61 |
-| <a name="provider_snowflake.useradmin"></a> [snowflake.useradmin](#provider\_snowflake.useradmin) | ~> 0.61 |
+| <a name="provider_snowflake"></a> [snowflake](#provider\_snowflake) | ~> 0.88 |
+| <a name="provider_snowflake.accountadmin"></a> [snowflake.accountadmin](#provider\_snowflake.accountadmin) | ~> 0.88 |
+| <a name="provider_snowflake.useradmin"></a> [snowflake.useradmin](#provider\_snowflake.useradmin) | ~> 0.88 |
 
 ## Modules
 
@@ -221,35 +222,35 @@ The **elt** module has the following configuration:
 
 | Name | Type |
 |------|------|
-| [snowflake_database_grant.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/database_grant) | resource |
+| [snowflake_grant_account_role.analytics_r_to_reader](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |
+| [snowflake_grant_account_role.analytics_r_to_reporter](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |
+| [snowflake_grant_account_role.analytics_rwc_to_transformer](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |
+| [snowflake_grant_account_role.loader_to_airflow](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |
+| [snowflake_grant_account_role.loader_to_fivetran](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |
+| [snowflake_grant_account_role.loader_to_sysadmin](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |
+| [snowflake_grant_account_role.loading_to_loader](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |
+| [snowflake_grant_account_role.logger_to_accountadmin](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |
+| [snowflake_grant_account_role.logger_to_sentinel](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |
+| [snowflake_grant_account_role.logging_to_logger](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |
+| [snowflake_grant_account_role.raw_r_to_reader](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |
+| [snowflake_grant_account_role.raw_r_to_transformer](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |
+| [snowflake_grant_account_role.raw_rwc_to_loader](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |
+| [snowflake_grant_account_role.reader_to_github_ci](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |
+| [snowflake_grant_account_role.reader_to_sysadmin](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |
+| [snowflake_grant_account_role.reporter_to_sysadmin](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |
+| [snowflake_grant_account_role.reporting_to_reader](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |
+| [snowflake_grant_account_role.reporting_to_reporter](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |
+| [snowflake_grant_account_role.transform_r_to_reader](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |
+| [snowflake_grant_account_role.transform_rwc_to_transformer](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |
+| [snowflake_grant_account_role.transformer_to_dbt](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |
+| [snowflake_grant_account_role.transformer_to_sysadmin](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |
+| [snowflake_grant_account_role.transforming_to_transformer](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |
+| [snowflake_grant_privileges_to_account_role.imported_privileges_to_logger](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_privileges_to_account_role) | resource |
 | [snowflake_role.loader](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role) | resource |
 | [snowflake_role.logger](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role) | resource |
 | [snowflake_role.reader](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role) | resource |
 | [snowflake_role.reporter](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role) | resource |
 | [snowflake_role.transformer](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role) | resource |
-| [snowflake_role_grants.analytics_r_to_reader](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
-| [snowflake_role_grants.analytics_r_to_reporter](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
-| [snowflake_role_grants.analytics_rwc_to_transformer](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
-| [snowflake_role_grants.loader_to_airflow](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
-| [snowflake_role_grants.loader_to_fivetran](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
-| [snowflake_role_grants.loader_to_sysadmin](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
-| [snowflake_role_grants.loading_to_loader](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
-| [snowflake_role_grants.logger_to_accountadmin](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
-| [snowflake_role_grants.logger_to_sentinel](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
-| [snowflake_role_grants.logging_to_logger](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
-| [snowflake_role_grants.raw_r_to_reader](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
-| [snowflake_role_grants.raw_r_to_transformer](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
-| [snowflake_role_grants.raw_rwc_to_loader](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
-| [snowflake_role_grants.reader_to_github_ci](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
-| [snowflake_role_grants.reader_to_sysadmin](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
-| [snowflake_role_grants.reporter_to_sysadmin](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
-| [snowflake_role_grants.reporting_to_reader](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
-| [snowflake_role_grants.reporting_to_reporter](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
-| [snowflake_role_grants.transform_r_to_reader](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
-| [snowflake_role_grants.transform_rwc_to_transformer](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
-| [snowflake_role_grants.transformer_to_dbt](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
-| [snowflake_role_grants.transformer_to_sysadmin](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
-| [snowflake_role_grants.transforming_to_transformer](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
 | [snowflake_user.airflow](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/user) | resource |
 | [snowflake_user.dbt](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/user) | resource |
 | [snowflake_user.fivetran](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/user) | resource |

diff --git a/terraform/snowflake/modules/database/main.tf b/terraform/snowflake/modules/database/main.tf
@@ -57,7 +57,6 @@ locals {
       "CREATE VIEW",
       "MODIFY",
       "MONITOR",
-      "OWNERSHIP",
       "USAGE",
     ]
   }
@@ -74,7 +73,6 @@ locals {
     READWRITECONTROL = [
       "DELETE",
       "INSERT",
-      "OWNERSHIP",
       "TRUNCATE",
       "UPDATE",
     ]
@@ -84,7 +82,7 @@ locals {
   view = {
     READ             = ["SELECT", "REFERENCES"]
     READWRITE        = ["SELECT", "REFERENCES"]
-    READWRITECONTROL = ["SELECT", "REFERENCES", "OWNERSHIP"]
+    READWRITECONTROL = ["SELECT", "REFERENCES"]
   }
 }
 
@@ -118,13 +116,11 @@ resource "snowflake_role" "this" {
 #            Role Grants             #
 ######################################
 
-resource "snowflake_role_grants" "this_to_sysadmin" {
-  provider               = snowflake.useradmin
-  for_each               = toset(keys(local.database))
-  role_name              = snowflake_role.this[each.key].name
-  enable_multiple_grants = true
-  roles                  = ["SYSADMIN"]
-  depends_on             = [snowflake_role.this]
+resource "snowflake_grant_account_role" "this_to_sysadmin" {
+  provider         = snowflake.useradmin
+  for_each         = toset(keys(local.database))
+  role_name        = snowflake_role.this[each.key].name
+  parent_role_name = "SYSADMIN"
 }
 
 ######################################
@@ -140,11 +136,11 @@ resource "snowflake_role_grants" "this_to_sysadmin" {
 # https://community.snowflake.com/s/article/How-to-grant-select-on-all-future-tables-in-a-schema-and-database-level
 
 # Database grants
-resource "snowflake_grant_privileges_to_role" "database" {
-  provider   = snowflake.securityadmin
-  for_each   = local.database
-  privileges = each.value
-  role_name  = snowflake_role.this[each.key].name
+resource "snowflake_grant_privileges_to_account_role" "database" {
+  provider          = snowflake.securityadmin
+  for_each          = local.database
+  privileges        = each.value
+  account_role_name = snowflake_role.this[each.key].name
   on_account_object {
     object_type = "DATABASE"
     object_name = snowflake_database.this.name
@@ -153,34 +149,34 @@ resource "snowflake_grant_privileges_to_role" "database" {
 }
 
 # Schema grants
-resource "snowflake_grant_privileges_to_role" "schemas" {
-  provider   = snowflake.securityadmin
-  for_each   = local.schema
-  privileges = each.value
-  role_name  = snowflake_role.this[each.key].name
+resource "snowflake_grant_privileges_to_account_role" "schemas" {
+  provider          = snowflake.securityadmin
+  for_each          = local.schema
+  privileges        = each.value
+  account_role_name = snowflake_role.this[each.key].name
   on_schema {
     future_schemas_in_database = snowflake_database.this.name
   }
   with_grant_option = false
 }
 
-resource "snowflake_grant_privileges_to_role" "public" {
-  provider   = snowflake.securityadmin
-  for_each   = local.schema
-  privileges = each.value
-  role_name  = snowflake_role.this[each.key].name
+resource "snowflake_grant_privileges_to_account_role" "public" {
+  provider          = snowflake.securityadmin
+  for_each          = local.schema
+  privileges        = each.value
+  account_role_name = snowflake_role.this[each.key].name
   on_schema {
     schema_name = "${snowflake_database.this.name}.PUBLIC"
   }
   with_grant_option = false
 }
 
 # Table grants
-resource "snowflake_grant_privileges_to_role" "tables" {
-  provider   = snowflake.securityadmin
-  for_each   = local.table
-  privileges = each.value
-  role_name  = snowflake_role.this[each.key].name
+resource "snowflake_grant_privileges_to_account_role" "tables" {
+  provider          = snowflake.securityadmin
+  for_each          = local.table
+  privileges        = each.value
+  account_role_name = snowflake_role.this[each.key].name
   on_schema_object {
     future {
       object_type_plural = "TABLES"
@@ -191,11 +187,11 @@ resource "snowflake_grant_privileges_to_role" "tables" {
 }
 
 # View grants
-resource "snowflake_grant_privileges_to_role" "views" {
-  provider   = snowflake.securityadmin
-  for_each   = local.view
-  privileges = each.value
-  role_name  = snowflake_role.this[each.key].name
+resource "snowflake_grant_privileges_to_account_role" "views" {
+  provider          = snowflake.securityadmin
+  for_each          = local.view
+  privileges        = each.value
+  account_role_name = snowflake_role.this[each.key].name
   on_schema_object {
     future {
       object_type_plural = "VIEWS"