Open chriselion opened 8 months ago
Hey @chriselion. Thanks for creating the issue.
You are right: an example for snowflake_system_get_aws_sns_iam_policy is missing - we will add it.
The behavior and the reasons behind snowflake_system_get_aws_sns_iam_policy are explained in the official docs: https://docs.snowflake.com/en/sql-reference/functions/system_get_aws_sns_iam_policy. We can also add this link to our docs.
Would you like to propose any more additions?
Thanks @sfc-gh-asawicki - the docs for SYSTEM$GET_AWS_SNS_IAM_POLICY make sense, and it would be great to either link to them or include the same content.
The docs give a good explanation of the "why" but not really the "how" - even with that information, using the results from snowflake_system_get_aws_sns_iam_policy is potentially confusing (although this is more aws_iam_policy_document's fault, not Snowflake's!). A larger example like I gave would probably be helpful.
Hey @chriselion, we adjusted the documentation for snowflake_system_get_aws_sns_iam_policy, mostly adding important links that may help users understand how to use the data source. Please review and close, or add another comment if you think it should be adjusted in any way.
Is your feature request related to a problem? Please describe.
The documentation for snowflake_system_get_aws_sns_iam_policy (link) doesn't give an example of how to call it (which isn't that bad), and doesn't explain how it should be used in the bigger picture.
Describe the solution you'd like
I assume the primary motivation for snowflake_system_get_aws_sns_iam_policy is to grant access to an SNS topic that is receiving S3 bucket notifications (at least that's what I'm using it for). In this case, snowflake_system_get_aws_sns_iam_policy is a potential foot-gun, because if you pass it blindly to an aws_sns_topic_policy, it will conflict with any aws_sns_topic_policy's that grant the S3 bucket permission to publish on the topic. Instead, you need to combine the two policies with source_policy_documents.
Describe alternatives you've considered
An alternative data source that just provides the IAM user ARN (e.g. "arn:aws:iam::123456789001:user/vj4g-a-abcd1234" from here) might be easier to work with in general, since the user can insert that into their own policy JSON.
Additional context
The way that I ended up setting up the SNS policy looked like this
The source_policy_documents was the tricky part (at least for me).
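The configuration chriselion refers to did not survive on this page, so the following is an added example written for this edit, not the issue author's configuration and not code from the Snowflake provider or its docs. It shows the combination the issue describes: one aws_iam_policy_document that lets the S3 bucket publish to the topic, the Snowflake-generated document from snowflake_system_get_aws_sns_iam_policy, both merged through source_policy_documents into a single aws_sns_topic_policy. Provider configuration is assumed to exist; the bucket name, topic name, resource labels and the Sid are all made up for the example.

```hcl
# Added example (not from the issue or the provider docs). All names below
# are constructed placeholders; providers "aws" and "snowflake" are assumed
# to be configured elsewhere.

# Bucket whose object-created events Snowflake should receive.
resource "aws_s3_bucket" "this" {
  bucket = "example-snowpipe-bucket"
}

resource "aws_sns_topic" "this" {
  name = "example-snowpipe-events"
}

# Document 1: allow S3 to publish to the topic, but only on behalf of our
# bucket. Without the aws:SourceArn condition any bucket in any account
# could publish to this topic.
data "aws_iam_policy_document" "s3_publish" {
  statement {
    sid       = "AllowS3BucketToPublish" # distinct Sid, see note below
    effect    = "Allow"
    actions   = ["SNS:Publish"]
    resources = [aws_sns_topic.this.arn]

    principals {
      type        = "Service"
      identifiers = ["s3.amazonaws.com"]
    }

    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [aws_s3_bucket.this.arn]
    }
  }
}

# Document 2: the policy Snowflake asks for, generated by
# SYSTEM$GET_AWS_SNS_IAM_POLICY for this topic ARN. It grants Snowflake's
# IAM user the rights it needs on the topic (subscribing to it).
data "snowflake_system_get_aws_sns_iam_policy" "this" {
  aws_sns_topic_arn = aws_sns_topic.this.arn
}

# Merge both documents. An aws_sns_topic_policy sets the topic's whole
# policy, so two such resources for one topic would keep overwriting each
# other; attaching only the Snowflake document would drop S3's publish
# permission.
data "aws_iam_policy_document" "combined" {
  source_policy_documents = [
    data.aws_iam_policy_document.s3_publish.json,
    data.snowflake_system_get_aws_sns_iam_policy.this.aws_sns_topic_policy_json,
  ]
}

resource "aws_sns_topic_policy" "this" {
  arn    = aws_sns_topic.this.arn
  policy = data.aws_iam_policy_document.combined.json
}

# S3 validates that it is allowed to publish to the destination when the
# notification configuration is written, so the topic policy must exist
# before this resource is created.
resource "aws_s3_bucket_notification" "this" {
  bucket = aws_s3_bucket.this.id

  topic {
    topic_arn = aws_sns_topic.this.arn
    events    = ["s3:ObjectCreated:*"]
  }

  depends_on = [aws_sns_topic_policy.this]
}
```

Two things to check after `terraform plan`: the rendered `combined` policy should contain both statements (S3 publish plus Snowflake's), and your own statement's Sid must not collide with one in the Snowflake-generated JSON, since aws_iam_policy_document rejects duplicate Sids across source_policy_documents. The assumed Sid above is chosen to be unlikely to collide; if it ever does, rename yours rather than the generated one.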