Snowflake-Labs / terraform-provider-snowflake

Terraform provider for managing Snowflake accounts
https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest
MIT License
552 stars 420 forks

[Feature]: snowflake_grant_database_application_role #3134

Closed yuukiyamanaka closed 1 month ago

yuukiyamanaka commented 1 month ago

Use Cases or Problem Statement

When I want to set up an account budget using the docs, I need to run the query below:

GRANT USAGE ON INTEGRATION budgets_notification_integration
  TO APPLICATION snowflake;

I cannot find the Terraform resource for this. According to these docs, Application role is already Generally Available.

The latest version only supports snowflake_grant_application_role. Do you have a roadmap for supporting snowflake_application_role and snowflake_grant_database_application_role resources?

Category

category:resource

Object type(s)

No response

Proposal

Implement

How much impact is this issue causing?

Low

Additional Information

No response

Would you like to implement a fix?

sfc-gh-jmichalak commented 1 month ago

Hi @yuukiyamanaka 👋

  1. We have Application Roles on our roadmap - in the Remaining Objects list. We'll start working on this after we conclude the essential objects, but we don't have a release date yet. As a workaround, you can use the unsafe_execute resource.

  2. snowflake_grant_privileges_to_application_role will not be added to the provider (read more here). Instead, granting privileges to application roles should be done in application's setup script.
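
An added example, not part of the original thread or the provider's documentation: the GRANT from the issue expressed through the unsafe_execute workaround mentioned above. The resource label, the local value and the revert statement are assumptions; the revert is included so the privilege is revoked on destroy instead of outliving the configuration.

```hcl
locals {
  # Integration name taken from the GRANT statement in the issue.
  budget_integration = "budgets_notification_integration"
}

# Assumed resource label; snowflake_unsafe_execute runs the statements
# verbatim and does not track the grant's real state in Snowflake.
resource "snowflake_unsafe_execute" "budget_integration_usage" {
  # Applied on create: the statement from the issue.
  execute = "GRANT USAGE ON INTEGRATION ${local.budget_integration} TO APPLICATION snowflake"

  # Applied on destroy (assumed counterpart of the GRANT above), so the
  # application does not keep USAGE after the resource is removed.
  revert = "REVOKE USAGE ON INTEGRATION ${local.budget_integration} FROM APPLICATION snowflake"
}
```

Because the provider cannot detect drift for this resource, a grant revoked manually in Snowflake will not show up in `terraform plan`.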

yuukiyamanaka commented 1 month ago

@sfc-gh-jmichalak

Thank you for your reply. I have two questions.

  1. If I were to implement a snowflake_application_role and submit a PR, would it be possible to have it merged?
  2. I understand that setup scripts should be used for application roles. On the other hand, if we want to grant permissions to a "Snowflake" Application, as in the Budget example above, is it possible to make changes to the setup script?

sfc-gh-jcieslak commented 1 month ago

Hey @yuukiyamanaka 👋 Both commands are not available to be run fully outside of the application context (setup script), that's why it doesn't make much sense to have it as a Terraform resource (because you don't have many options on running those commands outside of the application context). For granting privileges to application roles you can read this. For granting application roles read this. The research on grants was done some time ago, but maybe when we come back to them in the future it will be possible to create such resources. Right now, we focus on other tasks to provide the V1 version of the provider.

yuukiyamanaka commented 1 month ago

@sfc-gh-jcieslak Thank you for your reply. I fully understand. Thank you! 👍