Merge remote-tracking branch 'chanzuckerberg/master'
velppa committed Jul 31, 2020
2 parents a43a6d7 + 92a5e27 commit 72b14ee
Showing 60 changed files with 889 additions and 694 deletions.
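--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,32 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Provider Version**
+
+The provider version you are using.
+
+**Terraform Version**
+
+The version of Terraform you were using when the bug was encountered.
+
+**Describe the bug**
+
+A clear and concise description of what the bug is.
+
+**Expected behavior**
+
+A clear and concise description of what you expected to happen.
+
+**Code samples and commands**
+
+Please add code examples and commands that were run to cause the problem.
+
+**Additional context**
+
+Add any other context about the problem here.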
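--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,24 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: feature-request
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+
+Add any other context or screenshots about the feature request here.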
8 changes: 4 additions & 4 deletions Makefile
Expand Up @@ -99,12 +99,12 @@ clean: ## clean the repo
rm -rf dist
.PHONY: clean

docs: build ## generate some docs
./scripts/update-readme.sh update
docs:
go run ./docgen
.PHONY: docs

check-docs: build ## check that docs have been generated
./scripts/update-readme.sh check
check-docs: docs ## check that docs have been generated
git diff --exit-code -- docs
.PHONY: check-docs

check-mod:
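Review bot: `check-docs` now relies on `git diff --exit-code -- docs`, which only compares tracked files, so a page that `go run ./docgen` writes for a newly added resource is untracked and the check passes without that page ever being committed. A check that also sees untracked files closes the gap, for example `test -z "$$(git status --porcelain -- docs)"` as the recipe line. The new `docs:` target also dropped the `## generate some docs` help comment that the neighbouring targets keep. The Makefile continues outside this hunk, so any other target that still calls `scripts/update-readme.sh` is not visible here.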
423 changes: 3 additions & 420 deletions README.md

Large diffs are not rendered by default.

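--- a/docgen/main.go
+++ b/docgen/main.go
@@ -0,0 +1,111 @@
+package main
+
+import (
+"fmt"
+"log"
+"os"
+"path"
+"sort"
+"strings"
+
+"github.com/chanzuckerberg/terraform-provider-snowflake/pkg/provider"
+"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+"github.com/olekukonko/tablewriter"
+)
+
+func main() {
+docsPath := "docs/resources"
+
+resources := provider.Provider().ResourcesMap
+
+for name, resource := range resources {
+shortName := strings.TrimPrefix(name, "snowflake_")
+
+f, err := os.Create(path.Join(docsPath, fmt.Sprintf("%s.md", shortName)))
+if err != nil {
+log.Fatal(err)
+}
+
+_, err = f.WriteString(fmt.Sprintf("\n# %s\n\n", name))
+if err != nil {
+log.Fatalf("unable to write doc file %#v", err)
+}
+
+_, err = f.WriteString("<!-- These docs are auto-generated by code in ./docgen, run by with make docs. Manual edits will be overwritten. -->\n\n")
+if err != nil {
+log.Fatalf("unable to write doc file %#v", err)
+}
+
+if strings.HasSuffix(name, "_grant") {
+grant_resource_name := strings.Replace(name, "_grant", "", -1)
+granted_to_name := strings.Replace(grant_resource_name, "snowflake_", "", -1)
+_, err := f.WriteString(fmt.Sprintf(
+`**Note**: The %s resource creates exclusive attachments of grants.
+Across the entire Snowflake account, all of the %ss to which a single grant is attached must be declared
+by a single %s resource. This means that even any %s that have the attached
+grant via any other mechanism (including other Terraform resources) will have that attached grant revoked by this resource.
+These resources do not enforce exclusive attachment of a grant, it is the user's responsibility to enforce this.
+`, name, granted_to_name, name, grant_resource_name))
+if err != nil {
+log.Fatalf("unable to write doc file %#v", err)
+}
+_, err = f.WriteString("\n")
+if err != nil {
+log.Fatalf("unable to write doc file %#v", err)
+}
+}
+_, err = f.WriteString("## properties\n\n")
+if err != nil {
+log.Fatalf("unable to write doc file %#v", err)
+}
+
+table := tablewriter.NewWriter(f)
+table.SetAutoWrapText(false)
+table.SetHeader([]string{"name", "type", "description", "optional", " required", "computed", "default"})
+table.SetBorders(tablewriter.Border{Left: true, Top: false, Right: true, Bottom: false})
+table.SetCenterSeparator("|")
+
+properties := make([]string, 0)
+for k := range resource.Schema {
+properties = append(properties, k)
+}
+sort.Strings(properties)
+for _, property := range properties {
+s := resource.Schema[property]
+table.Append([]string{property, typeString(s.Type), s.Description, boolString(s.Optional), boolString(s.Required), boolString(s.Computed), interfaceString(s.Default)})
+}
+table.Render()
+f.Close()
+}
+}
+
+func typeString(t schema.ValueType) string {
+switch t {
+case schema.TypeBool:
+return "bool"
+case schema.TypeInt:
+return "int"
+case schema.TypeFloat:
+return "float"
+case schema.TypeString:
+return "string"
+case schema.TypeList:
+return "list"
+case schema.TypeMap:
+return "map"
+case schema.TypeSet:
+return "set"
+}
+return "?"
+}
+
+func boolString(t bool) string {
+return fmt.Sprintf("%t", t)
+}
+
+func interfaceString(t interface{}) string {
+if t == nil {
+return ""
+}
+return fmt.Sprintf("%#v", t)
+}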
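Review bot: The property table built in `main` prints `s.Default` through `interfaceString` for every field and has no column for `s.Sensitive`, so a credential field such as `admin_password` in the generated managed_account.md reads like any other string, and a default set on a sensitive field would be committed to the docs verbatim. Whether the provider schema marks that field sensitive is not visible on this page. Consider adding a `"sensitive"` header with `boolString(s.Sensitive)` in the `table.Append` row, and passing an empty default when `s.Sensitive` is true. Separately, `f.Close()` at the end of the loop body is unchecked and is skipped on every `log.Fatalf` path, so a failed flush can leave a truncated page; `if err := f.Close(); err != nil { log.Fatalf("unable to close doc file: %v", err) }` would surface it.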
94 changes: 94 additions & 0 deletions docs/index.md
@@ -0,0 +1,94 @@
# Snowflake Provider

This is a terraform provider plugin for managing [Snowflake](http://snowflakedb.com) accounts.
Coverage is focused on part of Snowflake related to access control.

## Example

```hcl
provider snowflake {
// required
username = "..."
account = "..."
region = "..."
// optional, at exactly one must be set
password = "..."
oauth_access_token = "..."
private_key_path = "..."
// optional
role = "..."
}
```

## Authentication

The Snowflake provider support multiple ways to authenticate:

* Password
* OAuth Access Token
* Browser Auth
* Private Key

In all cases account, username, and region are required.

### Keypair Authentication Environment Variables

You should generate the public and private keys and set up environment variables.

```shell

cd ~/.ssh
openssl genrsa -out snowflake_key 4096
openssl rsa -in snowflake_key -pubout -out snowflake_key.pub
```

To export the variables into your provider:

```shell
export SNOWFLAKE_USER="..."
export SNOWFLAKE_PRIVATE_KEY_PATH="~/.ssh/snowflake_key"
```

### OAuth Access Token

If you have an OAuth access token, export these credentials as environment variables:

```shell
export SNOWFLAKE_USER='...'
export SNOWFLAKE_OAUTH_ACCESS_TOKEN='...'
```

Note that once this access token expires, you'll need to request a new one through an external application.

### Username and Password Environment Variables

If you choose to use Username and Password Authentication, export these credentials:

```shell
export SNOWFLAKE_USER='...'
export SNOWFLAKE_PASSWORD='...'
```

## Argument Reference

In addition to [generic `provider` arguments](https://www.terraform.io/docs/configuration/providers.html)
(e.g. `alias` and `version`), the following arguments are supported in the Snowflake
`provider` block:

* `account` - (required) The name of the Snowflake account. Can also come from the
`SNOWFLAKE_ACCOUNT` environment variable.
* `username` - (required) Username for username+password authentication. Can come from the
`SNOWFLAKE_PASSWORD` environment variable.
* `region` - (required) [Snowflake region](https://docs.snowflake.com/en/user-guide/intro-regions.html) to use. Can be source from the `SNOWFLAKE_REGION` environment variable.
* `password` - (optional) Password for username+password auth. Cannot be used with `browser_auth` or
`private_key_path`. Can be source from `SNOWFLAKE_PASSWORD` environment variable.
* `oauth_access_token` - (optional) Token for use with OAuth. Generating the token is left to other
tools. Cannot be used with `browser_auth`, `private_key_path` or `password`. Can be source from
`SNOWFLAKE_OAUTH_ACCESS_TOKEN` environment variable.
* `private_key_path` - (optional) Path to a private key for using keypair authentication.. Cannot be
used with `browser_auth`, `oauth_access_token` or `password`. Can be source from
`SNOWFLAKE_PRIVATE_KEY_PATH` environment variable.
* `role` - (optional) Snowflake role to use for operations. If left unset, default role for user
will be used. Can come from the `SNOWFLAKE_ROLE` environment variable.
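--- a/docs/resources/account_grant.md
+++ b/docs/resources/account_grant.md
@@ -0,0 +1,17 @@
+
+# snowflake_account_grant
+
+<!-- These docs are auto-generated by code in ./docgen, run by with make docs. Manual edits will be overwritten. -->
+
+**Note**: The snowflake_account_grant resource creates exclusive attachments of grants.
+Across the entire Snowflake account, all of the accounts to which a single grant is attached must be declared
+by a single snowflake_account_grant resource. This means that even any snowflake_account that have the attached
+grant via any other mechanism (including other Terraform resources) will have that attached grant revoked by this resource.
+These resources do not enforce exclusive attachment of a grant, it is the user's responsibility to enforce this.
+
+## properties
+
+| NAME | TYPE | DESCRIPTION | OPTIONAL | REQUIRED | COMPUTED | DEFAULT |
+|-----------|--------|---------------------------------------|----------|-----------|----------|---------|
+| privilege | string | The privilege to grant on the schema. | true | false | false | "USAGE" |
+| roles | set | Grants privilege to these roles. | true | false | false | |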
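--- a/docs/resources/database.md
+++ b/docs/resources/database.md
@@ -0,0 +1,14 @@
+
+# snowflake_database
+
+<!-- These docs are auto-generated by code in ./docgen, run by with make docs. Manual edits will be overwritten. -->
+
+## properties
+
+| NAME | TYPE | DESCRIPTION | OPTIONAL | REQUIRED | COMPUTED | DEFAULT |
+|-----------------------------|--------|-------------------------------------------------------------------------------|----------|-----------|----------|---------|
+| comment | string | | true | false | false | "" |
+| data_retention_time_in_days | int | | true | false | true | |
+| from_database | string | Specify a database to create a clone from. | true | false | false | |
+| from_share | map | Specify a provider and a share in this map to create a database from a share. | true | false | false | |
+| name | string | | false | true | false | |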
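--- a/docs/resources/database_grant.md
+++ b/docs/resources/database_grant.md
@@ -0,0 +1,19 @@
+
+# snowflake_database_grant
+
+<!-- These docs are auto-generated by code in ./docgen, run by with make docs. Manual edits will be overwritten. -->
+
+**Note**: The snowflake_database_grant resource creates exclusive attachments of grants.
+Across the entire Snowflake account, all of the databases to which a single grant is attached must be declared
+by a single snowflake_database_grant resource. This means that even any snowflake_database that have the attached
+grant via any other mechanism (including other Terraform resources) will have that attached grant revoked by this resource.
+These resources do not enforce exclusive attachment of a grant, it is the user's responsibility to enforce this.
+
+## properties
+
+| NAME | TYPE | DESCRIPTION | OPTIONAL | REQUIRED | COMPUTED | DEFAULT |
+|---------------|--------|--------------------------------------------------------|----------|-----------|----------|---------|
+| database_name | string | The name of the database on which to grant privileges. | false | true | false | |
+| privilege | string | The privilege to grant on the database. | true | false | false | "USAGE" |
+| roles | set | Grants privilege to these roles. | true | false | false | |
+| shares | set | Grants privilege to these shares. | true | false | false | |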
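--- a/docs/resources/integration_grant.md
+++ b/docs/resources/integration_grant.md
@@ -0,0 +1,18 @@
+
+# snowflake_integration_grant
+
+<!-- These docs are auto-generated by code in ./docgen, run by with make docs. Manual edits will be overwritten. -->
+
+**Note**: The snowflake_integration_grant resource creates exclusive attachments of grants.
+Across the entire Snowflake account, all of the integrations to which a single grant is attached must be declared
+by a single snowflake_integration_grant resource. This means that even any snowflake_integration that have the attached
+grant via any other mechanism (including other Terraform resources) will have that attached grant revoked by this resource.
+These resources do not enforce exclusive attachment of a grant, it is the user's responsibility to enforce this.
+
+## properties
+
+| NAME | TYPE | DESCRIPTION | OPTIONAL | REQUIRED | COMPUTED | DEFAULT |
+|------------------|--------|------------------------------------------------------------------|----------|-----------|----------|---------|
+| integration_name | string | Identifier for the integration; must be unique for your account. | false | true | false | |
+| privilege | string | The privilege to grant on the integration. | true | false | false | "USAGE" |
+| roles | set | Grants privilege to these roles. | true | false | false | |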
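--- a/docs/resources/managed_account.md
+++ b/docs/resources/managed_account.md
@@ -0,0 +1,19 @@
+
+# snowflake_managed_account
+
+<!-- These docs are auto-generated by code in ./docgen, run by with make docs. Manual edits will be overwritten. -->
+
+## properties
+
+| NAME | TYPE | DESCRIPTION | OPTIONAL | REQUIRED | COMPUTED | DEFAULT |
+|----------------|--------|------------------------------------------------------------------------------------------------------------------------------------------------|----------|-----------|----------|----------|
+| admin_name | string | Identifier, as well as login name, for the initial user in the managed account. This user serves as the account administrator for the account. | false | true | false | |
+| admin_password | string | Password for the initial user in the managed account. | false | true | false | |
+| cloud | string | Cloud in which the managed account is located. | false | false | true | |
+| comment | string | Specifies a comment for the managed account. | true | false | false | |
+| created_on | string | Date and time when the managed account was created. | false | false | true | |
+| locator | string | Display name of the managed account. | false | false | true | |
+| name | string | Identifier for the managed account; must be unique for your account. | false | true | false | |
+| region | string | Snowflake Region in which the managed account is located. | false | false | true | |
+| type | string | Specifies the type of managed account. | true | false | false | "READER" |
+| url | string | URL for accessing the managed account, particularly through the web interface. | false | false | true | |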
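--- a/docs/resources/pipe.md
+++ b/docs/resources/pipe.md
@@ -0,0 +1,17 @@
+
+# snowflake_pipe
+
+<!-- These docs are auto-generated by code in ./docgen, run by with make docs. Manual edits will be overwritten. -->
+
+## properties
+
+| NAME | TYPE | DESCRIPTION | OPTIONAL | REQUIRED | COMPUTED | DEFAULT |
+|----------------------|--------|-----------------------------------------------------------------------------------------------------------------|----------|-----------|----------|---------|
+| auto_ingest | bool | Specifies a auto_ingest param for the pipe. | true | false | false | false |
+| comment | string | Specifies a comment for the pipe. | true | false | false | |
+| copy_statement | string | Specifies the copy statement for the pipe. | false | true | false | |
+| database | string | The database in which to create the pipe. | false | true | false | |
+| name | string | Specifies the identifier for the pipe; must be unique for the database and schema in which the pipe is created. | false | true | false | |
+| notification_channel | string | Amazon Resource Name of the Amazon SQS queue for the stage named in the DEFINITION column. | false | false | true | |
+| owner | string | Name of the role that owns the pipe. | false | false | true | |
+| schema | string | The schema in which to create the pipe. | false | true | false | |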