Fix handling compute pools privileges
References: #2717
sfc-gh-asawicki committed Nov 7, 2024
1 parent 9888d49 commit 09f67b4
Showing 6 changed files with 118 additions and 0 deletions.
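--- a/pkg/acceptance/helpers/compute_pool_client.go
+++ b/pkg/acceptance/helpers/compute_pool_client.go
@@ -0,0 +1,47 @@
+package helpers
+
+import (
+"context"
+"fmt"
+"testing"
+
+"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk"
+"github.com/stretchr/testify/require"
+)
+
+// TODO [SNOW-1790174]: change raw sqls to proper client
+type ComputePoolClient struct {
+context *TestClientContext
+ids *IdsGenerator
+}
+
+func NewComputePoolClient(context *TestClientContext, idsGenerator *IdsGenerator) *ComputePoolClient {
+return &ComputePoolClient{
+context: context,
+ids: idsGenerator,
+}
+}
+
+func (c *ComputePoolClient) client() *sdk.Client {
+return c.context.client
+}
+
+func (c *ComputePoolClient) CreateComputePool(t *testing.T) (sdk.AccountObjectIdentifier, func()) {
+t.Helper()
+ctx := context.Background()
+
+id := c.ids.RandomAccountObjectIdentifier()
+_, err := c.client().ExecForTests(ctx, fmt.Sprintf(`CREATE COMPUTE POOL %s MIN_NODES = 1 MAX_NODES = 1 INSTANCE_FAMILY = CPU_X64_XS`, id.FullyQualifiedName()))
+require.NoError(t, err)
+return id, c.DropComputePoolFunc(t, id)
+}
+
+func (c *ComputePoolClient) DropComputePoolFunc(t *testing.T, id sdk.AccountObjectIdentifier) func() {
+t.Helper()
+ctx := context.Background()
+
+return func() {
+_, err := c.client().ExecForTests(ctx, fmt.Sprintf(`DROP COMPUTE POOL IF EXISTS %s`, id.FullyQualifiedName()))
+require.NoError(t, err)
+}
+}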
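Review bot: `CreateComputePool` creates the pool with `MIN_NODES = 1` and no suspend options, so a run that is interrupted before its cleanup executes leaves a provisioned compute pool behind in the test account. The grant test that uses this helper only needs the object to exist, so the statement could create it suspended: `CREATE COMPUTE POOL %s MIN_NODES = 1 MAX_NODES = 1 INSTANCE_FAMILY = CPU_X64_XS INITIALLY_SUSPENDED = TRUE`. The exported helpers also have no doc comments; a line such as `// CreateComputePool creates a single-node compute pool with a random name and returns its id together with a cleanup function.` would state the contract for callers.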
2 changes: 2 additions & 0 deletions pkg/acceptance/helpers/test_client.go
@@ -17,6 +17,7 @@ type TestClient struct {
ApplicationPackage *ApplicationPackageClient
AuthenticationPolicy *AuthenticationPolicyClient
BcrBundles *BcrBundlesClient
ComputePool *ComputePoolClient
Connection *ConnectionClient
Context *ContextClient
CortexSearchService *CortexSearchServiceClient
@@ -85,6 +86,7 @@ func NewTestClient(c *sdk.Client, database string, schema string, warehouse stri
ApplicationPackage: NewApplicationPackageClient(context, idsGenerator),
AuthenticationPolicy: NewAuthenticationPolicyClient(context, idsGenerator),
BcrBundles: NewBcrBundlesClient(context),
ComputePool: NewComputePoolClient(context, idsGenerator),
Connection: NewConnectionClient(context, idsGenerator),
Context: NewContextClient(context),
CortexSearchService: NewCortexSearchServiceClient(context, idsGenerator),
3 changes: 3 additions & 0 deletions pkg/resources/grant_privileges_to_account_role.go
@@ -1183,6 +1183,9 @@ func createGrantPrivilegesToAccountRoleIdFromSchema(d *schema.ResourceData) (id
case on.AccountObject.ReplicationGroup != nil:
onAccountObjectGrantData.ObjectType = sdk.ObjectTypeReplicationGroup
onAccountObjectGrantData.ObjectName = *on.AccountObject.ReplicationGroup
case on.AccountObject.ComputePool != nil:
onAccountObjectGrantData.ObjectType = sdk.ObjectTypeComputePool
onAccountObjectGrantData.ObjectName = *on.AccountObject.ComputePool
case on.AccountObject.ExternalVolume != nil:
onAccountObjectGrantData.ObjectType = sdk.ObjectTypeExternalVolume
onAccountObjectGrantData.ObjectName = *on.AccountObject.ExternalVolume
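Review bot: The new `case on.AccountObject.ComputePool != nil:` extends a hand-maintained switch, and nothing visible in the hunk shows what happens when no case matches. If the switch has no `default`, the next account-object type that is missing here would again leave `ObjectType` and `ObjectName` unset in the grant id instead of failing, and that id determines which object the privilege is granted on and revoked from. A branch such as `default: return id, fmt.Errorf("unsupported object type in on_account_object")`, adjusted to the function's result list (cut off in the hunk header), would turn that into an explicit error. The switch and the function both continue outside the hunk, so such a branch may already exist.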
47 changes: 47 additions & 0 deletions pkg/resources/grant_privileges_to_account_role_acceptance_test.go
@@ -215,6 +215,53 @@ func TestAcc_GrantPrivilegesToAccountRole_OnAccountObject(t *testing.T) {
})
}

func TestAcc_GrantPrivilegesToAccountRole_OnAccountObject_gh2717(t *testing.T) {
_ = testenvs.GetOrSkipTest(t, testenvs.EnableAcceptance)
acc.TestAccPreCheck(t)

computePoolId, computePoolCleanup := acc.TestClient().ComputePool.CreateComputePool(t)
t.Cleanup(computePoolCleanup)

roleId := acc.TestClient().Ids.RandomAccountObjectIdentifier()
roleFullyQualifiedName := roleId.FullyQualifiedName()
configVariables := config.Variables{
"name": config.StringVariable(roleFullyQualifiedName),
"compute_pool": config.StringVariable(computePoolId.Name()),
"privileges": config.ListVariable(
config.StringVariable(string(sdk.AccountObjectPrivilegeUsage)),
),
}
resourceName := "snowflake_grant_privileges_to_account_role.test"

resource.Test(t, resource.TestCase{
ProtoV6ProviderFactories: acc.TestAccProtoV6ProviderFactories,
PreCheck: func() { acc.TestAccPreCheck(t) },
TerraformVersionChecks: []tfversion.TerraformVersionCheck{
tfversion.RequireAbove(tfversion.Version1_5_0),
},
CheckDestroy: acc.CheckAccountRolePrivilegesRevoked(t),
Steps: []resource.TestStep{
{
PreConfig: func() {
_, roleCleanup := acc.TestClient().Role.CreateRoleWithIdentifier(t, roleId)
t.Cleanup(roleCleanup)
},
ConfigDirectory: acc.ConfigurationDirectory("TestAcc_GrantPrivilegesToAccountRole/OnAccountObject_gh2717"),
ConfigVariables: configVariables,
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr(resourceName, "account_role_name", roleFullyQualifiedName),
resource.TestCheckResourceAttr(resourceName, "privileges.#", "1"),
resource.TestCheckResourceAttr(resourceName, "privileges.0", string(sdk.AccountObjectPrivilegeUsage)),
resource.TestCheckResourceAttr(resourceName, "on_account_object.#", "1"),
resource.TestCheckResourceAttr(resourceName, "on_account_object.0.object_type", string(sdk.ObjectTypeComputePool)),
resource.TestCheckResourceAttr(resourceName, "on_account_object.0.object_name", computePoolId.Name()),
resource.TestCheckResourceAttr(resourceName, "id", fmt.Sprintf("%s|false|false|USAGE|OnAccountObject|%s|%s", roleFullyQualifiedName, sdk.ObjectTypeComputePool, computePoolId.FullyQualifiedName())),
),
},
},
})
}

// This proves that infinite plan is not produced as in snowflake_grant_privileges_to_role.
// More details can be found in the fix pr https://github.com/Snowflake-Labs/terraform-provider-snowflake/pull/2364.
func TestAcc_GrantPrivilegesToApplicationRole_OnAccountObject_InfinitePlan(t *testing.T) {
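Review bot: `TestAcc_GrantPrivilegesToAccountRole_OnAccountObject_gh2717` has a single apply step, so it covers building the `COMPUTE POOL` id from the schema but not parsing that id back. An import step that reuses the same configuration would exercise the read path for an object type whose name contains a space, assuming this resource supports import verification as its other tests may already do. The added step is sketched below; the existing step stays as it is.

```go
Steps: []resource.TestStep{
	// … unchanged: apply step with PreConfig and attribute checks …
	{
		ConfigDirectory:   acc.ConfigurationDirectory("TestAcc_GrantPrivilegesToAccountRole/OnAccountObject_gh2717"),
		ConfigVariables:   configVariables,
		ResourceName:      resourceName,
		ImportState:       true,
		ImportStateVerify: true,
	},
},
```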
@@ -0,0 +1,8 @@
resource "snowflake_grant_privileges_to_account_role" "test" {
account_role_name = var.name
privileges = var.privileges
on_account_object {
object_type = "COMPUTE POOL"
object_name = var.compute_pool
}
}
@@ -0,0 +1,11 @@
variable "name" {
type = string
}

variable "compute_pool" {
type = string
}

variable "privileges" {
type = list(string)
}
