feat: Unsafe execute v1 readiness (#3266)
### Changes
- Deprecated unsafe execute resource
- Add new snowflake_execute resource
- Adjust tests to use the new resource
- Add more tests for other corner cases
- Make sure the new resource is importable
1 parent 13401d5, commit c4f1e8f
Showing 27 changed files with 632 additions and 231 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,128 @@ | ||
--- | ||
# generated by /~https://github.com/hashicorp/terraform-plugin-docs | ||
page_title: "snowflake_execute Resource - terraform-provider-snowflake" | ||
subcategory: "" | ||
description: |- | ||
Resource allowing execution of ANY SQL statement. | ||
--- | ||
|
||
# snowflake_execute (Resource) | ||
|
||
!> **Warning** This is a dangerous resource that allows executing **ANY** SQL statement. It may destroy resources if used incorrectly. It may behave incorrectly combined with other resources. Use at your own risk. | ||
|
||
~> **Note** It can be theoretically used to manage resource that are not supported by the provider. This is risky and may brake other resources if used incorrectly. | ||
|
||
~> **Note** Use `query` parameter with caution. It will fetch **ALL** the results returned by the query provided. Try to limit the number of results by writing query with filters. Query failure does not stop resource creation; it simply results in `query_results` being empty. | ||
|
||
Resource allowing execution of ANY SQL statement. | ||
|
||
## Example Usage | ||
|
||
```terraform | ||
################################## | ||
### simple use cases | ||
################################## | ||
# create and destroy resource | ||
resource "snowflake_execute" "test" { | ||
execute = "CREATE DATABASE ABC" | ||
revert = "DROP DATABASE ABC" | ||
} | ||
# create and destroy resource using qualified name | ||
resource "snowflake_execute" "test" { | ||
execute = "CREATE DATABASE \"abc\"" | ||
revert = "DROP DATABASE \"abc\"" | ||
} | ||
# with query | ||
resource "snowflake_execute" "test" { | ||
execute = "CREATE DATABASE ABC" | ||
revert = "DROP DATABASE ABC" | ||
query = "SHOW DATABASES LIKE '%ABC%'" | ||
} | ||
################################## | ||
### grants example | ||
################################## | ||
# grant and revoke privilege USAGE to ROLE on database | ||
resource "snowflake_execute" "test" { | ||
execute = "GRANT USAGE ON DATABASE ABC TO ROLE XYZ" | ||
revert = "REVOKE USAGE ON DATABASE ABC FROM ROLE XYZ" | ||
} | ||
# grant and revoke with for_each | ||
variable "database_grants" { | ||
type = list(object({ | ||
database_name = string | ||
role_id = string | ||
privileges = list(string) | ||
})) | ||
} | ||
resource "snowflake_execute" "test" { | ||
for_each = { for index, db_grant in var.database_grants : index => db_grant } | ||
execute = "GRANT ${join(",", each.value.privileges)} ON DATABASE ${each.value.database_name} TO ROLE ${each.value.role_id}" | ||
revert = "REVOKE ${join(",", each.value.privileges)} ON DATABASE ${each.value.database_name} FROM ROLE ${each.value.role_id}" | ||
} | ||
################################## | ||
### fixing bad configuration | ||
################################## | ||
# bad revert | ||
# 1 - resource created with a bad revert; it is constructed, revert is not validated before destroy happens | ||
resource "snowflake_execute" "test" { | ||
execute = "CREATE DATABASE ABC" | ||
revert = "SELECT 1" | ||
} | ||
# 2 - fix the revert first; resource won't be recreated | ||
resource "snowflake_execute" "test" { | ||
execute = "CREATE DATABASE ABC" | ||
revert = "DROP DATABASE ABC" | ||
} | ||
# bad query | ||
# 1 - resource will be created; query_results will be empty | ||
resource "snowflake_execute" "test" { | ||
execute = "CREATE DATABASE ABC" | ||
revert = "DROP DATABASE ABC" | ||
query = "bad query" | ||
} | ||
# 2 - fix the query; query_results will be calculated; resource won't be recreated | ||
resource "snowflake_execute" "test" { | ||
execute = "CREATE DATABASE ABC" | ||
revert = "DROP DATABASE ABC" | ||
query = "SHOW DATABASES LIKE '%ABC%'" | ||
} | ||
``` | ||
-> **Note** Instead of using fully_qualified_name, you can reference objects managed outside Terraform by constructing a correct ID, consult [identifiers guide](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/guides/identifiers#new-computed-fully-qualified-name-field-in-resources). | ||
<!-- TODO(SNOW-1634854): include an example showing both methods--> | ||
|
||
<!-- schema generated by tfplugindocs --> | ||
## Schema | ||
|
||
### Required | ||
|
||
- `execute` (String) SQL statement to execute. Forces recreation of resource on change. | ||
- `revert` (String) SQL statement to revert the execute statement. Invoked when resource is being destroyed. | ||
|
||
### Optional | ||
|
||
- `query` (String) Optional SQL statement to do a read. Invoked on every resource refresh and every time it is changed. | ||
|
||
### Read-Only | ||
|
||
- `id` (String) The ID of this resource. | ||
- `query_results` (List of Map of String) List of key-value maps (text to text) retrieved after executing read query. Will be empty if the query results in an error. | ||
|
||
## Import | ||
|
||
Import is supported using the following syntax: | ||
|
||
```shell | ||
terraform import snowflake_execute.example '<random_uuid>' | ||
``` |
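Review bot: The `query` note near the top says a failed query "simply results in `query_results` being empty", and the Read-Only entry for `query_results` repeats it, so a reader cannot tell a query error from a query that legitimately returned no rows; the docs should say where the error is surfaced, or state plainly that it is not. Two typos in the second note: "manage resource that are" should read "resources", and "may brake" should read "may break". The `fully_qualified_name` note after the example block refers to a field that the Schema section does not list for this resource, so it looks carried over from another page and should be dropped or reworded.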
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
terraform import snowflake_execute.example '<random_uuid>' |
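Review bot: The `'<random_uuid>'` placeholder gives no hint where the value comes from; the import docs should say whether any UUID is accepted or whether it must match an `id` already recorded in state, and what `execute`, `revert` and `query` hold after the import.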
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,79 @@ | ||
################################## | ||
### simple use cases | ||
################################## | ||
|
||
# create and destroy resource | ||
resource "snowflake_execute" "test" { | ||
execute = "CREATE DATABASE ABC" | ||
revert = "DROP DATABASE ABC" | ||
} | ||
|
||
# create and destroy resource using qualified name | ||
resource "snowflake_execute" "test" { | ||
execute = "CREATE DATABASE \"abc\"" | ||
revert = "DROP DATABASE \"abc\"" | ||
} | ||
|
||
# with query | ||
resource "snowflake_execute" "test" { | ||
execute = "CREATE DATABASE ABC" | ||
revert = "DROP DATABASE ABC" | ||
query = "SHOW DATABASES LIKE '%ABC%'" | ||
} | ||
|
||
################################## | ||
### grants example | ||
################################## | ||
|
||
# grant and revoke privilege USAGE to ROLE on database | ||
resource "snowflake_execute" "test" { | ||
execute = "GRANT USAGE ON DATABASE ABC TO ROLE XYZ" | ||
revert = "REVOKE USAGE ON DATABASE ABC FROM ROLE XYZ" | ||
} | ||
|
||
# grant and revoke with for_each | ||
variable "database_grants" { | ||
type = list(object({ | ||
database_name = string | ||
role_id = string | ||
privileges = list(string) | ||
})) | ||
} | ||
|
||
resource "snowflake_execute" "test" { | ||
for_each = { for index, db_grant in var.database_grants : index => db_grant } | ||
execute = "GRANT ${join(",", each.value.privileges)} ON DATABASE ${each.value.database_name} TO ROLE ${each.value.role_id}" | ||
revert = "REVOKE ${join(",", each.value.privileges)} ON DATABASE ${each.value.database_name} FROM ROLE ${each.value.role_id}" | ||
} | ||
|
||
################################## | ||
### fixing bad configuration | ||
################################## | ||
|
||
# bad revert | ||
# 1 - resource created with a bad revert; it is constructed, revert is not validated before destroy happens | ||
resource "snowflake_execute" "test" { | ||
execute = "CREATE DATABASE ABC" | ||
revert = "SELECT 1" | ||
} | ||
|
||
# 2 - fix the revert first; resource won't be recreated | ||
resource "snowflake_execute" "test" { | ||
execute = "CREATE DATABASE ABC" | ||
revert = "DROP DATABASE ABC" | ||
} | ||
|
||
# bad query | ||
# 1 - resource will be created; query_results will be empty | ||
resource "snowflake_execute" "test" { | ||
execute = "CREATE DATABASE ABC" | ||
revert = "DROP DATABASE ABC" | ||
query = "bad query" | ||
} | ||
|
||
# 2 - fix the query; query_results will be calculated; resource won't be recreated | ||
resource "snowflake_execute" "test" { | ||
execute = "CREATE DATABASE ABC" | ||
revert = "DROP DATABASE ABC" | ||
query = "SHOW DATABASES LIKE '%ABC%'" | ||
} |
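Review bot: The `for_each` grants example interpolates `each.value.privileges`, `each.value.database_name` and `each.value.role_id` straight into the `GRANT` and `REVOKE` strings with no quoting or validation, and on a resource that runs any SQL this means whatever is in `var.database_grants` is executed verbatim; add `validation` blocks to the variable, or at least a comment that the values must be trusted identifiers. Separately, every block in this file is declared as `resource "snowflake_execute" "test"`, so the file cannot be used as one configuration; distinct names, or a comment that each block is a standalone alternative, would spare anyone copying it a duplicate-resource error.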