fix: future ownership task grant (#1954) (#1955)

pkg/resources/task_grant_acceptance_test.go

@@ -187,3 +187,91 @@ resource "snowflake_task_grant" "test" {
 `
 	return fmt.Sprintf(s, name, name, concurrency, taskNameConfig, privilege)
 }
+
+func TestAcc_TaskOwnershipGrant_onFuture(t *testing.T) {
+	name := strings.ToUpper(acctest.RandStringFromCharSet(10, acctest.CharSetAlpha))
+	new_name := name + "_NEW"
+
+	resource.ParallelTest(t, resource.TestCase{
+		Providers:    providers(),
+		CheckDestroy: nil,
+		Steps: []resource.TestStep{
+			// CREATE SCHEMA level FUTURE ownership grant to role <name>
+			{
+				Config: taskOwnershipGrantConfig(name, onFuture, "OWNERSHIP", name),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("snowflake_task_grant.test", "database_name", name),
+					resource.TestCheckResourceAttr("snowflake_task_grant.test", "schema_name", name),
+					resource.TestCheckResourceAttr("snowflake_task_grant.test", "on_future", "true"),
+					resource.TestCheckResourceAttr("snowflake_task_grant.test", "with_grant_option", "false"),
+					resource.TestCheckResourceAttr("snowflake_task_grant.test", "privilege", "OWNERSHIP"),
+					resource.TestCheckResourceAttr("snowflake_task_grant.test", "roles.0", name),
+				),
+			},
+			// UPDATE SCHEMA level FUTURE OWNERSHIP grant to role <new_name>
+			{
+				Config: taskOwnershipGrantConfig(name, onFuture, "OWNERSHIP", new_name),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("snowflake_task_grant.test", "database_name", name),
+					resource.TestCheckResourceAttr("snowflake_task_grant.test", "schema_name", name),
+					resource.TestCheckResourceAttr("snowflake_task_grant.test", "on_future", "true"),
+					resource.TestCheckResourceAttr("snowflake_task_grant.test", "with_grant_option", "false"),
+					resource.TestCheckResourceAttr("snowflake_task_grant.test", "privilege", "OWNERSHIP"),
+					resource.TestCheckResourceAttr("snowflake_task_grant.test", "roles.0", new_name),
+				),
+			},
+			// IMPORT
+			{
+				ResourceName:      "snowflake_task_grant.test",
+				ImportState:       true,
+				ImportStateVerify: true,
+				ImportStateVerifyIgnore: []string{
+					"enable_multiple_grants", // feature flag attribute not defined in Snowflake, can't be imported
+				},
+			},
+		},
+	})
+}
+
+func taskOwnershipGrantConfig(name string, grantType grantType, privilege string, rolename string) string {
+	var taskNameConfig string
+	switch grantType {
+	case normal:
+		taskNameConfig = "task_name \t= snowflake_task.test.name"
+	case onFuture:
+		taskNameConfig = "on_future = true"
+	case onAll:
+		taskNameConfig = "on_all = true"
+	}
+
+	s := `
+resource "snowflake_database" "test" {
+  name = "%v"
+  comment = "Terraform acceptance test"
+}
+
+resource "snowflake_schema" "test" {
+  name = snowflake_database.test.name
+  database = snowflake_database.test.name
+  comment = "Terraform acceptance test"
+}
+
+resource "snowflake_role" "test" {
+  name = "%v"
+}
+
+resource "snowflake_role" "test_new" {
+	name = "%v_NEW"
+  }
+
+resource "snowflake_task_grant" "test" {
+  %s
+  database_name = snowflake_database.test.name
+  roles             = [ "%s" ]
+  schema_name       = snowflake_schema.test.name
+  privilege 	    = "%s"
+  with_grant_option = false
+}
+`
+	return fmt.Sprintf(s, name, name, name, taskNameConfig, rolename, privilege)
+}

pkg/snowflake/future_grant.go

@@ -257,7 +257,7 @@ func (fge *FutureGrantExecutable) Revoke(p string) []string {
 func (fge *FutureGrantExecutable) RevokeOwnership(r string) []string {
 	// Note: has no effect for ALL GRANTS
 	return []string{
-		fmt.Sprintf(`REVOKE OWNERSHIP ON ALL %vS IN %v %v FROM ROLE "%v"`,
+		fmt.Sprintf(`REVOKE OWNERSHIP ON FUTURE %vS IN %v %v FROM ROLE "%v"`,
 			fge.futureGrantType, fge.futureGrantTarget, fge.grantName, fge.granteeName),
 	}
 }

pkg/snowflake/future_grant_test.go

@@ -204,3 +204,43 @@ func TestFutureFileFormatGrant(t *testing.T) {
 	revoke = fvgd.Role("bob").Revoke("USAGE")
 	b.Equal([]string{`REVOKE USAGE ON FUTURE FILE FORMATS IN DATABASE "test_db" FROM ROLE "bob"`}, revoke)
 }
+
+func TestFutureTaskGrant(t *testing.T) {
+	r := require.New(t)
+	fvg := snowflake.FutureTaskGrant("test_db", "PUBLIC")
+	r.Equal("PUBLIC", fvg.Name())
+
+	s := fvg.Show()
+	r.Equal(`SHOW FUTURE GRANTS IN SCHEMA "test_db"."PUBLIC"`, s)
+
+	s = fvg.Role("bob").Grant("USAGE", false)
+	r.Equal(`GRANT USAGE ON FUTURE TASKS IN SCHEMA "test_db"."PUBLIC" TO ROLE "bob"`, s)
+
+	revoke := fvg.Role("bob").Revoke("USAGE")
+	r.Equal([]string{`REVOKE USAGE ON FUTURE TASKS IN SCHEMA "test_db"."PUBLIC" FROM ROLE "bob"`}, revoke)
+
+	s = fvg.Role("bob").Grant("OWNERSHIP", false)
+	r.Equal(`GRANT OWNERSHIP ON FUTURE TASKS IN SCHEMA "test_db"."PUBLIC" TO ROLE "bob"`, s)
+
+	revoke = fvg.Role("bob").RevokeOwnership("OWNERSHIP")
+	r.Equal([]string{`REVOKE OWNERSHIP ON FUTURE TASKS IN SCHEMA "test_db"."PUBLIC" FROM ROLE "bob"`}, revoke)
+
+	b := require.New(t)
+	fvgd := snowflake.FutureTaskGrant("test_db", "")
+	b.Equal("test_db", fvgd.Name())
+
+	s = fvgd.Show()
+	b.Equal(`SHOW FUTURE GRANTS IN DATABASE "test_db"`, s)
+
+	s = fvgd.Role("bob").Grant("USAGE", false)
+	b.Equal(`GRANT USAGE ON FUTURE TASKS IN DATABASE "test_db" TO ROLE "bob"`, s)
+
+	revoke = fvgd.Role("bob").Revoke("USAGE")
+	b.Equal([]string{`REVOKE USAGE ON FUTURE TASKS IN DATABASE "test_db" FROM ROLE "bob"`}, revoke)
+
+	s = fvgd.Role("bob").Grant("OWNERSHIP", false)
+	b.Equal(`GRANT OWNERSHIP ON FUTURE TASKS IN DATABASE "test_db" TO ROLE "bob"`, s)
+
+	revoke = fvgd.Role("bob").RevokeOwnership("OWNERSHIP")
+	b.Equal([]string{`REVOKE OWNERSHIP ON FUTURE TASKS IN DATABASE "test_db" FROM ROLE "bob"`}, revoke)
+}