Hello Folks We are using pulumi currently to manage Snowflak Pulumi Community #general

Hello Folks! We are using pulumi currently to man...

astonishing-monitor-79630

10/26/2022, 6:17 AM

Hello Folks! We are using pulumi currently to manage Snowflake, and our idea in handling accesses has been to do this generally on a schema level, having two generic bundles of privileges: • Read privileges • Read/Write privileges ..and utilising constructs like:

Copy code

import pulumi_snowflake as snowflake


class Snowflake(ComponentResource):
    # Select privilege
    snowflake.TableGrant(
        f"{schema_name}_SCHEMA_TABLE_SELECT_GRANT",
        schema_name=schema_name,
        roles=all_roles,
        privilege="SELECT",
        on_future=True,
        database_name=database
    )
    # Update privilege
    snowflake.TableGrant(
        f"{schema_name}_SCHEMA_TABLE_UPDATE_GRANT",
        schema_name=schema_name,
        roles=read_write_role_names,
        privilege="UPDATE",
        on_future=True,
        database_name=database
    )

However, this poses a problem the future grants will only apply to objects (i.e. tables, views etc.) created after the deployment of the new infra, while existing schema-level objects are not affected. I am thinking the best approach would be to run SQL code like:

Copy code

import snowflake.connector as sfc
sf_conn = sfc.connect()

with sf_conn.cursor() as cursor:
    for role in all_roles:
        cursor.execute(f"grant select on all tables in {schema} to role {role})

Would it be possible to configure such “manual” “post-hooks” to be run on each
pulumi up
call?

Open in Slack

Previous Next