astonishing-monitor-79630
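10/26/2022, 6:17 AM

```python
from pulumi import ComponentResource
import pulumi_snowflake as snowflake


class Snowflake(ComponentResource):
    # Constructor signature and type token are assumed; the post showed only the grants
    def __init__(self, name, database, schema_name, all_roles, read_write_role_names, opts=None):
        super().__init__("custom:snowflake:Snowflake", name, None, opts)

        # Select privilege on future tables, for every role
        snowflake.TableGrant(
            f"{schema_name}_SCHEMA_TABLE_SELECT_GRANT",
            schema_name=schema_name,
            roles=all_roles,
            privilege="SELECT",
            on_future=True,
            database_name=database,
        )
        # Update privilege on future tables, for read-write roles only
        snowflake.TableGrant(
            f"{schema_name}_SCHEMA_TABLE_UPDATE_GRANT",
            schema_name=schema_name,
            roles=read_write_role_names,
            privilege="UPDATE",
            on_future=True,
            database_name=database,
        )
```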
However, this poses a problem: the future grants will only apply to objects (i.e. tables, views, etc.) created after the deployment of the new infra, while existing schema-level objects are not affected. I am thinking the best approach would be to run SQL code like:
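```python
import snowflake.connector as sfc

# Connection parameters are omitted here, as in the original post
sf_conn = sfc.connect()
with sf_conn.cursor() as cursor:
    for role in all_roles:
        # Identifiers cannot be bound as parameters; names must come from trusted config
        cursor.execute(f"grant select on all tables in schema {schema} to role {role}")
```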
Would it be possible to configure such “manual” “post-hooks” to be run on each pulumi up call?
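As an added example (not part of the original post), one way to build the grant statements for existing tables so that they mirror the two future grants above. Role, schema and database names cannot be bound as query parameters, so each is validated or double-quoted before interpolation. The function names and sample values are assumptions, and executing the statements (for example with `cursor.execute`) is left to the caller.

```python
import re

# Snowflake unquoted identifier: letter or underscore, then letters, digits, _ or $.
_UNQUOTED = re.compile(r"[A-Za-z_][A-Za-z0-9_$]*")


def quote_ident(name):
    """Return an identifier that is safe to interpolate into SQL text."""
    if not isinstance(name, str) or not name or len(name) > 255:
        raise ValueError(f"invalid identifier: {name!r}")
    if _UNQUOTED.fullmatch(name):
        return name  # resolved case-insensitively, as in the statements in the post
    if any(ord(ch) < 0x20 for ch in name):
        raise ValueError(f"control character in identifier: {name!r}")
    # Everything else is double-quoted with embedded quotes doubled, so the
    # whole value is parsed as a single (case-sensitive) identifier.
    return '"' + name.replace('"', '""') + '"'


def existing_table_grants(database, schema, all_roles, read_write_roles):
    """Statements that mirror the two future grants onto existing tables."""
    target = f"{quote_ident(database)}.{quote_ident(schema)}"
    plan = [("SELECT", all_roles), ("UPDATE", read_write_roles)]
    statements = []
    for privilege, roles in plan:
        for role in sorted(set(roles)):  # de-duplicate, stable order
            statements.append(
                f"GRANT {privilege} ON ALL TABLES IN SCHEMA {target} "
                f"TO ROLE {quote_ident(role)}"
            )
    return statements


if __name__ == "__main__":
    # Constructed sample values, not taken from the post.
    for stmt in existing_table_grants(
        "ANALYTICS", "RAW", ["READER", "WRITER", "READER"], ["WRITER"]
    ):
        print(stmt)
```

Only tables are covered, matching the `TableGrant` resources in the post; views and other schema-level objects would need their own statements.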