@@ -45,10 +45,10 @@ resource "snowflake_account_role" "logger" {
4545}
4646
4747#  Adding streamlit role - only for analytics database
48- resource  "snowflake_account_role"  "streamlit_analytics "  {
48+ resource  "snowflake_account_role"  "streamlit_access_role "  {
4949  provider  =  . useradmin 
50-   name      =  " ${ module . analytics . name } _STREAMLIT " 
51-   comment   =  " Permissions  to create  Streamlit applications and stages in the  ${ module . analytics . name }  database for the  ${ var . environment }  environment. " 
50+   name      =  " ${ module . analytics . name } _STREAMLIT_ACCESS "   #  Name of the role 
51+   comment   =  " Role  to grant  Streamlit creation privileges " 
5252}
5353
5454# #####################################
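Review bot: Renaming both the resource address (`streamlit_analytics` → `streamlit_access_role`) and the Snowflake role `name` (`_STREAMLIT` → `_STREAMLIT_ACCESS`) will, as far as I can tell from the hunk, make Terraform destroy the old role and create a new one rather than rename it, so any grant that still references the old role outside this file is dropped at apply time; if the provider supports an in-place rename, a `moved { from = snowflake_account_role.streamlit_analytics  to = snowflake_account_role.streamlit_access_role }` block would keep state continuity, and either way the plan should be checked for unintended revokes before apply. The new `comment` also loses the database and environment context the old one carried, which is what an auditor listing roles in Snowflake sees; I would keep it, e.g. `comment = "Grants Streamlit and stage creation privileges in the ${module.analytics.name} database for the ${var.environment} environment."`. The trailing `# Name of the role` on the `name` line restates the attribute and can go.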
@@ -207,7 +207,6 @@ resource "snowflake_grant_privileges_to_account_role" "imported_privileges_to_lo
207207#  More backgorund information related to this is found
208208#  here - https://github.com/cagov/data-infrastructure/issues/274
209209# #############################################################
210- 
211210resource  "snowflake_grant_account_role"  "transform_read_to_analytics_rwc"  {
212211  provider          =  . useradmin 
213212  role_name         =  " ${ module . transform . name } _READ" 
@@ -218,23 +217,46 @@ resource "snowflake_grant_account_role" "transform_read_to_analytics_rwc" {
218217#  The cross-environment grant of the ${module.raw.name}_${var.environment}_STREAMLIT role
219218#  to the REPORTER_DEV role will handled outside of this Terraform configuration.
220219#  via manual SQL execution
221- resource  "snowflake_grant_account_role"  "streamlit_analytics_to_reporter"  {
222-   provider          =  . useradmin 
223-   role_name         =  . streamlit_analytics . name 
224-   parent_role_name  =  . reporter . name 
220+ 
221+ #  Grant the Streamlit access role to the REPORTER role
222+ resource  "snowflake_grant_account_role"  "streamlit_to_reporter"  {
223+   provider             =  . useradmin 
224+   role_name            =  . streamlit_access_role . name 
225+   parent_role_name     =  . reporter . name  #  reporter role
225226}
226227
227- resource   "snowflake_grant_privileges_to_account_role"   "streamlit_database_privileges"  { 
228-    account_role_name   =   snowflake_account_role . streamlit_analytics . name 
229-   privileges          =   [ " CREATE STAGE " ] 
230-   on_account_object  { 
231-      object_name   =   module . analytics . name 
232-     object_type  =  " DATABASE " 
228+ #  Grant CREATE STREAMLIT privilege on future schemas in the database to the Streamlit access role 
229+ resource   "snowflake_grant_privileges_to_account_role"   "streamlit_future_streamlit_privileges"  { 
230+   account_role_name   =   snowflake_account_role . streamlit_access_role . name 
231+   privileges          =   [ " CREATE STREAMLIT " ] 
232+   on_schema  { 
233+     future_schemas_in_database  =  module . analytics . name 
233234  }
234235}
235236
236- resource  "snowflake_grant_privileges_to_account_role"  "streamlit_account_privileges"  {
237-   account_role_name  =  . streamlit_analytics . name 
237+ #  Grant CREATE STREAMLIT privilege on the PUBLIC schema in the database to the Streamlit access role
238+ resource  "snowflake_grant_privileges_to_account_role"  "streamlit_public_streamlit_privileges"  {
239+   account_role_name  =  . streamlit_access_role . name 
238240  privileges         =  " CREATE STREAMLIT" 
239-   on_account         =  true 
241+   on_schema  {
242+     schema_name  =  " ${ module . analytics . name } .PUBLIC" 
243+   }
244+ }
245+ 
246+ #  Grant CREATE STAGE privilege on future schemas in the database to the Streamlit access role
247+ resource  "snowflake_grant_privileges_to_account_role"  "streamlit_future_stage_privileges"  {
248+   account_role_name  =  . streamlit_access_role . name 
249+   privileges         =  " CREATE STAGE" 
250+   on_schema  {
251+     future_schemas_in_database  =  . analytics . name 
252+   }
253+ }
254+ 
255+ #  Grant CREATE STAGE privilege on the PUBLIC schema in the database to the Streamlit access role
256+ resource  "snowflake_grant_privileges_to_account_role"  "streamlit_public_stage_privileges"  {
257+   account_role_name  =  . streamlit_access_role . name 
258+   privileges         =  " CREATE STAGE" 
259+   on_schema  {
260+     schema_name  =  " ${ module . analytics . name } .PUBLIC" 
261+   }
240262}
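Review bot: The header comment kept above this block still refers to the `${module.raw.name}_${var.environment}_STREAMLIT` role and says the grant to REPORTER_DEV is done by manual SQL outside Terraform, which no longer matches the code: the role is now named `_STREAMLIT_ACCESS`, lives on the analytics database, and `streamlit_to_reporter` grants it to `reporter` in Terraform, so the comment should be rewritten to describe what this file actually manages (and "will handled" corrected) so nobody re-applies the out-of-band grant. Moving from `on_account = true` / database-level `CREATE STAGE` to schema-scoped future and `PUBLIC` grants is a real narrowing of what the role can do and worth keeping; note, though, that `future_schemas_in_database` covers only schemas created later, so existing schemas other than `PUBLIC` get nothing — confirm that is intended or add an `all_schemas_in_database` grant. The `privileges` attribute is a list in `streamlit_future_streamlit_privileges` (`["CREATE STREAMLIT"]`) but a bare string in the three other resources; if the page reflects the source faithfully, the provider expects a list there and the string form will fail at plan, so `privileges = ["CREATE STAGE"]` is the consistent form. The `# reporter role` comment on `parent_role_name` repeats the value and can be dropped.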