
Commit 4f916d7

authored
Merge pull request #505 from cagov/streamlit-grants
Changes related to STREAMLIT and STAGE creation grants
2 parents 9f958e6 + adad0d2 commit 4f916d7


1 file changed

+37
-0
lines changed


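--- a/terraform/snowflake/modules/elt/roles.tf
+++ b/terraform/snowflake/modules/elt/roles.tf
@@ -44,6 +44,13 @@ resource "snowflake_account_role" "logger" {
 comment = "Permissions to read the SNOWFLAKE metadatabase for logging purposes"
 }
 
+# Adding streamlit role - only for analytics database
+resource "snowflake_account_role" "streamlit_analytics" {
+provider = snowflake.useradmin
+name = "${module.analytics.name}_${var.environment}_STREAMLIT"
+comment = "Permissions to create Streamlit applications and stages in the ${module.analytics.name} database for the ${var.environment} environment."
+}
+
 ######################################
 # Role Grants #
 ######################################
@@ -206,3 +213,33 @@ resource "snowflake_grant_account_role" "transform_read_to_analytics_rwc" {
 role_name = "${module.transform.name}_READ"
 parent_role_name = "${module.analytics.name}_READWRITECONTROL"
 }
+
+# Grant the Streamlit roles to the Reporter role in the current environment
+# The cross-environment grant of the ${module.raw.name}_${var.environment}_STREAMLIT role
+# to the REPORTER_DEV role will handled outside of this Terraform configuration.
+# via manual SQL execution
+resource "snowflake_grant_account_role" "streamlit_analytics_to_reporter" {
+provider = snowflake.useradmin
+role_name = snowflake_account_role.streamlit_analytics.name
+parent_role_name = snowflake_account_role.reporter.name
+}
+
+locals {
+streamlit_roles = {
+analytics = snowflake_account_role.streamlit_analytics.name
+}
+databases = {
+analytics = module.analytics.name
+}
+}
+
+resource "snowflake_grant_privileges_to_account_role" "streamlit_privileges" {
+provider = snowflake.accountadmin
+for_each = local.streamlit_roles
+account_role_name = each.value
+privileges = ["CREATE STREAMLIT", "CREATE STAGE"]
+on_account_object {
+object_type = "DATABASE"
+object_name = local.databases[each.key]
+}
+}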
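Review bot: The `streamlit_privileges` grant in the second hunk targets a DATABASE object with `CREATE STREAMLIT` and `CREATE STAGE`, but as far as I can tell both are schema-scoped privileges in Snowflake rather than database-scoped, so this resource is likely to be rejected at apply time; the intended scope is probably `on_schema { all_schemas_in_database = local.databases[each.key] }` (with a sibling resource using `future_schemas_in_database` if new schemas should be covered), and the role would also need USAGE on the database and schemas to exercise these privileges unless that is inherited elsewhere. Because `CREATE STAGE` also permits external stages that reference cloud storage outside the account, the grant's scope is worth keeping as narrow as the comment on the new role states (analytics database only) and the set of schemas covered worth recording in the comment. The comment above `streamlit_analytics_to_reporter` does not match the code: it refers to a `${module.raw.name}_${var.environment}_STREAMLIT` role and `REPORTER_DEV`, neither of which this change defines, and "will handled" should read "will be handled"; suggest reducing it to `# The cross-environment grant to the REPORTER_DEV role is handled outside of this Terraform configuration via manual SQL.` once the raw-database role actually exists. Finally, `local.streamlit_roles` and `local.databases` are two parallel maps that must be kept in sync by key; a single map such as `streamlit = { analytics = { role = snowflake_account_role.streamlit_analytics.name, database = module.analytics.name } }` would make a missing entry a plan-time error rather than a silent lookup failure.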
