fix: allow multiple cidr blocks (#3)

Author: huttotw

README.md

@@ -22,7 +22,8 @@ This module **does not** create a reader role that can be used to view the data.
 |------|-------------|------|---------|:--------:|
 | <a name="input_database_name"></a> [database\_name](#input\_database\_name) | The name of the Snowflake database to use | `string` | n/a | yes |
 | <a name="input_disable_password"></a> [disable\_password](#input\_disable\_password) | Whether to disable the password for the Snowflake user. If true, the user will only be able to authenticate using the RSA public key. | `bool` | `false` | no |
-| <a name="input_fullstory_cidr_ipv4"></a> [fullstory\_cidr\_ipv4](#input\_fullstory\_cidr\_ipv4) | The CIDR block that Fullstory will use to connect to Snowflake. | `string` | `""` | no |
+| <a name="input_fullstory_cidr_ipv4"></a> [fullstory\_cidr\_ipv4](#input\_fullstory\_cidr\_ipv4) | DEPRECATED: Use fullstory\_cidr\_ipv4s. The CIDR block that Fullstory will use to connect to Snowflake. | `string` | `""` | no |
+| <a name="input_fullstory_cidr_ipv4s"></a> [fullstory\_cidr\_ipv4s](#input\_fullstory\_cidr\_ipv4s) | The CIDR blocks that Fullstory will use to connect to Snowflake. | `list(string)` | `[]` | no |
 | <a name="input_fullstory_data_center"></a> [fullstory\_data\_center](#input\_fullstory\_data\_center) | The data center where your Fullstory account is hosted. Either 'NA1' or 'EU1'. See https://help.fullstory.com/hc/en-us/articles/8901113940375-Fullstory-Data-Residency for more information. | `string` | `"NA1"` | no |
 | <a name="input_fullstory_storage_allowed_locations"></a> [fullstory\_storage\_allowed\_locations](#input\_fullstory\_storage\_allowed\_locations) | The list of allowed locations for the storage provider. This is an advanced option and should only be changed if instructed by Fullstory. Ex. <cloud>://<bucket>/<path>/ | `list(string)` | <pre>[<br>  "gcs://fullstoryapp-warehouse-sync-bundles"<br>]</pre> | no |
 | <a name="input_fullstory_storage_provider"></a> [fullstory\_storage\_provider](#input\_fullstory\_storage\_provider) | The storage provider to use. Either 'S3', 'GCS' or 'AZURE'. This is an advanced option and should only be changed if instructed by Fullstory. | `string` | `"GCS"` | no |

main.tf

@@ -1,6 +1,9 @@
 locals {
-  fullstory_cidr_ipv4 = var.fullstory_cidr_ipv4 != "" ? var.fullstory_cidr_ipv4 : (var.fullstory_data_center == "EU1" ? "34.89.210.80/29" : "8.35.195.0/29")
-  suffix              = upper(var.suffix)
+  fullstory_default_cidr_ip4 = var.fullstory_data_center == "EU1" ? "34.89.210.80/29" : "8.35.195.0/29"
+  fullstory_cidr_ipv4        = var.fullstory_cidr_ipv4 != "" ? var.fullstory_cidr_ipv4 : local.fullstory_default_cidr_ip4
+  fullstory_cidr_ipv4s       = length(var.fullstory_cidr_ipv4s) > 0 ? var.fullstory_cidr_ipv4s : [local.fullstory_cidr_ipv4]
+
+  suffix = upper(var.suffix)
 }
 
 provider "snowflake" {
@@ -41,7 +44,7 @@ resource "snowflake_grant_privileges_to_role" "warehouse" {
 }
 
 resource "random_password" "main" {
-  count = (var.disable_password || var.password != null) ? 0 : 1
+  count            = (var.disable_password || var.password != null) ? 0 : 1
   length           = 16
   special          = true
   override_special = "!#$%&*()-_=+[]{}<>:?"
@@ -53,8 +56,8 @@ resource "snowflake_user" "main" {
   default_warehouse = var.warehouse_name
   default_role      = snowflake_role.main.name
   password          = var.disable_password ? "" : (var.password != null ? var.password : random_password.main[0].result)
-  rsa_public_key = var.rsa_public_key
-  rsa_public_key_2 = var.rsa_public_key_2
+  rsa_public_key    = var.rsa_public_key
+  rsa_public_key_2  = var.rsa_public_key_2
 }
 
 resource "snowflake_grant_privileges_to_role" "user" {
@@ -99,7 +102,7 @@ resource "snowflake_grant_privileges_to_role" "integration" {
 resource "snowflake_network_policy" "main" {
   provider        = snowflake.security_admin
   name            = "FULLSTORY_NETWORK_POLICY_${local.suffix}"
-  allowed_ip_list = [local.fullstory_cidr_ipv4]
+  allowed_ip_list = local.fullstory_cidr_ipv4s
 }
 
 resource "snowflake_network_policy_attachment" "main" {

variables.tf

@@ -4,30 +4,36 @@ variable "database_name" {
 }
 
 variable "role_name" {
-  type = string
+  type        = string
   description = "The name of the Snowflake role to create."
-  default = null
+  default     = null
 }
 
 variable "stage_name" {
-  type = string
+  type        = string
   description = "The name of the Snowflake stage to create."
-  default = null
+  default     = null
 }
 
 variable "password" {
-  type = string
+  type        = string
   description = "The password to use for the Snowflake user."
-  default = null
-  sensitive = true
+  default     = null
+  sensitive   = true
 }
 
 variable "fullstory_cidr_ipv4" {
   type        = string
-  description = "The CIDR block that Fullstory will use to connect to Snowflake."
+  description = "DEPRECATED: Use fullstory_cidr_ipv4s. The CIDR block that Fullstory will use to connect to Snowflake."
   default     = ""
 }
 
+variable "fullstory_cidr_ipv4s" {
+  type        = list(string)
+  description = "The CIDR blocks that Fullstory will use to connect to Snowflake."
+  default     = []
+}
+
 variable "fullstory_data_center" {
   type        = string
   description = "The data center where your Fullstory account is hosted. Either 'NA1' or 'EU1'. See https://help.fullstory.com/hc/en-us/articles/8901113940375-Fullstory-Data-Residency for more information."
@@ -69,19 +75,19 @@ variable "warehouse_name" {
 }
 
 variable "disable_password" {
-  type = bool
-  default = false
+  type        = bool
+  default     = false
   description = "Whether to disable the password for the Snowflake user. If true, the user will only be able to authenticate using the RSA public key."
 }
 
 variable "rsa_public_key" {
-  type = string
+  type        = string
   description = "The RSA public key to use for the Snowflake user. Must be on 1 line without header and trailer."
-  default = null
+  default     = null
 }
 
 variable "rsa_public_key_2" {
-  type = string
+  type        = string
   description = "The second RSA public key to use for the Snowflake user. Used when rotating keys. Must be on 1 line without header and trailer."
-  default = null
+  default     = null
 }