feat: Tag association v1 readiness #3210
Conversation
|
Integration tests failure for 8aa6ea667b3781751030a662948cb08d39c1c647 |
|
Integration tests failure for f97b0e8b9fdee53a6442fa8b6e76eaf351a5ba06 |
|
Integration tests success for 818d00b33e87a83140565a1320a695221e9e66c1 |
MIGRATION_GUIDE.md
Outdated
| } | ||
| ``` | ||
|
|
||
| The state is migrated automatically. There is no need to adjust configuration files, unless you use resource id like `snowflake_tag_association.example.id`. |
There was a problem hiding this comment.
I don't understand this part: There is no need to adjust configuration files, unless you use resource id like snowflake_tag_association.example.id., could you elaborate?
There was a problem hiding this comment.
Rephrased.
| ConfigVariables: m(), | ||
| Check: resource.ComposeTestCheckFunc( | ||
| resource.TestCheckResourceAttr(resourceName, "object_type", "DATABASE"), | ||
| ConfigVariables: m(tagId, tagValue), |
There was a problem hiding this comment.
Why didn't we use model + custom asserts approach here?
There was a problem hiding this comment.
As stated in the TODO section of the PR description, I'll do this in the next PR.
There was a problem hiding this comment.
Used the generated builders for the new tests.
MIGRATION_GUIDE.md
Outdated
| } | ||
| ``` | ||
|
|
||
| The state is migrated automatically. There is no need to adjust configuration files, unless you use resource id like `snowflake_tag_association.example.id`. |
There was a problem hiding this comment.
nit: unless you use ... as reference in other resources
| @@ -9,6 +9,61 @@ across different versions. | |||
|
|
|||
| ## v0.98.0 ➞ v0.99.0 | |||
|
|
|||
| ### snowflake_tag_association resource changes | |||
| #### *(behavior change)* new id format | |||
| In order to provide more functionality for tagging objects, we have changed the resource id from `"TAG_DATABASE"."TAG_SCHEMA"."TAG_NAME"` to `"TAG_DATABASE"."TAG_SCHEMA"."TAG_NAME"|TAG_VALUE|OBJECT_TYPE`. This allows to group tags associations per tag ID, tag value and object type in one resource. | |||
There was a problem hiding this comment.
so it means that if I want to add the same tag, same value to the same object type, then I have to put all of them in one resource, right? (here it would mean that changing silver to gold in the second resource is not permitted because both these resources would have the same id)
If I understand this correctly, then I think it would be good to add this info, directly to the resource docs, and here too.
There was a problem hiding this comment.
Yes, added more explanation.
| @@ -5,6 +5,8 @@ description: |- | |||
| Resource used to manage authentication policy objects. For more information, check authentication policy documentation https://docs.snowflake.com/en/sql-reference/sql/create-authentication-policy. | |||
| --- | |||
|
|
|||
| -> **Note** According to Snowflake [docs](https://docs.snowflake.com/en/sql-reference/sql/drop-authentication-policy#usage-notes), an authentication policy cannot be dropped successfully if it is currently assigned to another object. Currently, the provider does not unassign such objects automatically. Before dropping the resource, list the assigned objects with `SELECT * from table(information_schema.policy_references(policy_name=>'<string>'));` and unassign them manually with `ALTER ...` or with updated Terraform configuration, if possible. | |||
There was a problem hiding this comment.
nit: maybe even warning for this
There was a problem hiding this comment.
It was done in #3226.
| @@ -5,6 +5,8 @@ description: |- | |||
| Resource used to manage authentication policy objects. For more information, check authentication policy documentation https://docs.snowflake.com/en/sql-reference/sql/create-authentication-policy. | |||
| --- | |||
|
|
|||
| -> **Note** According to Snowflake [docs](https://docs.snowflake.com/en/sql-reference/sql/drop-authentication-policy#usage-notes), an authentication policy cannot be dropped successfully if it is currently assigned to another object. Currently, the provider does not unassign such objects automatically. Before dropping the resource, list the assigned objects with `SELECT * from table(information_schema.policy_references(policy_name=>'<string>'));` and unassign them manually with `ALTER ...` or with updated Terraform configuration, if possible. | |||
There was a problem hiding this comment.
Let's suggest going through terraform config changes in two steps and manual SQL as an alternative. Also, let's add example to guides/ and reference it here.
In guide let's show:
- the example config creating policy assignment
- error that will be a result of just a removal
- step 1 - unnasigning policy (by changing config and running tf plan_apply)
- step 2 - successful removal
There was a problem hiding this comment.
This change was merged in #3226. I'll add such a guide in a next PR.
pkg/acceptance/check_destroy.go
Outdated
| tag, err := TestClient().SystemFunctions.GetTag(t, tagId, id, objectType) | ||
| if err != nil { | ||
| if strings.Contains(err.Error(), "does not exist or not authorized") { | ||
| // Note: this can happen if the object has been deleted as well; in this case, ignore the error |
There was a problem hiding this comment.
nit: t.Logf at least in such a case
| if objectType == string(sdk.ObjectTypeAccount) { | ||
| id = sdk.NewAccountIdentifierFromFullyQualifiedName(obj["name"].(string)) | ||
| } else { | ||
| database := obj["database"].(string) |
There was a problem hiding this comment.
nit: there is getTagObjectIdentifier function already; maybe we could extend and use it (or at least use it for the else part)
pkg/resources/tag_association.go
Outdated
| return diag.FromErr(err) | ||
| } | ||
|
|
||
| addedids, removedids := ListDiff(oldIds, newIds) |
There was a problem hiding this comment.
nit: addedIds and removedIds
pkg/resources/tag_association.go
Outdated
| if err != nil { | ||
| return diag.FromErr(err) | ||
| } | ||
| if d.HasChange("tag_value") { |
There was a problem hiding this comment.
in this two subsequent ifs we do exactly the same "setup" logic:
- we get the tag value
- we get the lists of ids (old, new, common)
Let's merge this logic:
- If object is removed, unset the tag, no matter the value
- If the object is added, set the tag, no matter if the value changed (we just use the new one in all cases)
- If object is common, set only if the value changed
It covers all the cases (I guess) but is more straightforward
| resource.TestCheckResourceAttr(resourceName, "tag_value", tagValue), | ||
| ), | ||
| }, | ||
| // external change |
There was a problem hiding this comment.
external change can be either unset or setting to different value which are a bit different, please add also this one.
| "github.com/hashicorp/terraform-plugin-testing/terraform" | ||
| "github.com/hashicorp/terraform-plugin-testing/tfversion" | ||
| ) | ||
|
|
||
| func TestAcc_TagAssociation(t *testing.T) { | ||
| _ = testenvs.GetOrSkipTest(t, testenvs.EnableAcceptance) |
There was a problem hiding this comment.
Can we have two more tests, please:
- Test with more objects, so that we verify the logic behind added, removed, common (i.e. we have 3 objects, we remove 1 and add 1 and verify all)
- Test for object type change (maybe I missed this one) - let's verify forceNew and proper removal of all previous yags
#3215) <!-- Feel free to delete comments as you fill this in --> - remove deprecated data sources and resources - some of the tag related fields are not removed - will be done after merging #3210 - some resources (procedures, functions, unsafe_execute) are not removed - can be done after reworking - remove deprecated fields in the provider config - deprecated fields in the resources/data sources that we haven't reworked are still there - remove some unused code from `snowflake` package - remove deprecated `JWT` value from `authenticator` - improve doc generator, so that the headers are added only in case of non-empty lists - I have left some comments in the templates because the generated files must not be blank <!-- summary of changes --> ## Test Plan <!-- detail ways in which this PR has been tested or needs to be tested --> * [ ] acceptance tests <!-- add more below if you think they are relevant --> * [ ] … ## TODO - remove objects related with tags, procedures, functions, unsafe_execute
<!-- Feel free to delete comments as you fill this in --> Changes included (they are really small or fix some wrong changes done during tag rework that were not released yet): - smaller fixes extracted from https://github.com/Snowflake-Labs/terraform-provider-snowflake/pull/3210/files - support tagging account for identifiers with org name - add notes about manually unassigning policies from objects, add a todo with an issue number - fix a wrong issue number in essential objects list Changes NOT included - rework tag_association resource - return nil from GetTag instead of failing - add more tests regarding tag/masking policy: assert that ALTER MASKING POLICY SET TAG differs from ALTER TAG SET MASKING POLICY - support IF EXISTS for unsetting tags <!-- summary of changes --> ## Test Plan <!-- detail ways in which this PR has been tested or needs to be tested --> * [ ] acceptance tests <!-- add more below if you think they are relevant --> * [ ] … ## References <!-- issues documentation links, etc --> #3210
|
Integration tests failure for b53d7c5c60883896a65720d0a81b8fb529229552 |
|
Integration tests failure for c856aa87d6273a8cebd47d5826f6432795eb93df |
| @@ -11,7 +11,8 @@ description: |- | |||
|
|
|||
| !> **V1 release candidate** This resource was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0950--v0960) to use it. | |||
|
|
|||
| -> **Note** According to Snowflake [docs](https://docs.snowflake.com/en/sql-reference/sql/drop-row-access-policy#usage-notes), a row access policy cannot be dropped successfully if it is currently assigned to another object. Currently, the provider does not unassign such objects automatically. Before dropping the resource, list the assigned objects with `SELECT * from table(information_schema.policy_references(policy_name=>'<string>'));` and unassign them manually with `ALTER ...` or with updated Terraform configuration, if possible. | |||
| > [!WARNING] | |||
| > According to Snowflake [docs](https://docs.snowflake.com/en/sql-reference/sql/drop-row-access-policy#usage-notes), a row access policy cannot be dropped successfully if it is currently assigned to another object. Currently, the provider does not unassign such objects automatically. Before dropping the resource, list the assigned objects with `SELECT * from table(information_schema.policy_references(policy_name=>'<string>'));` and unassign them manually with `ALTER ...` or with updated Terraform configuration, if possible. | |||
There was a problem hiding this comment.
why this format? Warning has different one, it won't show properly in the docs as warning section.
tag_associationresourcenilfrom GetTag instead of failingALTER MASKING POLICY SET TAGdiffers fromALTER TAG SET MASKING POLICYIF EXISTSfor unsetting tagsTest Plan
References
https://docs.snowflake.com/en/user-guide/object-tagging
https://docs.snowflake.com/en/sql-reference/functions/system_get_tag
#3145
#1910
#2943
#3235
TODO
tffilesIdeas