Add database usage variable to application_database

immuta · Sep 29, 2021 · 29fa31f · 29fa31f
1 parent 7693974
commit 29fa31f
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/modules/application_database/privileges.tf b/modules/application_database/privileges.tf
@@ -72,7 +72,10 @@ resource "snowflake_database_grant" "read" {
 
   database_name = snowflake_database.app.name
   privilege     = each.key
-  roles         = local.all_read_roles
+  roles         = concat(
+    local.all_read_roles,
+    var.grant_database_usage_to_roles
+  )
 }
 
 resource "snowflake_schema_grant" "read" {
@@ -90,7 +93,10 @@ resource "snowflake_schema_grant" "public_read" {
   database_name = snowflake_database.app.name
   schema_name   = local.public_schema_name
   privilege     = each.key
-  roles         = local.all_read_roles
+  roles         = concat(
+    local.all_read_roles,
+    var.grant_database_usage_to_roles
+  )
 }
 
 resource "snowflake_table_grant" "read" {

diff --git a/modules/application_database/variables.tf b/modules/application_database/variables.tf
@@ -81,6 +81,12 @@ variable "grant_read_to_users" {
   type        = list(string)
 }
 
+variable "grant_database_usage_to_roles" {
+  default     = []
+  description = "Additional roles that should have only the USAGE privilege on the module database. This allows sub-resources to be granted individually by the admin role."
+  type        = list(string)
+}
+
 variable "reader_role_name_suffix" {
   default     = "_READER"
   description = "The suffix appended to the database name to determine the reader role (e.g. APP_READER)."