fix: Fix roles option merge (#4)

* fix: Fix roles option merge

* fix: Remove tfplans

Author: jakubigla

.github/workflows/pre-commit.yml

@@ -8,7 +8,6 @@ on:
 
 env:
   TERRAFORM_DOCS_VERSION: v0.16.0
-  TFLINT_VERSION: v0.41.0
 
 jobs:
   collectInputs:

.gitignore

@@ -29,3 +29,5 @@ override.tf.json
 # Include override files you do wish to add to version control using negated pattern
 #
 # !example_override.tf
+
+tfplan*

.pre-commit-config.yaml

@@ -16,9 +16,10 @@ repos:
         args: ["."]
 
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: "2.2.168" # Get the latest from: https://github.com/bridgecrewio/checkov/releases
+    rev: "2.2.246" # Get the latest from: https://github.com/bridgecrewio/checkov/releases
     hooks:
       - id: checkov
+        args: [--skip-check, "CKV2_GHA_1"] #Flase positive for top-level permissions
 
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: "v4.3.0" # Get the latest from: https://github.com/pre-commit/pre-commit-hooks/releases

.tflint.hcl

@@ -1,3 +1,9 @@
+config {
+  ignore_module = {
+    "Invicton-Labs/deepmerge/null" = true
+  }
+}
+
 rule "terraform_deprecated_interpolation" {
   enabled = true
 }

README.md

@@ -99,7 +99,7 @@ _Additional information that should be made public, for ex. how to solve known i
 | <a name="input_query_acceleration_max_scale_factor"></a> [query\_acceleration\_max\_scale\_factor](#input\_query\_acceleration\_max\_scale\_factor) | Specifies the maximum scale factor for leasing compute resources for query acceleration. The scale factor is used as a multiplier based on warehouse size. | `number` | `null` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
 | <a name="input_resource_monitor"></a> [resource\_monitor](#input\_resource\_monitor) | Specifies the name of a resource monitor that is explicitly assigned to the warehouse. | `string` | `null` | no |
-| <a name="input_roles"></a> [roles](#input\_roles) | Roles created on the warehouse level | `any` | `{}` | no |
+| <a name="input_roles"></a> [roles](#input\_roles) | Roles created on the warehouse level | <pre>map(object({<br>    enabled              = optional(bool, true)<br>    descriptor_name      = optional(string, "snowflake-role")<br>    comment              = optional(string)<br>    role_ownership_grant = optional(string)<br>    granted_roles        = optional(list(string))<br>    granted_to_roles     = optional(list(string))<br>    granted_to_users     = optional(list(string))<br>    warehouse_grants     = optional(list(string))<br>  }))</pre> | `{}` | no |
 | <a name="input_scaling_policy"></a> [scaling\_policy](#input\_scaling\_policy) | Specifies the policy for automatically starting and shutting down clusters in a multi-cluster warehouse running in Auto-scale mode. | `string` | `null` | no |
 | <a name="input_stage"></a> [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | <a name="input_statement_queued_timeout_in_seconds"></a> [statement\_queued\_timeout\_in\_seconds](#input\_statement\_queued\_timeout\_in\_seconds) | Object parameter that specifies the time, in seconds, a SQL statement (query, DDL, DML, etc.) can be queued on a warehouse before it is canceled by the system. | `number` | `null` | no |
@@ -113,15 +113,16 @@ _Additional information that should be made public, for ex. how to solve known i
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_roles_deep_merge"></a> [roles\_deep\_merge](#module\_roles\_deep\_merge) | Invicton-Labs/deepmerge/null | 0.1.5 |
-| <a name="module_snowflake_role"></a> [snowflake\_role](#module\_snowflake\_role) | getindata/role/snowflake | 1.0.3 |
+| <a name="module_snowflake_custom_role"></a> [snowflake\_custom\_role](#module\_snowflake\_custom\_role) | getindata/role/snowflake | 1.0.3 |
+| <a name="module_snowflake_default_role"></a> [snowflake\_default\_role](#module\_snowflake\_default\_role) | getindata/role/snowflake | 1.0.3 |
 | <a name="module_this"></a> [this](#module\_this) | cloudposse/label/null | 0.25.0 |
 | <a name="module_warehouse_label"></a> [warehouse\_label](#module\_warehouse\_label) | cloudposse/label/null | 0.25.0 |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| <a name="output_roles"></a> [roles](#output\_roles) | Functional roles created for warehouse |
+| <a name="output_roles"></a> [roles](#output\_roles) | Access roles created for warehouse |
 | <a name="output_warehouse"></a> [warehouse](#output\_warehouse) | Details of the warehouse |
 
 ## Providers

examples/complete/.env.dist

@@ -0,0 +1,4 @@
+SNOWFLAKE_USER=
+SNOWFLAKE_PASSWORD=
+SNOWFLAKE_ROLE=
+SNOWFLAKE_ACCOUNT=

examples/complete/.envrc

@@ -0,0 +1,2 @@
+#Override defaults
+command -v dotenv && test -f .env && dotenv

examples/complete/.gitignore

@@ -0,0 +1 @@
+.env

examples/complete/Makefile

@@ -0,0 +1,11 @@
+init:
+	terraform init
+
+plan:
+	terraform plan -out tfplan
+
+apply:
+	terraform apply tfplan
+
+destroy:
+	terraform destroy

examples/complete/main.tf

@@ -62,7 +62,7 @@ module "terraform_snowflake_warehouse" {
       granted_to_roles = [snowflake_role.this_admin.name]
     }
     custom_role = {
-      privileges       = ["USAGE", "MODIFY"]
+      warehouse_grants = ["USAGE", "MODIFY"]
       granted_to_roles = [snowflake_role.this_dev.name]
     }
   }