diff --git a/warehouse/macros/create_row_access_policy.sql b/warehouse/macros/create_row_access_policy.sql
index e32f7fff6d..12ae5f6101 100644
--- a/warehouse/macros/create_row_access_policy.sql
+++ b/warehouse/macros/create_row_access_policy.sql
@@ -230,3 +230,63 @@ filter using (
 ) }};
 -- TODO: In the last policy of the macro call above, see if we can get the prod warehouse service account out of context
 {% endmacro %}
+
+
+{% macro benefits_row_access_policy() %}
+
+{{ create_row_access_policy(
+ filter_column = 'event_properties_transit_agency',
+ filter_value = 'Monterey-Salinas Transit',
+ principals = ['serviceAccount:mst-payments-user@cal-itp-data-infra.iam.gserviceaccount.com']
+) }};
+
+{{ create_row_access_policy(
+ filter_column = 'event_properties_transit_agency',
+ filter_value = 'Sacramento Regional Transit',
+ principals = ['serviceAccount:sacrt-payments-user@cal-itp-data-infra.iam.gserviceaccount.com']
+) }};
+
+{{ create_row_access_policy(
+ filter_column = 'event_properties_transit_agency',
+ filter_value = 'Santa Barbara MTD',
+ principals = ['serviceAccount:sbmtd-payments-user@cal-itp-data-infra.iam.gserviceaccount.com']
+) }};
+
+{{ create_row_access_policy(
+ filter_column = 'event_properties_transit_agency',
+ filter_value = 'Nevada County Connects',
+ principals = ['serviceAccount:nevada-county-payments-user@cal-itp-data-infra.iam.gserviceaccount.com']
+) }};
+
+{{ create_row_access_policy(
+ filter_column = 'event_properties_transit_agency',
+ filter_value = 'Ventura County Transportation Commission',
+ principals = ['serviceAccount:vctc-payments-user@cal-itp-data-infra.iam.gserviceaccount.com']
+) }};
+
+{{ create_row_access_policy(
+ filter_column = 'event_properties_transit_agency',
+ filter_value = 'El Dorado Transit',
+ principals = ['serviceAccount:eldorado-payments-user@cal-itp-data-infra.iam.gserviceaccount.com']
+) }};
+
+{{ create_row_access_policy(
+ filter_column = 'event_properties_transit_agency',
+ filter_value = 'San Luis Obispo RTA',
+ principals = ['serviceAccount:slorta-payments-user@cal-itp-data-infra.iam.gserviceaccount.com']
+) }};
+
+{{ create_row_access_policy(
+ principals = [
+ 'serviceAccount:metabase@cal-itp-data-infra.iam.gserviceaccount.com',
+ 'serviceAccount:metabase-payments-team@cal-itp-data-infra.iam.gserviceaccount.com',
+ 'serviceAccount:github-actions-services-accoun@cal-itp-data-infra.iam.gserviceaccount.com',
+ 'serviceAccount:github-actions-service-account@cal-itp-data-infra.iam.gserviceaccount.com',
+ 'serviceAccount:github-actions-service-account@cal-itp-data-infra-staging.iam.gserviceaccount.com',
+ 'serviceAccount:composer-service-account@cal-itp-data-infra.iam.gserviceaccount.com',
+ 'principalSet://iam.googleapis.com/locations/global/workforcePools/dot-ca-gov/group/DDS_Cloud_Admins',
+ 'principalSet://iam.googleapis.com/locations/global/workforcePools/dot-ca-gov/group/DOT_DDS_Data_Pipeline_and_Warehouse_Users'
+ ]
+) }};
+-- TODO: In the last policy of the macro call above, see if we can get the prod warehouse service account out of context
+{% endmacro %}
diff --git a/warehouse/models/mart/benefits/fct_benefits_events.sql b/warehouse/models/mart/benefits/fct_benefits_events.sql
index e132b6a1a5..462e3c51bb 100644
--- a/warehouse/models/mart/benefits/fct_benefits_events.sql
+++ b/warehouse/models/mart/benefits/fct_benefits_events.sql
@@ -1,4 +1,5 @@
-{{ config(materialized='table') }}
+{{ config(materialized = 'table',
+ post_hook="{{ benefits_row_access_policy() }}") }}
 WITH fct_benefits_events_raw AS (
 -- fct_benefits_events_raw extracts JSON columns and
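Review bot: The last `create_row_access_policy` call in `benefits_row_access_policy` passes no `filter_column`/`filter_value`, which presumably grants its eight principals every agency's rows (the macro's definition is outside this hunk), and the list includes the staging-project identity `github-actions-service-account@cal-itp-data-infra-staging` as well as the near-duplicate `github-actions-services-accoun@cal-itp-data-infra`. Please confirm that both are live accounts that need unfiltered read access to benefits events, and drop whichever does not, because a stale or mistyped entry in an all-rows grant is hard to notice later. I would add a comment above that call, for example `-- Unfiltered: these principals can read all agencies' rows; keep this list minimal and reviewed.`, and replace the copied TODO with one that names the account it means. The list looks copied from the macro that ends just above this hunk, so a shared Jinja variable for the internal principals would keep the two from drifting apart. Since the second file attaches this macro as a `post_hook` on a `table` materialization, it is also worth checking that a failed hook cannot leave the rebuilt table readable without any row access policy.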