feat: allow security admin to create network rules (#4)

dsalaj · web-flow · commit a79b5703a5c9 · 2025-11-16T12:23:09.000+01:00
* feat: allow security admin to create network rules

* fix: keys
diff --git a/.github/workflows/github_actions.yaml b/.github/workflows/github_actions.yaml
@@ -108,10 +108,10 @@ jobs:
       - name: Download Encrypted Artifact & Decrypt Artifact
         uses: badgerhobbs/terraform-state@v2
         with:
-          encryption_key: ${{ secrets.encryption_key }}
+          encryption_key: ${{ secrets.ENCRYPTION_KEY }}
           operation: download
           location: artifact
-          github_token: ${{ secrets.gh_access_token }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
           directory: terraform
         continue-on-error: true
 
@@ -141,10 +141,10 @@ jobs:
       - name: Download Encrypted Artifact & Decrypt Artifact
         uses: badgerhobbs/terraform-state@v2
         with:
-          encryption_key: ${{ secrets.encryption_key }}
+          encryption_key: ${{ secrets.ENCRYPTION_KEY }}
           operation: download
           location: artifact
-          github_token: ${{ secrets.gh_access_token }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
           directory: terraform
         continue-on-error: true
 
@@ -183,10 +183,10 @@ jobs:
       - name: Download Encrypted Artifact & Decrypt Artifact
         uses: badgerhobbs/terraform-state@v2
         with:
-          encryption_key: ${{ secrets.encryption_key }}
+          encryption_key: ${{ secrets.ENCRYPTION_KEY }}
           operation: download
           location: artifact
-          github_token: ${{ secrets.gh_access_token }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
           directory: terraform
         continue-on-error: true
 
@@ -216,8 +216,8 @@ jobs:
       - name: Encrypt Artifact & Upload Encrypted Artifact
         uses: badgerhobbs/terraform-state@v2
         with:
-          encryption_key: ${{ secrets.encryption_key }}
+          encryption_key: ${{ secrets.ENCRYPTION_KEY }}
           operation: upload
           location: artifact
-          github_token: ${{ secrets.gh_access_token }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
           directory: terraform
diff --git a/terraform/access_roles.tf b/terraform/access_roles.tf
@@ -18,8 +18,8 @@ module "access_roles" {
 }
 
 # SECURITYADMIN needs to be allowed to use COMMON schema for network policies
-# resource "snowflake_execute" "grant_create_network_rule_to_securityadmin" {
-#   provider = snowflake.sysadmin
-#   execute  = "GRANT CREATE NETWORK RULE ON SCHEMA ${snowflake_database.common_db.name}.${snowflake_schema.common_common_schema.name} TO ROLE SECURITYADMIN;"
-#   revert   = "REVOKE CREATE NETWORK RULE ON SCHEMA ${snowflake_database.common_db.name}.${snowflake_schema.common_common_schema.name} FROM ROLE SECURITYADMIN;"
-# }
+resource "snowflake_execute" "grant_create_network_rule_to_securityadmin" {
+  provider = snowflake.sysadmin
+  execute  = "GRANT CREATE NETWORK RULE ON SCHEMA ${snowflake_database.common_db.name}.${snowflake_schema.common_common_schema.name} TO ROLE SECURITYADMIN;"
+  revert   = "REVOKE CREATE NETWORK RULE ON SCHEMA ${snowflake_database.common_db.name}.${snowflake_schema.common_common_schema.name} FROM ROLE SECURITYADMIN;"
+}
