-
Notifications
You must be signed in to change notification settings - Fork 21
/
cloud_cost_monitoring_base.sql
120 lines (92 loc) · 5.34 KB
/
cloud_cost_monitoring_base.sql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
/**
This script creates the top-level objects for the
Cloud Cost Monitoring initiative in Snowflake. It also
creates corresponding object access roles to assign to
business function roles as needed.
**/
//=============================================================================
// create databases
//=============================================================================
USE ROLE SYSADMIN;
// Databases
CREATE DATABASE CLOUD_COST_MONITORING_DEV; // local dbt targets this db from developer machines
CREATE DATABASE CLOUD_COST_MONITORING_TEST; // CI from pull requests happens here
CREATE DATABASE CLOUD_COST_MONITORING_PROD; // CI from merges to master happens here
// Reporting schema. This must exist now for reporter permissions.
CREATE SCHEMA CLOUD_COST_MONITORING_PROD.REPORTING;
//=============================================================================
//=============================================================================
// create warehouses
//=============================================================================
USE ROLE SYSADMIN;
// dev warehouse
CREATE WAREHOUSE
CLOUD_COST_MONITORING_DEV_WH
COMMENT='Warehouse for powering developer activities for the cloud cost monitoring project'
WAREHOUSE_SIZE=XSMALL
AUTO_SUSPEND=60
INITIALLY_SUSPENDED=TRUE;
//=============================================================================
//=============================================================================
// create object access roles for databases
//=============================================================================
USE ROLE SECURITYADMIN;
// dev roles
CREATE ROLE CLOUD_COST_MONITORING_DEV_READ_WRITE;
// test roles
CREATE ROLE CLOUD_COST_MONITORING_TEST_READ_WRITE;
// prod roles
CREATE ROLE CLOUD_COST_MONITORING_PROD_READ_WRITE;
// prod reporting roles
CREATE ROLE CLOUD_COST_MONITORING_PROD_REPORTING_READ;
// grant all roles to sysadmin (always do this)
GRANT ROLE CLOUD_COST_MONITORING_DEV_READ_WRITE TO ROLE SYSADMIN;
GRANT ROLE CLOUD_COST_MONITORING_TEST_READ_WRITE TO ROLE SYSADMIN;
GRANT ROLE CLOUD_COST_MONITORING_PROD_READ_WRITE TO ROLE SYSADMIN;
GRANT ROLE CLOUD_COST_MONITORING_PROD_REPORTING_READ TO ROLE SYSADMIN;
//=============================================================================
//=============================================================================
// create object access roles for warehouses
//=============================================================================
USE ROLE SECURITYADMIN;
// dev roles
CREATE ROLE CLOUD_COST_MONITORING_DEV_WH_ALL;
// grant all roles to sysadmin (always do this)
GRANT ROLE CLOUD_COST_MONITORING_DEV_WH_ALL TO ROLE SYSADMIN;
//=============================================================================
//=============================================================================
// grant privileges to object access roles
//=============================================================================
USE ROLE SECURITYADMIN;
// dev permissions
GRANT CREATE SCHEMA, USAGE ON DATABASE CLOUD_COST_MONITORING_DEV TO ROLE CLOUD_COST_MONITORING_DEV_READ_WRITE;
GRANT ALL PRIVILEGES ON WAREHOUSE CLOUD_COST_MONITORING_DEV_WH TO ROLE CLOUD_COST_MONITORING_DEV_WH_ALL;
// test permissions
GRANT CREATE SCHEMA, USAGE ON DATABASE CLOUD_COST_MONITORING_TEST TO ROLE CLOUD_COST_MONITORING_TEST_READ_WRITE;
// prod permissions
GRANT CREATE SCHEMA, USAGE ON DATABASE CLOUD_COST_MONITORING_PROD TO ROLE CLOUD_COST_MONITORING_PROD_READ_WRITE;
// transfer reporting schema ownership
USE ROLE SYSADMIN;
GRANT OWNERSHIP ON SCHEMA CLOUD_COST_MONITORING_PROD.REPORTING TO ROLE CLOUD_COST_MONITORING_PROD_READ_WRITE;
// reporting permissions
USE ROLE SECURITYADMIN;
GRANT USAGE ON DATABASE CLOUD_COST_MONITORING_PROD TO ROLE CLOUD_COST_MONITORING_PROD_REPORTING_READ;
GRANT USAGE ON SCHEMA CLOUD_COST_MONITORING_PROD.REPORTING TO ROLE CLOUD_COST_MONITORING_PROD_REPORTING_READ;
GRANT SELECT ON ALL TABLES IN SCHEMA CLOUD_COST_MONITORING_PROD.REPORTING TO ROLE CLOUD_COST_MONITORING_PROD_REPORTING_READ;
GRANT SELECT ON FUTURE TABLES IN SCHEMA CLOUD_COST_MONITORING_PROD.REPORTING TO ROLE CLOUD_COST_MONITORING_PROD_REPORTING_READ;
GRANT SELECT ON ALL VIEWS IN SCHEMA CLOUD_COST_MONITORING_PROD.REPORTING TO ROLE CLOUD_COST_MONITORING_PROD_REPORTING_READ;
GRANT SELECT ON FUTURE VIEWS IN SCHEMA CLOUD_COST_MONITORING_PROD.REPORTING TO ROLE CLOUD_COST_MONITORING_PROD_REPORTING_READ;
//=============================================================================
//=============================================================================
// create business function roles and grant access to object access roles
//=============================================================================
USE ROLE SECURITYADMIN;
// transformer roles
CREATE ROLE CLOUD_COST_MONITORING_DEV_TRANSFORMER;
// grant all roles to sysadmin (always do this)
GRANT ROLE CLOUD_COST_MONITORING_DEV_TRANSFORMER TO ROLE SYSADMIN;
// dev OA roles
GRANT ROLE CLOUD_COST_MONITORING_DEV_READ_WRITE TO ROLE CLOUD_COST_MONITORING_DEV_TRANSFORMER;
GRANT ROLE CLOUD_COST_MONITORING_DEV_WH_ALL TO ROLE CLOUD_COST_MONITORING_DEV_TRANSFORMER;
GRANT ROLE FIVETRAN_READ_ROLE TO ROLE CLOUD_COST_MONITORING_DEV_TRANSFORMER;
//=============================================================================