feat!: Add BQ authorized routine (function) in authorization sub-module (#180)

Author: imrannayer

Makefile

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

build/int.cloudbuild.yaml

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

build/lint.cloudbuild.yaml

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

examples/basic_bq/main.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

examples/basic_bq/outputs.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

examples/basic_bq/variables.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

examples/basic_bq/versions.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2021 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

examples/basic_view/main.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

examples/basic_view/outputs.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

examples/basic_view/variables.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

examples/basic_view/versions.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

examples/multiple_tables/main.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -168,18 +168,88 @@ module "auth_dataset" {
   access                      = []
 }
 
+resource "google_bigquery_table" "auth_ds_table" {
+  deletion_protection = false
+  dataset_id          = module.auth_dataset.bigquery_dataset.dataset_id
+  project             = module.auth_dataset.bigquery_dataset.project
+  table_id            = "auth_db_table"
+
+  view {
+    query          = "SELECT 1 as col1 from (select SESSION_USER())"
+    use_legacy_sql = false
+  }
+}
+
+resource "google_bigquery_routine" "auth_ds_routine1" {
+  dataset_id      = module.auth_dataset.bigquery_dataset.dataset_id
+  project         = module.auth_dataset.bigquery_dataset.project
+  routine_id      = "auth_ds_routine1"
+  routine_type    = "TABLE_VALUED_FUNCTION"
+  language        = "SQL"
+  definition_body = <<-EOS
+    SELECT 1 + value AS value
+  EOS
+  arguments {
+    name          = "value"
+    argument_kind = "FIXED_TYPE"
+    data_type     = jsonencode({ "typeKind" = "INT64" })
+  }
+  return_table_type = jsonencode({ "columns" = [
+    { "name" = "value", "type" = { "typeKind" = "INT64" } },
+  ] })
+}
+
+resource "google_bigquery_routine" "auth_ds_routine2" {
+  dataset_id      = module.auth_dataset.bigquery_dataset.dataset_id
+  project         = module.auth_dataset.bigquery_dataset.project
+  routine_id      = "auth_ds_routine2"
+  routine_type    = "TABLE_VALUED_FUNCTION"
+  language        = "SQL"
+  definition_body = <<-EOS
+    SELECT 2 + value AS value
+  EOS
+  arguments {
+    name          = "value"
+    argument_kind = "FIXED_TYPE"
+    data_type     = jsonencode({ "typeKind" = "INT64" })
+  }
+  return_table_type = jsonencode({ "columns" = [
+    { "name" = "value", "type" = { "typeKind" = "INT64" } },
+  ] })
+}
+
 module "add_authorization" {
   source = "../../modules/authorization"
 
-  dataset_id       = module.bigquery.bigquery_dataset.dataset_id
-  project_id       = module.bigquery.bigquery_dataset.project
-  authorized_views = []
+  dataset_id = module.bigquery.bigquery_dataset.dataset_id
+  project_id = module.bigquery.bigquery_dataset.project
+  authorized_views = [
+    {
+      project_id = module.auth_dataset.bigquery_dataset.project
+      dataset_id = module.auth_dataset.bigquery_dataset.dataset_id
+      table_id   = google_bigquery_table.auth_ds_table.table_id
+    },
+  ]
   authorized_datasets = [
     {
       dataset_id = module.auth_dataset.bigquery_dataset.dataset_id
       project_id = module.auth_dataset.bigquery_dataset.project
     },
   ]
+
+  authorized_routines = [
+    {
+      dataset_id = google_bigquery_routine.auth_ds_routine1.dataset_id
+      project_id = google_bigquery_routine.auth_ds_routine1.project
+      routine_id = google_bigquery_routine.auth_ds_routine1.routine_id
+    },
+    {
+      dataset_id = google_bigquery_routine.auth_ds_routine2.dataset_id
+      project_id = google_bigquery_routine.auth_ds_routine2.project
+      routine_id = google_bigquery_routine.auth_ds_routine2.routine_id
+    },
+  ]
+
   depends_on = [
     module.auth_dataset
   ]

examples/multiple_tables/outputs.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

examples/multiple_tables/provider.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

examples/multiple_tables/variables.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

examples/multiple_tables/versions.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

examples/scheduled_queries/main.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

examples/scheduled_queries/outputs.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

examples/scheduled_queries/versions.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

main.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

metadata.yaml

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

modules/authorization/README.md

@@ -1,8 +1,7 @@
-# BigQuery Authorized Views
+# BigQuery Authorized Datasets, Views and Routines
 
-This submodule is used to add [authorized views](https://cloud.google.com/bigquery/docs/share-access-views#authorize_the_view_to_access_the_source_dataset).
-The views that are created at another dataset are given readonly access so that even if the user does not have read access to the real dataset,
-they can read data over the view.
+This submodule is used to add [authorized datasets](https://cloud.google.com/bigquery/docs/authorized-datasets), [authorized views](https://cloud.google.com/bigquery/docs/share-access-views#authorize_the_view_to_access_the_source_dataset) and [authorized routines](https://cloud.google.com/bigquery/docs/authorized-functions).
+An `authorized dataset` lets you authorize all of the views in a specified dataset to access the data in a second dataset. An `authorized view` lets you share query results with particular users and groups without giving them access to the underlying source data. `Authorized Routine (Function)` let you share query results with particular users or groups without giving those users or groups access to the underlying tables
 
 ## Background
 It is possible to define authorized views while creating a dataset. However, we have a chicken&egg problem if we create all at the same time. This module has the goal of solving that.
@@ -65,7 +64,8 @@ module "add_authorization" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | authorized\_datasets | An array of datasets to be authorized on the dataset | <pre>list(object({<br>    dataset_id = string,<br>    project_id = string,<br>  }))</pre> | `[]` | no |
-| authorized\_views | An array of views to give authorize for the dataset | <pre>list(object({<br>    dataset_id = string,<br>    project_id = string,<br>    table_id   = string # this is the view id, but we keep table_id to stay consistent as the resource<br>  }))</pre> | n/a | yes |
+| authorized\_routines | An array of authorized routine to be authorized on the dataset | <pre>list(object({<br>    project_id = string,<br>    dataset_id = string,<br>    routine_id = string<br>  }))</pre> | `[]` | no |
+| authorized\_views | An array of views to give authorize for the dataset | <pre>list(object({<br>    dataset_id = string,<br>    project_id = string,<br>    table_id   = string # this is the view id, but we keep table_id to stay consistent as the resource<br>  }))</pre> | `[]` | no |
 | dataset\_id | Unique ID for the dataset being provisioned. | `string` | n/a | yes |
 | project\_id | Project where the dataset and table are created | `string` | n/a | yes |
 | roles | An array of objects that define dataset access for one or more entities. | `any` | `[]` | no |

modules/authorization/main.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -28,6 +28,7 @@ locals {
   roles    = zipmap(local.role_keys, var.roles)
   views    = { for view in var.authorized_views : "${view["project_id"]}_${view["dataset_id"]}_${view["table_id"]}" => view }
   datasets = { for dataset in var.authorized_datasets : "${dataset["project_id"]}_${dataset["dataset_id"]}" => dataset }
+  routines = { for routine in var.authorized_routines : "${routine["project_id"]}_${routine["dataset_id"]}_${routine["routine_id"]}" => routine }
 
   iam_to_primitive = {
     "roles/bigquery.dataOwner" : "OWNER"
@@ -73,3 +74,14 @@ resource "google_bigquery_dataset_access" "authorized_dataset" {
     target_types = ["VIEWS"]
   }
 }
+
+resource "google_bigquery_dataset_access" "authorized_routine" {
+  for_each   = local.routines
+  dataset_id = var.dataset_id
+  project    = var.project_id
+  routine {
+    project_id = each.value.project_id
+    dataset_id = each.value.dataset_id
+    routine_id = each.value.routine_id
+  }
+}

modules/authorization/metadata.yaml

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

modules/authorization/outputs.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

modules/authorization/variables.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -43,6 +43,7 @@ variable "authorized_views" {
     project_id = string,
     table_id   = string # this is the view id, but we keep table_id to stay consistent as the resource
   }))
+  default = []
 }
 
 variable "authorized_datasets" {
@@ -53,3 +54,13 @@ variable "authorized_datasets" {
   }))
   default = []
 }
+
+variable "authorized_routines" {
+  description = "An array of authorized routine to be authorized on the dataset"
+  type = list(object({
+    project_id = string,
+    dataset_id = string,
+    routine_id = string
+  }))
+  default = []
+}

modules/authorization/versions.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,7 +20,7 @@ terraform {
 
     google = {
       source  = "hashicorp/google"
-      version = ">= 3.53, < 5.0"
+      version = ">= 4.44, < 5.0"
     }
   }
 

modules/scheduled_queries/main.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

modules/scheduled_queries/metadata.yaml

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

modules/scheduled_queries/outputs.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

modules/scheduled_queries/variables.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

modules/scheduled_queries/versions.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

modules/udf/main.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

modules/udf/metadata.yaml

@@ -1,4 +1,4 @@
-# Copyright 2022 Google LLC
+# Copyright 2023 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

modules/udf/outputs.tf

@@ -1,5 +1,5 @@
 /**
- * Copyright 2022 Google LLC
+ * Copyright 2023 Google LLC
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.