Udfs for managing secrets (#53)

2026-02-06 11:16:44 +00:00 · 2023-10-11 11:21:24 -07:00 · 2023-10-11 11:21:24 -07:00 · 6176d8de27
commit 6176d8de27
parent 04ebabb296
5 changed files with 140 additions and 2 deletions
--- a/dbt_project.yml
+++ b/dbt_project.yml
@ -70,4 +70,5 @@ vars:
  API_INTEGRATION: AWS_LIVE_QUERY{{ "_STG" if target.name != "prod" else "" }}
  AWS_REGION: us-east-1
  STUDIO_TEST_USER_ID: '{{ env_var("STUDIO_TEST_USER_ID", "98d15c30-9fa5-43cd-9c69-3d4c0bb269f5") }}'
+  ENABLE_SNOWFLAKE_SECRETS: '{{ env_var("ENABLE_SNOWFLAKE_SECRETS", "") }}'

--- a/macros/core/_utils.yaml.sql
+++ b/macros/core/_utils.yaml.sql
@ -8,7 +8,6 @@
  api_integration: '{{ var("API_INTEGRATION") }}'
  sql: introspect

-
 - name: {{ schema }}.udf_user_tier
  signature: []
  func_type: SECURE
@ -53,7 +52,7 @@
    - [request_id, STRING]
    - [user_id, STRING]
    - [key, STRING]
-  return_type: TEXT
+  return_type: OBJECT
  func_type: SECURE EXTERNAL
  api_integration: '{{ var("API_INTEGRATION") }}'
  options: |
--- a/macros/core/secrets.yaml.sql
+++ b/macros/core/secrets.yaml.sql
@ -0,0 +1,87 @@
+{% macro config_core_secrets(schema="secrets") %}
+
+
+- name: {{ schema }}.udf_register_secret
+  signature:
+    - [request_id, STRING]
+    - [key, STRING]
+  func_type: SECURE
+  return_type: OBJECT
+  options: |
+    NOT NULL
+    RETURNS NULL ON NULL INPUT
+    IMMUTABLE
+    COMMENT = $$ Registers a secret with the given request ID and key. $$
+  sql: |
+    SELECT
+      _utils.UDF_REGISTER_SECRET(REQUEST_ID, _utils.UDF_WHOAMI(), KEY)
+
+- name: {{ schema }}.udf_get_secret
+  signature:
+    - [name, STRING]
+  func_type: SECURE
+  return_type: OBJECT
+  options: |
+    NOT NULL
+    RETURNS NULL ON NULL INPUT
+    IMMUTABLE
+    COMMENT = $$ Returns the secret value for the given secret name. $$
+  sql: |
+    SELECT
+      live.udf_api(
+        CONCAT_WS('/', {{ construct_api_route("secret") }}, _utils.UDF_WHOAMI(), NAME)
+        ):data::OBJECT
+
+- name: {{ schema }}.udf_get_secrets
+  signature: []
+  func_type: SECURE
+  return_type: OBJECT
+  options: |
+    NOT NULL
+    RETURNS NULL ON NULL INPUT
+    IMMUTABLE
+    COMMENT = $$ Returns all secrets for the current user. $$
+  sql: |
+    SELECT
+      {{ schema }}.udf_get_secret('')
+
+- name: {{ schema }}.udf_create_secret
+  signature:
+    - [name, STRING]
+    - [secret, OBJECT]
+  func_type: SECURE
+  return_type: [INTEGER, the HTTP status code - 200 indicates success]
+  options: |
+    NOT NULL
+    RETURNS NULL ON NULL INPUT
+    IMMUTABLE
+    COMMENT = $$ Creates a new secret with the given name and value. $$
+  sql: |
+    SELECT
+      live.udf_api(
+        CONCAT_WS('/', {{ construct_api_route("secret") }}, _utils.UDF_WHOAMI(), NAME),
+        SECRET
+        ):status_code::INTEGER
+
+- name: {{ schema }}.udf_delete_secret
+  signature:
+    - [name, STRING]
+  func_type: SECURE
+  return_type: [INTEGER, the HTTP status code - 200 indicates success]
+  options: |
+    NULL
+    RETURNS NULL ON NULL INPUT
+    IMMUTABLE
+    COMMENT = $$ Deletes the secret with the given name. $$
+  sql: |
+    SELECT
+      live.udf_api(
+        'DELETE',
+        CONCAT_WS('/', {{ construct_api_route("secret") }}, _utils.UDF_WHOAMI(), NAME),
+        {},
+        {},
+        ''
+        ):status_code::INTEGER
+
+
+{% endmacro %}
--- a/models/deploy/core/secrets.sql
+++ b/models/deploy/core/secrets.sql
@ -0,0 +1,6 @@
+-- depends_on: {{ ref('_utils') }}
+-- depends_on: {{ ref('live') }}
+{% if var("ENABLE_SNOWFLAKE_SECRETS") %}
+  {% set config = config_core_secrets %}
+	{{ ephemeral_deploy_core(config) }}
+{% endif %}
--- a/models/deploy/core/secrets.yml
+++ b/models/deploy/core/secrets.yml
@ -0,0 +1,45 @@
+version: 2
+models:
+  - name: secrets
+    columns:
+      - name: udf_register_secret
+        tests:
+          - test_udf:
+              name: test_secrets__udf_register_secret
+              args: >
+                'test', 'test'
+              assertions:
+              - result = {'request_id':'test','success':false}
+      - name: udf_get_secret
+        tests:
+          - test_udf:
+              name: test_secrets__udf_get_secret
+              args: >
+                'test'
+              assertions:
+                - >
+                  result::OBJECT = {'key': 'value'}
+      - name: udf_get_secrets
+        tests:
+          - test_udf:
+              name: test_secrets__udf_get_secrets
+              args: ''
+              assertions:
+                - >
+                  result = {'test': {'key': 'value'}}
+      - name: udf_create_secret
+        tests:
+          - test_udf:
+              name: test_secrets__udf_create_secret
+              args: >
+                'test', {'key': 'value'}
+              assertions:
+                - result = 200
+      - name: udf_delete_secret
+        tests:
+          - test_udf:
+              name: test_secrets__udf_delete_secret
+              args: >
+                'test_delete'
+              assertions:
+                - result = 200