tundri 1.3.3__tar.gz

tundri-1.3.3/.github/pull_request_template.md

@@ -0,0 +1,16 @@
+## Description 
+
+<!--- In this section, concisely describe what your Pull Request does, and why it is important (both in a technical and business value sense) -->
+
+## Changes
+
+<!--- Please document here, if relevant, what has changed, and in which specific models -->
+
+## Checklist
+
+<!--- Please make sure all of the below are checked off before submitting your PR ;) -->
+
+- [ ] My pull request represents one logical piece of work
+- [ ] My commits are related to the pull request and look clean
+- [ ] I tested my changes locally with `uv run pytest -vv`
+- [ ] I formatted my code with `uv run black .`

tundri-1.3.3/.github/workflows/manual-release.yml

@@ -0,0 +1,81 @@
+name: Manual Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      version_type:
+        description: "Type of version bump (major, minor, patch)"
+        required: true
+        default: "patch"
+        type: choice
+        options:
+          - major
+          - minor
+          - patch
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.12'
+
+      - name: Bump version
+        id: bump_version
+        run: |
+          CURRENT_VERSION=$(grep '^version = ' pyproject.toml | sed -E "s/version = \"([0-9]+\.[0-9]+\.[0-9]+)\"/\1/")
+          echo "Current version: $CURRENT_VERSION"
+
+          # Determine the version type to bump (major, minor, patch)
+          VERSION_TYPE=${{ github.event.inputs.version_type }}
+          IFS='.' read -r MAJOR MINOR PATCH <<< "$CURRENT_VERSION"
+
+          if [ "$VERSION_TYPE" == "major" ]; then
+            MAJOR=$((MAJOR + 1))
+            MINOR=0
+            PATCH=0
+          elif [ "$VERSION_TYPE" == "minor" ]; then
+            MINOR=$((MINOR + 1))
+            PATCH=0
+          elif [ "$VERSION_TYPE" == "patch" ]; then
+            PATCH=$((PATCH + 1))
+          else
+            echo "Invalid version type: $VERSION_TYPE"
+            exit 1
+          fi
+
+          NEW_VERSION="$MAJOR.$MINOR.$PATCH"
+          echo "New version: $NEW_VERSION"
+
+          # Update pyproject.toml with the new version
+          sed -i "s/version = \"$CURRENT_VERSION\"/version = \"$NEW_VERSION\"/" pyproject.toml
+
+          echo "new_version=$NEW_VERSION" >> $GITHUB_ENV
+
+      - name: Create release branch
+        id: create_branch
+        run: |
+          NEW_VERSION=${{ env.new_version }}
+          BRANCH_NAME="release/v$NEW_VERSION"
+          git checkout -b "$BRANCH_NAME"
+          git push origin "$BRANCH_NAME"
+          echo "branch_name=$BRANCH_NAME" >> $GITHUB_ENV
+
+      - name: Create pull request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          branch: ${{ env.branch_name }}
+          base: main
+          title: "Release ${{ env.new_version }}"
+          body: |
+            This PR bumps the version to ${{ env.new_version }} and prepares the release.
+
+      # Tag and release creation will be handled by on-release-merge.yml workflow
+      # when this PR is merged

tundri-1.3.3/.github/workflows/on-release-merge.yml

@@ -0,0 +1,84 @@
+name: On Release Merge
+
+on:
+  pull_request:
+    types: [closed]
+    branches:
+      - main
+    paths:
+      - 'pyproject.toml'
+
+jobs:
+  create-tag-and-release:
+    if: github.event.pull_request.merged == true && startsWith(github.event.pull_request.head.ref, 'release/')
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.12'
+
+      - name: Get version
+        id: get_version
+        run: |
+          VERSION=$(grep '^version = ' pyproject.toml | sed -E "s/version = \"([0-9]+\.[0-9]+\.[0-9]+)\"/\1/")
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+      - name: Create tag
+        run: |
+          VERSION=${{ steps.get_version.outputs.version }}
+          TAG_NAME="v$VERSION"
+          git config user.name "github-actions"
+          git config user.email "github-actions@github.com"
+          git tag "$TAG_NAME"
+          git push origin "$TAG_NAME"
+
+      - name: Create release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: v${{ steps.get_version.outputs.version }}
+          release_name: v${{ steps.get_version.outputs.version }}
+          body: |
+            This release includes the following changes:
+            - Version bump to ${{ steps.get_version.outputs.version }}
+          draft: false
+          prerelease: false
+
+  publish-to-pypi:
+    if: github.event.pull_request.merged == true && startsWith(github.event.pull_request.head.ref, 'release/')
+    runs-on: ubuntu-latest
+    needs: create-tag-and-release
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.12'
+
+      - name: Install build dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install build twine
+
+      - name: Build package
+        run: python -m build
+
+      - name: Check package
+        run: twine check dist/*
+
+      - name: Publish to PyPI
+        env:
+          TWINE_USERNAME: __token__
+          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+        run: twine upload dist/* 

tundri-1.3.3/.github/workflows/pr-tests.yml

@@ -0,0 +1,53 @@
+name: PR Unit Tests
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    env:
+      PERMISSION_BOT_USER: ${{ secrets.SNOWFLAKE_USER }}
+      PERMISSION_BOT_KEY_PATH: "./.ssh/private_key.p8"
+      PERMISSION_BOT_KEY_PASSPHRASE: ${{ secrets.SNOWFLAKE_KEY_PASSPHRASE }}
+      PERMISSION_BOT_ACCOUNT: ${{ secrets.SNOWFLAKE_ACCOUNT }}
+      PERMISSION_BOT_DATABASE: ${{ secrets.SNOWFLAKE_DATABASE }}
+      PERMISSION_BOT_ROLE: ${{ secrets.SNOWFLAKE_ROLE }}
+      PERMISSION_BOT_WAREHOUSE: ${{ secrets.SNOWFLAKE_WAREHOUSE }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.12'
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v1
+        with:
+          version: "latest"
+
+      # tundri currently only supports connecting to Snowflake by providing
+      # the path to the user's private key, so we need to dump the key somewhere in
+      # the Ubuntu environment. While connecting via password is also possible, we are
+      # opting for key-pair to be future-proof
+      #
+      # TODO: extend get_snowflake_cursor() function to allow
+      # passing raw keys, so we can avoid exposing the private key
+      - name: Create folder for private key
+        run: mkdir -p ./.ssh
+
+      - name: Write private key to file
+        run: |
+          echo "${{ secrets.SNOWFLAKE_PRIVATE_KEY }}" > $PERMISSION_BOT_KEY_PATH
+
+      - name: Install dependencies
+        run: uv sync
+
+      - name: Run tests
+        run: uv run pytest -vv

tundri-1.3.3/.github/workflows/publish-on-release.yml

@@ -0,0 +1,35 @@
+name: Publish to PyPI on Release
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  publish-to-pypi:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.12'
+
+      - name: Install build dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install build twine
+
+      - name: Build package
+        run: python -m build
+
+      - name: Check package
+        run: twine check dist/*
+
+      - name: Publish to PyPI
+        env:
+          TWINE_USERNAME: __token__
+          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+        run: twine upload dist/*

tundri-1.3.3/.github/workflows/publish-to-testpypi.yml

@@ -0,0 +1,54 @@
+name: Publish to TestPyPI
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'pyproject.toml'
+      - 'tundri/**'
+
+jobs:
+  publish-to-testpypi:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.merged == false
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.12'
+
+      - name: Install build dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install build twine
+
+      - name: Build package
+        run: python -m build
+
+      - name: Check package
+        run: twine check dist/*
+
+      - name: Publish to TestPyPI
+        env:
+          TWINE_USERNAME: __token__
+          TWINE_PASSWORD: ${{ secrets.TEST_PYPI_API_TOKEN }}
+        run: twine upload --repository testpypi dist/*
+
+      - name: Comment PR with TestPyPI link
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const version = require('fs').readFileSync('pyproject.toml', 'utf8')
+              .match(/version = "([^"]+)"/)[1];
+            const testpypiUrl = `https://test.pypi.org/project/tundri/${version}/`;
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: `🚀 Package published to TestPyPI!\n\nYou can test the installation with:\n\`\`\`bash\npip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple/ tundri==${version}\n\`\`\`\n\nView package: ${testpypiUrl}`
+            });

tundri-1.3.3/.gitignore

@@ -0,0 +1,18 @@
+# Developer-specific notes
+TODO.md
+launch.json
+
+# Environment variables
+.env
+
+# Python-generated files
+__pycache__/
+*.py[oc]
+build/
+dist/
+wheels/
+*.egg-info
+
+# Virtual environments
+.venv
+

tundri-1.3.3/.python-version

@@ -0,0 +1 @@
+3.11.9

tundri-1.3.3/PKG-INFO

@@ -0,0 +1,147 @@
+Metadata-Version: 2.4
+Name: tundri
+Version: 1.3.3
+Summary: Drop, create and alter Snowflake objects and set permissions with Permifrost
+Project-URL: Homepage, https://github.com/Gemma-Analytics/tundri
+Project-URL: Repository, https://github.com/Gemma-Analytics/tundri
+Project-URL: Issues, https://github.com/Gemma-Analytics/tundri/issues
+Author-email: Gemma Analytics <bijan.soltani@gemmaanalytics.com>
+License: MIT
+Keywords: database,ddl,permifrost,snowflake
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.8
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Requires-Python: >=3.8
+Requires-Dist: gemma-permifrost
+Requires-Dist: python-dotenv
+Requires-Dist: pyyaml
+Requires-Dist: rich
+Requires-Dist: snowflake-connector-python
+Description-Content-Type: text/markdown
+
+<div align="center">
+  <img src="docs/images/logo.jpg" alt="tundri Logo" width="200">
+</div>
+
+**tundri** is a Python package to declaratively create, drop, and alter Snowflake objects and manage their permissions with [Permifrost](https://gitlab.com/gitlab-data/permifrost).
+
+## Motivation
+
+Permifrost is great at managing permissions, but it doesn't create or alter objects. As [GitLab's data team handbook](https://handbook.gitlab.com/handbook/enterprise-data/platform/permifrost/) states:
+> Object creation and deletion is not managed by permifrost
+
+With only Permifrost, one would have to manually create the objects and then run Permifrost to set the permissions. This is error prone and time consuming. That is where tundri comes in.
+
+### In a nutshell
+**tundri** reads the [Permifrost spec file](https://gitlab.com/gitlab-data/permifrost#spec_file) and compares with the current state of the Snowflake account. It then creates, drops, and alters the objects to match. It leverages Permifrost's YAML `meta` tags to set attributes like `default_role` for users and `warehouse_size` for warehouses. Once the objects are created, tundri runs Permifrost to set the permissions.
+
+## Getting started
+
+### Prerequisites
+
+- Credentials to a Snowflake user account with the `securityadmin` role
+- A Permifrost spec file
+
+### Install
+
+```bash
+pip install tundri
+```
+
+### Configure
+
+#### Permifrost
+Add a valid [Permifrost spec file](https://gitlab.com/gitlab-data/permifrost#spec_file) to your repository. You can use the files in the `examples` folder as reference.
+
+#### Snowflake
+Set up your Snowflake connection details in the environment variables listed below.
+
+> [!TIP]
+> You can use a `.env` file to store your credentials. Place it in the same folder as the Permifrost spec file.
+
+```bash
+PERMISSION_BOT_ACCOUNT=abc134.west-europe.azure  # Your account identifier
+PERMISSION_BOT_USER=PERMIFROST
+PERMISSION_BOT_PASSWORD=...
+PERMISSION_BOT_ROLE=SECURITYADMIN    # Permifrost requires it to be `SECURITYADMIN`
+PERMISSION_BOT_DATABASE=PERMIFROST
+PERMISSION_BOT_WAREHOUSE=ADMIN
+```
+
+### Usage
+The `run` subcommand is going to drop/create objects and run Permifrost.
+
+#### Dry run
+```bash
+tundri run --permifrost_spec_path examples/permifrost.yml --dry
+```
+
+#### Normal run
+```bash
+tundri run --permifrost_spec_path examples/permifrost.yml
+```
+
+#### Getting help
+```bash
+tundri --help
+```
+
+## Development
+### Local setup
+Install the development dependencies
+
+```bash
+uv sync
+```
+
+### Run tests
+Run the tests
+```bash
+uv run pytest -v
+```
+
+### Formatting
+Run the command below to format the code
+```bash
+uv run black .
+```
+
+### Testing locally
+Dry run with the example spec file
+```bash
+uv run tundri run --dry -p examples/permifrost.yml
+```
+
+## Contributing
+
+### Release process
+
+The release process is automated using GitHub Actions. Here's how it works:
+
+1. **Adding new features or bug fixes**
+   - PR tests run automatically to verify the changes on each PR
+   - Multiple PRs can be merged to main until a release-ready state is reached
+
+1. **Initiating a Release**
+   - A maintainer triggers the manual release workflow
+   - They specify the version bump type (`major`, `minor`, or `patch`)
+   - This creates a release branch and PR with updated version
+
+1. **Release Creation**
+   - When the release PR is merged to main:
+     - A Git tag is created (e.g., `v1.2.3`)
+     - A GitHub release is created
+     - The package is published to PyPI
+
+The process requires the following GitHub secrets to be configured:
+- `PYPI_API_TOKEN`: For production PyPI publishing
+- `TEST_PYPI_API_TOKEN`: For TestPyPI publishing
+- `SNOWFLAKE_*`: Snowflake credentials for running tests
+
+For full details on the release workflow, see [RELEASE_WORKFLOW.md](docs/RELEASE_WORKFLOW.md).

tundri-1.3.3/README.md

@@ -0,0 +1,120 @@
+<div align="center">
+  <img src="docs/images/logo.jpg" alt="tundri Logo" width="200">
+</div>
+
+**tundri** is a Python package to declaratively create, drop, and alter Snowflake objects and manage their permissions with [Permifrost](https://gitlab.com/gitlab-data/permifrost).
+
+## Motivation
+
+Permifrost is great at managing permissions, but it doesn't create or alter objects. As [GitLab's data team handbook](https://handbook.gitlab.com/handbook/enterprise-data/platform/permifrost/) states:
+> Object creation and deletion is not managed by permifrost
+
+With only Permifrost, one would have to manually create the objects and then run Permifrost to set the permissions. This is error prone and time consuming. That is where tundri comes in.
+
+### In a nutshell
+**tundri** reads the [Permifrost spec file](https://gitlab.com/gitlab-data/permifrost#spec_file) and compares with the current state of the Snowflake account. It then creates, drops, and alters the objects to match. It leverages Permifrost's YAML `meta` tags to set attributes like `default_role` for users and `warehouse_size` for warehouses. Once the objects are created, tundri runs Permifrost to set the permissions.
+
+## Getting started
+
+### Prerequisites
+
+- Credentials to a Snowflake user account with the `securityadmin` role
+- A Permifrost spec file
+
+### Install
+
+```bash
+pip install tundri
+```
+
+### Configure
+
+#### Permifrost
+Add a valid [Permifrost spec file](https://gitlab.com/gitlab-data/permifrost#spec_file) to your repository. You can use the files in the `examples` folder as reference.
+
+#### Snowflake
+Set up your Snowflake connection details in the environment variables listed below.
+
+> [!TIP]
+> You can use a `.env` file to store your credentials. Place it in the same folder as the Permifrost spec file.
+
+```bash
+PERMISSION_BOT_ACCOUNT=abc134.west-europe.azure  # Your account identifier
+PERMISSION_BOT_USER=PERMIFROST
+PERMISSION_BOT_PASSWORD=...
+PERMISSION_BOT_ROLE=SECURITYADMIN    # Permifrost requires it to be `SECURITYADMIN`
+PERMISSION_BOT_DATABASE=PERMIFROST
+PERMISSION_BOT_WAREHOUSE=ADMIN
+```
+
+### Usage
+The `run` subcommand is going to drop/create objects and run Permifrost.
+
+#### Dry run
+```bash
+tundri run --permifrost_spec_path examples/permifrost.yml --dry
+```
+
+#### Normal run
+```bash
+tundri run --permifrost_spec_path examples/permifrost.yml
+```
+
+#### Getting help
+```bash
+tundri --help
+```
+
+## Development
+### Local setup
+Install the development dependencies
+
+```bash
+uv sync
+```
+
+### Run tests
+Run the tests
+```bash
+uv run pytest -v
+```
+
+### Formatting
+Run the command below to format the code
+```bash
+uv run black .
+```
+
+### Testing locally
+Dry run with the example spec file
+```bash
+uv run tundri run --dry -p examples/permifrost.yml
+```
+
+## Contributing
+
+### Release process
+
+The release process is automated using GitHub Actions. Here's how it works:
+
+1. **Adding new features or bug fixes**
+   - PR tests run automatically to verify the changes on each PR
+   - Multiple PRs can be merged to main until a release-ready state is reached
+
+1. **Initiating a Release**
+   - A maintainer triggers the manual release workflow
+   - They specify the version bump type (`major`, `minor`, or `patch`)
+   - This creates a release branch and PR with updated version
+
+1. **Release Creation**
+   - When the release PR is merged to main:
+     - A Git tag is created (e.g., `v1.2.3`)
+     - A GitHub release is created
+     - The package is published to PyPI
+
+The process requires the following GitHub secrets to be configured:
+- `PYPI_API_TOKEN`: For production PyPI publishing
+- `TEST_PYPI_API_TOKEN`: For TestPyPI publishing
+- `SNOWFLAKE_*`: Snowflake credentials for running tests
+
+For full details on the release workflow, see [RELEASE_WORKFLOW.md](docs/RELEASE_WORKFLOW.md).