feat: add network rules (#2746)

resolves
#2482

<!-- summary of changes -->
- adds network rules
- adds network rule lists to network policies
- fixes network policies

## Test Plan
<!-- detail ways in which this PR has been tested or needs to be tested
-->
* [x] acceptance tests
<!-- add more below if you think they are relevant -->
* [ ] …

## References
<!-- issues documentation links, etc  -->

*

---------

Co-authored-by: Arkadius Schuchhardt <[email protected]>
Co-authored-by: Artur Sawicki <[email protected]>

docs/resources/network_policy.md

@@ -12,6 +12,32 @@ description: |-
 ## Example Usage
 
 ```terraform
+##################################
+### using network rules
+##################################
+
+resource "snowflake_network_rule" "rule" {
+  name       = "rule"
+  database   = "EXAMPLE_DB"
+  schema     = "EXAMPLE_SCHEMA"
+  comment    = "A rule."
+  type       = "IPV4"
+  mode       = "INGRESS"
+  value_list = ["192.168.0.100/24", "29.254.123.20"]
+}
+
+resource "snowflake_network_policy" "policy" {
+  name    = "policy"
+  comment = "A policy."
+
+  allowed_network_rule_list = [snowflake_network_rule.rule.qualified_name]
+}
+
+
+##################################
+### using ip lists
+##################################
+
 resource "snowflake_network_policy" "policy" {
   name    = "policy"
   comment = "A policy."
@@ -26,12 +52,14 @@ resource "snowflake_network_policy" "policy" {
 
 ### Required
 
-- `allowed_ip_list` (Set of String) Specifies one or more IPv4 addresses (CIDR notation) that are allowed access to your Snowflake account
 - `name` (String) Specifies the identifier for the network policy; must be unique for the account in which the network policy is created.
 
 ### Optional
 
-- `blocked_ip_list` (Set of String) Specifies one or more IPv4 addresses (CIDR notation) that are denied access to your Snowflake account<br><br>**Do not** add `0.0.0.0/0` to `blocked_ip_list`
+- `allowed_ip_list` (Set of String) Specifies one or more IPv4 addresses (CIDR notation) that are allowed access to your Snowflake account.
+- `allowed_network_rule_list` (Set of String) Specifies a list of fully qualified network rules that contain the network identifiers that are allowed access to Snowflake.
+- `blocked_ip_list` (Set of String) Specifies one or more IPv4 addresses (CIDR notation) that are denied access to your Snowflake account<br><br>**Do not** add `0.0.0.0/0` to `blocked_ip_list`.
+- `blocked_network_rule_list` (Set of String) Specifies a list of fully qualified network rules that contain the network identifiers that are denied access to Snowflake.
 - `comment` (String) Specifies a comment for the network policy.
 
 ### Read-Only

docs/resources/network_rule.md

@@ -0,0 +1,53 @@
+---
+page_title: "snowflake_network_rule Resource - terraform-provider-snowflake"
+subcategory: ""
+description: |-
+  
+---
+
+# snowflake_network_rule (Resource)
+
+
+
+## Example Usage
+
+```terraform
+resource "snowflake_network_rule" "rule" {
+  name       = "rule"
+  database   = "EXAMPLE_DB"
+  schema     = "EXAMPLE_SCHEMA"
+  comment    = "A rule."
+  type       = "IPV4"
+  mode       = "INGRESS"
+  value_list = ["192.168.0.100/24", "29.254.123.20"]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `database` (String) The database in which to create the network rule.
+- `mode` (String) Specifies what is restricted by the network rule. Valid values are INGRESS, INTERNAL_STAGE and EGRESS; see https://docs.snowflake.com/en/sql-reference/sql/create-network-rule#required-parameters for details.
+- `name` (String) Specifies the identifier for the network rule; must be unique for the database and schema in which the network rule is created.
+- `schema` (String) The schema in which to create the network rule.
+- `type` (String) Specifies the type of network identifiers being allowed or blocked. A network rule can have only one type. Allowed values are IPV4, AWSVPCEID, AZURELINKID and HOST_PORT; allowed values are determined by the mode of the network rule; see https://docs.snowflake.com/en/sql-reference/sql/create-network-rule#required-parameters for details.
+- `value_list` (Set of String) Specifies the network identifiers that will be allowed or blocked. Valid values in the list are determined by the type of network rule, see https://docs.snowflake.com/en/sql-reference/sql/create-network-rule#required-parameters for details.
+
+### Optional
+
+- `comment` (String) Specifies a comment for the network rule.
+
+### Read-Only
+
+- `id` (String) The ID of this resource.
+- `qualified_name` (String) Qualified name of the network rule.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+terraform import snowflake_network_rule.example 'databaseName|schemaName|networkRuleName'
+```

examples/resources/snowflake_network_policy/resource.tf

@@ -1,3 +1,29 @@
+##################################
+### using network rules
+##################################
+
+resource "snowflake_network_rule" "rule" {
+  name       = "rule"
+  database   = "EXAMPLE_DB"
+  schema     = "EXAMPLE_SCHEMA"
+  comment    = "A rule."
+  type       = "IPV4"
+  mode       = "INGRESS"
+  value_list = ["192.168.0.100/24", "29.254.123.20"]
+}
+
+resource "snowflake_network_policy" "policy" {
+  name    = "policy"
+  comment = "A policy."
+
+  allowed_network_rule_list = [snowflake_network_rule.rule.qualified_name]
+}
+
+
+##################################
+### using ip lists
+##################################
+
 resource "snowflake_network_policy" "policy" {
   name    = "policy"
   comment = "A policy."

examples/resources/snowflake_network_rule/import.sh

@@ -0,0 +1 @@
+terraform import snowflake_network_rule.example 'databaseName|schemaName|networkRuleName'

examples/resources/snowflake_network_rule/resource.tf

@@ -0,0 +1,9 @@
+resource "snowflake_network_rule" "rule" {
+  name       = "rule"
+  database   = "EXAMPLE_DB"
+  schema     = "EXAMPLE_SCHEMA"
+  comment    = "A rule."
+  type       = "IPV4"
+  mode       = "INGRESS"
+  value_list = ["192.168.0.100/24", "29.254.123.20"]
+}

pkg/acceptance/check_destroy.go

@@ -109,6 +109,9 @@ var showByIdFunctions = map[resources.Resource]showByIdFunc{
 	resources.NetworkPolicy: func(ctx context.Context, client *sdk.Client, id sdk.ObjectIdentifier) error {
 		return runShowById(ctx, id, client.NetworkPolicies.ShowByID)
 	},
+	resources.NetworkRule: func(ctx context.Context, client *sdk.Client, id sdk.ObjectIdentifier) error {
+		return runShowById(ctx, id, client.NetworkRules.ShowByID)
+	},
 	resources.NotificationIntegration: func(ctx context.Context, client *sdk.Client, id sdk.ObjectIdentifier) error {
 		return runShowById(ctx, id, client.NotificationIntegrations.ShowByID)
 	},

pkg/provider/provider.go

@@ -479,6 +479,7 @@ func getResources() map[string]*schema.Resource {
 		"snowflake_materialized_view":                       resources.MaterializedView(),
 		"snowflake_network_policy":                          resources.NetworkPolicy(),
 		"snowflake_network_policy_attachment":               resources.NetworkPolicyAttachment(),
+		"snowflake_network_rule":                            resources.NetworkRule(),
 		"snowflake_notification_integration":                resources.NotificationIntegration(),
 		"snowflake_oauth_integration":                       resources.OAuthIntegration(),
 		"snowflake_object_parameter":                        resources.ObjectParameter(),

pkg/provider/resources/resources.go

@@ -19,6 +19,7 @@ const (
 	MaskingPolicy                resource = "snowflake_masking_policy"
 	MaterializedView             resource = "snowflake_materialized_view"
 	NetworkPolicy                resource = "snowflake_network_policy"
+	NetworkRule                  resource = "snowflake_network_rule"
 	NotificationIntegration      resource = "snowflake_notification_integration"
 	PasswordPolicy               resource = "snowflake_password_policy"
 	Pipe                         resource = "snowflake_pipe"