BigQuery Row Level Security Policy #17464

Open
aaronclong opened this issue Mar 1, 2024 · 8 comments
aaronclong commented Mar 1, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Description

I can't seem to find any documentation or resources for BigQuery's Row Level Security. Do existing resources provide for this already, or does a new resource or a modification of an existing resource need to be crafted?

The only workaround for this seems to be to create a BigQuery Job to add the permissions.

New or Affected Resource(s)

  • google_bigquery_table
  • google_bigquery_table_iam

Potential Terraform Configuration

References

https://cloud.google.com/bigquery/docs/managing-row-level-security#create-policy

b/328133777

@github-actions github-actions bot added forward/review In review; remove label to forward service/bigquery labels Mar 1, 2024
Collaborator

melinath commented Mar 4, 2024

Note from triage: This doesn't seem to be supported at the REST API layer, only by calls to BigQuery directly, which means we can't support it in the provider at this time. Support would need to be added to the REST API first.

Author

aaronclong commented Mar 4, 2024

> Note from triage: This doesn't seem to be supported at the REST API layer, only by calls to BigQuery directly, which means we can't support it in the provider at this time. Support would need to be added to the REST API first.

That's good to know, thank you for pointing that out. I wonder if I can make a feature request to Google and link that here.

Update: It looks like there is already an issue created for this from April 2022: https://issuetracker.google.com/issues/229861829

@melinath melinath removed the forward/review In review; remove label to forward label Mar 4, 2024

wj-chen commented Mar 8, 2024

RowAccessPolicy is its own GCP resource (https://cloud.google.com/bigquery/docs/reference/rest/v2/rowAccessPolicies), so it'll likely translate to a new resource in the Terraform provider. As mentioned, there is no official API to manage RowAccessPolicy at the time. The standard procedure would be to make the API available first before adding it to the provider. Since it's possible to manage it using a DDL statement today, it may be possible to implement the new Terraform resource in such a way that behind the scenes we just execute the DDL statement instead of calling an API, but it's generally not ideal as e.g. it requires careful surface design to be as forward-compatible as possible to match the potential API surface when an API does become available, and it requires the user to have IAM permission for e.g. jobs.create for now to run the BigQuery Job but the actual rowAccessPolicies.create permission in the future, and the transition may break users. If using the Job resource separately unblocks you, I'd suggest doing that for now.
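
The workaround suggested in the comment above (running the row access policy DDL through the separate Job resource), as an added example that is not part of the issue thread or the provider's own code. The project, dataset, table, policy name, grantee, filter and location are constructed placeholders.

```hcl
# Added example: every name below is a constructed placeholder.
locals {
  project  = "example-project"
  dataset  = "example_dataset"
  table    = "orders"
  policy   = "apac_analysts_filter"
  grantees = ["group:apac-analysts@example.com"]

  # DDL form taken from the "create-policy" docs page linked in the issue.
  # OR REPLACE makes a re-run converge on the declared grantees and filter.
  rls_ddl = <<-SQL
    CREATE OR REPLACE ROW ACCESS POLICY ${local.policy}
    ON `${local.project}.${local.dataset}.${local.table}`
    GRANT TO (${join(", ", formatlist("\"%s\"", local.grantees))})
    FILTER USING (region = "APAC")
  SQL
}

resource "google_bigquery_job" "row_access_policy" {
  project  = local.project
  location = "US" # assumption: must match the dataset's location

  # Jobs are immutable and a job ID can be used only once, so derive the ID
  # from the statement: editing the policy yields a new job, not a conflict.
  job_id = "rls_${local.policy}_${substr(sha256(local.rls_ddl), 0, 12)}"

  query {
    query          = local.rls_ddl
    use_legacy_sql = false

    # The provider docs require clearing both dispositions for DML queries;
    # assumed here to apply to this DDL statement as well.
    create_disposition = ""
    write_disposition  = ""
  }
}
```

Destroying this resource does not drop the policy in BigQuery, so removing a policy needs its own `DROP ROW ACCESS POLICY` statement. As the comment notes, the identity running Terraform needs `jobs.create` to submit the job.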


wj-chen commented Aug 7, 2024

There is now work underway to support managing Row Level Security Policies through the API which will unblock adding support for this resource in Terraform. A tentative timeline for availability is Q4. Please continue to follow this bug for updates.

@aaronclong
Author

> There is now work underway to support managing Row Level Security Policies through the API which will unblock adding support for this resource in Terraform. A tentative timeline for availability is Q4. Please continue to follow this bug for updates.

@wj-chen is there any source that you can link here for others to view the ETA or completion? I can't find anything in their public issue webpage or anywhere else.


wj-chen commented Sep 27, 2024

This work is scheduled for Q4 and we'll do planning at the beginning of the quarter. Otherwise progress will be communicated here in this issue.


wj-chen commented Nov 6, 2024

The underlying API support is currently Google-internal and waiting for a public release in early January, after all the waves of end-of-year deployment freeze. The Terraform side of development can begin once the underlying API is ready, tentatively Q1 2025.

@itaispiegel

We're hoping to see this feature very soon 🙏🏻
