Skip to content

Latest commit

 

History

History
202 lines (159 loc) · 16.2 KB

README.md

File metadata and controls

202 lines (159 loc) · 16.2 KB

Snowflake User Terraform Module

Snowflake Terraform

License Release

We help companies turn their data into assets

Terraform module for creating Snowflake user.

This module can:

  • Create and manage Snowflake Users
  • Automatically generate RSA private and public keys for the User
  • Automatically grant default_role and default_secondary_roles to the User

Usage

module "terraform_snowflake_user" {
  source = "getindata/terraform-snowflake/user"
  name = "snowflake-user"
}

EXAMPLES

  • Simple - Basic usage of the module
  • Complete - Advanced usage of the module

Breaking changes in v2.x of the module

Due to breaking changes in Snowflake provider and additional code optimizations, breaking changes were introduced in v2.0.0 version of this module.

List of code and variable (API) changes:

  • Support for Snowflake user types, managed by type variable
  • Clear differentiation of PERSON, SERVICE and LEGACY_SERVICE users
  • snowflake_default_secondary_roles changed to snowflake_default_secondary_roles_option (string)
  • Added middle_name, query_tag, timezone, network_policy, trace_level, log_level and enable_unredacted_query_syntax_error variables
  • Added disable_mfa flag (false by default), that handles MFA enforcement for PERSON users

When upgrading from v1.x, expect most of the resources to be recreated - if recreation is impossible, then it is possible to import some existing resources.

For more information, refer to variables.tf, list of inputs below and Snowflake provider documentation

Breaking changes in v3.x of the module

Due to replacement of nulllabel (context.tf) with context provider, some breaking changes were introduced in v3.0.0 version of this module.

List od code and variable (API) changes:

  • Removed context.tf file (a single-file module with additonal variables), which implied a removal of all its variables (except name):
    • descriptor_formats
    • label_value_case
    • label_key_case
    • id_length_limit
    • regex_replace_chars
    • label_order
    • additional_tag_map
    • tags
    • labels_as_tags
    • attributes
    • delimiter
    • stage
    • environment
    • tenant
    • namespace
    • enabled
    • context
  • Remove support enabled flag - that might cause some backward compatibility issues with terraform state (please take into account that proper move clauses were added to minimize the impact), but proceed with caution
  • Additional context provider configuration
  • New variables were added, to allow naming configuration via context provider:
    • context_templates
    • name_schema

Inputs

Name Description Type Default Required
comment Comment / description of Snowflake user string null no
context_templates Map of context templates used for naming conventions - this variable supersedes naming_scheme.properties and naming_scheme.delimiter configuration map(string) {} no
default_namespace Specifies the namespace (database only or database and schema) that is active by default for the user's session upon login. string null no
default_role Specifies the role that is active by default for the user's session upon login. string null no
default_secondary_roles_option Specifies the secondary roles that are active for the user’s session upon login.
Valid values are (case-insensitive): DEFAULT | NONE | ALL
string "DEFAULT" no
default_warehouse Specifies the virtual warehouse that is active by default for the user's session upon login. string null no
disable_mfa Disable Multi-Factor Authentication for the user (works only with type = PERSON) bool false no
disabled Specifies whether the user is disabled, which prevents logging in and aborts all the currently-running queries for the user. bool false no
display_name Name displayed for the user in the Snowflake web interface. string null no
email Email address for the user string null no
enable_unredacted_query_syntax_error Controls whether query text is redacted if a SQL query fails due to a syntax or parsing error. If FALSE, the content of a failed query is redacted in the views, pages, and functions that provide a query history.
Only users with a role that is granted or inherits the AUDIT privilege can set the ENABLE_UNREDACTED_QUERY_SYNTAX_ERROR parameter.
When using the ALTER USER command to set the parameter to TRUE for a particular user, modify the user that you want to see the query text, not the user who executed the query (if those are different users).
bool null no
first_name First name of the user (works only with type = PERSON) string null no
generate_password Generate a random password using Terraform bool false no
generate_rsa_key Whether automatically generate an RSA key - IMPORTANT
The private key generated by this resource will be stored
unencrypted in your Terraform state file.
Use of this resource for production deployments is not recommended.
bool false no
grant_default_roles Whether to grant default_role to Snowflake User bool true no
ignore_changes_on_defaults Whether to ignore configuration of default_warehouse, default_role and default_namespace (works only with type = PERSON) bool false no
last_name Last name of the user (works only with type = PERSON) string null no
log_level Specifies the severity level of messages that should be ingested and made available in the active event table. Messages at the specified level (and at more severe levels) are ingested. string null no
login_name The name users use to log in. If not supplied, snowflake will use name instead. string null no
middle_name Middle name of the user (works only with type = PERSON) string null no
must_change_password Should the user change the password on login. Should be set to true for non service account users bool true no
name Name of the resource string n/a yes
name_scheme Naming scheme configuration for the resource. This configuration is used to generate names using context provider:
- properties - list of properties to use when creating the name - is superseded by var.context_templates
- delimiter - delimited used to create the name from properties - is superseded by var.context_templates
- context_template_name - name of the context template used to create the name
- replace_chars_regex - regex to use for replacing characters in property-values created by the provider - any characters that match the regex will be removed from the name
- extra_values - map of extra label-value pairs, used to create a name
object({
properties = optional(list(string), ["environment", "name"])
delimiter = optional(string, "_")
context_template_name = optional(string, "snowflake-user")
replace_chars_regex = optional(string, "[^a-zA-Z0-9_]")
extra_values = optional(map(string))
})
{} no
network_policy Specifies the network policy to enforce for your account. Network policies enable restricting access to your account based on users’ IP address. string null no
query_tag Optional string that can be used to tag queries and other SQL statements executed within a session. string null no
rsa_public_key Specifies the user's RSA public key; used for key-pair authentication. Must be on 1 line without header and trailer. string null no
rsa_public_key_2 Specifies the user's second RSA public key; used to rotate the public and private keys
for key-pair authentication based on an expiration schedule set by your organization.
Must be on 1 line without header and trailer."
string null no
timezone Specifies the time zone for the session. You can specify a time zone name or a link name from release 2021a of the IANA Time Zone Database (e.g. America/Los_Angeles, Europe/London, UTC, Etc/GMT, etc.). string null no
trace_level Controls how trace events are ingested into the event table. string null no
type Type of the user. Valid values are PERSON, SERVICE, LEGACY_SERVICE string "PERSON" no

Modules

No modules.

Outputs

Name Description
default_namespace Specifies the namespace (database only or database and schema) that is active by default for the user's session upon login
default_role Specifies the role that is active by default for the user's session upon login
default_secondary_roles_option Specifies the secondary roles that are active for the user’s session upon login
default_warehouse Specifies the virtual warehouse that is active by default for the user's session upon login
disable_mfa Whether multi-factor authentication is disabled for the user
disabled Whether user account is disabled
display_name Name displayed for the user in the Snowflake web interface
email Email address for the user
enable_unredacted_query_syntax_error Enable access to unredacted query syntax error for the user
first_name First name of the user (only if type == PERSON)
last_name Last name of the user (only if type == PERSON)
log_level Log level
login_name The name users use to log in
middle_name Middle name of the user (only if type == PERSON)
name Name of the user
network_policy Network policy associated with the user
password Password set for the user (only if type == PERSON or type == LEGACY_SERVICE)
query_tag Query tag
rsa_private_key RSA Private key used for authentication
timezone Timezone
trace_level Trace level
type User type

Providers

Name Version
context >=0.4.0
random >= 3.0.0
snowflake ~> 0.96
tls ~> 4.0

Requirements

Name Version
terraform >= 1.3.0
context >=0.4.0
random >= 3.0.0
snowflake ~> 0.96
tls ~> 4.0

Resources

Name Type
random_password.this resource
snowflake_grant_account_role.default_role resource
snowflake_legacy_service_user.this resource
snowflake_service_user.this resource
snowflake_user.defaults_not_enforced resource
snowflake_user.this resource
tls_private_key.this resource
context_label.this data source

CONTRIBUTING

Contributions are very welcomed!

Start by reviewing contribution guide and our code of conduct. After that, start coding and ship your changes by creating a new PR.

LICENSE

Apache 2 Licensed. See LICENSE for full details.

AUTHORS

Made with contrib.rocks.