Skip to content

getindata/terraform-snowflake-database-role

BranchesTags

Repository files navigation

Snowflake Database Role Terraform Module

Snowflake Terraform

License Release

We help companies turn their data into assets

Terraform module for managing Snowflake Database roles.

  • Creates Snowflake database role with specific privileges on database and schemas.
  • Allows granting of privileges on future schemas in a database.
  • Allows granting of privileges on all existing schemas in a database.
  • Allows granting of privileges on specific schema objects like tables.
  • Supports granting of all privileges or specific ones based on the configuration.
  • Can be used to create a hierarchy of roles by assigning parent roles.
  • Can be used to grant roles to other roles.

USAGE

resource "snowflake_database" "this" {
  name = "TEST_DB"
}

resource "snowflake_schema" "this" {
  database = snowflake_database.this.name
  name     = "BRONZE"
}

module "snowflake_database_role" {
  source = "../../"

  database_name = snowflake_database.this.name
  name          = "TEST_DB_ROLE"


  schema_grants = [
    {
      future_schemas_in_database = true
      all_schemas_in_database    = true
      all_privileges             = true
    },
  ]

  schema_objects_grants = {
    "TABLE" = [
      {
        all_privileges = true
        on_future      = true
        on_all         = true
        schema_name    = snowflake_schema.this.name
      }
    ]
  }
}

EXAMPLES

  • Simple - Basic usage of the module
  • Complete - Advanced usage of the module

Breaking changes in v2.x of the module

Due to replacement of nulllabel (context.tf) with context provider, some breaking changes were introduced in v2.0.0 version of this module.

List od code and variable (API) changes:

  • Removed context.tf file (a single-file module with additonal variables), which implied a removal of all its variables (except name):
    • descriptor_formats
    • label_value_case
    • label_key_case
    • id_length_limit
    • regex_replace_chars
    • label_order
    • additional_tag_map
    • tags
    • labels_as_tags
    • attributes
    • delimiter
    • stage
    • environment
    • tenant
    • namespace
    • enabled
    • context
  • Remove support enabled flag - that might cause some backward compatibility issues with terraform state (please take into account that proper move clauses were added to minimize the impact), but proceed with caution
  • Additional context provider configuration
  • New variables were added, to allow naming configuration via context provider:
    • context_templates
    • name_schema

Breaking changes in v3.x of the module

Due to rename of Snowflake terraform provider source, all versions.tf files were updated accordingly.

Please keep in mind to mirror this change in your own repos also.

For more information about provider rename, refer to Snowflake documentation.

Inputs

Name Description Type Default Required
comment Database Role description string null no
context_templates Map of context templates used for naming conventions - this variable supersedes naming_scheme.properties and naming_scheme.delimiter configuration map(string) {} no
database_grants Grants on a database level 
object({
    all_privileges    = optional(bool)
    with_grant_option = optional(bool, false)
    privileges        = optional(list(string), null)
  })
 {} no
database_name The name of the database to create the role in string n/a yes
granted_database_roles Database Roles granted to this role list(string) [] no
granted_to_database_roles Fully qualified Parent Database Role name (DB_NAME.ROLE_NAME), to create parent-child relationship list(string) [] no
granted_to_roles List of Snowflake Account Roles to grant this role to list(string) [] no
granted_to_shares List of Snowflake Shares to grant this role to list(string) [] no
name Name of the resource string n/a yes
name_scheme Naming scheme configuration for the resource. This configuration is used to generate names using context provider:
- properties - list of properties to use when creating the name - is superseded by var.context_templates
- delimiter - delimited used to create the name from properties - is superseded by var.context_templates
- context_template_name - name of the context template used to create the name
- replace_chars_regex - regex to use for replacing characters in property-values created by the provider - any characters that match the regex will be removed from the name
- extra_values - map of extra label-value pairs, used to create a name
- uppercase - convert name to uppercase		 
object({
    properties            = optional(list(string), ["environment", "name"])
    delimiter             = optional(string, "_")
    context_template_name = optional(string, "snowflake-database-role")
    replace_chars_regex   = optional(string, "[^a-zA-Z0-9_]")
    extra_values          = optional(map(string))
    uppercase             = optional(bool, true)
  })
 {} no
parent_database_role DEPRECATED variable - please use granted_to_database_roles instead string null no
schema_grants Grants on a schema level 
list(object({
    all_privileges             = optional(bool)
    with_grant_option          = optional(bool, false)
    privileges                 = optional(list(string), null)
    all_schemas_in_database    = optional(bool, false)
    future_schemas_in_database = optional(bool, false)
    schema_name                = optional(string, null)
  }))
 [] no
schema_objects_grants Grants on a schema object level

Example usage:

schema_objects_grants = {
"TABLE" = [
{
privileges = ["SELECT"]
object_name = snowflake_table.table_1.name
schema_name = snowflake_schema.this.name
},
{
all_privileges = true
object_name = snowflake_table.table_2.name
schema_name = snowflake_schema.this.name
}
]
"ALERT" = [
{
all_privileges = true
on_future = true
on_all = true
}
]
}

Note: If you don't provide a schema_name, the grants will be created for all objects of that type in the database.
You can find a list of all object types here		 
map(list(object({
    all_privileges    = optional(bool)
    with_grant_option = optional(bool)
    privileges        = optional(list(string))
    object_name       = optional(string)
    on_all            = optional(bool, false)
    schema_name       = optional(string)
    on_future         = optional(bool, false)
  })))
 {} no

Modules

No modules.

Outputs

Name Description
fully_qualified_name Name of the database role in fully qualified format ("DB_NAME"."ROLE_NAME")
name Name of the database role

Providers

Name Version
context >=0.4.0
snowflake >= 0.97

Requirements

Name Version
terraform >= 1.3
context >=0.4.0
snowflake >= 0.97

Resources

Name Type
snowflake_database_role.this resource
snowflake_grant_database_role.granted_database_roles resource
snowflake_grant_database_role.granted_to_database_roles resource
snowflake_grant_database_role.granted_to_role resource
snowflake_grant_database_role.granted_to_share resource
snowflake_grant_database_role.parent_database_role resource
snowflake_grant_privileges_to_database_role.database_grants resource
snowflake_grant_privileges_to_database_role.schema_grants resource
snowflake_grant_privileges_to_database_role.schema_objects_grants resource
context_label.this data source

CONTRIBUTING

Contributions are very welcomed!

Start by reviewing contribution guide and our code of conduct. After that, start coding and ship your changes by creating a new PR.

LICENSE

Apache 2 Licensed. See LICENSE for full details.

AUTHORS

Made with contrib.rocks.

About

Terraform Database role module for Snowflake

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Contributing

Contributing
Activity
Custom properties

Stars

0 stars

Watchers

5 watching

Forks

1 fork
Report repository

Releases 7

Version v3.0.0 Latest
Aug 19, 2025
+ 6 releases

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages