
getindata/terraform-snowflake-role


Snowflake Role Terraform Module



Terraform module for managing Snowflake roles. Beyond creating the role itself, the module creates grants on Snowflake resources at account, account-object, schema and schema-object level, grants other roles (account roles and database roles) to the role, and grants the role to its grantees (other roles and users).

USAGE

module "snowflake_role" {
  source = "github.com/getindata/terraform-snowflake-role"

  name = "LOGS_DATABASE_READER"

  granted_to_users = ["JANE_SMITH", "JOHN_DOE"]

  account_grants = [
    {
      privileges = ["CREATE DATABASE"]
    }
  ]

  account_objects_grants = {
    "DATABASE" = [
      {
        privileges  = ["USAGE"]
        object_name = "LOGS_DB"
      }
    ]
  }

  schema_grants = [
    {
      database_name = "LOGS_DB"
      schema_name   = "BRONZE"
      privileges    = ["USAGE"]
    }
  ]

  schema_objects_grants = {
    TABLE = [
      {
        database_name = "LOGS_DB"
        schema_name   = "BRONZE"
        on_future     = true
        privileges    = ["SELECT"]
      }
    ]

    # No schema_name: applies to future views in every schema of LOGS_DB
    VIEW = [
      {
        database_name  = "LOGS_DB"
        on_future      = true
        all_privileges = true
      }
    ]
  }
}

EXAMPLES

  • Simple - creates a role
  • Complete - creates a role with example grants

Breaking changes in v2.x of the module

Due to breaking changes in the Snowflake provider and additional code optimizations, breaking changes were introduced in v2.0.0 of this module.

List of code and variable (API) changes:

  • Switched to snowflake_account_role resource instead of provider-deprecated snowflake_role
  • Switched to snowflake_grant_privileges_to_account_role resource instead of provider-removed snowflake_*_grant
  • Switched to snowflake_grant_account_role resource instead of provider-removed snowflake_role_grants
  • Switched to snowflake_grant_ownership resource instead of provider-removed snowflake_role_ownership_grant
  • Variable account_grants type changed from list(string) to list(object({..}))
  • Variable schema_grants type changed
  • The variables below were removed and replaced with the aggregated account_objects_grants and schema_objects_grants variables:
    • database_grants
    • table_grants
    • external_table_grants
    • view_grants
    • dynamic_table_grants

When upgrading from v1.x, expect most of the resources to be recreated. Where recreation is not an option, some existing resources can be imported into their new addresses instead. Note that recreating a role means dropping and re-creating it: users and roles holding it lose access until the new grants are applied, and Snowflake transfers ownership of any objects owned by the dropped role to the role that executed the drop, so schedule the upgrade accordingly.

For more information, refer to variables.tf, the list of inputs below and the Snowflake provider documentation.

Breaking changes in v3.x of the module

Due to the replacement of the null-label module (context.tf) with the context provider, some breaking changes were introduced in v3.0.0 of this module.

List of code and variable (API) changes:

  • Removed the context.tf file (a single-file module with additional variables), which implied the removal of all of its variables (except name):
    • descriptor_formats
    • label_value_case
    • label_key_case
    • id_length_limit
    • regex_replace_chars
    • label_order
    • additional_tag_map
    • tags
    • labels_as_tags
    • attributes
    • delimiter
    • stage
    • environment
    • tenant
    • namespace
    • enabled
    • context
  • Removed support for the enabled flag. This may cause backward-compatibility issues with existing Terraform state (moved blocks were added to minimize the impact), so proceed with caution.
  • Added context provider configuration; the module now requires the context provider (see Requirements below).
  • New variables were added to allow naming configuration via the context provider:
    • context_templates
    • name_scheme

Inputs

account_grants
  Description: Grants on the account level.
  Type:
    list(object({
      all_privileges    = optional(bool)
      with_grant_option = optional(bool, false)
      privileges        = optional(list(string), null)
    }))
  Default: []
  Required: no

account_objects_grants
  Description: Grants on the account object level. Account object types: USER | RESOURCE MONITOR | WAREHOUSE | COMPUTE POOL | DATABASE | INTEGRATION | FAILOVER GROUP | REPLICATION GROUP | EXTERNAL VOLUME. The object type is used as the key of the map.
  Example usage:
    account_objects_grants = {
      "WAREHOUSE" = [
        {
          all_privileges    = true
          with_grant_option = true
          object_name       = "TEST_USER"
        }
      ]
      "DATABASE" = [
        {
          privileges  = ["CREATE SCHEMA", "CREATE DATABASE ROLE"]
          object_name = "TEST_DATABASE"
        },
        {
          privileges  = ["CREATE SCHEMA"]
          object_name = "OTHER_DATABASE"
        }
      ]
    }
  Note: the full list of object types is in the Snowflake provider documentation for snowflake_grant_privileges_to_account_role.
  Type:
    map(list(object({
      all_privileges    = optional(bool)
      with_grant_option = optional(bool, false)
      privileges        = optional(list(string), null)
      object_name       = string
    })))
  Default: {}
  Required: no

comment
  Description: Role description.
  Type: string
  Default: null
  Required: no

context_templates
  Description: Map of context templates used for naming conventions. This variable supersedes the name_scheme.properties and name_scheme.delimiter configuration.
  Type: map(string)
  Default: {}
  Required: no

granted_database_roles
  Description: Database roles granted to this role.
  Type: list(string)
  Default: []
  Required: no

granted_roles
  Description: Roles granted to this role.
  Type: list(string)
  Default: []
  Required: no

granted_to_roles
  Description: Roles to which this role is granted.
  Type: list(string)
  Default: []
  Required: no

granted_to_users
  Description: Users to whom this role is granted.
  Type: list(string)
  Default: []
  Required: no

name
  Description: Name of the resource.
  Type: string
  Default: n/a
  Required: yes

name_scheme
  Description: Naming scheme configuration for the resource. This configuration is used to generate names via the context provider:
    - properties: list of properties to use when creating the name (superseded by var.context_templates)
    - delimiter: delimiter used to join the properties into the name (superseded by var.context_templates)
    - context_template_name: name of the context template used to create the name
    - replace_chars_regex: regex applied to the property values produced by the provider; any character matching the regex is removed from the name
    - extra_values: map of extra label-value pairs used to create the name
  Type:
    object({
      properties            = optional(list(string), ["environment", "name"])
      delimiter             = optional(string, "_")
      context_template_name = optional(string, "snowflake-role")
      replace_chars_regex   = optional(string, "[^a-zA-Z0-9_]")
      extra_values          = optional(map(string))
    })
  Default: {}
  Required: no

role_ownership_grant
  Description: Name of the role that is granted ownership of this role.
  Type: string
  Default: null
  Required: no

schema_grants
  Description: Grants on the schema level.
  Type:
    list(object({
      all_privileges             = optional(bool)
      with_grant_option          = optional(bool, false)
      privileges                 = optional(list(string), null)
      all_schemas_in_database    = optional(bool, false)
      future_schemas_in_database = optional(bool, false)
      database_name              = string
      schema_name                = optional(string, null)
    }))
  Default: []
  Required: no

schema_objects_grants
  Description: Grants on the schema object level.
  Example usage:
    schema_objects_grants = {
      "TABLE" = [
        {
          privileges    = ["SELECT"]
          database_name = snowflake_database.this.name
          schema_name   = snowflake_schema.this.name
          object_name   = snowflake_table.table_1.name
        },
        {
          all_privileges = true
          database_name  = snowflake_database.this.name
          schema_name    = snowflake_schema.this.name
          object_name    = snowflake_table.table_2.name
        }
      ]
      "ALERT" = [
        {
          all_privileges = true
          database_name  = snowflake_database.this.name
          on_future      = true
          on_all         = true
        }
      ]
    }
  Note: If you don't provide a schema_name, the grants will be created for all objects of that type in the database. The full list of object types is in the Snowflake provider documentation for snowflake_grant_privileges_to_account_role.
  Type:
    map(list(object({
      all_privileges    = optional(bool)
      with_grant_option = optional(bool)
      privileges        = optional(list(string))
      object_name       = optional(string)
      on_all            = optional(bool, false)
      schema_name       = optional(string)
      database_name     = string
      on_future         = optional(bool, false)
    })))
  Default: {}
  Required: no
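The four grant inputs above (and the USAGE block at the top of this page) describe privileges indirectly, through nested objects and on_all / on_future / with_grant_option flags, so it is easy to lose sight of what a role will actually be able to do. The following is an added example, not code from the getindata module: a small Python script that takes the grant inputs in the shapes documented above and renders the Snowflake GRANT statements they imply, then pulls out the ones a reviewer should justify explicitly. It assumes the module maps each entry onto the equivalent GRANT through snowflake_grant_privileges_to_account_role (listed under Resources below) and that omitting schema_name widens a schema-object grant to the whole database, as the Inputs note states. The sample input is the USAGE block transcribed by hand with the database name written out as LOGS_DB; the risk markers, the pluralization helper and all function names are this example's own.

```python
"""Render the Snowflake GRANT statements implied by this module's grant inputs.

Added example, NOT part of the terraform-snowflake-role module. It mirrors the
variable shapes from the Inputs section and assumes (not verified against the
module source) that each entry becomes the equivalent GRANT through
snowflake_grant_privileges_to_account_role.
"""
from __future__ import annotations

# Grant forms a reviewer should justify explicitly (this example's own policy):
# account-wide privileges, blanket ALL PRIVILEGES, and re-grantable privileges.
RISK_MARKERS = (" ON ACCOUNT ", "ALL PRIVILEGES", "WITH GRANT OPTION")

# The USAGE block from this README, transcribed by hand (constructed input).
USAGE_INPUTS: dict = {
    "account_grants": [{"privileges": ["CREATE DATABASE"]}],
    "account_objects_grants": {
        "DATABASE": [{"privileges": ["USAGE"], "object_name": "LOGS_DB"}],
    },
    "schema_grants": [
        {"database_name": "LOGS_DB", "schema_name": "BRONZE", "privileges": ["USAGE"]},
    ],
    "schema_objects_grants": {
        "TABLE": [
            {"database_name": "LOGS_DB", "schema_name": "BRONZE",
             "on_future": True, "privileges": ["SELECT"]},
        ],
        "VIEW": [
            {"database_name": "LOGS_DB", "on_future": True, "all_privileges": True},
        ],
    },
}


def _plural(object_type: str) -> str:
    """TABLE -> TABLES, MASKING POLICY -> MASKING POLICIES (Snowflake's plural forms)."""
    return object_type[:-1] + "IES" if object_type.endswith("Y") else object_type + "S"


def _privileges(entry: dict) -> str:
    """Privilege list for one entry; all_privileges wins, an empty entry is an error."""
    if entry.get("all_privileges"):
        return "ALL PRIVILEGES"
    privileges = entry.get("privileges") or []
    if not privileges:
        raise ValueError(f"grant entry has neither privileges nor all_privileges: {entry}")
    return ", ".join(privileges)


def _grant(entry: dict, target: str, role: str) -> str:
    option = " WITH GRANT OPTION" if entry.get("with_grant_option") else ""
    return f"GRANT {_privileges(entry)} ON {target} TO ROLE {role}{option}"


def render_grants(role: str, inputs: dict) -> list[str]:
    """Return one GRANT statement per privilege target the inputs describe."""
    stmts: list[str] = []
    for e in inputs.get("account_grants", []):
        stmts.append(_grant(e, "ACCOUNT", role))
    for obj_type, entries in inputs.get("account_objects_grants", {}).items():
        for e in entries:
            stmts.append(_grant(e, f"{obj_type} {e['object_name']}", role))
    for e in inputs.get("schema_grants", []):
        db = e["database_name"]
        if e.get("all_schemas_in_database"):
            stmts.append(_grant(e, f"ALL SCHEMAS IN DATABASE {db}", role))
        if e.get("future_schemas_in_database"):
            stmts.append(_grant(e, f"FUTURE SCHEMAS IN DATABASE {db}", role))
        if not (e.get("all_schemas_in_database") or e.get("future_schemas_in_database")):
            stmts.append(_grant(e, f"SCHEMA {db}.{e['schema_name']}", role))
    for obj_type, entries in inputs.get("schema_objects_grants", {}).items():
        for e in entries:
            db = e["database_name"]
            # Inputs note: without schema_name the grant covers the whole database.
            scope = f"SCHEMA {db}.{e['schema_name']}" if e.get("schema_name") else f"DATABASE {db}"
            if e.get("object_name"):
                stmts.append(_grant(e, f"{obj_type} {db}.{e['schema_name']}.{e['object_name']}", role))
            if e.get("on_all"):
                stmts.append(_grant(e, f"ALL {_plural(obj_type)} IN {scope}", role))
            if e.get("on_future"):
                stmts.append(_grant(e, f"FUTURE {_plural(obj_type)} IN {scope}", role))
    return stmts


def review_grants(stmts: list[str]) -> list[str]:
    """Filter to the statements that match RISK_MARKERS."""
    return [s for s in stmts if any(marker in s for marker in RISK_MARKERS)]


if __name__ == "__main__":
    rendered = render_grants("LOGS_DATABASE_READER", USAGE_INPUTS)
    print("\n".join(rendered))
    print("\n-- needs explicit justification --")
    print("\n".join(review_grants(rendered)))
```

Run against the USAGE block, two of the five rendered statements are flagged: CREATE DATABASE on the account and ALL PRIVILEGES on future views in LOGS_DB, both attached to a role whose name says "reader". That gap between a role's name and its real reach is what the flat Terraform diff does not make obvious, so paste your own module arguments into USAGE_INPUTS before planning and treat every flagged line as something to justify in the pull request.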

Modules

No modules.

Outputs

Name Description
name Name of the role

Providers

Name Version
context >=0.4.0
snowflake ~> 0.94

Requirements

Name Version
terraform >= 1.3
context >=0.4.0
snowflake ~> 0.94

Resources

Name Type
snowflake_account_role.this resource
snowflake_grant_account_role.granted_roles resource
snowflake_grant_account_role.granted_to_roles resource
snowflake_grant_account_role.granted_to_users resource
snowflake_grant_database_role.granted_db_roles resource
snowflake_grant_ownership.this resource
snowflake_grant_privileges_to_account_role.account_grants resource
snowflake_grant_privileges_to_account_role.account_object_grants resource
snowflake_grant_privileges_to_account_role.schema_grants resource
snowflake_grant_privileges_to_account_role.schema_objects_grants resource
context_label.this data source

CONTRIBUTING

Contributions are very welcome!

Start by reviewing the contribution guide and our code of conduct. After that, start coding and ship your changes by creating a new PR.

LICENSE

Apache 2 Licensed. See LICENSE for full details.

AUTHORS

Made with contrib.rocks.