This module creates all the proper roles, users, grants, and storage integrations so that Fullstory can connect to the database and load data. For more information, check out this KB article.
This module does not create a reader role that can be used to view the data. To query the data inside Snowflake, you should create a role capable of reading the proper tables and columns according to your policies.
Name | Version |
---|---|
terraform | `>= 0.13` |
snowflake | `~> 0.83.1` |
Name | Description | Type | Default | Required |
---|---|---|---|---|
database_name | The name of the Snowflake database to use. | `string` | n/a | yes |
fullstory_cidr_ipv4 | DEPRECATED: Use fullstory_cidr_ipv4s. The CIDR block that Fullstory will use to connect to Snowflake. | `string` | `""` | no |
fullstory_cidr_ipv4s | The CIDR blocks that Fullstory will use to connect to Snowflake. | `list(string)` | `[]` | no |
fullstory_data_center | The data center where your Fullstory account is hosted. Either 'NA1' or 'EU1'. See https://help.fullstory.com/hc/en-us/articles/8901113940375-Fullstory-Data-Residency for more information. | `string` | `"NA1"` | no |
fullstory_storage_allowed_locations | The list of allowed locations for the storage provider. This is an advanced option and should only be changed if instructed by Fullstory. Ex. ://// | `list(string)` | `[` | no |
fullstory_storage_provider | The storage provider to use. Either 'S3', 'GCS' or 'AZURE'. This is an advanced option and should only be changed if instructed by Fullstory. | `string` | `"GCS"` | no |
manage_password | Whether to create a random password and use it for the Snowflake user. If false and no password or RSA public key is provided, the user will be created without a password. | `bool` | `true` | no |
password | The password to use for the Snowflake user. Use manage_password=true if you want to generate a random password. | `string` | `null` | no |
role_name | The name of the Snowflake role to create. | `string` | `null` | no |
rsa_public_key | The RSA public key to use for the Snowflake user. Must be on 1 line without header and trailer. | `string` | `null` | no |
rsa_public_key_2 | The second RSA public key to use for the Snowflake user. Used when rotating keys. Must be on 1 line without header and trailer. | `string` | `null` | no |
stage_name | The name of the Snowflake stage to create. | `string` | `null` | no |
suffix | The suffix to append to the names of the resources created by this module so that the module can be instantiated many times. Must only contain letters. | `string` | n/a | yes |
warehouse_name | The name of the Snowflake warehouse to use. | `string` | n/a | yes |
Name | Description |
---|---|
gcs_storage_integration | The name of the GCS storage integration that can be used in the Fullstory app when configuring the Snowflake integration. |
password | The password for the configured user that can be used in the Fullstory app when configuring the Snowflake integration. Will be empty if disable_password is true. |
role | The Fullstory role that can be used in the Fullstory app when configuring the Snowflake integration. |
username | The Fullstory username that can be used in the Fullstory app when configuring the Snowflake integration. |
```hcl
resource "snowflake_database" "main" {
  name = "MY_DATABASE"
}

resource "snowflake_warehouse" "main" {
  name           = "MY_WAREHOUSE"
  warehouse_size = "small"
  auto_suspend   = 60
}

module "fullstory_warehouse_setup" {
  source = "fullstorydev/fullstory-warehouse-setup/snowflake"

  providers = {
    snowflake.account_admin  = snowflake.account_admin
    snowflake.security_admin = snowflake.security_admin
    snowflake.sys_admin      = snowflake.sys_admin
  }

  database_name         = snowflake_database.main.name
  warehouse_name        = snowflake_warehouse.main.name
  fullstory_data_center = "NA1"
  suffix                = "ACME" # This should represent this module's unique identifier
}

output "fullstory_warehouse_setup_role" {
  value = module.fullstory_warehouse_setup.role
}

output "fullstory_warehouse_setup_username" {
  value = module.fullstory_warehouse_setup.username
}

output "fullstory_warehouse_setup_password" {
  value = module.fullstory_warehouse_setup.password
}

output "fullstory_warehouse_setup_gcs_storage_integration" {
  value = module.fullstory_warehouse_setup.gcs_storage_integration
}
```
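As an added example (not from the module's README or its code), the same instantiation set up for key-pair authentication: no module-managed password, the public key read from a file and stripped to the single-line form the inputs table requires, the second key slot kept for rotation, and the CIDR allow-list populated. The key file path and the CIDR value are placeholders assumed here; the database, warehouse and provider aliases are those of the example above.

```hcl
# Added example, not part of the module. Assumes snowflake_database.main,
# snowflake_warehouse.main and the provider aliases from the example above.
locals {
  # Public key as written by `openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub`
  # (the path is a placeholder). The module wants it on one line with no PEM
  # header or trailer, so strip both and then every whitespace character.
  fullstory_rsa_pub_pem = file("${path.root}/keys/fullstory_rsa_key.pub")
  fullstory_rsa_pub = replace(
    replace(
      replace(local.fullstory_rsa_pub_pem, "-----BEGIN PUBLIC KEY-----", ""),
      "-----END PUBLIC KEY-----", ""),
    "/\\s+/", "")
}

module "fullstory_warehouse_setup" {
  source = "fullstorydev/fullstory-warehouse-setup/snowflake"

  providers = {
    snowflake.account_admin  = snowflake.account_admin
    snowflake.security_admin = snowflake.security_admin
    snowflake.sys_admin      = snowflake.sys_admin
  }

  database_name         = snowflake_database.main.name
  warehouse_name        = snowflake_warehouse.main.name
  fullstory_data_center = "NA1"
  suffix                = "ACME"

  # Key-pair auth only: with manage_password = false and no password given,
  # the user is created without a password, so the key is the sole credential.
  manage_password = false
  rsa_public_key  = local.fullstory_rsa_pub

  # Rotation: place the replacement key here first, switch Fullstory to it,
  # then promote it to rsa_public_key and set this slot back to null.
  rsa_public_key_2 = null

  # Source ranges Fullstory connects from. Placeholder (TEST-NET-3); use the
  # values Fullstory provides, and prefer this over the deprecated
  # single-value fullstory_cidr_ipv4.
  fullstory_cidr_ipv4s = ["203.0.113.0/24"]
}
```

The `password` output of this instantiation is empty, so only the role, username and storage integration outputs from the example above are needed in the Fullstory app.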
This module does not create a READER role. You can use the following example to create a READER role that will allow a user to use and read all objects and all future objects in the database.
```hcl
resource "snowflake_role" "data_user_role" {
  provider = snowflake.security_admin
  name     = "READER"
}

# Database-level grants: the role must be able to use the database itself.
resource "snowflake_grant_privileges_to_role" "data_user_database" {
  provider   = snowflake.security_admin
  role_name  = snowflake_role.data_user_role.name
  privileges = ["USAGE", "MONITOR"]
  on_account_object {
    object_name = "MY_DATABASE"
    object_type = "DATABASE"
  }
}

# Schema-level grants, for existing schemas and for schemas created later.
resource "snowflake_grant_privileges_to_role" "data_user_schema" {
  provider   = snowflake.security_admin
  role_name  = snowflake_role.data_user_role.name
  privileges = ["USAGE", "MONITOR"]
  on_schema {
    all_schemas_in_database = "MY_DATABASE"
  }
}

resource "snowflake_grant_privileges_to_role" "data_user_future_schema" {
  provider   = snowflake.security_admin
  role_name  = snowflake_role.data_user_role.name
  privileges = ["USAGE", "MONITOR"]
  on_schema {
    future_schemas_in_database = "MY_DATABASE"
  }
}

# Read-only grants on tables, views and materialized views, existing and future.
resource "snowflake_grant_privileges_to_role" "data_user_tables" {
  provider   = snowflake.security_admin
  role_name  = snowflake_role.data_user_role.name
  privileges = ["SELECT"]
  on_schema_object {
    all {
      object_type_plural = "TABLES"
      in_database        = "MY_DATABASE"
    }
  }
}

resource "snowflake_grant_privileges_to_role" "data_user_future_tables" {
  provider   = snowflake.security_admin
  role_name  = snowflake_role.data_user_role.name
  privileges = ["SELECT"]
  on_schema_object {
    future {
      object_type_plural = "TABLES"
      in_database        = "MY_DATABASE"
    }
  }
}

resource "snowflake_grant_privileges_to_role" "data_user_views" {
  provider   = snowflake.security_admin
  role_name  = snowflake_role.data_user_role.name
  privileges = ["SELECT"]
  on_schema_object {
    all {
      object_type_plural = "VIEWS"
      in_database        = "MY_DATABASE"
    }
  }
}

resource "snowflake_grant_privileges_to_role" "data_user_future_views" {
  provider   = snowflake.security_admin
  role_name  = snowflake_role.data_user_role.name
  privileges = ["SELECT"]
  on_schema_object {
    future {
      object_type_plural = "VIEWS"
      in_database        = "MY_DATABASE"
    }
  }
}

resource "snowflake_grant_privileges_to_role" "data_user_mat_views" {
  provider   = snowflake.security_admin
  role_name  = snowflake_role.data_user_role.name
  privileges = ["SELECT"]
  on_schema_object {
    all {
      object_type_plural = "MATERIALIZED VIEWS"
      in_database        = "MY_DATABASE"
    }
  }
}

resource "snowflake_grant_privileges_to_role" "data_user_future_mat_views" {
  provider   = snowflake.security_admin
  role_name  = snowflake_role.data_user_role.name
  privileges = ["SELECT"]
  on_schema_object {
    future {
      object_type_plural = "MATERIALIZED VIEWS"
      in_database        = "MY_DATABASE"
    }
  }
}
```
This module outputs the role, username, password and storage integration that can be pasted into Fullstory in order for Fullstory to connect to your database. After using this module, you must output the value of these variables in your root module (see the example above). Once that is done, you can access the outputs with

```shell
terraform output <name of your output variable> | pbcopy
```

The `password` output is a sensitive value. You need to use a slightly different command in order to see it:

```shell
terraform output -raw <name of your output variable> | pbcopy
```
Alternatively, you can find all of the inputs in your Snowflake account.
See CONTRIBUTING.md for best practices and instructions on setting up your dev environment.