
getindata/terraform-snowflake-user


Snowflake User Terraform Module


Terraform module for creating and managing a Snowflake user.

This module can:

  • Create and manage Snowflake users
  • Automatically generate an RSA key pair (private and public key) for the user
  • Automatically grant default_role and the default secondary roles to the user

Usage

module "terraform_snowflake_user" {
  # Registry address follows <namespace>/<name>/<provider>; pin a version in real use
  source = "getindata/user/snowflake"
  name   = "snowflake-user"
}
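The minimal usage above creates a user with the module defaults. The configuration below is an added example, not code from the module's README or from the getindata project: it shows the two account shapes a practitioner usually needs side by side, a SERVICE user that authenticates only with a key pair generated outside Terraform (so the private key never lands in Terraform state, the very problem the generate_rsa_key input warns about), and a PERSON user that keeps MFA enforced and must rotate the initial password. Every input used is documented in the Inputs section; the user names, role, warehouse and network-policy names, the key file path, and the e-mail address are assumptions for illustration, and the context provider configuration required by v3.x is omitted here.

```hcl
# Added example, not the module's own code. Names, the key path, the role,
# warehouse and network-policy identifiers are illustrative assumptions.

terraform {
  required_version = ">= 1.3.0"
}

locals {
  # Key pair generated out of band, as in Snowflake's key-pair authentication docs:
  #   openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt
  #   openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
  # Only the public half is stored next to this configuration; rsa_key.p8 stays
  # in the pipeline's secret store and is never read by Terraform.
  etl_loader_pub_pem = file("${path.module}/keys/etl_loader.pub")

  # Snowflake expects the base64 body on a single line, without PEM header/trailer.
  etl_loader_pub = replace(
    replace(
      replace(trimspace(local.etl_loader_pub_pem), "-----BEGIN PUBLIC KEY-----", ""),
      "-----END PUBLIC KEY-----", ""
    ),
    "\n", ""
  )
}

# Pipeline service account: key-pair only, pinned to a network policy,
# one default role and no secondary roles active at login.
module "etl_loader" {
  source = "getindata/user/snowflake" # registry form: <namespace>/<name>/<provider>
  # version = "..."                   # pin to a released version

  name    = "etl_loader"              # final name also goes through name_scheme
  type    = "SERVICE"
  comment = "Service user for the nightly ETL pipeline"

  rsa_public_key = local.etl_loader_pub
  network_policy = "ETL_EGRESS_POLICY" # assumed: an existing network policy

  default_role                   = "ETL_LOADER_ROLE" # assumed: an existing role
  default_warehouse              = "ETL_WH"          # assumed: an existing warehouse
  default_secondary_roles_option = "NONE"
  grant_default_roles            = true
}

# Interactive analyst: MFA stays enforced (disable_mfa defaults to false), the
# generated password must be changed at first login, and the person's own
# changes to default warehouse/role/namespace are not reverted by Terraform.
module "analyst_jdoe" {
  source = "getindata/user/snowflake"

  name       = "jdoe"
  type       = "PERSON"
  first_name = "Jane"
  last_name  = "Doe"
  email      = "jane.doe@example.com"

  generate_password    = true # random_password lives in state: treat state as a secret
  must_change_password = true

  default_role               = "ANALYST_ROLE" # assumed: an existing role
  default_warehouse          = "ANALYST_WH"   # assumed: an existing warehouse
  ignore_changes_on_defaults = true
}

output "etl_loader_login_name" {
  value = module.etl_loader.login_name
}

# The one-time password is handed over out of band; marking the output sensitive
# keeps it out of plan/apply logs.
output "analyst_initial_password" {
  value     = module.analyst_jdoe.password
  sensitive = true
}
```

The three nested replace calls strip the PEM armor and line breaks that Snowflake rejects for rsa_public_key; when rotating, put the new key in rsa_public_key_2 first, switch the client, and only then drop the old key. The service user has no password at all, so a leaked Terraform state exposes nothing that can log in as it.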

EXAMPLES

  • Simple - Basic usage of the module
  • Complete - Advanced usage of the module

Breaking changes in v2.x of the module

Breaking changes in the Snowflake provider, together with additional code optimizations, led to breaking changes in v2.0.0 of this module.

List of code and variable (API) changes:

  • Support for Snowflake user types, selected with the type variable
  • Clear differentiation of PERSON, SERVICE and LEGACY_SERVICE users
  • snowflake_default_secondary_roles changed to default_secondary_roles_option (string, see Inputs below)
  • Added middle_name, query_tag, timezone, network_policy, trace_level, log_level and enable_unredacted_query_syntax_error variables
  • Added the disable_mfa flag (false by default), which controls MFA enforcement for PERSON users

When upgrading from v1.x, expect most of the resources to be recreated. Where recreation is not acceptable, existing resources can be imported into the new addresses instead. Keep in mind that recreating a user also re-applies its credentials: a password or key pair generated by the module is regenerated, and every client that logs in as that user must be updated.

For more information, refer to variables.tf, the list of inputs below, and the Snowflake provider documentation.

Breaking changes in v3.x of the module

Replacing null-label (context.tf) with the context provider introduced some breaking changes in v3.0.0 of this module.

List of code and variable (API) changes:

  • Removed the context.tf file (a single-file module with additional variables), which implies the removal of all of its variables (except name):
    • descriptor_formats
    • label_value_case
    • label_key_case
    • id_length_limit
    • regex_replace_chars
    • label_order
    • additional_tag_map
    • tags
    • labels_as_tags
    • attributes
    • delimiter
    • stage
    • environment
    • tenant
    • namespace
    • enabled
    • context
  • Removed support for the enabled flag. This may cause backward-compatibility issues with Terraform state (moved blocks were added to minimize the impact), so proceed with caution
  • The context provider must now be configured by the root module (see Providers and Requirements below)
  • New variables were added to allow naming configuration via the context provider:
    • context_templates
    • name_schema
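Since v3.x the module derives the user name from the context provider, so the root module has to configure that provider and can steer naming through name_scheme or context_templates. The configuration below is an added example and not part of the module's README. The provider block assumes the cloudposse/context provider (properties, values, delimiter attributes and Go-template placeholders such as {{.environment}}); verify those against the documentation of the provider version you pin, since only the module inputs name, type, name_scheme and context_templates are taken from this page.

```hcl
# Added example, not the module's own code. The context provider schema used here
# (cloudposse/context: properties, values, delimiter, {{.prop}} templates) is an
# assumption to check against the provider docs for your pinned version.

terraform {
  required_version = ">= 1.3.0"
  required_providers {
    context = {
      source  = "cloudposse/context" # assumed provider source
      version = ">= 0.4.0"
    }
  }
}

# Values shared by every module call in this root; a property without a value
# is supplied per call (name below).
provider "context" {
  delimiter = "_"
  properties = {
    environment = {}
    name        = {}
  }
  values = {
    environment = "dev"
  }
}

# Module defaults: properties ["environment", "name"], delimiter "_",
# template name "snowflake-user"; expected result: dev_etl_loader.
module "etl_loader" {
  source = "getindata/user/snowflake"
  name   = "etl_loader"
  type   = "SERVICE"
}

# Same inputs, but the name is built from an explicit scheme; characters that
# match replace_chars_regex are removed from the provider-built value.
module "etl_loader_ro" {
  source = "getindata/user/snowflake"
  name   = "etl-loader-ro"
  type   = "SERVICE"

  name_scheme = {
    properties          = ["environment", "name"]
    delimiter           = "_"
    replace_chars_regex = "[^a-zA-Z0-9_]"
    extra_values = {
      environment = "dev"
    }
  }
}

# A named template wins over name_scheme.properties/delimiter; the map key has
# to match name_scheme.context_template_name (default "snowflake-user").
module "analyst_jdoe" {
  source = "getindata/user/snowflake"
  name   = "jdoe"
  type   = "PERSON"

  context_templates = {
    "snowflake-user" = "{{.environment}}_{{.name}}" # assumed template syntax
  }
}
```

Because the generated name is the identity Snowflake grants roles against, check the planned user names with terraform plan before applying a naming change: a renamed user is a new user, with the credential consequences described in the v2.x notes above.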

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| comment | Comment / description of the Snowflake user | string | null | no |
| context_templates | Map of context templates used for naming conventions; supersedes the name_scheme.properties and name_scheme.delimiter configuration | map(string) | {} | no |
| default_namespace | Namespace (database only, or database and schema) that is active by default for the user's session upon login | string | null | no |
| default_role | Role that is active by default for the user's session upon login | string | null | no |
| default_secondary_roles_option | Secondary roles that are active for the user's session upon login. Valid values (case-insensitive): DEFAULT, NONE, ALL | string | "DEFAULT" | no |
| default_warehouse | Virtual warehouse that is active by default for the user's session upon login | string | null | no |
| disable_mfa | Disable multi-factor authentication for the user (works only with type = PERSON) | bool | false | no |
| disabled | Whether the user is disabled; this prevents logging in and aborts all of the user's currently running queries | bool | false | no |
| display_name | Name displayed for the user in the Snowflake web interface | string | null | no |
| email | Email address of the user | string | null | no |
| enable_unredacted_query_syntax_error | Controls whether query text is redacted when a SQL query fails due to a syntax or parsing error. If false, the text of a failed query is redacted in the views, pages and functions that provide query history. Only users with a role that is granted or inherits the AUDIT privilege can set this parameter. When using ALTER USER to set it to true, modify the user who should see the query text, not the user who executed the query (if they differ) | bool | null | no |
| first_name | First name of the user (works only with type = PERSON) | string | null | no |
| generate_password | Generate a random password with Terraform (the value is kept in Terraform state) | bool | false | no |
| generate_rsa_key | Whether to automatically generate an RSA key pair. IMPORTANT: the private key generated by this resource is stored unencrypted in your Terraform state file; using it for production deployments is not recommended | bool | false | no |
| grant_default_roles | Whether to grant default_role to the Snowflake user | bool | true | no |
| ignore_changes_on_defaults | Whether to stop enforcing default_warehouse, default_role and default_namespace, so that changes made outside Terraform are ignored (works only with type = PERSON) | bool | false | no |
| last_name | Last name of the user (works only with type = PERSON) | string | null | no |
| log_level | Severity level of messages that are ingested and made available in the active event table; messages at that level and at more severe levels are ingested | string | null | no |
| login_name | The name the user logs in with. If not supplied, Snowflake uses name instead | string | null | no |
| middle_name | Middle name of the user (works only with type = PERSON) | string | null | no |
| must_change_password | Whether the user must change the password at first login. Should be true for non-service-account users | bool | true | no |
| name | Name of the resource | string | n/a | yes |
| name_scheme | Naming scheme configuration for the resource, used to generate the name via the context provider: properties (list of properties used to build the name; superseded by var.context_templates), delimiter (separator between properties; superseded by var.context_templates), context_template_name (name of the context template used to build the name), replace_chars_regex (any character matching this regex is removed from the property values produced by the provider), extra_values (map of extra label-value pairs used to build the name) | object({ properties = optional(list(string), ["environment", "name"]), delimiter = optional(string, "_"), context_template_name = optional(string, "snowflake-user"), replace_chars_regex = optional(string, "[^a-zA-Z0-9_]"), extra_values = optional(map(string)) }) | {} | no |
| network_policy | Network policy to enforce for this user. Network policies restrict access to your account based on the client's IP address | string | null | no |
| query_tag | Optional string used to tag queries and other SQL statements executed within a session | string | null | no |
| rsa_public_key | The user's RSA public key, used for key-pair authentication. Must be on one line, without the PEM header and trailer | string | null | no |
| rsa_public_key_2 | The user's second RSA public key, used to rotate the public and private keys for key-pair authentication on the expiration schedule set by your organization. Must be on one line, without the PEM header and trailer | string | null | no |
| timezone | Time zone for the session. Accepts a time zone name or link name from release 2021a of the IANA Time Zone Database (e.g. America/Los_Angeles, Europe/London, UTC, Etc/GMT) | string | null | no |
| trace_level | Controls how trace events are ingested into the event table | string | null | no |
| type | Type of the user. Valid values: PERSON, SERVICE, LEGACY_SERVICE | string | "PERSON" | no |

Modules

No modules.

Outputs

| Name | Description |
|------|-------------|
| default_namespace | Namespace (database only, or database and schema) that is active by default for the user's session upon login |
| default_role | Role that is active by default for the user's session upon login |
| default_secondary_roles_option | Secondary roles that are active for the user's session upon login |
| default_warehouse | Virtual warehouse that is active by default for the user's session upon login |
| disable_mfa | Whether multi-factor authentication is disabled for the user |
| disabled | Whether the user account is disabled |
| display_name | Name displayed for the user in the Snowflake web interface |
| email | Email address of the user |
| enable_unredacted_query_syntax_error | Whether the user can see unredacted query text for queries that failed with a syntax error |
| first_name | First name of the user (only if type == PERSON) |
| last_name | Last name of the user (only if type == PERSON) |
| log_level | Log level |
| login_name | The name the user logs in with |
| middle_name | Middle name of the user (only if type == PERSON) |
| name | Name of the user |
| network_policy | Network policy associated with the user |
| password | Password set for the user (only if type == PERSON or type == LEGACY_SERVICE) |
| query_tag | Query tag |
| rsa_private_key | RSA private key used for authentication (only if generate_rsa_key = true) |
| timezone | Time zone |
| trace_level | Trace level |
| type | User type |

Providers

| Name | Version |
|------|---------|
| context | >= 0.4.0 |
| random | >= 3.0.0 |
| snowflake | ~> 0.96 |
| tls | ~> 4.0 |

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3.0 |
| context | >= 0.4.0 |
| random | >= 3.0.0 |
| snowflake | ~> 0.96 |
| tls | ~> 4.0 |

Resources

| Name | Type |
|------|------|
| random_password.this | resource |
| snowflake_grant_account_role.default_role | resource |
| snowflake_legacy_service_user.this | resource |
| snowflake_service_user.this | resource |
| snowflake_user.defaults_not_enforced | resource |
| snowflake_user.this | resource |
| tls_private_key.this | resource |
| context_label.this | data source |

CONTRIBUTING

Contributions are very welcome!

Start by reviewing the contribution guide and our code of conduct. After that, start coding and ship your changes by opening a new PR.

LICENSE

Apache 2 Licensed. See LICENSE for full details.
