
Snowflake Storage Integration Terraform Module


Terraform module for Snowflake storage integration management.

  • Creates Snowflake storage integration
  • Can create custom Snowflake roles with role-to-role, role-to-user assignments
  • Can create a set of default roles to simplify access management:
    • READONLY - granted USAGE privilege

Breaking changes in v3.x of the module

Due to the replacement of null-label (context.tf) with the context provider, some breaking changes were introduced in version v3.0.0 of this module.

List of code and variable (API) changes:

  • Removed the context.tf file (a single-file module with additional variables), which implied the removal of all of its variables (except name):
    • descriptor_formats
    • label_value_case
    • label_key_case
    • id_length_limit
    • regex_replace_chars
    • label_order
    • additional_tag_map
    • tags
    • labels_as_tags
    • attributes
    • delimiter
    • stage
    • environment
    • tenant
    • namespace
    • enabled
    • context
  • Changed support for the enabled flag. This might cause some backward-compatibility issues with the Terraform state (moved blocks were added to minimize the impact), so proceed with caution
  • Additional context provider configuration
  • New variables were added to allow naming configuration via the context provider:
    • context_templates
    • name_schema

USAGE

data "azurerm_client_config" "current" {}

module "snowflake_storage_integration" {
  source = "getindata/storage-integration/snowflake"
  # version  = "x.x.x"

  name = "my_integration"

  type                      = "EXTERNAL_STAGE"
  storage_provider          = "AZURE"
  storage_allowed_locations = ["azure://mystorageaccount.blob.core.windows.net/raw/"]
  azure_tenant_id           = data.azurerm_client_config.current.tenant_id
  
  create_default_roles = true
}
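The usage block above covers Azure. The following is an added example (not part of the module's own README or code) showing the same module with the S3 storage provider together with the AWS side of the trust relationship, using the storage_aws_external_id and storage_aws_iam_user_arn outputs documented below. The bucket name, role name, Snowflake role names and the use of the hashicorp/aws provider are assumptions; the IAM role ARN is computed from the account ID up front so that the module does not depend on the role resource, which in turn depends on the module's outputs.

```hcl
data "aws_caller_identity" "current" {}

locals {
  # Assumed role name; the ARN is deterministic, so it can be passed to the
  # module before the role itself exists (avoids a dependency cycle).
  iam_role_name = "snowflake-raw-landing-reader"
  iam_role_arn  = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.iam_role_name}"
  raw_bucket    = "example-raw-bucket" # constructed sample bucket name
}

module "snowflake_storage_integration" {
  source = "getindata/storage-integration/snowflake"
  # version  = "x.x.x"

  name = "raw_s3"

  type                 = "EXTERNAL_STAGE"
  storage_provider     = "S3"
  storage_aws_role_arn = local.iam_role_arn

  # Allow only the landing prefix and explicitly block a sub-prefix so that
  # stages created on this integration cannot read it even if misconfigured.
  storage_allowed_locations = ["s3://${local.raw_bucket}/landing/"]
  storage_blocked_locations = ["s3://${local.raw_bucket}/landing/restricted/"]

  # One custom role that receives USAGE on the integration only, granted to
  # an assumed existing TRANSFORMER role rather than to individual users.
  roles = {
    loader = {
      comment          = "May create stages on the raw S3 integration"
      granted_to_roles = ["TRANSFORMER"]
      integration_grants = {
        privileges = ["USAGE"]
      }
    }
  }
}

# Trust policy: only the Snowflake IAM user may assume the role, and only when
# presenting the external ID generated for this integration.
data "aws_iam_policy_document" "snowflake_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [module.snowflake_storage_integration.storage_aws_iam_user_arn]
    }
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [module.snowflake_storage_integration.storage_aws_external_id]
    }
  }
}

resource "aws_iam_role" "snowflake" {
  name               = local.iam_role_name
  assume_role_policy = data.aws_iam_policy_document.snowflake_trust.json
}

# Read-only access scoped to the landing prefix; no write or delete actions.
data "aws_iam_policy_document" "landing_read" {
  statement {
    actions   = ["s3:GetObject", "s3:GetObjectVersion"]
    resources = ["arn:aws:s3:::${local.raw_bucket}/landing/*"]
  }
  statement {
    actions   = ["s3:ListBucket", "s3:GetBucketLocation"]
    resources = ["arn:aws:s3:::${local.raw_bucket}"]
    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["landing/*"]
    }
  }
}

resource "aws_iam_role_policy" "snowflake_landing_read" {
  name   = "snowflake-landing-read"
  role   = aws_iam_role.snowflake.id
  policy = data.aws_iam_policy_document.landing_read.json
}
```

The external-ID condition is what prevents a confused-deputy scenario in which a different Snowflake account that learned the role ARN could assume it; the IAM policy grants read actions only, so the integration cannot be used for unload to this prefix without a deliberate policy change. Because the role's trust policy is derived from the module outputs, the trust relationship is established on the same apply that creates the integration.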

EXAMPLES

Inputs

Name Description Type Default Required
azure_tenant_id Azure tenant ID. Required if storage provider is type of AZURE string null no
comment Specifies comment for the storage integration string null no
context_templates Map of context templates used for naming conventions - this variable supersedes naming_scheme.properties and naming_scheme.delimiter configuration map(string) {} no
create_default_roles Whether the default roles should be created bool false no
enabled Whether the storage integration is enabled bool true no
name Name of the resource string n/a yes
name_scheme Naming scheme configuration for the resource. This configuration is used to generate names using the context provider:
- properties - list of properties to use when creating the name - is superseded by var.context_templates
- delimiter - delimiter used to create the name from properties - is superseded by var.context_templates
- context_template_name - name of the context template used to create the name
- replace_chars_regex - regex to use for replacing characters in property values created by the provider - any characters that match the regex will be removed from the name
- extra_values - map of extra label-value pairs, used to create a name
- uppercase - convert name to uppercase
object({
  properties            = optional(list(string), ["environment", "name"])
  delimiter             = optional(string, "_")
  context_template_name = optional(string, "snowflake-warehouse")
  replace_chars_regex   = optional(string, "[^a-zA-Z0-9_]")
  extra_values          = optional(map(string))
  uppercase             = optional(bool, true)
})
{} no
roles Roles created in the database scope
map(object({
  name_scheme = optional(object({
    properties            = optional(list(string))
    delimiter             = optional(string)
    context_template_name = optional(string)
    replace_chars_regex   = optional(string)
    extra_labels          = optional(map(string))
    uppercase             = optional(bool)
  }))
  comment              = optional(string)
  role_ownership_grant = optional(string)
  granted_roles        = optional(list(string))
  granted_to_roles     = optional(list(string))
  granted_to_users     = optional(list(string))
  integration_grants = optional(object({
    all_privileges    = optional(bool)
    with_grant_option = optional(bool, false)
    privileges        = optional(list(string))
  }))
}))
{} no
storage_allowed_locations Explicitly limits external stages that use the integration to reference one or more storage locations list(string) n/a yes
storage_aws_object_acl Value of "bucket-owner-full-control" enables support for AWS access control lists (ACLs) to grant the bucket owner full control string null no
storage_aws_role_arn AWS Role ARN string null no
storage_blocked_locations Explicitly prohibits external stages that use the integration from referencing one or more storage locations list(string) [] no
storage_provider Storage provider name. Possible values are: S3, S3GOV, GCS, AZURE string n/a yes
type Type of the storage integration. Defaults: EXTERNAL_STAGE string "EXTERNAL_STAGE" no

Modules

Name Source Version
roles_deep_merge Invicton-Labs/deepmerge/null 0.1.5
snowflake_custom_role getindata/role/snowflake 3.1.0
snowflake_default_role getindata/role/snowflake 3.1.0

Outputs

Name Description
azure_consent_url The consent URL that is used to create an Azure Snowflake service principal inside your tenant
azure_multi_tenant_app_name This is the name of the Snowflake client application created for your account
azure_tenant_id ID of the tenant
comment Specifies comment for the storage integration
enabled Whether the storage integration is enabled
name Name of the storage integration
roles This storage integration access roles
storage_allowed_locations Explicitly limits external stages that use the integration to reference one or more storage locations
storage_aws_external_id The external ID that Snowflake will use when assuming the AWS role
storage_aws_iam_user_arn The Snowflake user that will attempt to assume the AWS role
storage_aws_object_acl Name of the AWS access control lists (ACLs)
storage_aws_role_arn AWS Role ARN
storage_blocked_locations Explicitly prohibits external stages that use the integration from referencing one or more storage locations
storage_gcp_service_account This is the name of the Snowflake Google Service Account created for your account
storage_provider Storage provider name
type Type of the storage integration

Providers

Name Version
context >=0.4.0
snowflake ~> 0.94

Requirements

Name Version
terraform >= 1.3
context >=0.4.0
snowflake ~> 0.94

Resources

Name Type
snowflake_storage_integration.this resource
context_label.this data source

CONTRIBUTING

Contributions are very welcome!

Start by reviewing the contribution guide and our code of conduct. After that, start coding and ship your changes by creating a new PR.

LICENSE

Apache 2 Licensed. See LICENSE for full details.

AUTHORS

Made with contrib.rocks.