This is a terraform provider plugin for managing Snowflake accounts. Initially developed by Chan Zuckerberg, currently maintained by Viostream.
This provider is pre-release - please test carefully and use at your own risk!
```shell
go get -u github.com/viostream/terraform-provider-snowflake
# *NIX
mv "$GOPATH/bin/terraform-provider-snowflake" ~/.terraform.d/plugins
# Windo$e
# ???
```
We currently support only username + password authentication and suggest that you supply the credentials only via environment variables. A config looks something like:
```hcl
provider "snowflake" {
  account = "..."
  role    = "..."
  region  = "..."
}
```
and
```shell
export SNOWFLAKE_USER='...'
export SNOWFLAKE_PASSWORD='...'
terraform ...
```
We support managing a subset of snowflakedb resources, with a focus on access control and management.
You can see a number of examples here.
NAME | TYPE | DESCRIPTION | OPTIONAL | REQUIRED | COMPUTED | DEFAULT |
---|---|---|---|---|---|---|
comment | string | | true | false | false | "" |
data_retention_time_in_days | int | | true | false | true | |
from_share | map | Specify a provider and a share in this map to create a database from a share. | true | false | false | |
name | string | | false | true | false | |
NAME | TYPE | DESCRIPTION | OPTIONAL | REQUIRED | COMPUTED | DEFAULT |
---|---|---|---|---|---|---|
database_name | string | The name of the database on which to grant privileges. | false | true | false | |
privilege | string | The privilege to grant on the database. | true | false | false | "USAGE" |
roles | set | Grants privilege to these roles. | true | false | false | |
shares | set | Grants privilege to these shares. | true | false | false |
NAME | TYPE | DESCRIPTION | OPTIONAL | REQUIRED | COMPUTED | DEFAULT |
---|---|---|---|---|---|---|
admin_name | string | Identifier, as well as login name, for the initial user in the managed account. This user serves as the account administrator for the account. | false | true | false | |
admin_password | string | Password for the initial user in the managed account. | false | true | false | |
cloud | string | Cloud in which the managed account is located. | false | false | true | |
comment | string | Specifies a comment for the managed account. | true | false | false | |
created_on | string | Date and time when the managed account was created. | false | false | true | |
locator | string | Display name of the managed account. | false | false | true | |
name | string | Identifier for the managed account; must be unique for your account. | false | true | false | |
region | string | Snowflake Region in which the managed account is located. | false | false | true | |
type | string | Specifies the type of managed account. | true | false | false | "READER" |
url | string | URL for accessing the managed account, particularly through the web interface. | false | false | true |
NAME | TYPE | DESCRIPTION | OPTIONAL | REQUIRED | COMPUTED | DEFAULT |
---|---|---|---|---|---|---|
credit_quota | int | The number of credits allocated monthly to the resource monitor. | true | false | true | |
end_timestamp | string | The date and time when the resource monitor suspends the assigned warehouses. | true | false | false | |
frequency | string | The frequency interval at which the credit usage resets to 0. If you set a frequency for a resource monitor, you must also set START_TIMESTAMP. | true | false | true | |
name | string | Identifier for the resource monitor; must be unique for your account. | false | true | false | |
notify_triggers | set | A list of percentage thresholds at which to send an alert to subscribed users. | true | false | false | |
start_timestamp | string | The date and time when the resource monitor starts monitoring credit usage for the assigned warehouses. | true | false | true | |
suspend_immediate_triggers | set | A list of percentage thresholds at which to immediately suspend all warehouses. | true | false | false | |
suspend_triggers | set | A list of percentage thresholds at which to suspend all warehouses. | true | false | false |
NAME | TYPE | DESCRIPTION | OPTIONAL | REQUIRED | COMPUTED | DEFAULT |
---|---|---|---|---|---|---|
comment | string | | true | false | false | |
name | string | | false | true | false | |
NAME | TYPE | DESCRIPTION | OPTIONAL | REQUIRED | COMPUTED | DEFAULT |
---|---|---|---|---|---|---|
role_name | string | The name of the role we are granting. | false | true | false | |
roles | set | Grants role to this specified role. | true | false | false | |
users | set | Grants role to this specified user. | true | false | false |
NAME | TYPE | DESCRIPTION | OPTIONAL | REQUIRED | COMPUTED | DEFAULT |
---|---|---|---|---|---|---|
comment | string | Specifies a comment for the schema. | true | false | false | |
data_retention_days | int | Specifies the number of days for which Time Travel actions (CLONE and UNDROP) can be performed on the schema, as well as specifying the default Time Travel retention time for all tables created in the schema. | true | false | false | 1 |
database | string | The database in which to create the view. | false | true | false | |
is_managed | bool | Specifies a managed schema. Managed access schemas centralize privilege management with the schema owner. | true | false | false | false |
is_transient | bool | Specifies a schema as transient. Transient schemas do not have a Fail-safe period so they do not incur additional storage costs once they leave Time Travel; however, this means they are also not protected by Fail-safe in the event of a data loss. | true | false | false | false |
name | string | Specifies the identifier for the schema; must be unique for the database in which the schema is created. | false | true | false |
NAME | TYPE | DESCRIPTION | OPTIONAL | REQUIRED | COMPUTED | DEFAULT |
---|---|---|---|---|---|---|
database_name | string | The name of the database containing the schema on which to grant privileges. | false | true | false | |
privilege | string | The privilege to grant on the schema. | true | false | false | "USAGE" |
roles | set | Grants privilege to these roles. | true | false | false | |
schema_name | string | The name of the schema on which to grant privileges. | false | true | false | |
shares | set | Grants privilege to these shares. | true | false | false |
NAME | TYPE | DESCRIPTION | OPTIONAL | REQUIRED | COMPUTED | DEFAULT |
---|---|---|---|---|---|---|
accounts | set | A list of accounts to be added to the share. | true | false | false | |
comment | string | Specifies a comment for the managed account. | true | false | false | |
name | string | Specifies the identifier for the share; must be unique for the account in which the share is created. | false | true | false |
NAME | TYPE | DESCRIPTION | OPTIONAL | REQUIRED | COMPUTED | DEFAULT |
---|---|---|---|---|---|---|
comment | string | | true | false | false | |
default_namespace | string | Specifies the namespace (database only or database and schema) that is active by default for the user’s session upon login. | true | false | false | |
default_role | string | Specifies the role that is active by default for the user’s session upon login. | true | false | true | |
default_warehouse | string | Specifies the virtual warehouse that is active by default for the user’s session upon login. | true | false | false | |
disabled | bool | | true | false | true | |
has_rsa_public_key | bool | Will be true if user has an RSA key set. | false | false | true | |
login_name | string | The name users use to log in. If not supplied, snowflake will use name instead. | true | false | true | |
must_change_password | bool | Specifies whether the user is forced to change their password on next login (including their first/initial login) into the system. | true | false | false | |
name | string | Name of the user. Note that if you do not supply login_name this will be used as login_name. | false | true | false | |
password | string | WARNING: this will put the password in the terraform state file. Use carefully. | true | false | false | |
rsa_public_key | string | Specifies the user’s RSA public key; used for key-pair authentication. Must be on 1 line without header and trailer. | true | false | false | |
rsa_public_key_2 | string | Specifies the user’s second RSA public key; used to rotate the public and private keys for key-pair authentication based on an expiration schedule set by your organization. Must be on 1 line without header and trailer. | true | false | false |
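
The `rsa_public_key` and `rsa_public_key_2` attributes above must hold the key on one line without header and trailer. The following Go helper is an added example, not part of the provider's code: it converts a PEM public key to that form and rejects anything that is not an RSA public key, so a private key file passed by mistake never reaches Terraform configuration or state. `SingleLinePublicKey` and `demoPublicKeyPEM` are hypothetical names, and the helper assumes the key is a PKIX `PUBLIC KEY` PEM block.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
)

// SingleLinePublicKey (hypothetical helper, not provider code) returns the
// bare one-line base64 body of a PEM "PUBLIC KEY" block.
func SingleLinePublicKey(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return "", fmt.Errorf("no PEM block found")
	}
	// Public keys only: a private key must never reach Terraform config or state.
	if block.Type != "PUBLIC KEY" {
		return "", fmt.Errorf("refusing PEM block of type %q", block.Type)
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("parse public key: %w", err)
	}
	if _, ok := parsed.(*rsa.PublicKey); !ok {
		return "", fmt.Errorf("not an RSA public key")
	}
	// Re-encoding the DER bytes drops line breaks and stray whitespace.
	return base64.StdEncoding.EncodeToString(block.Bytes), nil
}

// demoPublicKeyPEM generates a throwaway key (constructed sample input).
func demoPublicKeyPEM() ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

func main() {
	pub, _ := demoPublicKeyPEM()
	fmt.Println(SingleLinePublicKey(pub))
}
```
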
NAME | TYPE | DESCRIPTION | OPTIONAL | REQUIRED | COMPUTED | DEFAULT |
---|---|---|---|---|---|---|
comment | string | Specifies a comment for the view. | true | false | false | |
database | string | The database in which to create the view. Don't use the \| character. | false | true | false | |
is_secure | bool | Specifies that the view is secure. | true | false | false | false |
name | string | Specifies the identifier for the view; must be unique for the schema in which the view is created. Don't use the \| character. | false | true | false | |
schema | string | The schema in which to create the view. Don't use the \| character. | true | false | false | |
statement | string | Specifies the query used to create the view. | false | true | false |
NAME | TYPE | DESCRIPTION | OPTIONAL | REQUIRED | COMPUTED | DEFAULT |
---|---|---|---|---|---|---|
database_name | string | The name of the database containing the view on which to grant privileges. | false | true | false | |
privilege | string | The privilege to grant on the view. | true | false | false | "SELECT" |
roles | set | Grants privilege to these roles. | true | false | false | |
schema_name | string | The name of the schema containing the view on which to grant privileges. | true | false | false | "PUBLIC" |
shares | set | Grants privilege to these shares. | true | false | false | |
view_name | string | The name of the view on which to grant privileges. | false | true | false |
NAME | TYPE | DESCRIPTION | OPTIONAL | REQUIRED | COMPUTED | DEFAULT |
---|---|---|---|---|---|---|
auto_resume | bool | Specifies whether to automatically resume a warehouse when a SQL statement (e.g. query) is submitted to it. | true | false | true | |
auto_suspend | int | Specifies the number of seconds of inactivity after which a warehouse is automatically suspended. | true | false | true | |
comment | string | | true | false | false | "" |
initially_suspended | bool | Specifies whether the warehouse is created initially in the ‘Suspended’ state. | true | false | false | |
max_cluster_count | int | Specifies the maximum number of server clusters for the warehouse. | true | false | true | |
min_cluster_count | int | Specifies the minimum number of server clusters for the warehouse (only applies to multi-cluster warehouses). | true | false | true | |
name | string | | false | true | false | |
resource_monitor | string | Specifies the name of a resource monitor that is explicitly assigned to the warehouse. | true | false | true | |
scaling_policy | string | Specifies the policy for automatically starting and shutting down clusters in a multi-cluster warehouse running in Auto-scale mode. | true | false | true | |
wait_for_provisioning | bool | Specifies whether the warehouse, after being resized, waits for all the servers to provision before executing any queued or new queries. | true | false | false | |
warehouse_size | string | | true | false | true | |
NAME | TYPE | DESCRIPTION | OPTIONAL | REQUIRED | COMPUTED | DEFAULT |
---|---|---|---|---|---|---|
privilege | string | The privilege to grant on the warehouse. | true | false | false | "USAGE" |
roles | set | Grants privilege to these roles. | true | false | false | |
warehouse_name | string | The name of the warehouse on which to grant privileges. | false | true | false |
To do development you need Go installed, this repo cloned and that's about it. It has not been tested on Windows, so if you find problems let us know.
If you want to build and test the provider locally, there is a make target, `make install-tf`, that will build the provider binary and install it in a location that Terraform can find.
For the Terraform resources, there are 3 levels of testing - internal, unit and acceptance tests.
The 'internal' tests are run in the `github.com/viostream/terraform-provider-snowflake/pkg/resources` package so that they can test functions that are not exported. These tests are intended to be limited to unit tests for simple functions.
The 'unit' tests are run in `github.com/viostream/terraform-provider-snowflake/pkg/resources_test`, so they only have access to the exported methods of `resources`. These tests exercise the CRUD methods on the Terraform resources. Note that all tests here make use of database mocking and are run locally. This means the tests are fast, but are liable to be wrong in subtle ways (since the mocks are unlikely to be perfect).
You can run these first two sets of tests with `make test`.
The 'acceptance' tests run the full stack, creating, modifying and destroying resources in a live snowflake account. To run them you need a snowflake account and the proper environment variables set: SNOWFLAKE_ACCOUNT, SNOWFLAKE_USER, SNOWFLAKE_PASSWORD, SNOWFLAKE_ROLE. These tests are slower but have higher fidelity.
To run all tests, including the acceptance tests, run `make test-acceptance`.
Note that we also run all tests in our Travis-CI account.