
getindata/terraform-snowflake-stage


Snowflake Stage Terraform Module

Terraform module for Snowflake stage management.

  • Creates Snowflake stage
  • Can create custom Snowflake database-roles with role-to-role assignments
  • Can create a set of default roles to simplify access management:
    • READONLY - granted USAGE or READ privileges
    • READWRITE - granted WRITE privileges
    • ADMIN - granted ALL PRIVILEGES

USAGE

module "snowflake_stage" {
  source = "getindata/stage/snowflake"
  # version  = "x.x.x"

  name     = "my_stage"
  schema   = "my_schema"
  database = "my_db"

  # External stage pointing at an S3 prefix; credentials passed this way are
  # stored in Terraform state together with the stage attributes
  url         = "s3://com.example.bucket/prefix"
  credentials = "AWS_KEY_ID='${var.example_aws_key_id}' AWS_SECRET_KEY='${var.example_aws_secret_key}'"

  # Create the READONLY / READWRITE / ADMIN database roles described above
  # (variable name as listed in the Inputs table)
  create_default_roles = true
}
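The following is an added example, not code from the module's README, showing the same module with the inline AWS keys replaced by a storage integration and the v2/v3 `roles` map used for custom stage roles. The integration name, the account and database role names, the object names, the `environment` label passed through `extra_values`, and the `ETL_ROLE` / `ANALYTICS_READONLY` roles are all assumed to exist outside this snippet; `file_format` and `directory` use Snowflake's own option syntax.

```hcl
module "snowflake_stage" {
  source = "getindata/stage/snowflake"
  # version = "x.x.x"

  name     = "landing"
  schema   = "raw"
  database = "analytics"

  # Build the stage name from <environment>_<name> via the context provider.
  # "environment" is an assumed label supplied here through extra_values.
  name_scheme = {
    properties   = ["environment", "name"]
    delimiter    = "_"
    extra_values = { environment = "prod" }
  }

  # External S3 stage. Authentication is delegated to a storage integration
  # (assumed to exist as S3_LANDING_INTEGRATION), so no access keys are passed
  # to the module or written into Terraform state.
  url                 = "s3://com.example.bucket/landing/"
  storage_integration = "S3_LANDING_INTEGRATION"
  file_format         = "TYPE = PARQUET"
  directory           = "ENABLE = TRUE"
  comment             = "Landing zone for raw parquet drops"

  # Transfer ownership of the stage to an account role (assumed: DATA_PLATFORM_ADMIN)
  stage_ownership_grant = "DATA_PLATFORM_ADMIN"

  # READONLY / READWRITE / ADMIN database roles from the module defaults
  create_default_roles = true

  # Custom database roles in the stage scope, each with an explicit grant set.
  # External stages are used via the USAGE privilege, so the read-only
  # consumer gets USAGE only; the operator role gets ALL PRIVILEGES.
  roles = {
    operator = {
      comment           = "Pipeline operator: full control of the landing stage"
      all_privileges    = true
      with_grant_option = false
      granted_to_roles  = ["ETL_ROLE"] # assumed account role
    }
    auditor = {
      comment                   = "Read-only consumer of the landing files"
      stage_grants              = ["USAGE"]
      granted_to_database_roles = ["ANALYTICS_READONLY"] # assumed database role
    }
  }
}

# Expose the generated fully qualified name for downstream modules
output "landing_stage_fqn" {
  value = module.snowflake_stage.fully_qualified_name
}
```

Because the stage authenticates through the storage integration, rotating the cloud credentials is done on the integration object rather than by re-applying this module, and the `roles` map grants each consumer only what it needs, with `all_privileges` reserved for the operator role.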

EXAMPLES

  • Simple - Basic usage of the module
  • Complete - Advanced usage of the module

Breaking changes in v2.x of the module

Due to breaking changes in the Snowflake provider and additional code optimizations, breaking changes were introduced in v2.0.0 of this module.

List of code and variable (API) changes:

  • Switched to the snowflake_grant_ownership resource instead of the provider-removed snowflake_role_ownership_grant

  • Switched to the snowflake_database_role module to leverage the new database_roles mechanism

  • default_roles and custom_roles are now combined and managed by a single module

  • The roles variable map received the following additions:

    • all_privileges - optional, bool
    • on_all - optional, bool, defaults to false
    • on_future - optional, bool, defaults to false
    • with_grant_option - optional, bool
    • granted_to_database_roles - optional, string
    • granted_database_roles - optional, list of strings
  • and had the following items removed:

    • enabled
    • comment
    • role_ownership_grant
    • granted_roles
    • granted_to_users

When upgrading from v1.x, expect most of the resources to be recreated - where recreation is impossible, some existing resources can be imported instead.

For more information, refer to variables.tf, the list of inputs below and the Snowflake provider documentation.

Breaking changes in v3.x of the module

Due to the replacement of null-label (context.tf) with the context provider, some breaking changes were introduced in v3.0.0 of this module.

List of code and variable (API) changes:

  • Removed the context.tf file (a single-file module with additional variables), which implied the removal of all its variables (except name):
    • descriptor_formats
    • label_value_case
    • label_key_case
    • id_length_limit
    • regex_replace_chars
    • label_order
    • additional_tag_map
    • tags
    • labels_as_tags
    • attributes
    • delimiter
    • stage
    • environment
    • tenant
    • namespace
    • enabled
    • context
  • Removed support for the enabled flag - this might cause some backward-compatibility issues with Terraform state (proper moved clauses were added to minimize the impact), but proceed with caution
  • Additional context provider configuration
  • New variables were added to allow naming configuration via the context provider:
    • context_templates
    • name_schema

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| aws_external_id | ID of the customer AWS account | `string` | `null` | no |
| comment | Specifies a comment for the stage | `string` | `null` | no |
| context_templates | Map of context templates used for naming conventions - this variable supersedes `naming_scheme.properties` and `naming_scheme.delimiter` configuration | `map(string)` | `{}` | no |
| copy_options | Specifies the copy options for the stage | `string` | `null` | no |
| create_default_roles | Whether the default database roles should be created | `bool` | `false` | no |
| credentials | Specifies the credentials for the stage | `string` | `null` | no |
| database | The database in which to create the stage | `string` | n/a | yes |
| directory | Specifies the directory settings for the stage | `string` | `null` | no |
| encryption | Specifies the encryption settings for the stage | `string` | `null` | no |
| file_format | Specifies the file format for the stage | `string` | `null` | no |
| name | Name of the resource | `string` | n/a | yes |
| name_scheme | Naming scheme configuration for the resource. This configuration is used to generate names using the context provider:<br>- `properties` - list of properties to use when creating the name - superseded by `var.context_templates`<br>- `delimiter` - delimiter used to create the name from properties - superseded by `var.context_templates`<br>- `context_template_name` - name of the context template used to create the name<br>- `replace_chars_regex` - regex used to replace characters in property values created by the provider - any characters that match the regex are removed from the name<br>- `extra_values` - map of extra label-value pairs used to create the name | `object({ properties = optional(list(string), ["name"]), delimiter = optional(string, "_"), context_template_name = optional(string, "snowflake-stage"), replace_chars_regex = optional(string, "[^a-zA-Z0-9_]"), extra_values = optional(map(string)) })` | `{}` | no |
| roles | Database roles created in the stage scope | `map(object({ name_scheme = optional(object({ properties = optional(list(string)), delimiter = optional(string), context_template_name = optional(string), replace_chars_regex = optional(string), extra_labels = optional(map(string)) })), comment = optional(string), with_grant_option = optional(bool), granted_to_roles = optional(list(string)), granted_to_database_roles = optional(list(string)), granted_database_roles = optional(list(string)), stage_grants = optional(list(string)), all_privileges = optional(bool) }))` | `{}` | no |
| schema | The schema in which to create the stage | `string` | n/a | yes |
| snowflake_iam_user | Specifies the Snowflake IAM user | `string` | `null` | no |
| stage_ownership_grant | To which account role the stage ownership should be granted | `string` | `null` | no |
| storage_integration | Specifies the name of the storage integration used to delegate authentication responsibility for external cloud storage to a Snowflake identity and access management (IAM) entity | `string` | `null` | no |
| url | Specifies the URL for the stage | `string` | `null` | no |

Modules

| Name | Source | Version |
|------|--------|---------|
| roles_deep_merge | Invicton-Labs/deepmerge/null | 0.1.5 |
| snowflake_custom_role | getindata/database-role/snowflake | 2.0.1 |
| snowflake_default_role | getindata/database-role/snowflake | 2.0.1 |

Outputs

| Name | Description |
|------|-------------|
| database_roles | This stage's access roles |
| fully_qualified_name | Fully qualified name of the stage |
| name | Name of the stage |

Providers

| Name | Version |
|------|---------|
| context | >= 0.4.0 |
| snowflake | >= 0.95 |

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3 |
| context | >= 0.4.0 |
| snowflake | >= 0.95 |

Resources

| Name | Type |
|------|------|
| snowflake_grant_ownership.stage_ownership | resource |
| snowflake_stage.this | resource |
| context_label.this | data source |

CONTRIBUTING

Contributions are very welcome!

Start by reviewing the contribution guide and our code of conduct. After that, start coding and ship your changes by creating a new PR.

LICENSE

Apache 2 Licensed. See LICENSE for full details.

AUTHORS

Made with contrib.rocks.