Skip to content

Commit

Permalink
Merge branch 'current' into blog/evolving-the-craft
Browse files Browse the repository at this point in the history
  • Loading branch information
@KiraFuruichi
KiraFuruichi authored May 8, 2023
2 parents 0a02347 + 283aba2 commit 747cfc7
Show file tree
Hide file tree
Showing 66 changed files with 230 additions and 69 deletions.
2 changes: 1 addition & 1 deletion website/blog/2021-09-15-september-21-product-email.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ Give Jeremy a win and check out the [blog](http://blog.getdbt.com/getting-ready
### dbt v0.21.0-rc1
- Check out the [#dbt-prereleases](https://getdbt.slack.com/archives/C016X6ABVUK?utm_campaign=Monthly%20Product%20Updates&utm_source=hs_email&utm_medium=email&_hsenc=p2ANqtz-8nIpohDBSr7SvpXrqY-5ONmnjdIgW0XMiAPkjQTb9Pgwt24nzqAWNX2Xgtj8LA0LrPoHpD) channel in the dbt Community Slack, and Jeremy's [Discourse post](https://discourse.getdbt.com/t/prerelease-dbt-core-v0-21-louis-kahn/3077?utm_campaign=Monthly%20Product%20Updates&utm_source=hs_email&utm_medium=email&_hsenc=p2ANqtz-8nIpohDBSr7SvpXrqY-5ONmnjdIgW0XMiAPkjQTb9Pgwt24nzqAWNX2Xgtj8LA0LrPoHpD)!
- dbt build: Did you catch our teaser last month at [Staging](https://www.youtube.com/watch?v=-XRD_IjWX2U&utm_campaign=Monthly%20Product%20Updates&utm_source=hs_email&utm_medium=email&_hsenc=p2ANqtz-8nIpohDBSr7SvpXrqY-5ONmnjdIgW0XMiAPkjQTb9Pgwt24nzqAWNX2Xgtj8LA0LrPoHpD)?
- Defining resource configs in all the places you'd expect (i.e. yaml files)
- Defining resource configs in all the places you'd expect (i.e. YAML files)
- Capture changes to macros in state:modified, for best-yet Slim CI

![Screen Shot 2021-09-20 at 11.34.47 AM (1)](https://hs-8698602.f.hubspotemail.net/hub/8698602/hubfs/Screen%20Shot%202021-09-20%20at%2011.34.47%20AM%20(1).png?upscale=true&width=600&upscale=true&name=Screen%20Shot%202021-09-20%20at%2011.34.47%20AM%20(1).png)
Expand Down
4 changes: 2 additions & 2 deletions website/blog/2023-02-14-passing-the-dbt-certification-exam.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,13 +27,13 @@ In this article, two Montreal Analytics consultants, Jade and Callie, discuss th

**C:** To prepare for the exam I reviewed the official dbt Certification Study Guide and the [official dbt docs](https://docs.getdbt.com/), and attended group study and learning sessions that were hosted by Montreal Analytics for all employees interested in taking the exam. As a group, we prioritized subjects that we felt less familiar with; for the first cohort of test takers this was mainly newer topics that haven’t yet become integral to a typical dbt project, such as [doc blocks](https://docs.getdbt.com/docs/collaborate/documentation#using-docs-blocks) and [configurations versus properties](https://docs.getdbt.com/reference/configs-and-properties). These sessions mainly covered the highlights and common “gotchas” that are experienced using these techniques. The sessions were moderated by a team member who had already successfully completed the dbt Certification, but operated in a very collaborative environment, so everyone could provide additional information, ask questions to the group, and provide feedback to other members of our certification taking group.

I felt comfortable with the breadth of my dbt knowledge and had familiarity with most topics. However in my day-to-day implementation, I am often reliant on documentation or copying and pasting specific configurations in order to get the correct settings. Therefore, my focus was on memorizing important criteria for *how to use* certain features, particularly on the order/nesting of how the key yaml files are configured (dbt_project.yml, table.yml, source.yml).
I felt comfortable with the breadth of my dbt knowledge and had familiarity with most topics. However in my day-to-day implementation, I am often reliant on documentation or copying and pasting specific configurations in order to get the correct settings. Therefore, my focus was on memorizing important criteria for *how to use* certain features, particularly on the order/nesting of how the key YAML files are configured (dbt_project.yml, table.yml, source.yml).

## How did the test go?

**J:** With a cup of coffee I started my exam in high spirits and high stress. I had never taken a proctored exam before, so going into this I had to adjust to being on camera while taking a test and in general taking a test in my living room felt strange!

The first few questions were trickier than I’d anticipated, and my heart started beating a little faster as a result. I found the build-list questions, five lines of code to create a valid yaml or SQL file that accomplishes a certain task, particularly difficult.
The first few questions were trickier than I’d anticipated, and my heart started beating a little faster as a result. I found the build-list questions, five lines of code to create a valid YAML or SQL file that accomplishes a certain task, particularly difficult.

The exam consists of 65 questions, usually containing multiple parts, so by 90 minutes in I started to get tired. I’d flagged several questions and went back to check on those before submitting. At the time, I thought I answered about 60% of these questions right? Having lost my coffee buzz and with shaky confidence I submitted the test to see my result. Failed.

Expand Down
2 changes: 1 addition & 1 deletion website/docs/docs/build/seeds.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ Seeds are configured in your `dbt_project.yml`, check out the [seed configuratio


## Documenting and testing seeds
You can document and test seeds in yaml by declaring properties — check out the docs on [seed properties](seed-properties) for more information.
You can document and test seeds in YAML by declaring properties — check out the docs on [seed properties](seed-properties) for more information.

## FAQs
<FAQ src="Seeds/load-raw-data-with-seed" />
Expand Down
2 changes: 1 addition & 1 deletion website/docs/docs/building-a-dbt-project/building-models/python-models.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -172,7 +172,7 @@ def model(dbt, session):

</File>

There's a limit to how fancy you can get with the `dbt.config()` method. It accepts _only_ literal values (strings, booleans, and numeric types). Passing another function or a more complex data structure is not possible. The reason is that dbt statically analyzes the arguments to `config()` while parsing your model without executing your Python code. If you need to set a more complex configuration, we recommend you define it using the [`config` property](resource-properties/config) in a yaml file.
There's a limit to how fancy you can get with the `dbt.config()` method. It accepts _only_ literal values (strings, booleans, and numeric types). Passing another function or a more complex data structure is not possible. The reason is that dbt statically analyzes the arguments to `config()` while parsing your model without executing your Python code. If you need to set a more complex configuration, we recommend you define it using the [`config` property](resource-properties/config) in a YAML file.

#### Accessing project context

Expand Down
2 changes: 1 addition & 1 deletion website/docs/docs/cloud/about-cloud/architecture.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ For more detailed information on our security practices, read our [Security page

dbt Cloud's primary role is as a data processor, not a data store. The dbt Cloud application enables users to dispatch SQL to the warehouse for transformation. However, users can post SQL that returns customer data into the dbt Cloud application. This data never persists and will only exist in memory on the instance for the duration of the session. To lock down customer data correctly, proper <Term id="data-warehouse" /> permissions must be applied to prevent improper access or storage of sensitive data.

Some data warehouse providers offer advanced security features that can be leveraged in dbt Cloud. [PrivateLink](/docs/cloud/privatelink/about-privatelink) allows supported data platforms on AWS to communicate with dbt Cloud without the traffic traversing the public internet. [Snowflake](/docs/cloud/manage-access/set-up-snowflake-oauth) and [BigQuery](/docs/cloud/manage-access/set-up-bigquery-oauth) offer Oauth integration which adds a layer of security for the data platforms (Enterprise plan only).
Some data warehouse providers offer advanced security features that can be leveraged in dbt Cloud. [PrivateLink](/docs/cloud/secure/about-privatelink) allows supported data platforms on AWS to communicate with dbt Cloud without the traffic traversing the public internet. [Snowflake](/docs/cloud/manage-access/set-up-snowflake-oauth) and [BigQuery](/docs/cloud/manage-access/set-up-bigquery-oauth) offer Oauth integration which adds a layer of security for the data platforms (Enterprise plan only).

### Git sync

Expand Down
82 changes: 82 additions & 0 deletions website/docs/docs/cloud/manage-access/auth0-migration.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
---
title: "Migrating to Auth0 for SSO"
id: "auth0-migration"
sidebar: "SSO Auth0 Migration"
description: "Required actions for migrating to Auth0 for SSO services on dbt Cloud"
---

dbt Labs is partnering with Auth0 to bring enhanced features to dbt Cloud's single sign-on (SSO) capabilities. Auth0 is an identity and access management (IAM) platform with advanced security features, and it will be leveraged by dbt Cloud. These changes will require some action from customers with SSO configured in dbt Cloud today, and this guide will outline the necessary changes for each environment.

If you have not yet configured SSO in dbt Cloud, refer instead to our setup guides for [SAML](docs/cloud/manage-access/set-up-sso-saml-2.0), [Okta](docs/cloud/manage-access/set-up-sso-okta), [Google Workspace](docs/cloud/manage-access/set-up-sso-google-workspace), or [Azure Active Directory](docs/cloud/manage-access/set-up-sso-azure-active-directory) single sign-on services.

<Snippet src="auth0-uri" />

## SAML 2.0 and Okta

SAML 2.0 users must update a few fields in the SSO app configuration to match the new Auth0 URL and URI. You can approach this by editing the existing SSO app settings or creating a new one to accommodate the Auth0 settings. One approach isn't inherently better, so choose whichever works best for your organization.

The fields that will be updated are:
- Single sign-on URL &mdash; `https://<YOUR_AUTH0_URI>/login/callback?connection={slug}`
- Audience URI (SP Entity ID) &mdash; `urn:auth0:<YOUR_AUTH0_ENTITYID>:{slug}`

Replace {slug} with your organization’s login slug. It must be unique across all dbt Cloud instances and is usually something like your company name separated by dashes (for example, `dbt-labs`).

Here is an example of an updated SAML 2.0 setup in Okta.

<Lightbox src="/img/docs/dbt-cloud/access-control/new-okta-config.png" title="Okta configuration with new URL"/>

After the configuration is saved, your SAML settings should look something like this:

<Lightbox src="/img/docs/dbt-cloud/access-control/new-okta-completed.png" title="New Okta configuration completed"/>

Once you have saved this information in the SSO environment, you must edit some information in the dbt Cloud settings. Navigate to the **Account Settings**, update the single sign-on URL fields, and provide the updated x.509 certificate.

Make sure to enable the "Use Auth0" option to ensure that the traffic is routed correctly. _The Auth0 migration action is final and cannot be undone_

<Lightbox src="/img/docs/dbt-cloud/access-control/enable-auth0.png" title="Enable Auth0"/>

Save the settings and test the new configuration using the SSO login URL provided on the settings page.

## Google Workspace

Google Workspace admins updating their SSO APIs with the Auth0 URL won't have to do much if it is an existing setup. This can be done as a new project or by editing an existing SSO setup. No additional scopes are needed since this is migrating from an existing setup. All scopes were defined during the initial configuration.

Steps to update:

1. Open the [Google Cloud console](https://console.cloud.google.com/) and select the project with your dbt Cloud single sign-on settings. From the project page **Quick Access**, select **APIs and Services**

<Lightbox src="/img/docs/dbt-cloud/access-control/google-cloud-sso.png" title="Google Cloud Console"/>

2. Click **Credentials** from the left side pane and click the appropriate name from **OAuth 2.0 Client IDs**

<Lightbox src="/img/docs/dbt-cloud/access-control/sso-project.png" title="Select the OAuth 2.0 Client ID"/>

3. In the **Client ID for Web application** window, find the **Authorized Redirect URIs** field and click **Add URI** and enter `https://<YOUR_AUTH0_URI>/login/callback`.

Click **Save** once you are done.

<Lightbox src="/img/docs/dbt-cloud/access-control/google-uri.png" title="Add Redirect URI"/>

4. _You will need a person with Google Workspace admin privileges to complete these steps in dbt Cloud_. In dbt Cloud, navigate to the **Account Settings**, click on **Single Sign-on**, and then click **Edit** on the right side of the SSO pane. Enable the **Use Auth0** option and select **Save**. This will trigger an authorization window from Google that will require admin credentials. _The Auth0 migration action is final and cannot be undone_. Once the authentication has gone through, test the new configuration using the SSO login URL provided on the settings page.

<Lightbox src="/img/docs/dbt-cloud/access-control/enable-auth0.png" title="Enable Auth0"/>

## Azure Active Directory

Azure Active Directory admins will need to make a slight adjustment to the existing authentication app in the Azure AD portal. This migration does not require that the entire app be deleted or recreated; you can edit the existing app. Start by opening the Azure portal and navigating to the Active Directory overview.

1. Click **App Regitstrations** on the left side menu.

<Lightbox src="/img/docs/dbt-cloud/access-control/aad-app-registration.png" title="Select App Registrations"/>

2. Select the proper **dbt Cloud** app (name may vary) from the list. From the app overview, click on the hyperlink next to **Redirect URI**

<Lightbox src="/img/docs/dbt-cloud/access-control/app-overview.png" title="Click the Redirect URI hyperlink"/>

3. In the **Web** pane with **Redirect URIs**, click **Add URI** and enter the appropriate `https://<YOUR_AUTH0_URI>/login/callback`. Save the settings and verify it is counted in the updated app overview.

<Lightbox src="/img/docs/dbt-cloud/access-control/redirect-URI.png" title="Enter new redirect URI"/>

4. Navigate to the dbt Cloud environment and open the **Account Settings**. Click the **Single Sign-on** option from the left side menu and click the **Edit** option from the right side of the SSO pane. Select the **Enable Auth0** option and **Save**. _Once this option is enabled, it cannot be undone._

<Lightbox src="/img/docs/dbt-cloud/access-control/enable-auth0.png" title="Enable Auth0"/>
2 changes: 1 addition & 1 deletion website/docs/docs/cloud/manage-access/set-up-sso-azure-active-directory.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -171,4 +171,4 @@ Now you have completed setting up SSO with Azure AD, the next steps will be to s

Ensure that the domain name under which user accounts exist in Azure matches the domain you supplied in [Supplying credentials](#supplying-credentials) when you configured SSO.

<Lightbox collapsed="true" src="/img/docs/dbt-cloud/dbt-cloud-enterprise/azure/azure-get-domain.png" title="Obtaining the user domain from Azure" />
<Lightbox collapsed="true" src="/img/docs/dbt-cloud/dbt-cloud-enterprise/azure/azure-get-domain.png" title="Obtaining the user domain from Azure" />
0 ...cs/cloud/privatelink/about-privatelink.md → ...cs/docs/cloud/secure/about-privatelink.md
View file
File renamed without changes.
0 ...oud/privatelink/databricks-privatelink.md → ...cs/cloud/secure/databricks-privatelink.md
View file
File renamed without changes.
64 changes: 64 additions & 0 deletions website/docs/docs/cloud/secure/ip-restrictions.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
---
title: "Configuring IP restrictions"
id: ip-restrictions
description: "Configuring IP retrictions to outside traffic from accessing your dbt Cloud environment"
sidebar_label: "IP restrictions"
---

## About IP Restrictions

IP Restrictions help control which IP addresses are allowed to connect to dbt Cloud. IP restrictions allow dbt Cloud customers to meet security and compliance controls by only allowing approved IPs to connect to their dbt Cloud environment. This feature is supported in all regions across NA, Europe, and Asia-Pacific, but contact us if you have questions about availability.

## Configuring IP Restrictions

To configure IP restrictions, go to **Account Settings****IP Restrictions**. IP restrictions provide two methods for determining which IPs can access dbt Cloud: an allowlist and a blocklist. IPs in the allowlist are allowed to access dbt Cloud, and IPs in the deny list will be blocked from accessing dbt Cloud. IP Restrictions can be used for a range of use cases, including:

- Only allowing corporate VPN traffic and deny all other traffic
- Deny IPs flagged by the Security team
- Allow only VPN traffic but make an exception for contractors’ IP addresses

IP restrictions will block all user requests done via the API (via personal user token) and the UI. Service tokens are exempt from IP restrictions and can still make requests to dbt Cloud API.

### Allowing IPs

To add an IP to the allowlist, from the **IP Restrictions** page:

1. Click **edit**
2. Click **Add Rule**
3. Add name and description for the rule
- For example, Corporate VPN CIDR Range
4. Select **Allow**
5. Add the ranges in the CIDR notation
- For example, 1.1.1.1/8
- You can add multiple ranges followed by commas
6. Click **Save**

Note that simply adding the IP Ranges will not enforce IP restrictions. For more information, see the section “Enabling Restrictions.”

If you only want to allow the IP ranges added to this list and deny all other requests, adding a denylist is not necessary. By default, if only an allow list is added, dbt Cloud will only allow IPs in the allowable range and deny all other IPs. However, you can add a denylist if you want to deny specific IP addresses within your allowlist CIDR range.

### Blocking IPs (deny)

If you have an IP(s) defined in the allowlist that needs to be denied, you can add those IP ranges to the denylist by doing the following:

1. Click **Edit**
2. Click **Add Rule**
3. Add name and description for the rule
- For example, "Corporate VPN Deny Range"
4. Select **Deny**
5. Add the ranges or the individual IP addresses in CIDR notation
6. Click **Save**

:::note Duplicate IP addresses

If identical IP addresses are in both the allow and block configurations, whichever is entered second will fail to save.

It is possible to put an IP range on one list and then a sub-range or IP address that is part of it on the other. Using USA (Range) and NY(sub-range) as an example, the expected behavior is:
- USA is on denylist and NY in allowlist - Traffic from the USA will be blocked, but IPs from NY will be allowed.
- USA is on the allowlist, and NY is on the denylist - USA traffic will be allowed, but IPs from NY will be blocked.

:::

## Enabling Restrictions

Once you are done adding all your ranges, IP restrictions can be enabled by selecting the **Enable IP restrictions** button and clicking **Save**. If your IP address is in any of the denylist ranges, you won’t be able to save or enable IP restrictions - this is done to prevent accidental account lockouts. If you do get locked out due to IP changes on your end, please reach out to [email protected]
0 ...cloud/privatelink/redshift-privatelink.md → ...docs/cloud/secure/redshift-privatelink.md
View file
File renamed without changes.
0 ...loud/privatelink/snowflake-privatelink.md → ...ocs/cloud/secure/snowflake-privatelink.md
View file
File renamed without changes.
2 changes: 1 addition & 1 deletion website/docs/docs/collaborate/govern/model-access.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ models:
</File>
Each model can only belong to one `group`, and groups cannot be nested. If you set a different `group` in that model's yaml or in-file config, it will override the `group` applied at the project level.
Each model can only belong to one `group`, and groups cannot be nested. If you set a different `group` in that model's YAML or in-file config, it will override the `group` applied at the project level.

## Access modifiers

Expand Down
2 changes: 1 addition & 1 deletion website/docs/docs/collaborate/govern/model-contracts.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -83,7 +83,7 @@ models:
</File>

When building a model with a defined contract, dbt will do two things differently:
1. dbt will run a "preflight" check to ensure that the model's query will return a set of columns with names and data types matching the ones you have defined. This check is agnostic to the order of columns specified in your model (SQL) or yaml spec.
1. dbt will run a "preflight" check to ensure that the model's query will return a set of columns with names and data types matching the ones you have defined. This check is agnostic to the order of columns specified in your model (SQL) or YAML spec.
2. dbt will include the column names, data types, and constraints in the DDL statements it submits to the data platform, which will be enforced while building or updating the model's table.

## FAQs
Expand Down
Loading

0 comments on commit 747cfc7

Please sign in to comment.