Snowflake Role Terraform Module

We help companies turn their data into assets

---

Terraform module for managing Snowflake roles. Additionally, this module allows creating multiple grants on different Snowflake resources, specifying other roles to be granted and grantees (other roles and users).

USAGE

module "snowflake_role" {
  source = "github.com/getindata/terraform-snowflake-role"
  
  name = "LOGS_DATABASE_READER"

  granted_to_users = ["JANE_SMITH", "JOHN_DOE"]
  granted_application_roles = ["SNOWFLAKE.BUDGET_VIEWER", "SNOWFLAKE.COST_INSIGHTS_USER"]

 account_grants = [
    {
      privileges = ["CREATE DATABASE"]
    }
  ]

  account_objects_grants = {
    "DATABASE" = [
      {
        privileges    = ["USAGE"]
        object_name    = "LOGS_DB"
      }
    ]
  }

  schema_grants = [
    {
      database_name = "LOGS_DB"
      schema_name   = "BRONZE"
      privileges    = ["USAGE"]
    }
  ]
  
  schema_objects_grants = {
    TABLE = [
      {
        database_name = "LOGS_DB"
        schema_name   = "BRONZE"
        on_future     = true
        privileges    = ["SELECT"]
      }
    ]

    VIEW = [
      {
        database_name  = snowflake_database.this.name
        on_future      = true
        all_privileges = true
      }
    ]
  }
}

EXAMPLES

• Simple - creates a role
• Complete - creates a role with example grants

Breaking changes in v2.x of the module

Due to breaking changes in Snowflake provider and additional code optimizations, breaking changes were introduced in v2.0.0 version of this module.

List of code and variable (API) changes:

• Switched to snowflake_account_role resource instead of provider-deprecated snowflake_role
• Switched to snowflake_grant_privileges_to_account_role resource instead of provider-removed snowflake_*_grant
• Switched to snowflake_grant_account_role resource instead of provider-removed snowflake_role_grants
• Switched to snowflake_grant_ownership resource instead of provider-removed snowflake_role_ownership_grant
• Variable account_grants type changed from list(string) to list(object({..}))
• Variable schema_grants type changed
• Below variables were removed and replaced with aggregated / complex account_object_grants and schema_object_grants:
  • database_grants
  • table_grants
  • external_table_grants
  • view_grants
  • dynamic_table_grants

When upgrading from v1.x, expect most of the resources to be recreated - if recreation is impossible, then it is possible to import some existing resources.

For more information, refer to variables.tf, list of inputs below and Snowflake provider documentation

Breaking changes in v3.x of the module

Due to replacement of nulllabel (context.tf) with context provider, some breaking changes were introduced in v3.0.0 version of this module.

List od code and variable (API) changes:

• Removed context.tf file (a single-file module with additonal variables), which implied a removal of all its variables (except name):
  • descriptor_formats
  • label_value_case
  • label_key_case
  • id_length_limit
  • regex_replace_chars
  • label_order
  • additional_tag_map
  • tags
  • labels_as_tags
  • attributes
  • delimiter
  • stage
  • environment
  • tenant
  • namespace
  • enabled
  • context
• Remove support enabled flag - that might cause some backward compatibility issues with terraform state (please take into account that proper move clauses were added to minimize the impact), but proceed with caution
• Additional context provider configuration
• New variables were added, to allow naming configuration via context provider:
  • context_templates
  • name_schema

Breaking changes in v4.x of the module

Due to rename of Snowflake terraform provider source, all versions.tf files were updated accordingly.

Please keep in mind to mirror this change in your own repos also.

For more information about provider rename, refer to Snowflake documentation.

Inputs

Name	Description	Type	Default	Required
account_grants	Grants on a account level	list(object({ all_privileges = optional(bool) with_grant_option = optional(bool, false) privileges = optional(list(string), null) }))	[]	no
account_objects_grants	Grants on account object level. Account objects list: USER | RESOURCE MONITOR | WAREHOUSE | COMPUTE POOL | DATABASE | INTEGRATION | FAILOVER GROUP | REPLICATION GROUP | EXTERNAL VOLUME Object type is used as a key in the map. Exmpale usage: account_object_grants = { "WAREHOUSE" = [ { all_privileges = true with_grant_option = true object_name = "TEST_USER" } ] "DATABASE" = [ { privileges = ["CREATE SCHEMA", "CREATE DATABASE ROLE"] object_name = "TEST_DATABASE" }, { privileges = ["CREATE SCHEMA"] object_name = "OTHER_DATABASE" } ] } Note: You can find a list of all object types here	map(list(object({ all_privileges = optional(bool) with_grant_option = optional(bool, false) privileges = optional(list(string), null) object_name = string })))	{}	no
comment	Role description	string	null	no
context_templates	Map of context templates used for naming conventions - this variable supersedes naming_scheme.properties and naming_scheme.delimiter configuration	map(string)	{}	no
granted_application_roles	Application Roles granted to this role	list(string)	[]	no
granted_database_roles	Database Roles granted to this role	list(string)	[]	no
granted_roles	Roles granted to this role	list(string)	[]	no
granted_to_roles	Roles which this role is granted to	list(string)	[]	no
granted_to_users	Users which this role is granted to	list(string)	[]	no
name	Name of the resource	string	n/a	yes
name_scheme	Naming scheme configuration for the resource. This configuration is used to generate names using context provider: - properties - list of properties to use when creating the name - is superseded by var.context_templates - delimiter - delimited used to create the name from properties - is superseded by var.context_templates - context_template_name - name of the context template used to create the name - replace_chars_regex - regex to use for replacing characters in property-values created by the provider - any characters that match the regex will be removed from the name - extra_values - map of extra label-value pairs, used to create a name - uppercase - convert name to uppercase	object({ properties = optional(list(string), ["environment", "name"]) delimiter = optional(string, "_") context_template_name = optional(string, "snowflake-role") replace_chars_regex = optional(string, "[^a-zA-Z0-9_]") extra_values = optional(map(string)) uppercase = optional(bool, true) })	{}	no
role_ownership_grant	The name of the role to grant ownership	string	null	no
schema_grants	Grants on a schema level	list(object({ all_privileges = optional(bool) with_grant_option = optional(bool, false) privileges = optional(list(string), null) all_schemas_in_database = optional(bool, false) future_schemas_in_database = optional(bool, false) database_name = string schema_name = optional(string, null) }))	[]	no
schema_objects_grants	Grants on a schema object level Example usage: schema_objects_grants = { "TABLE" = [ { privileges = ["SELECT"] object_name = snowflake_table.table_1.name schema_name = snowflake_schema.this.name }, { all_privileges = true object_name = snowflake_table.table_2.name schema_name = snowflake_schema.this.name } ] "ALERT" = [ { all_privileges = true on_future = true on_all = true } ] } Note: If you don't provide a schema_name, the grants will be created for all objects of that type in the database. You can find a list of all object types here	map(list(object({ all_privileges = optional(bool) with_grant_option = optional(bool) privileges = optional(list(string)) object_name = optional(string) on_all = optional(bool, false) schema_name = optional(string) database_name = string on_future = optional(bool, false) })))	{}	no

Modules

No modules.

Outputs

Name	Description
name	Name of the role

Providers

Name	Version
context	>=0.4.0
snowflake	>= 0.94

Requirements

Name	Version
terraform	>= 1.3
context	>=0.4.0
snowflake	>= 0.94

Resources

Name	Type
snowflake_account_role.this	resource
snowflake_grant_account_role.granted_roles	resource
snowflake_grant_account_role.granted_to_roles	resource
snowflake_grant_account_role.granted_to_users	resource
snowflake_grant_application_role.granted_app_roles	resource
snowflake_grant_database_role.granted_db_roles	resource
snowflake_grant_ownership.this	resource
snowflake_grant_privileges_to_account_role.account_grants	resource
snowflake_grant_privileges_to_account_role.account_object_grants	resource
snowflake_grant_privileges_to_account_role.schema_grants	resource
snowflake_grant_privileges_to_account_role.schema_objects_grants	resource
context_label.this	data source

CONTRIBUTING

Contributions are very welcomed!

Start by reviewing contribution guide and our code of conduct. After that, start coding and ship your changes by creating a new PR.

LICENSE

Apache 2 Licensed. See LICENSE for full details.

AUTHORS

Made with contrib.rocks.