Snowflake Storage Integration Terraform Module

We help companies turn their data into assets

---

Terraform module for Snowflake storage integration management.

• Creates Snowflake storage integration
• Can create custom Snowflake roles with role-to-role, role-to-user assignments
• Can create a set of default roles to simplify access management:
  • READONLY - granted USAGE privilege

Breaking changes in v3.x of the module

Due to replacement of nulllabel (context.tf) with context provider, some breaking changes were introduced in v3.0.0 version of this module.

List od code and variable (API) changes:

• Removed context.tf file (a single-file module with additonal variables), which implied a removal of all its variables (except name):
  • descriptor_formats
  • label_value_case
  • label_key_case
  • id_length_limit
  • regex_replace_chars
  • label_order
  • additional_tag_map
  • tags
  • labels_as_tags
  • attributes
  • delimiter
  • stage
  • environment
  • tenant
  • namespace
  • enabled
  • context
• Changed support for enabled flag - that might cause some backward compatibility issues with terraform state (please take into account that proper move clauses were added to minimize the impact), but proceed with caution
• Additional context provider configuration
• New variables were added, to allow naming configuration via context provider:
  • context_templates
  • name_schema

Breaking changes in v4.x of the module

• Due to rename of Snowflake terraform provider source, all versions.tf files were updated accordingly.

  Please keep in mind to mirror this change in your own repos also.

  For more information about provider rename, refer to Snowflake documentation.

• Maximal version of supported provider was also unblocked in version v4.1.x , so keep in mind that, starting with Snowflake provider version 1.x, the snowflake_stage resource is considered a preview feature and must be explicitly enabled in the provider configuration.

  Required Provider Configuration:

  provider "snowflake" {
    preview_features_enabled = ["snowflake_storage_integration_resource"]
  }

  Without this configuration, you will encounter the following error:

  Error: snowflake_storage_integration_resource is currently a preview feature, and must be enabled by adding snowflake_storage_integration_resource to preview_features_enabled in Terraform configuration.

  For more information about preview features, refer to the Snowflake provider documentation and Snowflake storage integration resource documentation.

USAGE

data "azurerm_client_config" "current" {}

module "snowflake_storage_integration" {
  source = "getindata/storage-integration/snowflake"
  # version  = "x.x.x"

  name = "my_integration"

  type                      = "EXTERNAL_STAGE"
  storage_provider          = "AZURE"
  storage_allowed_locations = ["azure://mystorageaccount.blob.core.windows.net/raw/"]
  azure_tenant_id           = data.azurerm_client_config.current.tenant_id
  
  create_default_roles = true
}

EXAMPLES

• Azure integration - Advanced usage of the module with Azure Storage integration

Inputs

Name	Description	Type	Default	Required
azure_tenant_id	Azure tenant ID. Required if storage provider is type of AZURE	string	null	no
comment	Specifies comment for the storage integration	string	null	no
context_templates	Map of context templates used for naming conventions - this variable supersedes naming_scheme.properties and naming_scheme.delimiter configuration	map(string)	{}	no
create_default_roles	Whether the default roles should be created	bool	false	no
enabled	Whether the storage integration is enabled	bool	true	no
name	Name of the resource	string	n/a	yes
name_scheme	Naming scheme configuration for the resource. This configuration is used to generate names using context provider: - properties - list of properties to use when creating the name - is superseded by var.context_templates - delimiter - delimited used to create the name from properties - is superseded by var.context_templates - context_template_name - name of the context template used to create the name - replace_chars_regex - regex to use for replacing characters in property-values created by the provider - any characters that match the regex will be removed from the name - extra_values - map of extra label-value pairs, used to create a name - uppercase - convert name to uppercase	object({ properties = optional(list(string), ["environment", "name"]) delimiter = optional(string, "_") context_template_name = optional(string, "snowflake-storage-integration") replace_chars_regex = optional(string, "[^a-zA-Z0-9_]") extra_values = optional(map(string)) uppercase = optional(bool, true) })	{}	no
roles	Roles created in the database scope	map(object({ name_scheme = optional(object({ properties = optional(list(string)) delimiter = optional(string) context_template_name = optional(string) replace_chars_regex = optional(string) extra_labels = optional(map(string)) uppercase = optional(bool) })) comment = optional(string) role_ownership_grant = optional(string) granted_roles = optional(list(string)) granted_to_roles = optional(list(string)) granted_to_users = optional(list(string)) integration_grants = optional(object({ all_privileges = optional(bool) with_grant_option = optional(bool, false) privileges = optional(list(string)) })) }))	{}	no
storage_allowed_locations	Explicitly limits external stages that use the integration to reference one or more storage locations	list(string)	n/a	yes
storage_aws_object_acl	Value of "bucket-owner-full-control" enables support for AWS access control lists (ACLs) to grant the bucket owner full control	string	null	no
storage_aws_role_arn	AWS Role ARN	string	null	no
storage_blocked_locations	Explicitly prohibits external stages that use the integration from referencing one or more storage locations	list(string)	[]	no
storage_provider	Storage provider name. Possible values are: S3, S3GOV, GCS, AZURE	string	n/a	yes
type	Type of the storage integration. Defaults: EXTERNAL_STAGE	string	"EXTERNAL_STAGE"	no

Modules

Name	Source	Version
roles_deep_merge	Invicton-Labs/deepmerge/null	0.1.5
snowflake_custom_role	getindata/role/snowflake	4.0.0
snowflake_default_role	getindata/role/snowflake	4.0.0

Outputs

Name	Description
azure_consent_url	The consent URL that is used to create an Azure Snowflake service principle inside your tenant
azure_multi_tenant_app_name	This is the name of the Snowflake client application created for your account
azure_tenant_id	ID of the tenant
comment	Specifies comment for the storage integration
enabled	Whether the storage integration is enabled
name	Name of the storage integration
roles	This storage integration access roles
storage_allowed_locations	Explicitly limits external stages that use the integration to reference one or more storage locations
storage_aws_external_id	The external ID that Snowflake will use when assuming the AWS role
storage_aws_iam_user_arn	The Snowflake user that will attempt to assume the AWS role
storage_aws_object_acl	Name of the AWS access control lists (ACLs)
storage_aws_role_arn	AWS Role ARN
storage_blocked_locations	Explicitly prohibits external stages that use the integration from referencing one or more storage locations
storage_gcp_service_account	This is the name of the Snowflake Google Service Account created for your account
storage_provider	Storage provider name
type	Type of the storage integration

Providers

Name	Version
context	>=0.4.0
snowflake	>= 0.94

Requirements

Name	Version
terraform	>= 1.3
context	>=0.4.0
snowflake	>= 0.94

Resources

Name	Type
snowflake_storage_integration.this	resource
context_label.this	data source

CONTRIBUTING

Contributions are very welcomed!

Start by reviewing contribution guide and our code of conduct. After that, start coding and ship your changes by creating a new PR.

LICENSE

Apache 2 Licensed. See LICENSE for full details.

AUTHORS

Made with contrib.rocks.