{"id":21514846,"url":"https://github.com/getindata/terraform-snowflake-role","last_synced_at":"2025-04-09T20:11:40.527Z","repository":{"id":137896394,"uuid":"572093670","full_name":"getindata/terraform-snowflake-role","owner":"getindata","description":"Terraform module for managing Snowflake role and grants","archived":false,"fork":false,"pushed_at":"2025-01-07T11:36:29.000Z","size":131,"stargazers_count":10,"open_issues_count":2,"forks_count":2,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-04-09T20:11:34.946Z","etag":null,"topics":["module","snowflake","terraform"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/getindata.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-11-29T14:40:09.000Z","updated_at":"2025-01-17T17:46:24.000Z","dependencies_parsed_at":"2024-07-18T09:43:14.319Z","dependency_job_id":"33d3972c-c6d7-4e2d-a8b5-7a971a3491d4","html_url":"https://github.com/getindata/terraform-snowflake-role","commit_stats":null,"previous_names":[],"tags_count":12,"template":false,"template_full_name":"getindata/terraform-module-template","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/getindata%2Fterraform-snowflake-role","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/getindata%2Fterraform-snowflake-role/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/getindata%2Fterraform-snowflake-role/releases","manifests_url":"https://repos.ecosy
ste.ms/api/v1/hosts/GitHub/repositories/getindata%2Fterraform-snowflake-role/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/getindata","download_url":"https://codeload.github.com/getindata/terraform-snowflake-role/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248103872,"owners_count":21048245,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["module","snowflake","terraform"],"created_at":"2024-11-23T23:53:13.107Z","updated_at":"2025-04-09T20:11:40.499Z","avatar_url":"https://github.com/getindata.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Snowflake Role Terraform Module\n\n![Snowflake](https://img.shields.io/badge/-SNOWFLAKE-249edc?style=for-the-badge\u0026logo=snowflake\u0026logoColor=white)\n![Terraform](https://img.shields.io/badge/terraform-%235835CC.svg?style=for-the-badge\u0026logo=terraform\u0026logoColor=white)\n\n![License](https://badgen.net/github/license/getindata/terraform-snowflake-role/)\n![Release](https://badgen.net/github/release/getindata/terraform-snowflake-role/)\n\n\u003cp align=\"center\"\u003e\n  \u003cimg height=\"150\" src=\"https://getindata.com/img/logo.svg\"\u003e\n  \u003ch3 align=\"center\"\u003eWe help companies turn their data into assets\u003c/h3\u003e\n\u003c/p\u003e\n\n---\n\nTerraform module for managing Snowflake roles. 
\nAdditionally, this module allows creating multiple grants on different Snowflake resources, specifying other roles to be granted and grantees (other roles and users).\n\n## USAGE\n\n```terraform\nmodule \"snowflake_role\" {\n  source = \"github.com/getindata/terraform-snowflake-role\"\n  \n  name = \"LOGS_DATABASE_READER\"\n\n  granted_to_users = [\"JANE_SMITH\", \"JOHN_DOE\"]\n\n account_grants = [\n    {\n      privileges = [\"CREATE DATABASE\"]\n    }\n  ]\n\n  account_objects_grants = {\n    \"DATABASE\" = [\n      {\n        privileges    = [\"USAGE\"]\n        object_name    = \"LOGS_DB\"\n      }\n    ]\n  }\n\n  schema_grants = [\n    {\n      database_name = \"LOGS_DB\"\n      schema_name   = \"BRONZE\"\n      privileges    = [\"USAGE\"]\n    }\n  ]\n  \n  schema_objects_grants = {\n    TABLE = [\n      {\n        database_name = \"LOGS_DB\"\n        schema_name   = \"BRONZE\"\n        on_future     = true\n        privileges    = [\"SELECT\"]\n      }\n    ]\n\n    VIEW = [\n      {\n        database_name  = snowflake_database.this.name\n        on_future      = true\n        all_privileges = true\n      }\n    ]\n  }\n}\n```\n\n## EXAMPLES\n\n- [Simple](examples/simple) - creates a role\n- [Complete](examples/complete) - creates a role with example grants\n\n## Breaking changes in v2.x of the module\n\nDue to breaking changes in Snowflake provider and additional code optimizations, **breaking changes** were introduced in `v2.0.0` version of this module.\n\nList of code and variable (API) changes:\n\n- Switched to `snowflake_account_role` resource instead of provider-deprecated `snowflake_role`\n- Switched to `snowflake_grant_privileges_to_account_role` resource instead of provider-removed `snowflake_*_grant`\n- Switched to `snowflake_grant_account_role` resource instead of provider-removed `snowflake_role_grants`\n- Switched to `snowflake_grant_ownership` resource instead of provider-removed `snowflake_role_ownership_grant`\n- Variable `account_grants` 
type changed from `list(string)` to `list(object({..}))`\n- Variable `schema_grants` type changed\n- The variables below were removed and replaced with aggregated / complex `account_objects_grants` and `schema_objects_grants`:\n  - `database_grants`\n  - `table_grants`\n  - `external_table_grants`\n  - `view_grants`\n  - `dynamic_table_grants`\n\nWhen upgrading from `v1.x`, expect most of the resources to be recreated - if recreation is impossible, then it is possible to import some existing resources.\n\nFor more information, refer to [variables.tf](variables.tf), list of inputs below and Snowflake provider documentation.\n\n## Breaking changes in v3.x of the module\n\nDue to replacement of null-label (`context.tf`) with context provider, some **breaking changes** were introduced in `v3.0.0` version of this module.\n\nList of code and variable (API) changes:\n\n- Removed `context.tf` file (a single-file module with additional variables), which implied a removal of all its variables (except `name`):\n  - `descriptor_formats`\n  - `label_value_case`\n  - `label_key_case`\n  - `id_length_limit`\n  - `regex_replace_chars`\n  - `label_order`\n  - `additional_tag_map`\n  - `tags`\n  - `labels_as_tags`\n  - `attributes`\n  - `delimiter`\n  - `stage`\n  - `environment`\n  - `tenant`\n  - `namespace`\n  - `enabled`\n  - `context`\n- Removed support for the `enabled` flag - that might cause some backward compatibility issues with terraform state (please take into account that proper `moved` clauses were added to minimize the impact), but proceed with caution\n- Additional `context` provider configuration\n- New variables were added, to allow naming configuration via `context` provider:\n  - `context_templates`\n  - `name_scheme`\n\n\u003c!-- BEGIN_TF_DOCS --\u003e\n\n\n\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_account_grants\"\u003e\u003c/a\u003e [account\\_grants](#input\\_account\\_grants) 
| Grants on an account level | \u003cpre\u003elist(object({\u003cbr/\u003e    all_privileges    = optional(bool)\u003cbr/\u003e    with_grant_option = optional(bool, false)\u003cbr/\u003e    privileges        = optional(list(string), null)\u003cbr/\u003e  }))\u003c/pre\u003e | `[]` | no |\n| \u003ca name=\"input_account_objects_grants\"\u003e\u003c/a\u003e [account\\_objects\\_grants](#input\\_account\\_objects\\_grants) | Grants on account object level.\u003cbr/\u003e  Account objects list: USER \\| RESOURCE MONITOR \\| WAREHOUSE \\| COMPUTE POOL \\| DATABASE \\| INTEGRATION \\| FAILOVER GROUP \\| REPLICATION GROUP \\| EXTERNAL VOLUME\u003cbr/\u003e  Object type is used as a key in the map.\u003cbr/\u003e\u003cbr/\u003e  Example usage:\u003cpre\u003eaccount_objects_grants = {\u003cbr/\u003e    \"WAREHOUSE\" = [\u003cbr/\u003e      {\u003cbr/\u003e        all_privileges = true\u003cbr/\u003e        with_grant_option = true\u003cbr/\u003e        object_name = \"TEST_USER\"\u003cbr/\u003e      }\u003cbr/\u003e    ]\u003cbr/\u003e    \"DATABASE\" = [\u003cbr/\u003e      {\u003cbr/\u003e        privileges = [\"CREATE SCHEMA\", \"CREATE DATABASE ROLE\"]\u003cbr/\u003e        object_name = \"TEST_DATABASE\"\u003cbr/\u003e      },\u003cbr/\u003e      {\u003cbr/\u003e        privileges = [\"CREATE SCHEMA\"]\u003cbr/\u003e        object_name = \"OTHER_DATABASE\"\u003cbr/\u003e      }\u003cbr/\u003e    ]\u003cbr/\u003e  }\u003c/pre\u003eNote: You can find a list of all object types [here](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_privileges_to_account_role#nested-schema-for-on_account_object) | \u003cpre\u003emap(list(object({\u003cbr/\u003e    all_privileges    = optional(bool)\u003cbr/\u003e    with_grant_option = optional(bool, false)\u003cbr/\u003e    privileges        = optional(list(string), null)\u003cbr/\u003e    object_name       = string\u003cbr/\u003e  })))\u003c/pre\u003e | `{}` | no |\n| \u003ca 
name=\"input_comment\"\u003e\u003c/a\u003e [comment](#input\\_comment) | Role description | `string` | `null` | no |\n| \u003ca name=\"input_context_templates\"\u003e\u003c/a\u003e [context\\_templates](#input\\_context\\_templates) | Map of context templates used for naming conventions - this variable supersedes `name_scheme.properties` and `name_scheme.delimiter` configuration | `map(string)` | `{}` | no |\n| \u003ca name=\"input_granted_database_roles\"\u003e\u003c/a\u003e [granted\\_database\\_roles](#input\\_granted\\_database\\_roles) | Database Roles granted to this role | `list(string)` | `[]` | no |\n| \u003ca name=\"input_granted_roles\"\u003e\u003c/a\u003e [granted\\_roles](#input\\_granted\\_roles) | Roles granted to this role | `list(string)` | `[]` | no |\n| \u003ca name=\"input_granted_to_roles\"\u003e\u003c/a\u003e [granted\\_to\\_roles](#input\\_granted\\_to\\_roles) | Roles which this role is granted to | `list(string)` | `[]` | no |\n| \u003ca name=\"input_granted_to_users\"\u003e\u003c/a\u003e [granted\\_to\\_users](#input\\_granted\\_to\\_users) | Users which this role is granted to | `list(string)` | `[]` | no |\n| \u003ca name=\"input_name\"\u003e\u003c/a\u003e [name](#input\\_name) | Name of the resource | `string` | n/a | yes |\n| \u003ca name=\"input_name_scheme\"\u003e\u003c/a\u003e [name\\_scheme](#input\\_name\\_scheme) | Naming scheme configuration for the resource. 
This configuration is used to generate names using context provider:\u003cbr/\u003e    - `properties` - list of properties to use when creating the name - is superseded by `var.context_templates`\u003cbr/\u003e    - `delimiter` - delimiter used to create the name from `properties` - is superseded by `var.context_templates`\u003cbr/\u003e    - `context_template_name` - name of the context template used to create the name\u003cbr/\u003e    - `replace_chars_regex` - regex to use for replacing characters in property-values created by the provider - any characters that match the regex will be removed from the name\u003cbr/\u003e    - `extra_values` - map of extra label-value pairs, used to create a name\u003cbr/\u003e    - `uppercase` - convert name to uppercase | \u003cpre\u003eobject({\u003cbr/\u003e    properties            = optional(list(string), [\"environment\", \"name\"])\u003cbr/\u003e    delimiter             = optional(string, \"_\")\u003cbr/\u003e    context_template_name = optional(string, \"snowflake-role\")\u003cbr/\u003e    replace_chars_regex   = optional(string, \"[^a-zA-Z0-9_]\")\u003cbr/\u003e    extra_values          = optional(map(string))\u003cbr/\u003e    uppercase             = optional(bool, true)\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_role_ownership_grant\"\u003e\u003c/a\u003e [role\\_ownership\\_grant](#input\\_role\\_ownership\\_grant) | The name of the role to grant ownership | `string` | `null` | no |\n| \u003ca name=\"input_schema_grants\"\u003e\u003c/a\u003e [schema\\_grants](#input\\_schema\\_grants) | Grants on a schema level | \u003cpre\u003elist(object({\u003cbr/\u003e    all_privileges             = optional(bool)\u003cbr/\u003e    with_grant_option          = optional(bool, false)\u003cbr/\u003e    privileges                 = optional(list(string), null)\u003cbr/\u003e    all_schemas_in_database    = optional(bool, false)\u003cbr/\u003e    future_schemas_in_database = optional(bool, 
false)\u003cbr/\u003e    database_name              = string\u003cbr/\u003e    schema_name                = optional(string, null)\u003cbr/\u003e  }))\u003c/pre\u003e | `[]` | no |\n| \u003ca name=\"input_schema_objects_grants\"\u003e\u003c/a\u003e [schema\\_objects\\_grants](#input\\_schema\\_objects\\_grants) | Grants on a schema object level\u003cbr/\u003e\u003cbr/\u003e  Example usage:\u003cpre\u003eschema_objects_grants = {\u003cbr/\u003e    \"TABLE\" = [\u003cbr/\u003e      {\u003cbr/\u003e        privileges  = [\"SELECT\"]\u003cbr/\u003e        object_name = snowflake_table.table_1.name\u003cbr/\u003e        schema_name = snowflake_schema.this.name\u003cbr/\u003e      },\u003cbr/\u003e      {\u003cbr/\u003e        all_privileges = true\u003cbr/\u003e        object_name    = snowflake_table.table_2.name\u003cbr/\u003e        schema_name    = snowflake_schema.this.name\u003cbr/\u003e      }\u003cbr/\u003e    ]\u003cbr/\u003e    \"ALERT\" = [\u003cbr/\u003e      {\u003cbr/\u003e        all_privileges = true\u003cbr/\u003e        on_future      = true\u003cbr/\u003e        on_all         = true\u003cbr/\u003e      }\u003cbr/\u003e    ]\u003cbr/\u003e  }\u003c/pre\u003eNote: If you don't provide a schema\\_name, the grants will be created for all objects of that type in the database.\u003cbr/\u003e        You can find a list of all object types [here](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_privileges_to_database_role#object_type) | \u003cpre\u003emap(list(object({\u003cbr/\u003e    all_privileges    = optional(bool)\u003cbr/\u003e    with_grant_option = optional(bool)\u003cbr/\u003e    privileges        = optional(list(string))\u003cbr/\u003e    object_name       = optional(string)\u003cbr/\u003e    on_all            = optional(bool, false)\u003cbr/\u003e    schema_name       = optional(string)\u003cbr/\u003e    database_name     = string\u003cbr/\u003e    on_future         = optional(bool, 
false)\u003cbr/\u003e  })))\u003c/pre\u003e | `{}` | no |\n\n## Modules\n\nNo modules.\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_name\"\u003e\u003c/a\u003e [name](#output\\_name) | Name of the role |\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_context\"\u003e\u003c/a\u003e [context](#provider\\_context) | \u003e=0.4.0 |\n| \u003ca name=\"provider_snowflake\"\u003e\u003c/a\u003e [snowflake](#provider\\_snowflake) | \u003e= 0.94 |\n\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 1.3 |\n| \u003ca name=\"requirement_context\"\u003e\u003c/a\u003e [context](#requirement\\_context) | \u003e=0.4.0 |\n| \u003ca name=\"requirement_snowflake\"\u003e\u003c/a\u003e [snowflake](#requirement\\_snowflake) | \u003e= 0.94 |\n\n## Resources\n\n| Name | Type |\n|------|------|\n| [snowflake_account_role.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/account_role) | resource |\n| [snowflake_grant_account_role.granted_roles](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |\n| [snowflake_grant_account_role.granted_to_roles](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |\n| [snowflake_grant_account_role.granted_to_users](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_account_role) | resource |\n| [snowflake_grant_database_role.granted_db_roles](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_database_role) | resource |\n| [snowflake_grant_ownership.this](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_ownership) | resource |\n| 
[snowflake_grant_privileges_to_account_role.account_grants](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_privileges_to_account_role) | resource |\n| [snowflake_grant_privileges_to_account_role.account_object_grants](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_privileges_to_account_role) | resource |\n| [snowflake_grant_privileges_to_account_role.schema_grants](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_privileges_to_account_role) | resource |\n| [snowflake_grant_privileges_to_account_role.schema_objects_grants](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/grant_privileges_to_account_role) | resource |\n| [context_label.this](https://registry.terraform.io/providers/cloudposse/context/latest/docs/data-sources/label) | data source |\n\u003c!-- END_TF_DOCS --\u003e\n\n## CONTRIBUTING\n\nContributions are very welcome!\n\nStart by reviewing the [contribution guide](CONTRIBUTING.md) and our [code of conduct](CODE_OF_CONDUCT.md). After that, start coding and ship your changes by creating a new PR.\n\n## LICENSE\n\nApache 2 Licensed. See [LICENSE](LICENSE) for full details.\n\n## AUTHORS\n\n\u003c!--- Replace repository name --\u003e\n\u003ca href=\"https://github.com/getindata/terraform-snowflake-role/graphs/contributors\"\u003e\n  \u003cimg src=\"https://contrib.rocks/image?repo=getindata/terraform-snowflake-role\" /\u003e\n\u003c/a\u003e\n\nMade with [contrib.rocks](https://contrib.rocks).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgetindata%2Fterraform-snowflake-role","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgetindata%2Fterraform-snowflake-role","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgetindata%2Fterraform-snowflake-role/lists"}