{"id":21514849,"url":"https://github.com/getindata/terraform-snowflake-user","last_synced_at":"2026-02-26T06:07:14.763Z","repository":{"id":137896405,"uuid":"587647507","full_name":"getindata/terraform-snowflake-user","owner":"getindata","description":"Terraform module for creating snowflake users","archived":false,"fork":false,"pushed_at":"2025-08-20T12:01:34.000Z","size":143,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":5,"default_branch":"main","last_synced_at":"2026-02-12T07:12:21.348Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/getindata.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-01-11T08:48:53.000Z","updated_at":"2025-08-20T12:01:13.000Z","dependencies_parsed_at":"2024-10-28T09:52:49.487Z","dependency_job_id":"57bad389-a674-426e-a283-6544c78c7c77","html_url":"https://github.com/getindata/terraform-snowflake-user","commit_stats":null,"previous_names":[],"tags_count":14,"template":false,"template_full_name":"getindata/terraform-module-template","purl":"pkg:github/getindata/terraform-snowflake-user","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/getindata%2Fterraform-snowflake-user","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/getindata%2Fterraform-snowflake-user/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/getindata%2Fterraform-snowflake-user/releases","manifes
ts_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/getindata%2Fterraform-snowflake-user/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/getindata","download_url":"https://codeload.github.com/getindata/terraform-snowflake-user/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/getindata%2Fterraform-snowflake-user/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29849833,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-25T22:37:40.667Z","status":"online","status_checked_at":"2026-02-26T02:00:06.774Z","response_time":89,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-23T23:53:13.318Z","updated_at":"2026-02-26T06:07:14.746Z","avatar_url":"https://github.com/getindata.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Snowflake User Terraform Module\n\n![Snowflake](https://img.shields.io/badge/-SNOWFLAKE-249edc?style=for-the-badge\u0026logo=snowflake\u0026logoColor=white)\n![Terraform](https://img.shields.io/badge/terraform-%235835CC.svg?style=for-the-badge\u0026logo=terraform\u0026logoColor=white)\n\n![License](https://badgen.net/github/license/getindata/terraform-snowflake-user)\n![Release](https://badgen.net/github/release/getindata/terraform-snowflake-user)\n\n\u003cp align=\"center\"\u003e\n  \u003cimg height=\"150\" 
src=\"https://getindata.com/img/logo.svg\"\u003e\n  \u003ch3 align=\"center\"\u003eWe help companies turn their data into assets\u003c/h3\u003e\n\u003c/p\u003e\n\nTerraform module for creating Snowflake user.\n\nThis module can:\n\n- Create and manage Snowflake Users\n- Automatically generate RSA private and public keys for the User\n- Automatically grant `default_role` and `default_secondary_roles` to the User\n\n## Usage\n\n```terraform\nmodule \"terraform_snowflake_user\" {\n  source = \"getindata/terraform-snowflake/user\"\n  name = \"snowflake-user\"\n}\n```\n\n## EXAMPLES\n\n- [Simple](examples/simple) - Basic usage of the module\n- [Complete](examples/complete) - Advanced usage of the module\n\n## Breaking changes in v2.x of the module\n\nDue to breaking changes in Snowflake provider and additional code optimizations, **breaking changes** were introduced in `v2.0.0` version of this module.\n\nList of code and variable (API) changes:\n\n- Support for Snowflake user types, managed by `type` variable\n- Clear differentiation of `PERSON`, `SERVICE` and `LEGACY_SERVICE` users\n- `snowflake_default_secondary_roles` changed to `snowflake_default_secondary_roles_option` (string)\n- Added `middle_name`, `query_tag`, `timezone`, `network_policy`, `trace_level`, `log_level` and `enable_unredacted_query_syntax_error` variables\n- Added `disable_mfa` flag (`false` by default), that handles MFA enforcement for `PERSON` users\n\nWhen upgrading from `v1.x`, expect most of the resources to be recreated - if recreation is impossible, then it is possible to import some existing resources.\n\nFor more information, refer to [variables.tf](variables.tf), list of inputs below and Snowflake provider documentation.\n\n## Breaking changes in v3.x of the module\n\nDue to replacement of nulllabel (`context.tf`) with context provider, some **breaking changes** were introduced in `v3.0.0` version of this module.\n\nList of code and variable (API) changes:\n\n- Removed `context.tf` file (a 
single-file module with additional variables), which implied a removal of all its variables (except `name`):\n  - `descriptor_formats`\n  - `label_value_case`\n  - `label_key_case`\n  - `id_length_limit`\n  - `regex_replace_chars`\n  - `label_order`\n  - `additional_tag_map`\n  - `tags`\n  - `labels_as_tags`\n  - `attributes`\n  - `delimiter`\n  - `stage`\n  - `environment`\n  - `tenant`\n  - `namespace`\n  - `enabled`\n  - `context`\n- Removed support for the `enabled` flag - that might cause some backward compatibility issues with terraform state (please take into account that proper `move` clauses were added to minimize the impact), but proceed with caution\n- Additional `context` provider configuration\n- New variables were added, to allow naming configuration via `context` provider:\n  - `context_templates`\n  - `name_scheme`\n\n## Breaking changes in v4.x of the module\n\n- Due to rename of Snowflake terraform provider source, all `versions.tf` files were updated accordingly.\n\n  Please keep in mind to mirror this change in your own repos also.\n\n  For more information about provider rename, refer to [Snowflake documentation](https://github.com/snowflakedb/terraform-provider-snowflake/blob/main/SNOWFLAKEDB_MIGRATION.md).\n\n\u003c!-- BEGIN_TF_DOCS --\u003e\n\n\n\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_comment\"\u003e\u003c/a\u003e [comment](#input\\_comment) | Comment / description of Snowflake user | `string` | `null` | no |\n| \u003ca name=\"input_context_templates\"\u003e\u003c/a\u003e [context\\_templates](#input\\_context\\_templates) | Map of context templates used for naming conventions - this variable supersedes `naming_scheme.properties` and `naming_scheme.delimiter` configuration | `map(string)` | `{}` | no |\n| \u003ca name=\"input_default_namespace\"\u003e\u003c/a\u003e [default\\_namespace](#input\\_default\\_namespace) | Specifies the namespace 
(database only or database and schema) that is active by default for the user's session upon login. | `string` | `null` | no |\n| \u003ca name=\"input_default_role\"\u003e\u003c/a\u003e [default\\_role](#input\\_default\\_role) | Specifies the role that is active by default for the user's session upon login. | `string` | `null` | no |\n| \u003ca name=\"input_default_secondary_roles_option\"\u003e\u003c/a\u003e [default\\_secondary\\_roles\\_option](#input\\_default\\_secondary\\_roles\\_option) | Specifies the secondary roles that are active for the user’s session upon login. \u003cbr/\u003e    Valid values are (case-insensitive): DEFAULT \\| NONE \\| ALL | `string` | `\"DEFAULT\"` | no |\n| \u003ca name=\"input_default_warehouse\"\u003e\u003c/a\u003e [default\\_warehouse](#input\\_default\\_warehouse) | Specifies the virtual warehouse that is active by default for the user's session upon login. | `string` | `null` | no |\n| \u003ca name=\"input_disable_mfa\"\u003e\u003c/a\u003e [disable\\_mfa](#input\\_disable\\_mfa) | Disable Multi-Factor Authentication for the user (works only with `type = PERSON`) | `bool` | `false` | no |\n| \u003ca name=\"input_disabled\"\u003e\u003c/a\u003e [disabled](#input\\_disabled) | Specifies whether the user is disabled, which prevents logging in and aborts all the currently-running queries for the user. | `bool` | `false` | no |\n| \u003ca name=\"input_display_name\"\u003e\u003c/a\u003e [display\\_name](#input\\_display\\_name) | Name displayed for the user in the Snowflake web interface. | `string` | `null` | no |\n| \u003ca name=\"input_email\"\u003e\u003c/a\u003e [email](#input\\_email) | Email address for the user | `string` | `null` | no |\n| \u003ca name=\"input_enable_unredacted_query_syntax_error\"\u003e\u003c/a\u003e [enable\\_unredacted\\_query\\_syntax\\_error](#input\\_enable\\_unredacted\\_query\\_syntax\\_error) | Controls whether query text is redacted if a SQL query fails due to a syntax or parsing error. 
If FALSE, the content of a failed query is redacted in the views, pages, and functions that provide a query history. \u003cbr/\u003e    Only users with a role that is granted or inherits the AUDIT privilege can set the ENABLE\\_UNREDACTED\\_QUERY\\_SYNTAX\\_ERROR parameter. \u003cbr/\u003e    When using the ALTER USER command to set the parameter to TRUE for a particular user, modify the user that you want to see the query text, not the user who executed the query (if those are different users). | `bool` | `null` | no |\n| \u003ca name=\"input_first_name\"\u003e\u003c/a\u003e [first\\_name](#input\\_first\\_name) | First name of the user (works only with `type = PERSON`) | `string` | `null` | no |\n| \u003ca name=\"input_generate_password\"\u003e\u003c/a\u003e [generate\\_password](#input\\_generate\\_password) | Generate a random password using Terraform | `bool` | `false` | no |\n| \u003ca name=\"input_generate_rsa_key\"\u003e\u003c/a\u003e [generate\\_rsa\\_key](#input\\_generate\\_rsa\\_key) | Whether to automatically generate an RSA key - IMPORTANT \u003cbr/\u003e    The private key generated by this resource will be stored \u003cbr/\u003e    unencrypted in your Terraform state file. \u003cbr/\u003e    Use of this resource for production deployments is not recommended. 
| `bool` | `false` | no |\n| \u003ca name=\"input_grant_default_roles\"\u003e\u003c/a\u003e [grant\\_default\\_roles](#input\\_grant\\_default\\_roles) | Whether to grant default\\_role to Snowflake User | `bool` | `true` | no |\n| \u003ca name=\"input_ignore_changes_on_defaults\"\u003e\u003c/a\u003e [ignore\\_changes\\_on\\_defaults](#input\\_ignore\\_changes\\_on\\_defaults) | Whether to ignore configuration of `default_warehouse`, `default_role` and `default_namespace` (works only with `type = PERSON`) | `bool` | `false` | no |\n| \u003ca name=\"input_last_name\"\u003e\u003c/a\u003e [last\\_name](#input\\_last\\_name) | Last name of the user (works only with `type = PERSON`) | `string` | `null` | no |\n| \u003ca name=\"input_log_level\"\u003e\u003c/a\u003e [log\\_level](#input\\_log\\_level) | Specifies the severity level of messages that should be ingested and made available in the active event table. Messages at the specified level (and at more severe levels) are ingested. | `string` | `null` | no |\n| \u003ca name=\"input_login_name\"\u003e\u003c/a\u003e [login\\_name](#input\\_login\\_name) | The name users use to log in. If not supplied, snowflake will use name instead. | `string` | `null` | no |\n| \u003ca name=\"input_middle_name\"\u003e\u003c/a\u003e [middle\\_name](#input\\_middle\\_name) | Middle name of the user (works only with `type = PERSON`) | `string` | `null` | no |\n| \u003ca name=\"input_must_change_password\"\u003e\u003c/a\u003e [must\\_change\\_password](#input\\_must\\_change\\_password) | Should the user change the password on login. Should be set to true for non service account users | `bool` | `true` | no |\n| \u003ca name=\"input_name\"\u003e\u003c/a\u003e [name](#input\\_name) | Name of the resource | `string` | n/a | yes |\n| \u003ca name=\"input_name_scheme\"\u003e\u003c/a\u003e [name\\_scheme](#input\\_name\\_scheme) | Naming scheme configuration for the resource. 
This configuration is used to generate names using context provider:\u003cbr/\u003e    - `properties` - list of properties to use when creating the name - is superseded by `var.context_templates`\u003cbr/\u003e    - `delimiter` - delimiter used to create the name from `properties` - is superseded by `var.context_templates`\u003cbr/\u003e    - `context_template_name` - name of the context template used to create the name\u003cbr/\u003e    - `replace_chars_regex` - regex to use for replacing characters in property-values created by the provider - any characters that match the regex will be removed from the name\u003cbr/\u003e    - `extra_values` - map of extra label-value pairs, used to create a name\u003cbr/\u003e    - `uppercase` - convert name to uppercase | \u003cpre\u003eobject({\u003cbr/\u003e    properties            = optional(list(string), [\"environment\", \"name\"])\u003cbr/\u003e    delimiter             = optional(string, \"_\")\u003cbr/\u003e    context_template_name = optional(string, \"snowflake-user\")\u003cbr/\u003e    replace_chars_regex   = optional(string, \"[^a-zA-Z0-9_]\")\u003cbr/\u003e    extra_values          = optional(map(string))\u003cbr/\u003e    uppercase             = optional(bool, true)\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_network_policy\"\u003e\u003c/a\u003e [network\\_policy](#input\\_network\\_policy) | Specifies the network policy to enforce for your account. Network policies enable restricting access to your account based on users’ IP address. | `string` | `null` | no |\n| \u003ca name=\"input_query_tag\"\u003e\u003c/a\u003e [query\\_tag](#input\\_query\\_tag) | Optional string that can be used to tag queries and other SQL statements executed within a session. | `string` | `null` | no |\n| \u003ca name=\"input_rsa_public_key\"\u003e\u003c/a\u003e [rsa\\_public\\_key](#input\\_rsa\\_public\\_key) | Specifies the user's RSA public key; used for key-pair authentication. 
Must be on 1 line without header and trailer. | `string` | `null` | no |\n| \u003ca name=\"input_rsa_public_key_2\"\u003e\u003c/a\u003e [rsa\\_public\\_key\\_2](#input\\_rsa\\_public\\_key\\_2) | Specifies the user's second RSA public key; used to rotate the public and private keys \u003cbr/\u003e    for key-pair authentication based on an expiration schedule set by your organization. \u003cbr/\u003e    Must be on 1 line without header and trailer. | `string` | `null` | no |\n| \u003ca name=\"input_timezone\"\u003e\u003c/a\u003e [timezone](#input\\_timezone) | Specifies the time zone for the session. You can specify a time zone name or a link name from release 2021a of the IANA Time Zone Database (e.g. America/Los\\_Angeles, Europe/London, UTC, Etc/GMT, etc.). | `string` | `null` | no |\n| \u003ca name=\"input_trace_level\"\u003e\u003c/a\u003e [trace\\_level](#input\\_trace\\_level) | Controls how trace events are ingested into the event table. | `string` | `null` | no |\n| \u003ca name=\"input_type\"\u003e\u003c/a\u003e [type](#input\\_type) | Type of the user. 
Valid values are PERSON, SERVICE, LEGACY\\_SERVICE | `string` | `\"PERSON\"` | no |\n\n## Modules\n\nNo modules.\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_default_namespace\"\u003e\u003c/a\u003e [default\\_namespace](#output\\_default\\_namespace) | Specifies the namespace (database only or database and schema) that is active by default for the user's session upon login |\n| \u003ca name=\"output_default_role\"\u003e\u003c/a\u003e [default\\_role](#output\\_default\\_role) | Specifies the role that is active by default for the user's session upon login |\n| \u003ca name=\"output_default_secondary_roles_option\"\u003e\u003c/a\u003e [default\\_secondary\\_roles\\_option](#output\\_default\\_secondary\\_roles\\_option) | Specifies the secondary roles that are active for the user’s session upon login |\n| \u003ca name=\"output_default_warehouse\"\u003e\u003c/a\u003e [default\\_warehouse](#output\\_default\\_warehouse) | Specifies the virtual warehouse that is active by default for the user's session upon login |\n| \u003ca name=\"output_disable_mfa\"\u003e\u003c/a\u003e [disable\\_mfa](#output\\_disable\\_mfa) | Whether multi-factor authentication is disabled for the user |\n| \u003ca name=\"output_disabled\"\u003e\u003c/a\u003e [disabled](#output\\_disabled) | Whether user account is disabled |\n| \u003ca name=\"output_display_name\"\u003e\u003c/a\u003e [display\\_name](#output\\_display\\_name) | Name displayed for the user in the Snowflake web interface |\n| \u003ca name=\"output_email\"\u003e\u003c/a\u003e [email](#output\\_email) | Email address for the user |\n| \u003ca name=\"output_enable_unredacted_query_syntax_error\"\u003e\u003c/a\u003e [enable\\_unredacted\\_query\\_syntax\\_error](#output\\_enable\\_unredacted\\_query\\_syntax\\_error) | Enable access to unredacted query syntax error for the user |\n| \u003ca name=\"output_first_name\"\u003e\u003c/a\u003e [first\\_name](#output\\_first\\_name) | First name of 
the user (only if `type == PERSON`) |\n| \u003ca name=\"output_last_name\"\u003e\u003c/a\u003e [last\\_name](#output\\_last\\_name) | Last name of the user (only if `type == PERSON`) |\n| \u003ca name=\"output_log_level\"\u003e\u003c/a\u003e [log\\_level](#output\\_log\\_level) | Log level |\n| \u003ca name=\"output_login_name\"\u003e\u003c/a\u003e [login\\_name](#output\\_login\\_name) | The name users use to log in |\n| \u003ca name=\"output_middle_name\"\u003e\u003c/a\u003e [middle\\_name](#output\\_middle\\_name) | Middle name of the user (only if `type == PERSON`) |\n| \u003ca name=\"output_name\"\u003e\u003c/a\u003e [name](#output\\_name) | Name of the user |\n| \u003ca name=\"output_network_policy\"\u003e\u003c/a\u003e [network\\_policy](#output\\_network\\_policy) | Network policy associated with the user |\n| \u003ca name=\"output_password\"\u003e\u003c/a\u003e [password](#output\\_password) | Password set for the user (only if `type == PERSON` or `type == LEGACY_SERVICE`) |\n| \u003ca name=\"output_query_tag\"\u003e\u003c/a\u003e [query\\_tag](#output\\_query\\_tag) | Query tag |\n| \u003ca name=\"output_rsa_private_key\"\u003e\u003c/a\u003e [rsa\\_private\\_key](#output\\_rsa\\_private\\_key) | RSA Private key used for authentication |\n| \u003ca name=\"output_timezone\"\u003e\u003c/a\u003e [timezone](#output\\_timezone) | Timezone |\n| \u003ca name=\"output_trace_level\"\u003e\u003c/a\u003e [trace\\_level](#output\\_trace\\_level) | Trace level |\n| \u003ca name=\"output_type\"\u003e\u003c/a\u003e [type](#output\\_type) | User type |\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_context\"\u003e\u003c/a\u003e [context](#provider\\_context) | \u003e=0.4.0 |\n| \u003ca name=\"provider_random\"\u003e\u003c/a\u003e [random](#provider\\_random) | \u003e= 3.0.0 |\n| \u003ca name=\"provider_snowflake\"\u003e\u003c/a\u003e [snowflake](#provider\\_snowflake) | \u003e= 0.96 |\n| \u003ca 
name=\"provider_tls\"\u003e\u003c/a\u003e [tls](#provider\\_tls) | ~\u003e 4.0 |\n\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 1.3.0 |\n| \u003ca name=\"requirement_context\"\u003e\u003c/a\u003e [context](#requirement\\_context) | \u003e=0.4.0 |\n| \u003ca name=\"requirement_random\"\u003e\u003c/a\u003e [random](#requirement\\_random) | \u003e= 3.0.0 |\n| \u003ca name=\"requirement_snowflake\"\u003e\u003c/a\u003e [snowflake](#requirement\\_snowflake) | \u003e= 0.96 |\n| \u003ca name=\"requirement_tls\"\u003e\u003c/a\u003e [tls](#requirement\\_tls) | ~\u003e 4.0 |\n\n## Resources\n\n| Name | Type |\n|------|------|\n| [random_password.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |\n| [snowflake_grant_account_role.default_role](https://registry.terraform.io/providers/snowflakedb/snowflake/latest/docs/resources/grant_account_role) | resource |\n| [snowflake_legacy_service_user.this](https://registry.terraform.io/providers/snowflakedb/snowflake/latest/docs/resources/legacy_service_user) | resource |\n| [snowflake_service_user.this](https://registry.terraform.io/providers/snowflakedb/snowflake/latest/docs/resources/service_user) | resource |\n| [snowflake_user.defaults_not_enforced](https://registry.terraform.io/providers/snowflakedb/snowflake/latest/docs/resources/user) | resource |\n| [snowflake_user.this](https://registry.terraform.io/providers/snowflakedb/snowflake/latest/docs/resources/user) | resource |\n| [tls_private_key.this](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |\n| [context_label.this](https://registry.terraform.io/providers/cloudposse/context/latest/docs/data-sources/label) | data source |\n\u003c!-- END_TF_DOCS --\u003e\n## CONTRIBUTING\n\nContributions are very welcomed!\n\nStart by reviewing [contribution 
guide](CONTRIBUTING.md) and our [code of conduct](CODE_OF_CONDUCT.md). After that, start coding and ship your changes by creating a new PR.\n\n## LICENSE\n\nApache 2 Licensed. See [LICENSE](LICENSE) for full details.\n\n## AUTHORS\n\n\u003c!--- Replace repository name --\u003e\n\u003ca href=\"https://github.com/getindata/terraform-snowflake-user/graphs/contributors\"\u003e\n  \u003cimg src=\"https://contrib.rocks/image?repo=getindata/terraform-snowflake-user\" /\u003e\n\u003c/a\u003e\n\nMade with [contrib.rocks](https://contrib.rocks).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgetindata%2Fterraform-snowflake-user","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgetindata%2Fterraform-snowflake-user","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgetindata%2Fterraform-snowflake-user/lists"}