
Commit 8f328cd

Formatting changes and addressed review comments
1 parent c38ab2d commit 8f328cd


8 files changed

+130
-140
lines changed


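--- a/terraform/snowflake/environments/dev/main.tf
+++ b/terraform/snowflake/environments/dev/main.tf
@@ -41,37 +41,37 @@ terraform {
 provider "snowflake" {
 account_name = var.account_name
 organization_name = var.organization_name
-role = "PUBLIC"
+role = "PUBLIC"
 }
 
 # Snowflake provider for account administration (to be used only when necessary).
 provider "snowflake" {
-alias = "accountadmin"
-role = "ACCOUNTADMIN"
+alias = "accountadmin"
+role = "ACCOUNTADMIN"
 account_name = var.account_name
 organization_name = var.organization_name
 }
 
 # Snowflake provider for creating databases, warehouses, etc.
 provider "snowflake" {
-alias = "sysadmin"
-role = "SYSADMIN"
+alias = "sysadmin"
+role = "SYSADMIN"
 account_name = var.account_name
 organization_name = var.organization_name
 }
 
 # Snowflake provider for managing grants to roles.
 provider "snowflake" {
-alias = "securityadmin"
-role = "SECURITYADMIN"
+alias = "securityadmin"
+role = "SECURITYADMIN"
 account_name = var.account_name
 organization_name = var.organization_name
 }
 
 # Snowflake provider for managing user accounts and roles.
 provider "snowflake" {
-alias = "useradmin"
-role = "USERADMIN"
+alias = "useradmin"
+role = "USERADMIN"
 account_name = var.account_name
 organization_name = var.organization_name
 }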
Lines changed: 3 additions & 3 deletions
@@ -1,3 +1,3 @@
1-
account_name = "HJB86910"
2-
environment = "DEV"
3-
organization_name= "VSB79059"
1+
account_name = "HJB86910"
2+
environment = "DEV"
3+
organization_name = "VSB79059"

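--- a/terraform/snowflake/environments/prd/main.tf
+++ b/terraform/snowflake/environments/prd/main.tf
@@ -47,39 +47,39 @@ terraform {
 provider "snowflake" {
 account_name = var.account_name
 organization_name = var.organization_name
-role = "PUBLIC"
+role = "PUBLIC"
 }
 
 # Snowflake provider for account administration (to be used only when necessary).
 provider "snowflake" {
-alias = "accountadmin"
-role = "ACCOUNTADMIN"
-account_name = var.account_name
-organization_name = var.organization_name
+alias = "accountadmin"
+role = "ACCOUNTADMIN"
+account_name = var.account_name
+organization_name = var.organization_name
 preview_features_enabled = ["snowflake_authentication_policy_resource", "snowflake_password_policy_resource", "snowflake_account_password_policy_attachment_resource", "snowflake_account_authentication_policy_attachment_resource"]
 }
 
 # Snowflake provider for creating databases, warehouses, etc.
 provider "snowflake" {
-alias = "sysadmin"
-role = "SYSADMIN"
+alias = "sysadmin"
+role = "SYSADMIN"
 account_name = var.account_name
 organization_name = var.organization_name
 }
 
 # Snowflake provider for managing grants to roles.
 provider "snowflake" {
-alias = "securityadmin"
-role = "SECURITYADMIN"
-account_name = var.account_name
-organization_name = var.organization_name
-preview_features_enabled = ["snowflake_authentication_policy_resource", "snowflake_password_policy_resource", "snowflake_account_password_policy_attachment_resource","snowflake_account_authentication_policy_attachment_resource"]
+alias = "securityadmin"
+role = "SECURITYADMIN"
+account_name = var.account_name
+organization_name = var.organization_name
+preview_features_enabled = ["snowflake_authentication_policy_resource", "snowflake_password_policy_resource", "snowflake_account_password_policy_attachment_resource", "snowflake_account_authentication_policy_attachment_resource"]
 }
 
 # Snowflake provider for managing user accounts and roles.
 provider "snowflake" {
-alias = "useradmin"
-role = "USERADMIN"
+alias = "useradmin"
+role = "USERADMIN"
 account_name = var.account_name
 organization_name = var.organization_name
 }
@@ -110,7 +110,7 @@ module "policies" {
 snowflake.useradmin = snowflake.useradmin,
 }
 # inputs
-okta_integration_name = var.okta_integration_name # or null to skip Okta/SAML policies
+okta_integration_name = var.okta_integration_name
 policies_database_name = "POLICIES"
 }
 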
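Review bot: Dropping the trailing comment on `okta_integration_name = var.okta_integration_name` removes the only hint in this file that passing null skips the Okta/SAML policies, which is a real behaviour of the module (its Okta-dependent resources are guarded by `count = var.okta_integration_name == null ? 0 : 1`). I would keep a short note at the call site, e.g. `okta_integration_name = var.okta_integration_name # null skips the Okta/SAML auth policies`, or carry that sentence in the variable's description so the opt-out stays discoverable. The first hunk in this file is whitespace only.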

Lines changed: 4 additions & 4 deletions
@@ -1,4 +1,4 @@
1-
account_name = "HJB86910"
2-
environment = "PRD"
3-
organization_name= "VSB79059"
4-
okta_integration_name= "OKTAINTEGRATION"
1+
account_name = "HJB86910"
2+
environment = "PRD"
3+
organization_name = "VSB79059"
4+
okta_integration_name = "OKTAINTEGRATION"

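--- a/terraform/snowflake/modules/elt/roles.tf
+++ b/terraform/snowflake/modules/elt/roles.tf
@@ -220,9 +220,9 @@ resource "snowflake_grant_account_role" "transform_read_to_analytics_rwc" {
 
 # Grant the Streamlit access role to the REPORTER role
 resource "snowflake_grant_account_role" "streamlit_to_reporter" {
-provider = snowflake.useradmin
-role_name = snowflake_account_role.streamlit_access_role.name
-parent_role_name = snowflake_account_role.reporter.name # reporter role
+provider = snowflake.useradmin
+role_name = snowflake_account_role.streamlit_access_role.name
+parent_role_name = snowflake_account_role.reporter.name # reporter role
 }
 
 # Grant CREATE STREAMLIT & CREATE STAGE privileges on future schemas in the database to the Streamlit access role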

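--- a/terraform/snowflake/modules/policies/main.tf
+++ b/terraform/snowflake/modules/policies/main.tf
@@ -10,6 +10,8 @@
 ############################
 
 terraform {
+required_version = ">= 1.0"
+
 required_providers {
 snowflake = {
 source = "Snowflake-Labs/snowflake"
@@ -24,38 +26,55 @@ terraform {
 }
 }
 
-# Create the POLICIES database to store password/authentication policies
+# POLICIES database (import if it already exists)
 resource "snowflake_database" "policies" {
 provider = snowflake.accountadmin
 name = var.policies_database_name
-
-# If POLICIES already exists (e.g., created manually from docs),
-# import it before first apply:
-# terraform import module.policies.snowflake_database.policies POLICIES
+# import hint:
+# terraform import module.policies.snowflake_database.policies POLICIES
 }
-# Account-level logging role
+
+# account-level role & warehouse (no env vars)
 resource "snowflake_account_role" "logger" {
 provider = snowflake.securityadmin
-name = "LOGGER_${var.environment}"
+name = "LOGGER_PRD"
 comment = "Account-level role for logging tasks"
 }
 
-# Account-level logging warehouse
 resource "snowflake_warehouse" "logging" {
-provider = snowflake.sysadmin
-name = "LOGGING_${var.environment}_WH"
-warehouse_size = "XSMALL"
-auto_suspend = 60
-auto_resume = true
+provider = snowflake.sysadmin
+name = "LOGGING_PRD_WH"
+warehouse_size = "XSMALL"
+auto_suspend = 60
+auto_resume = true
 initially_suspended = true
-comment = "Warehouse used by Sentinel/logging tasks"
+comment = "Warehouse used by Sentinel/logging tasks (PRD)"
+}
+
+# ßSentinel service user
+resource "snowflake_legacy_service_user" "sentinel" {
+provider = snowflake.useradmin
+name = "SENTINEL_SVC_USER"
+comment = "Service user for Sentinel"
+
+lifecycle { ignore_changes = [rsa_public_key] }
+
+default_warehouse = snowflake_warehouse.logging.name
+default_role = snowflake_account_role.logger.name
+}
+
+# Grant LOGGER_PRD to Sentinel
+resource "snowflake_grant_account_role" "logger_to_sentinel" {
+provider = snowflake.useradmin
+role_name = snowflake_account_role.logger.name
+user_name = snowflake_legacy_service_user.sentinel.name
 }
 
 # Default user password policy
 resource "snowflake_password_policy" "user_password_policy" {
 provider = snowflake.accountadmin
-database = snowflake_database.policies.name # Database name
-schema = "PUBLIC" # Schema name
+database = snowflake_database.policies.name
+schema = "PUBLIC"
 name = "user_password_policy"
 min_length = 14
 min_upper_case_chars = 1
@@ -65,100 +84,77 @@ resource "snowflake_password_policy" "user_password_policy" {
 max_retries = 5
 lockout_time_mins = 30
 history = 5
-or_replace = true # Ensures the policy can be updated without errors
+or_replace = true
 }
 
-# Set the default password policy for the account
+# Attach password policy at account level
 resource "snowflake_account_password_policy_attachment" "attachment" {
 provider = snowflake.accountadmin
 password_policy = snowflake_password_policy.user_password_policy.fully_qualified_name
 }
 
-// Defines an authentication policy for ODI human users that enforces Okta-only authentication via SAML.
+# Auth policies (Okta-only for human users, etc.)
 resource "snowflake_authentication_policy" "odi_okta_only" {
-count = var.okta_integration_name == null ? 0 : 1 // meta-argument to conditionally create the resource
-provider = snowflake.accountadmin
-database = snowflake_database.policies.name # Database name
-schema = "PUBLIC" # Schema name
-name = "odi_okta_only"
-authentication_methods = ["SAML"]
-security_integrations = [var.okta_integration_name] # Okta security integration name
-comment = "Okta-only authentication policy for ODI human users"
+count = var.okta_integration_name == null ? 0 : 1
+provider = snowflake.accountadmin
+database = snowflake_database.policies.name
+schema = "PUBLIC"
+name = "odi_okta_only"
+authentication_methods = ["SAML"]
+security_integrations = [var.okta_integration_name]
+comment = "Okta-only authentication policy for ODI human users (PRD)"
 }
 
-// Defines an authentication policy for external human users that enforces password-based authentication with Duo MFA.
-resource "snowflake_authentication_policy" "external_duo_mfa" {
+resource "snowflake_authentication_policy" "admin_okta_duo" {
+count = var.okta_integration_name == null ? 0 : 1
 provider = snowflake.accountadmin
-database = snowflake_database.policies.name # Database name
-schema = "PUBLIC" # Schema name
-name = "external_duo_mfa"
-authentication_methods = ["PASSWORD"]
+database = snowflake_database.policies.name
+schema = "PUBLIC"
+name = "admin_okta_duo"
+authentication_methods = ["SAML", "PASSWORD"]
 mfa_authentication_methods = ["PASSWORD"]
 mfa_enrollment = "REQUIRED"
-client_types = ["SNOWFLAKE_UI", "DRIVERS", "SNOWSQL"] # MFA enrollment requires SNOWFLAKE_UI
-comment = "Duo-MFA-only authentication policy for external human users"
+client_types = ["SNOWFLAKE_UI", "DRIVERS", "SNOWSQL"]
+security_integrations = [var.okta_integration_name]
+comment = "Okta and Duo-MFA policy for admin users (PRD)"
 }
 
-// Defines an authentication policy for admin human users that allows both Okta SAML and password-based authentication with Duo MFA.
-resource "snowflake_authentication_policy" "admin_okta_duo" {
-count = var.okta_integration_name == null ? 0 : 1 // meta-argument to conditionally create the resource
+resource "snowflake_authentication_policy" "external_duo_mfa" {
 provider = snowflake.accountadmin
-database = snowflake_database.policies.name # Database name
-schema = "PUBLIC" # Schema name
-name = "admin_okta_duo"
-authentication_methods = ["SAML", "PASSWORD"]
+database = snowflake_database.policies.name
+schema = "PUBLIC"
+name = "external_duo_mfa"
+authentication_methods = ["PASSWORD"]
 mfa_authentication_methods = ["PASSWORD"]
 mfa_enrollment = "REQUIRED"
 client_types = ["SNOWFLAKE_UI", "DRIVERS", "SNOWSQL"]
-security_integrations = [var.okta_integration_name] # Okta security integration name
-comment = "Okta and Duo-MFA authentication policy for admin human users"
+comment = "Duo-MFA-only authentication policy for external human users (PRD)"
 }
 
-// Defines an authentication policy for most service accounts that enforces key-pair authentication.
 resource "snowflake_authentication_policy" "service_account_keypair" {
-provider = snowflake.accountadmin
-database = snowflake_database.policies.name # Database name
-schema = "PUBLIC" # Schema name
-name = "service_account_keypair"
-authentication_methods = ["KEYPAIR"]
-client_types = ["DRIVERS", "SNOWSQL"]
-comment = "Key-pair only authentication policy for most service accounts"
+provider = snowflake.accountadmin
+database = snowflake_database.policies.name
+schema = "PUBLIC"
+name = "service_account_keypair"
+authentication_methods = ["KEYPAIR"]
+client_types = ["DRIVERS", "SNOWSQL"]
+comment = "Key-pair only authentication policy for most service accounts (PRD)"
 }
 
-// Defines an authentication policy for legacy service accounts that enforces password-based authentication.
 resource "snowflake_authentication_policy" "legacy_service_password" {
-provider = snowflake.accountadmin
-database = snowflake_database.policies.name # Database name
-schema = "PUBLIC" # Schema name
-name = "legacy_service_password"
-authentication_methods = ["PASSWORD"]
-client_types = ["DRIVERS", "SNOWSQL"]
-comment = "Password-only authentication policy for legacy service accounts"
+provider = snowflake.accountadmin
+database = snowflake_database.policies.name
+schema = "PUBLIC"
+name = "legacy_service_password"
+authentication_methods = ["PASSWORD"]
+client_types = ["DRIVERS", "SNOWSQL"]
+comment = "Password-only authentication policy for legacy service accounts (PRD)"
 }
 
-# Set odi_okta_only as the default authentication policy for the account
+# Set odi_okta_only as the default account auth policy (fmt-clean)
 resource "snowflake_account_authentication_policy_attachment" "default_policy" {
 count = var.okta_integration_name == null ? 0 : 1
+
 provider = snowflake.accountadmin
 authentication_policy = snowflake_authentication_policy.odi_okta_only[0].fully_qualified_name
 }
-
-# Create a sentinel service user with password authentication (legacy service user)
-resource "snowflake_legacy_service_user" "sentinel" {
-provider = snowflake.useradmin
-name = "SENTINEL_SVC_USER"
-comment = "Service user for Sentinel"
-lifecycle {
-ignore_changes = [rsa_public_key]
-}
-# no cross-module references; use resources created here
-default_warehouse = snowflake_warehouse.logging.name
-default_role = snowflake_account_role.logger.name
-}
-
-# Grant LOGGER to Sentinel
-resource "snowflake_grant_account_role" "logger_to_sentinel" {
-provider = snowflake.useradmin
-role_name = snowflake_account_role.logger.name
-user_name = snowflake_legacy_service_user.sentinel.name
-}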
