Adding Sentniel user creation to the module

Author: ram-kishore-odi

terraform/snowflake/environments/prd/main.tf

@@ -112,6 +112,10 @@ module "policies" {
   # inputs
   okta_integration_name  = var.okta_integration_name   # or null to skip Okta/SAML policies
   policies_database_name = "POLICIES"
+
+    # Pass the outputs from the elt module as inputs to the policies module
+  logging_warehouse_name = module.elt.logging_warehouse_name
+  logger_role_name       = module.elt.logger_role_name
 }
 
 ##############################################################

terraform/snowflake/modules/elt/outputs.tf

@@ -0,0 +1,9 @@
+output "logger_role_name" {
+  description = "The name of the logger role."
+  value       = snowflake_account_role.logger.name
+}
+
+output "logging_warehouse_name" {
+  description = "The name of the logging warehouse."
+  value       = module.logging.name
+}

terraform/snowflake/modules/elt/users.tf

@@ -50,18 +50,6 @@ resource "snowflake_service_user" "github_ci" {
   default_role      = snowflake_account_role.reader.name
 }
 
-resource "snowflake_legacy_service_user" "sentinel" {
-  provider = snowflake.useradmin
-  name     = "SENTINEL_SVC_USER_${var.environment}"
-  comment  = "Service user for Sentinel"
-  lifecycle {
-    ignore_changes = [rsa_public_key]
-  }
-
-  default_warehouse = module.logging.name
-  default_role      = snowflake_account_role.logger.name
-}
-
 ######################################
 #            Role Grants             #
 ######################################
@@ -89,9 +77,3 @@ resource "snowflake_grant_account_role" "reader_to_github_ci" {
   role_name = snowflake_account_role.reader.name
   user_name = snowflake_service_user.github_ci.name
 }
-
-resource "snowflake_grant_account_role" "logger_to_sentinel" {
-  provider  = snowflake.useradmin
-  role_name = snowflake_account_role.logger.name
-  user_name = snowflake_legacy_service_user.sentinel.name
-}

terraform/snowflake/modules/policies/main.tf

@@ -1,7 +1,10 @@
 ######################################
 #            Terraform               #
 ######################################
-
+# This module enforces Snowflake security by creating a POLICIES database,
+# defining strong default password/authentication policies for different user types,
+# setting Okta-only auth as the default (when enabled), and provisioning a Sentinel
+# legacy service user with the required role grants.
 ############################
 #         Providers        #
 ############################
@@ -118,3 +121,25 @@ resource "snowflake_account_authentication_policy_attachment" "default_policy" {
   provider                   = snowflake.accountadmin
   authentication_policy      = snowflake_authentication_policy.odi_okta_only[0].fully_qualified_name // using the first and only instance that gets created
 }
+
+# Create a sentinel service user with password authentication (legacy service user)
+resource "snowflake_legacy_service_user" "sentinel" {
+  provider = snowflake.useradmin
+  name     = "SENTINEL_SVC_USER"
+  comment  = "Service user for Sentinel"
+  lifecycle {
+    ignore_changes = [rsa_public_key]
+  }
+
+  # Use the input variable here
+  default_warehouse = var.logging_warehouse_name
+  # Use the input variable here
+  default_role      = var.logger_role_name
+}
+
+resource "snowflake_grant_account_role" "logger_to_sentinel" {
+  provider  = snowflake.useradmin
+  # Use the input variable here
+  role_name = var.logger_role_name
+  user_name = snowflake_legacy_service_user.sentinel.name
+}

terraform/snowflake/modules/policies/variables.tf

@@ -9,3 +9,13 @@ variable "policies_database_name" {
   type        = string
   default     = "POLICIES"
 }
+
+variable "logging_warehouse_name" {
+  description = "The name of the warehouse to be used by the Sentinel service user."
+  type        = string
+}
+
+variable "logger_role_name" {
+  description = "The name of the role to be granted to the Sentinel service user."
+  type        = string
+}