Terraform Provider: Snowflake

Please note: If you believe you have found a security issue, please responsibly disclose by contacting us at [email protected].

This is a terraform provider plugin for managing Snowflake accounts.

Getting Help

If you need help, try the discussions area of this repo.

Install

The easiest way is to run this command:

curl https://raw.githubusercontent.com/chanzuckerberg/terraform-provider-snowflake/main/download.sh | bash -s -- -b $HOME/.terraform.d/plugins

Note that this will only work with recent releases, for older releases, use the version of download.sh that corresponds to that release (replace main in that curl with the version).

It runs a script generated by godownloader which installs into the proper directory for terraform (~/.terraform.d/plugins).

You can also just download a binary from our releases and follow the Terraform directions for installing 3rd party plugins.

For Terraform v0.13+ users

We are now (7/29/2021) using Terraform 0.13 for testing purposes due to an issue for data sources for versions <0.13. Related PR for this change here.

You can use Explicit Provider Source Locations.

The following maybe work well.

terraform {
  required_providers {
    snowflake = {
      source = "chanzuckerberg/snowflake"
      version = "0.20.0"
    }
  }
}

Usage

An introductory tutorial is available from Snowflake.

In-depth docs are available on the Terraform registry.

Development

If you do not have Go installed:

1. Install Go

   brew install golang

2. Make a Go development directory wherever you like

   mkdir go_projects

3. Add the following config to your profile

   export GOPATH=$HOME/../go_projects # edit with your go_projects dir
   export PATH=$PATH:$GOPATH/bin

1. Fork this repo and clone it into

   go_projects

2. cd to

   terraform-provider-snowflake

   and install all the required packages with

   make setup

3. Finally install goimports with

   (cd && go get golang.org/x/tools/cmd/goimports)

   .
4. You should now be able to successfully run the tests with

   make test

It has not been tested on Windows, so if you find problems let us know.

If you want to build and test the provider locally there is a make target

make install-tf

Testing

Note: PRs for new resources will not be accepted without passing acceptance tests.

For the Terraform resources, there are 3 levels of testing - internal, unit and acceptance tests.

The 'internal' tests are run in the

github.com/chanzuckerberg/terraform-provider-snowflake/pkg/resources

The 'unit' tests are run in

github.com/chanzuckerberg/terraform-provider-snowflake/pkg/resources_test

resources

You can run these first two sets of tests with

make test

The 'acceptance' tests run the full stack, creating, modifying and destroying resources in a live snowflake account. To run them you need a snowflake account and the proper authentication set up. These tests are slower but have higher fidelity.

To run all tests, including the acceptance tests, run

make test-acceptance

Pull Request CI

Our CI jobs run the full acceptence test suite, which involves creating and destroying resources in a live snowflake account. Github Actions is configured with environment variables to authenticate to our test snowflake account. For security reasons, those variables are not available to forks of this repo.

If you are making a PR from a forked repo, you can create a new Snowflake trial account and set up Travis to build it by setting these environement variables:

• SNOWFLAKE_ACCOUNT

  - The account name

• SNOWFLAKE_USER

  - A snowflake user for running tests.

• SNOWFLAKE_PASSWORD

  - Password for that user.

• SNOWFLAKE_ROLE

  - Needs to be ACCOUNTADMIN or similar.

• SNOWFLAKE_REGION

  - Default is us-west-2, set this if your snowflake account is in a different region.

If you are using the Standard Snowflake plan, it's recommended you also set up the following environment variables to skip tests for features not enabled for it:

• SKIP_DATABASE_TESTS

  - to skip tests with retention time larger than 1 day

• SKIP_WAREHOUSE_TESTS

  - to skip tests with multi warehouses

Releasing

Running a release

Note: releases can only be done by those with keybase pgp keys allowed in the terraform registry.

Releases will be performed once a week on Monday around 11am PST. If your change is more urgent and you need to use it sooner, use the commit hash.

Releases are done by goreleaser and run by our make files. There two goreleaser configs,

.goreleaser.yml

.goreleaser.prerelease.yml

Releases are published to the terraform registry, which requires that releases by signed.

Adding a new releaser

To set up a new person for releasing, there are a few steps–

1. releaser: a keybase account and a workstation set up with their Keybase app.
2. releaser: a pgp key -

   keybase pgp gen

3. releaser: export public key.
   1. If you have a single key in keybase–

      1. keybase pgp export

   2. If you have more than one key–

      1. keybase pgp export

         to find id if key you want to export

      2. keybase pgp export -q KEY_ID

4. github admin for chanzuckerberg: take public key exported above and add it in the registry
5. releaser: set

   KEYBASE_KEY_ID

   environment variable. Note that this is different from the previous id. Get this one from

   keybase pgp list

   . It should be like ~70 characters long.
6. set

   GITHUB_TOKEN

   environment variable with a personal access token
7. releaser: run

   make release-prerelease

   to test that releases are working correctly
8. releaser: run

   make release

   to release for real