diff --git a/README.md b/README.md index f61b6b4..1f2fab9 100644 --- a/README.md +++ b/README.md @@ -14,17 +14,23 @@ This module **does not** create a reader role that can be used to view the data. | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | -| [snowflake](#requirement\_snowflake) | >= 0.83.1 | +| [snowflake](#requirement\_snowflake) | ~> 0.83.1 | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [database\_name](#input\_database\_name) | The name of the Snowflake database to use | `string` | n/a | yes | -| [fullstory\_cidr\_ipv4](#input\_fullstory\_cidr\_ipv4) | The CIDR block that Fullstory will use to connect to the Redshift cluster. | `string` | `""` | no | +| [disable\_password](#input\_disable\_password) | Whether to disable the password for the Snowflake user. If true, the user will only be able to authenticate using the RSA public key. | `bool` | `false` | no | +| [fullstory\_cidr\_ipv4](#input\_fullstory\_cidr\_ipv4) | The CIDR block that Fullstory will use to connect to Snowflake. | `string` | `""` | no | | [fullstory\_data\_center](#input\_fullstory\_data\_center) | The data center where your Fullstory account is hosted. Either 'NA1' or 'EU1'. See https://help.fullstory.com/hc/en-us/articles/8901113940375-Fullstory-Data-Residency for more information. | `string` | `"NA1"` | no | | [fullstory\_storage\_allowed\_locations](#input\_fullstory\_storage\_allowed\_locations) | The list of allowed locations for the storage provider. This is an advanced option and should only be changed if instructed by Fullstory. Ex. ://// | `list(string)` | 
[
  "gcs://fullstoryapp-warehouse-sync-bundles"
]
| no | | [fullstory\_storage\_provider](#input\_fullstory\_storage\_provider) | The storage provider to use. Either 'S3', 'GCS' or 'AZURE'. This is an advanced option and should only be changed if instructed by Fullstory. | `string` | `"GCS"` | no | +| [password](#input\_password) | The password to use for the Snowflake user. | `string` | `null` | no | +| [role\_name](#input\_role\_name) | The name of the Snowflake role to create. | `string` | `null` | no | +| [rsa\_public\_key](#input\_rsa\_public\_key) | The RSA public key to use for the Snowflake user. Must be on 1 line without header and trailer. | `string` | `null` | no | +| [rsa\_public\_key\_2](#input\_rsa\_public\_key\_2) | The second RSA public key to use for the Snowflake user. Used when rotating keys. Must be on 1 line without header and trailer. | `string` | `null` | no | +| [stage\_name](#input\_stage\_name) | The name of the Snowflake stage to create. | `string` | `null` | no | | [suffix](#input\_suffix) | The suffix to append to the names of the resources created by this module so that the module can be instantiated many times. Must only contain letters. | `string` | n/a | yes | | [warehouse\_name](#input\_warehouse\_name) | The name of the Snowflake warehouse to use. | `string` | n/a | yes | @@ -33,7 +39,7 @@ This module **does not** create a reader role that can be used to view the data. | Name | Description | |------|-------------| | [gcs\_storage\_integration](#output\_gcs\_storage\_integration) | The name of the GCS storage integration that can be used in the Fullstory app when configuring the Snowflake integration. | -| [password](#output\_password) | The Fullstory password that can be used in the Fullstory app when configuring the Snowflake integration. | +| [password](#output\_password) | The password for the configured user that can be used in the Fullstory app when configuring the Snowflake integration. Will be empty if `disable_password` is true. | | [role](#output\_role) | The Fullstory role that can be used in the Fullstory app when configuring the Snowflake integration. | | [username](#output\_username) | The Fullstory username that can be used in the Fullstory app when configuring the Snowflake integration. | diff --git a/config.tf b/config.tf index fb72b5f..1592762 100644 --- a/config.tf +++ b/config.tf @@ -4,7 +4,7 @@ terraform { required_providers { snowflake = { source = "Snowflake-Labs/snowflake" - version = ">= 0.83.1" + version = "~> 0.83.1" configuration_aliases = [ snowflake.account_admin, snowflake.security_admin, diff --git a/main.tf b/main.tf index a9902a0..93d4d3b 100644 --- a/main.tf +++ b/main.tf @@ -17,7 +17,7 @@ provider "snowflake" { resource "snowflake_role" "main" { provider = snowflake.security_admin - name = "FULLSTORY_WAREHOUSE_SETUP_${local.suffix}" + name = coalesce(var.role_name, "FULLSTORY_WAREHOUSE_SETUP_${local.suffix}") } resource "snowflake_grant_privileges_to_role" "database" { @@ -41,6 +41,7 @@ resource "snowflake_grant_privileges_to_role" "warehouse" { } resource "random_password" "main" { + count = (var.disable_password || var.password != null) ? 0 : 1 length = 16 special = true override_special = "!#$%&*()-_=+[]{}<>:?" @@ -51,7 +52,9 @@ resource "snowflake_user" "main" { name = "FULLSTORY_WAREHOUSE_SETUP_${local.suffix}" default_warehouse = var.warehouse_name default_role = snowflake_role.main.name - password = random_password.main.result + password = var.disable_password ? "" : (var.password != null ? var.password : random_password.main[0].result) + rsa_public_key = var.rsa_public_key + rsa_public_key_2 = var.rsa_public_key_2 } resource "snowflake_grant_privileges_to_role" "user" { @@ -74,7 +77,7 @@ resource "snowflake_role_grants" "main" { resource "snowflake_storage_integration" "main" { provider = snowflake.account_admin - name = "FULLSTORY_STAGE_${local.suffix}" + name = coalesce(var.stage_name, "FULLSTORY_STAGE_${local.suffix}") comment = "Stage for FullStory data" type = "EXTERNAL_STAGE" enabled = true diff --git a/outputs.tf b/outputs.tf index 4205d94..1410dcd 100644 --- a/outputs.tf +++ b/outputs.tf @@ -9,7 +9,7 @@ output "username" { } output "password" { - description = "The Fullstory password that can be used in the Fullstory app when configuring the Snowflake integration." + description = "The password for the configured user that can be used in the Fullstory app when configuring the Snowflake integration. Will be empty if `disable_password` is true." value = snowflake_user.main.password sensitive = true } diff --git a/variables.tf b/variables.tf index 21704cd..bcd019b 100644 --- a/variables.tf +++ b/variables.tf @@ -3,9 +3,28 @@ variable "database_name" { description = "The name of the Snowflake database to use" } +variable "role_name" { + type = string + description = "The name of the Snowflake role to create." + default = null +} + +variable "stage_name" { + type = string + description = "The name of the Snowflake stage to create." + default = null +} + +variable "password" { + type = string + description = "The password to use for the Snowflake user." + default = null + sensitive = true +} + variable "fullstory_cidr_ipv4" { type = string - description = "The CIDR block that Fullstory will use to connect to the Redshift cluster." + description = "The CIDR block that Fullstory will use to connect to Snowflake." default = "" } @@ -48,3 +67,21 @@ variable "warehouse_name" { type = string description = "The name of the Snowflake warehouse to use." } + +variable "disable_password" { + type = bool + default = false + description = "Whether to disable the password for the Snowflake user. If true, the user will only be able to authenticate using the RSA public key." +} + +variable "rsa_public_key" { + type = string + description = "The RSA public key to use for the Snowflake user. Must be on 1 line without header and trailer." + default = null +} + +variable "rsa_public_key_2" { + type = string + description = "The second RSA public key to use for the Snowflake user. Used when rotating keys. Must be on 1 line without header and trailer." + default = null +}