From 6d574f8d09572fd5e1f3fe773cb7add55d020bc1 Mon Sep 17 00:00:00 2001
From: Cam Phillips <cam.phillips22@gmail.com>
Date: Wed, 25 Sep 2024 13:27:20 -0400
Subject: [PATCH] feat: RSA key configuration and more (#2)

Adds the ability to configure an RSA key for the snowflake user. Also adds the ability to configure the names for the resources in case the user wants to use a specific naming scheme.
---
 README.md    | 12 +++++++++---
 config.tf    |  2 +-
 main.tf      |  9 ++++++---
 outputs.tf   |  2 +-
 variables.tf | 39 ++++++++++++++++++++++++++++++++++++++-
 5 files changed, 55 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index f61b6b4..1f2fab9 100644
--- a/README.md
+++ b/README.md
@@ -14,17 +14,23 @@ This module **does not** create a reader role that can be used to view the data.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_snowflake"></a> [snowflake](#requirement\_snowflake) | >= 0.83.1 |
+| <a name="requirement_snowflake"></a> [snowflake](#requirement\_snowflake) | ~> 0.83.1 |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_database_name"></a> [database\_name](#input\_database\_name) | The name of the Snowflake database to use | `string` | n/a | yes |
-| <a name="input_fullstory_cidr_ipv4"></a> [fullstory\_cidr\_ipv4](#input\_fullstory\_cidr\_ipv4) | The CIDR block that Fullstory will use to connect to the Redshift cluster. | `string` | `""` | no |
+| <a name="input_disable_password"></a> [disable\_password](#input\_disable\_password) | Whether to disable the password for the Snowflake user. If true, the user will only be able to authenticate using the RSA public key. | `bool` | `false` | no |
+| <a name="input_fullstory_cidr_ipv4"></a> [fullstory\_cidr\_ipv4](#input\_fullstory\_cidr\_ipv4) | The CIDR block that Fullstory will use to connect to Snowflake. | `string` | `""` | no |
 | <a name="input_fullstory_data_center"></a> [fullstory\_data\_center](#input\_fullstory\_data\_center) | The data center where your Fullstory account is hosted. Either 'NA1' or 'EU1'. See https://help.fullstory.com/hc/en-us/articles/8901113940375-Fullstory-Data-Residency for more information. | `string` | `"NA1"` | no |
 | <a name="input_fullstory_storage_allowed_locations"></a> [fullstory\_storage\_allowed\_locations](#input\_fullstory\_storage\_allowed\_locations) | The list of allowed locations for the storage provider. This is an advanced option and should only be changed if instructed by Fullstory. Ex. <cloud>://<bucket>/<path>/ | `list(string)` | <pre>[<br>  "gcs://fullstoryapp-warehouse-sync-bundles"<br>]</pre> | no |
 | <a name="input_fullstory_storage_provider"></a> [fullstory\_storage\_provider](#input\_fullstory\_storage\_provider) | The storage provider to use. Either 'S3', 'GCS' or 'AZURE'. This is an advanced option and should only be changed if instructed by Fullstory. | `string` | `"GCS"` | no |
+| <a name="input_password"></a> [password](#input\_password) | The password to use for the Snowflake user. | `string` | `null` | no |
+| <a name="input_role_name"></a> [role\_name](#input\_role\_name) | The name of the Snowflake role to create. | `string` | `null` | no |
+| <a name="input_rsa_public_key"></a> [rsa\_public\_key](#input\_rsa\_public\_key) | The RSA public key to use for the Snowflake user. Must be on 1 line without header and trailer. | `string` | `null` | no |
+| <a name="input_rsa_public_key_2"></a> [rsa\_public\_key\_2](#input\_rsa\_public\_key\_2) | The second RSA public key to use for the Snowflake user. Used when rotating keys. Must be on 1 line without header and trailer. | `string` | `null` | no |
+| <a name="input_stage_name"></a> [stage\_name](#input\_stage\_name) | The name of the Snowflake stage to create. | `string` | `null` | no |
 | <a name="input_suffix"></a> [suffix](#input\_suffix) | The suffix to append to the names of the resources created by this module so that the module can be instantiated many times. Must only contain letters. | `string` | n/a | yes |
 | <a name="input_warehouse_name"></a> [warehouse\_name](#input\_warehouse\_name) | The name of the Snowflake warehouse to use. | `string` | n/a | yes |
 
@@ -33,7 +39,7 @@ This module **does not** create a reader role that can be used to view the data.
 | Name | Description |
 |------|-------------|
 | <a name="output_gcs_storage_integration"></a> [gcs\_storage\_integration](#output\_gcs\_storage\_integration) | The name of the GCS storage integration that can be used in the Fullstory app when configuring the Snowflake integration. |
-| <a name="output_password"></a> [password](#output\_password) | The Fullstory password that can be used in the Fullstory app when configuring the Snowflake integration. |
+| <a name="output_password"></a> [password](#output\_password) | The password for the configured user that can be used in the Fullstory app when configuring the Snowflake integration. Will be empty if `disable_password` is true. |
 | <a name="output_role"></a> [role](#output\_role) | The Fullstory role that can be used in the Fullstory app when configuring the Snowflake integration. |
 | <a name="output_username"></a> [username](#output\_username) | The Fullstory username that can be used in the Fullstory app when configuring the Snowflake integration. |
 
diff --git a/config.tf b/config.tf
index fb72b5f..1592762 100644
--- a/config.tf
+++ b/config.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     snowflake = {
       source  = "Snowflake-Labs/snowflake"
-      version = ">= 0.83.1"
+      version = "~> 0.83.1"
       configuration_aliases = [
         snowflake.account_admin,
         snowflake.security_admin,
diff --git a/main.tf b/main.tf
index a9902a0..93d4d3b 100644
--- a/main.tf
+++ b/main.tf
@@ -17,7 +17,7 @@ provider "snowflake" {
 
 resource "snowflake_role" "main" {
   provider = snowflake.security_admin
-  name     = "FULLSTORY_WAREHOUSE_SETUP_${local.suffix}"
+  name     = coalesce(var.role_name, "FULLSTORY_WAREHOUSE_SETUP_${local.suffix}")
 }
 
 resource "snowflake_grant_privileges_to_role" "database" {
@@ -41,6 +41,7 @@ resource "snowflake_grant_privileges_to_role" "warehouse" {
 }
 
 resource "random_password" "main" {
+  count = (var.disable_password || var.password != null) ? 0 : 1
   length           = 16
   special          = true
   override_special = "!#$%&*()-_=+[]{}<>:?"
@@ -51,7 +52,9 @@ resource "snowflake_user" "main" {
   name              = "FULLSTORY_WAREHOUSE_SETUP_${local.suffix}"
   default_warehouse = var.warehouse_name
   default_role      = snowflake_role.main.name
-  password          = random_password.main.result
+  password          = var.disable_password ? "" : (var.password != null ? var.password : random_password.main[0].result)
+  rsa_public_key = var.rsa_public_key
+  rsa_public_key_2 = var.rsa_public_key_2
 }
 
 resource "snowflake_grant_privileges_to_role" "user" {
@@ -74,7 +77,7 @@ resource "snowflake_role_grants" "main" {
 
 resource "snowflake_storage_integration" "main" {
   provider = snowflake.account_admin
-  name     = "FULLSTORY_STAGE_${local.suffix}"
+  name     = coalesce(var.stage_name, "FULLSTORY_STAGE_${local.suffix}")
   comment  = "Stage for FullStory data"
   type     = "EXTERNAL_STAGE"
   enabled  = true
diff --git a/outputs.tf b/outputs.tf
index 4205d94..1410dcd 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -9,7 +9,7 @@ output "username" {
 }
 
 output "password" {
-  description = "The Fullstory password that can be used in the Fullstory app when configuring the Snowflake integration."
+  description = "The password for the configured user that can be used in the Fullstory app when configuring the Snowflake integration. Will be empty if `disable_password` is true."
   value       = snowflake_user.main.password
   sensitive   = true
 }
diff --git a/variables.tf b/variables.tf
index 21704cd..bcd019b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -3,9 +3,28 @@ variable "database_name" {
   description = "The name of the Snowflake database to use"
 }
 
+variable "role_name" {
+  type = string
+  description = "The name of the Snowflake role to create."
+  default = null
+}
+
+variable "stage_name" {
+  type = string
+  description = "The name of the Snowflake stage to create."
+  default = null
+}
+
+variable "password" {
+  type = string
+  description = "The password to use for the Snowflake user."
+  default = null
+  sensitive = true
+}
+
 variable "fullstory_cidr_ipv4" {
   type        = string
-  description = "The CIDR block that Fullstory will use to connect to the Redshift cluster."
+  description = "The CIDR block that Fullstory will use to connect to Snowflake."
   default     = ""
 }
 
@@ -48,3 +67,21 @@ variable "warehouse_name" {
   type        = string
   description = "The name of the Snowflake warehouse to use."
 }
+
+variable "disable_password" {
+  type = bool
+  default = false
+  description = "Whether to disable the password for the Snowflake user. If true, the user will only be able to authenticate using the RSA public key."
+}
+
+variable "rsa_public_key" {
+  type = string
+  description = "The RSA public key to use for the Snowflake user. Must be on 1 line without header and trailer."
+  default = null
+}
+
+variable "rsa_public_key_2" {
+  type = string
+  description = "The second RSA public key to use for the Snowflake user. Used when rotating keys. Must be on 1 line without header and trailer."
+  default = null
+}