terraform-provider-snowflake
[Feature]: Support snowflake_user TYPE property
Use Cases or Problem Statement
The existing snowflake_user resource does not have the TYPE property. This is a big limitation for us, since it prevents us from creating SERVICE users, which is a great security feature.
We are currently getting a number of Critical security warnings in Trust Center because of this issue.
Category
category:resource
Object type(s)
resource:user
Proposal
Add a type property that accepts PERSON | SERVICE | LEGACY_SERVICE | NULL
How much impact is this issue causing?
Medium
Additional Information
Commented on a related PR here:
https://github.com/Snowflake-Labs/terraform-provider-snowflake/pull/2947#issuecomment-2239850099
Would you like to implement a fix?
- [ ] Yeah, I'll take it 😎
Hey, we will handle this as a part of user redesign (that is currently happening).
Most probably, we will split the resource into three different ones (snowflake_user for people; snowflake_service_user and snowflake_legacy_service_user for the two others).
Redesigned snowflake_user may be ready for the next release but snowflake_service_user and snowflake_legacy_service_user will most probably have to wait a version.
Awesome, thanks for the update @sfc-gh-asawicki!
@sfc-gh-asawicki Hi Artur, any update on this?
Hey @mogren 👋 What exactly would you like to know? If you're asking about the user rework, it was released as part of v0.95.0. The rest of the user resources (service and legacy_service) have to still wait a little (after today's release, a version or two). Artur is on vacation right now, but I'm guessing that will be one of his priorities after he comes back next week.
Hi,
Following the Snowflake security update email we received yesterday we now have a deadline to update users to 'service users' by 30th September.
Is there any chance this is available in the TF by then?
Thanks
Hey 👋 As far as I know, starting in October, the only thing that will be enforced is multi-factor authentication (MFA), not service users. Nevertheless, the timeline of missing user types will be discussed on Monday. I'll let you know the outcome of those discussions.
Thanks @sfc-gh-jcieslak, yes, I was mainly wondering about the service and legacy_service users. I'll continue to keep an eye on this ticket.
@sfc-gh-jcieslak I noticed an unexpected behavior with 0.96.0 and user_type.
snowflake_user gets created by default as NULL (PERSON); if we set it afterwards to SERVICE, on the next deploy the user is forced to be replaced:
user_type = "SERVICE" # forces replacement -> (known after apply) # forces replacement
On the other side, if we try to directly pass SERVICE at snowflake_user creation we receive:
Can't configure a value for "user_type": its value will be decided automatically based on the result of applying this configuration.
So we have a chicken-and-egg problem; I think, as long as the new user types are not ready in the Terraform provider, the user_type property should be editable.
Is there a way to make snowflake_user create a user with type SERVICE directly in this particular phase?
At the moment I am doing:
lifecycle { ignore_changes = [user_type] }
Hey @simonepm
As @sfc-gh-asawicki mentioned above, additional user types will be separate resources. snowflake_user represents the regular (PERSON) user type. Additional resources that will give you the ability to manage other user types will be added in the next versions of the provider (right now only PERSON is available). The user_type field in the snowflake_user resource is a computed value, meaning it is only settable by the provider (it gets its value from Snowflake). Currently, this field will apply ForceNew logic (drop and create) whenever user_type is equal to anything other than PERSON. If you changed the user type to SERVICE or LEGACY_SERVICE in the worksheet and want to manage this user with snowflake_user, it may work, but we don't guarantee it will because different types of users may act differently in some cases. Setting lifecycle { ignore_changes = [user_type] } is only a workaround to manage "non-person" users with snowflake_user.
Hey any update on this?
Hey all.
I will focus on service and legacy service users this week, so they should be ready for next week's release.
hi @sfc-gh-asawicki
Any news regarding this issue? Thanks! 😃
Hey @csp33, I was on sick leave, just got back to work, and this is my current priority. I expect to have it early next week.
Hey, we have just released v0.97.0 of the provider (release notes, migration guide), containing the new user types in the new separate resources snowflake_service_user and snowflake_legacy_service_user.
Thanks, I tested it, and the 0.97.0 new user resources suffer from this bug as well as the old snowflake_user resource:
https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/3125
Hey @simonepm, this is expected.
I think the new snowflake_service_user resource is not setting the user type. For example, here's my code:
resource "snowflake_service_user" "nidal_testing_service_user" {
  provider = snowflake.useradmin
  name     = "nidal_testing_service_user"
}
And here's the resulting created user:
Shouldn't the user have type="SERVICE"? Sorry if I am missing something obvious here.
Hey @nidal123.
- What role do you use to run the SHOW command you have pasted? According to the Snowflake docs you need to have OWNERSHIP on the given user or the MANAGE GRANTS privilege on the account. Without them, it's possible you don't see the type.
- Please run your config with TF_LOG=DEBUG environment variable; you should see a statement similar to
CREATE USER "nidal_testing_service_user" TYPE = SERVICE (this is the output I get running a similar config now), which should confirm that the service user with the proper type is being created.
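The two situations discussed in this thread, the pre-0.97.0 workaround with a computed user_type on snowflake_user and the dedicated per-type resources from v0.97.0 onwards, side by side as an added example (this is not configuration from the issue or from the provider's own documentation). The provider source and the name and comment attributes match what the thread uses; the rsa_public_key attribute on snowflake_service_user, the disabled flag and all user names are assumptions made for illustration.

```hcl
# Added example, not from the issue thread or the provider's docs.
# Assumed: attribute names other than `name` and `comment` exist on the
# new resources as they do on snowflake_user; all user names are constructed.

terraform {
  required_providers {
    snowflake = {
      source  = "Snowflake-Labs/snowflake"
      version = ">= 0.97.0"
    }
  }
}

# Before v0.97.0 there was only snowflake_user. Its user_type is computed:
# it cannot be set in config, and any value other than PERSON read back from
# Snowflake triggers ForceNew (drop and re-create). Ignoring the attribute is
# the workaround from the thread, not a supported way to manage service users.
resource "snowflake_user" "legacy_workaround" {
  name = "ETL_LOADER_OLD" # constructed name

  lifecycle {
    ignore_changes = [user_type]
  }
}

# From v0.97.0 each user type has its own resource. The provider emits
# CREATE USER ... TYPE = SERVICE itself, so there is no type to configure.
resource "snowflake_service_user" "etl_loader" {
  name    = "ETL_LOADER" # constructed name
  comment = "Pipeline service account, key-pair authentication only"

  # Service users are for programmatic access; giving them a key pair
  # instead of a password keeps them out of password-based Trust Center
  # findings. The key comes from a variable so it is never hard-coded.
  rsa_public_key = var.etl_loader_public_key # assumed attribute name
}

# LEGACY_SERVICE is the type for integrations that still need password
# authentication; keeping them in a separate resource makes them easy to
# inventory and retire.
resource "snowflake_legacy_service_user" "vendor_tool" {
  name     = "VENDOR_TOOL" # constructed name
  comment  = "Legacy integration that still requires password auth"
  disabled = false # assumed attribute name
}

variable "etl_loader_public_key" {
  description = "RSA public key for ETL_LOADER, supplied from a secret store"
  type        = string
  sensitive   = true
}
```

To confirm the type actually applied, follow the steps from the comment above: run the apply with TF_LOG=DEBUG set and look for the CREATE USER statement with TYPE = SERVICE in the log, and check SHOW USERS with a role that has OWNERSHIP on the user or MANAGE GRANTS on the account, since without those privileges the type column may not be visible.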
Closing as completed. Please create a new issue if you encounter problems with the new user resources.