terraform-provider-snowflake icon indicating copy to clipboard operation
terraform-provider-snowflake copied to clipboard

Published 20 hours ago verified publisher icon Snowflake-Labs

[Feature]: For `notify_users` if an email address has not been verified, fail during `terraform plan`

Open mendhak opened this issue 8 months ago • 4 comments

Use Cases or Problem Statement

When setting up snowflake_resource_monitor, we can set up notify_users.

The notify_users' email addresses need to be verified, or the terraform apply fails.

For teams running pipelines (users submit PRs, goes through approvals, then deployments), finding out that a user has not verified their email during the apply phase is too late; and often leads to multiple iterations, more conversations, and speed bumps.

Feature request - it would be good to know that the email address has not been verified during the plan phase.

Category

category:resource

Object type(s)

No response

Proposal

Have terraform plan fail if any of the users listed in notify_users does not have a verified email address.

How much impact is this issue causing?

Low

Additional Information

No response

Would you like to implement a fix?

  • [ ] Yeah, I'll take it 😎

mendhak avatar Mar 11 '25 11:03 mendhak

Hey @mendhak. Thanks for reaching out to us.

The provider communicates with Snowflake through SQL statements. We do not copy the Snowflake logic inside the provider; we depend on Snowflake internal validations. This is why this error happens during apply. I am not familiar with any Snowflake SQL command capable of doing this validation for the given user (so that we could pre-validate it in this case). Do you happen to know one that we could leverage here? Otherwise, there's not much we can do.

sfc-gh-asawicki avatar Mar 11 '25 13:03 sfc-gh-asawicki

Hi I asked Snowflake support, and the closest I can see, to be able to tell if a user has validated their email or not is in two statements:

call SYSTEM$GET_USERS_FOR_COLLABORATION();
SELECT
  value:emailValidationState::STRING as emailValidationState
FROM
  TABLE(RESULT_SCAN(LAST_QUERY_ID())),
  TABLE(FLATTEN(input => PARSE_JSON($1)))
WHERE
  value:name::STRING = 'USERNAME_GOES_HERE';

That first call, call SYSTEM$GET_USERS_FOR_COLLABORATION(); returns a big JSON array of every user along with their validation status.

Could that be useful?

mendhak avatar Mar 12 '25 14:03 mendhak

Hey @mendhak. Yes, that's something we could proceed with, thank you.

I can't provide any timeline at this time, as we are invested hard in going GA (https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/ROADMAP.md#07022025-ga-scope-and-roadmap) now. We will consider it one of the topics when we set priorities after GA.

I will keep this issue open and provide updates when know more. Would it be okay?

sfc-gh-asawicki avatar Mar 12 '25 15:03 sfc-gh-asawicki

Thanks that's great, I appreciate your time.

mendhak avatar Mar 12 '25 15:03 mendhak