IaC Snowflake Resources Terraform Configuration

Terraform, an open-source Infrastructure as Code (IaC) tool developed by HashiCorp, uses a declarative approach for managing infrastructure resources. Unlike imperative programming languages like Java, which require explicit, sequential commands to achieve a specific outcome, Terraform enables users to define their desired infrastructure state through configuration files using a YAML-like syntax. This approach abstracts the complexity of manual infrastructure management by allowing users to focus on "what" the final state should be rather than "how" to achieve it.

With Terraform, users can efficiently manage a wide range of Snowflake resources—including Warehouses, Databases, Schemas, Tables, and Roles/Grants—by defining their desired state in configuration files. Terraform maintains a detailed record of the current state of these resources and compares it against the desired state specified by the user. Based on this comparison, Terraform automatically generates a reconciliation plan to bring the existing infrastructure into alignment with the desired configuration. This process involves creating, updating, or deleting resources as needed, enabling consistent, repeatable, and predictable management of infrastructure components.

The configuration leverages the IaC Snowflake User RSA key pairs Rotation Terraform module to automate the creation and rotation of RSA key pairs for a Snowflake service account user. This module ensures that each RSA key pair is securely rotated based on a defined schedule, reducing the risk of credential compromise and improving the overall security of the data streaming environment.

To protect sensitive credentials, the configuration securely stores the generated RSA key pairs for both resources in AWS Secrets Manager, ensuring that only authorized users and services have access to these credentials. This secure storage method prevents unauthorized access and minimizes the risk of key exposure.

Table of Contents

• 1.0 Let's get started!
• 2.0 Resources

1.0 Let's get started!

These are the steps

1. Take care of the cloud and local environment prequisities listed below:

   You need to have the following cloud accounts:

   • GitHub Account with OIDC configured for AWS
   • Snowflake Account
   • Terraform Cloud Account

   You need to have the following installed on your local machine:

   • Terraform CLI version 1.85 or higher

2. Clone the repo:

   git clone https://github.com/j3-signalroom/create-snowflake_admin_user-with_rsa_key_pair_authentication.git

   Then refer to create-snowflake_admin_user-with_rsa_key_pair_authentication README to set it up.

3. Clone the repo:

   git clone https://github.com/j3-signalroom/iac-snowflake-user-rsa_key_pairs_generator-lambda.git

   Then refer to iac-snowflake-user-rsa_key_pairs_generator-lambda README to set it up.

4. Clone the repo:

   git clone https://github.com/j3-signalroom/iac-snowflake-resources-tf.git

5. Update the cloned Terraform module's main.tf by following these steps:

   a. Locate the terraform.cloud block and replace signalroom with your Terraform Cloud Organization Name.

   b. In the terraform.cloud.workspaces block, replace iac-snowflake-resources-workspace with your Terraform Cloud Organization's Workspaces Name.

6. To run repo's Terraform configuration locally, follow these steps:

   a. Navigate to the root folder of the iac-snowflake-resources-tf/ repository that you cloned.

   b. Open a terminal in this directory.

   c. Execute the following script:

   scripts/run-terraform-locally.sh <create | delete> --profile=<SSO_PROFILE_NAME> \
                                                      --snowflake_warehouse=<SNOWFLAKE_WAREHOUSE> \
                                                      --service_account_user=<SERVICE_ACCOUNT_USER> \
                                                      --day_count=<DAY_COUNT>

   Argument placeholder	Replace with
   <SSO_PROFILE_NAME>	your AWS SSO profile name for your AWS infrastructue that host your AWS Secrets Manager.
   <SNOWFLAKE_WAREHOUSE>	the Snowflake warehouse (or "virtual warehouse") you choose to run the resources in Snowflake.
   <SERVICE_ACCOUNT_USER>	the Snowflake service account user who is to be assigned the RSA key pairs for its authentication.
   <DAY_COUNT>	how many day(s) should the RSA key pairs be rotated for.

7. Or, to run the repository's Terraform configuration from GitHub, follow these steps:

   a. Deploy the Repository: Ensure that you have cloned or forked the repository to your GitHub account.

   b. Set Required Secrets and Variables: Before running any of the GitHub workflows provided in the repository, you must define at least the AWS_DEV_ACCOUNT_ID variable (which should contain your AWS Account ID for your development environment). To do this:

   • Go to the Settings of your cloned or forked repository in GitHub.

   • Navigate to Secrets and Variables > Actions.

   • Add the AWS_DEV_ACCOUNT_ID and any other required variables or secrets.

   c. Navigate to the Actions Page:

   • From the cloned or forked repository on GitHub, click on the Actions tab.

   d. Select and Run the Deploy Workflow:

   • Find the Deploy workflow link on the left side of the Actions page and click on it.

     

   • On the Deploy workflow page, click the Run workflow button.

   • A workflow dialog box will appear. Fill in the necessary details and click Run workflow to initiate the Terraform deployment process.

     

   By following these steps, you will run the Terraform configuration directly from GitHub, leveraging GitHub Actions for automation and deployment.

2.0 Resources

Snowflake's Terraforming Quickstart

Terraform Snowflake Provider Beta 0.97.0

Roadmap