[Feature]: Support snowflake_user TYPE property #2951
Comments
mogren
added
the
feature-request
|
Hey, we will handle this as a part of user redesign (that is currently happening). Most probably, we will split the resource into three different ones (snowflake_user for people; snowflake_service_user and snowflake_legacy_service_user for the two others). Redesigned snowflake_user may be ready for the next release but snowflake_service_user and snowflake_legacy_service_user will most probably have to wait a version. |
|
Awesome, thanks for the update @sfc-gh-asawicki ! |
|
@sfc-gh-asawicki Hi Artur, any update on this? |
|
Hey @mogren 👋 |
|
Hi, Following the Snowflake security update email we received yesterday we now have a deadline to update users to 'service users' by 30th September. Is there any chance this is available in the TF by then? Thanks |
|
Hey 👋 |
|
Thanks @sfc-gh-jcieslak, yes, I was mainly wonderinga bout the service and legacy_service users. I'll continue to keep an eye on this ticket. |
|
@sfc-gh-jcieslak I noticed an unexpected behavior with 0.96.0 and user_type. snowflake_user gets created by default as NULL (PERSON), if we set it afterward to SERVICE, on next deploy the user is forced to be replaced:
On the other side, if we try to directly pass SERVICE at snowflake_user creation we receive:
So we have an egg-chicken problem, I think as soon as the new users types are not ready in Terraform provider the user_type property should be editable. Is there a way to make snowflake_user create user with type SERVICE directly in this particular phase? At the moment I am doing:
|
|
Hey @simonepm |
Hey any update on this? |
|
Hey all. I will focus on service and legacy service users this week, so they should be ready for next week's release. |
|
Any news regarding this issue? |
|
Hey @csp33, I was on sick leave, just got back to work, and this is my current priority. I expect to have it early next week. |
Introduce `snowflake_service_user` and `snowflake_legacy_service_user` resources: - Add new resources (almost the same schema and the same limitations as `snowflake_user` resource - read below) - Adjust datasource and add `type` to the `describe_output` - Adjust SDK: handling types - Add SDK integration tests to validate and document the Snowflake behavior of handling user types (create, alter set, alter unset, and parameters) - Fix `TestAcc_User_issue2970` test - Add migration guide - Generate models and assertions for the new resources - Fix sweepers References: #2951 ##### Implementation considerations Users of different types differ in Snowflake just slightly - a few fields are restricted from SERVICE and LEGACY_SERVICE type users. We decided to split Snowflake resources into multiple resources on our route to V1, to simplify the logic and usage (in this case, not to handle the type changes which are followed by attributes being hidden/revealed). That led to three choices for the implementation, to reuse the existing resource: - copy-paste `snowflake_user` resource - parameterized handling methods of `snowflake_user` resource with the user type - enrich the helper methods with the knowledge of the schema (i.e. to change the logic of setting a field to always check first if the attribute exists in the given schema) Ultimately, the second option was picked for the current implementation. More details of pros and cons of each solution are presented in points below. ###### copy-paste Pros: - Fastest implementation - We plan to ultimately generate the resources, so at the end the implementation would be close to duplicated resources Cons: - Need to alter the logic in three different places - Separate implementation of resources would require separate complete set of tests ###### parameterized handling methods Pros: - user object handled in "one" place - implementation reused, so only smoke acceptance tests are justified Cons: - more complex logic in user resource, spread over multiple handling methods ###### enrich the helper methods Pros: - user resource implementation could stay the same in helper methods (because the checks would be delegated to helper methods) - solution that can be reused in more resources - only smoke tests would be justified Cons: - SDKv2 does not allow to fetch the schema in context of helper methods without exposing unexported fields - "unsafe" solution potentially used in the majority of resources (because helper methods should be reused more and more)
|
Hey, we have just released v0.97.0 version of the provider (release notes, migration guide) containing the new user types in new separate resources snowflake_service_user and snowflake_legacy_service_user. |
|
Thanks, I tested and 0.97.0 new users resources suffers of this bug as well the old snowflake_user resource: |
|
Hey @simonepm, this is expected. |
|
I think the new snowflake_service_user resource is not setting the user type. And here's the resulting created user: Shouldn't the user have type="SERVICE"? Sorry if I am missing something obvious here. |
|
Hey @nidal123.
|
|
Closing as completed. Please create a new issue if you encounter problems with the new user resources. |
Use Cases or Problem Statement
The existing snowflake_user resource does not have the TYPE property. This is a big limitation for us, since it prevents us from creating SERVICE users, which is a great security feature.
We are currently getting a number of Critical security warnings in Trust Center because of this issue.
Category
category:resource
Object type(s)
resource:user
Proposal
Add a
typeproperty that acceptsPERSON | SERVICE | LEGACY_SERVICE | NULLHow much impact is this issue causing?
Medium
Additional Information
Commented on a related PR here:
#2947 (comment)
Would you like to implement a fix?
The text was updated successfully, but these errors were encountered: