
[Feature]: Add support for new Account parameters ADMIN_USER_TYPE etc #3121

Open
1 task
sean-stage opened this issue Oct 9, 2024 · 5 comments
Labels
feature-request Used to mark issues with provider's missing functionalities resource:account Issue connected to the snowflake_account resource

Comments

@sean-stage

sean-stage commented Oct 9, 2024

Use Cases or Problem Statement

Snowflake is introducing new parameters for account creation, specifically relevant for use cases where accounts are created programmatically.

As part of our continued effort to improve our customer security, we recently announced enforcement of MFA by default for new Snowflake accounts. This change will be introduced as part of BCR Bundle 2024_08 and your account will be impacted by this change. This bundle is expected to be deployed for testing during the week of October 7th, 2024 in release 8.38. Please note dates are subject to change.

Details of the changes are below:

What you need to do

We recommend following the steps in this whitepaper and this video. More specifically:

When creating new accounts programmatically, use the newly introduced ADMIN_USER_TYPE property for the admin as part of account creation

CREATE ACCOUNT [ ADMIN_USER_TYPE = PERSON | SERVICE | LEGACY_SERVICE | NULL ]

For human users, set ADMIN_USER_TYPE=PERSON. PERSON users will be subject to MFA policies. 

For service users, set ADMIN_USER_TYPE=SERVICE. SERVICE users will not be subject to MFA policies. 

Service users will not be allowed to use passwords by policy and the caller should specify ADMIN_RSA_PUBLIC_KEY instead of admin password as part of account creation. 

If your service users cannot use key pair authentication, set ADMIN_USER_TYPE=LEGACY_SERVICE during account creation and continue setting up passwords. LEGACY_SERVICE users will not be subject to MFA policies. 

LEGACY_SERVICE users are not allowed to log in via UI and cannot have a first name / last name. See this link for more details.

LEGACY_SERVICE is a temporary solution and we highly recommend that you fix your tooling.

Read more about user types and their limitations in the create user documentation.

For users created after a new account is bootstrapped

Make sure to mark the TYPE for all users

For human users TYPE=PERSON, follow the DUO enrollment process and start using MFA

For service users TYPE=SERVICE, make sure to either: 1) use external OAuth (preferred), or 2) use key pair authentication combined with network policy. 

If a service user cannot leverage a key pair, mark them as TYPE=LEGACY_SERVICE. This is a temporary solution and we highly recommend that you fix your deployment based on the above.

This feature request would be to update the Account resource to support the newly introduced arguments/parameters, and also update the User resource to support the Snowflake TYPE setting (e.g. TYPE = "SERVICE" or TYPE = "PERSON").

Having had a look, I can see some sort of awareness of this as a //TODO comment in: https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/97fa9b4485cf26c5bf93dedfe3b88f688a71b3e6/pkg/resources/user.go#L206C1-L206C14

[SNOW-1645348]: revisit with service user work

Category

category:resource

Object type(s)

resource:account

Proposal

Update the Account resource

How much impact is this issue causing?

Low

Additional Information

No response

Would you like to implement a fix?

  • Yeah, I'll take it 😎
@sean-stage sean-stage added the feature-request Used to mark issues with provider's missing functionalities label Oct 9, 2024
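The two workflows the issue asks for, a new account bootstrapped with a SERVICE admin (key pair, no password) and an existing user retyped through the unsafe_execute workaround the maintainers mention below, as an added Terraform example that is not part of the original issue or the provider's documentation. The snowflake_account attribute names are assumptions based on the reworked resource; the account, user, variable and key-file names are constructed.

```hcl
# Added example, not from the issue or the provider docs. Attribute names on
# snowflake_account are assumed from the reworked resource; verify against
# the provider version you run.

variable "analyst_admin_password" {
  type      = string
  sensitive = true # supplied from a secret store, never committed
}

# Service-style account: the bootstrap admin is a SERVICE user, so it gets an
# RSA public key instead of a password and is not subject to the MFA default.
resource "snowflake_account" "etl_service_account" {
  name                 = "ETL_SERVICE_ACCOUNT" # constructed name
  admin_name           = "ETL_ADMIN"
  admin_user_type      = "SERVICE"
  admin_rsa_public_key = file("${path.module}/etl_admin_rsa.pub") # public half only
  email                = "platform-team@example.com"
  edition              = "ENTERPRISE"
  grace_period_in_days = 3
}

# Human-operated account: a PERSON admin keeps a password and falls under the
# MFA-by-default policy, so they enrol in Duo on first login.
resource "snowflake_account" "analyst_account" {
  name                 = "ANALYST_ACCOUNT"
  admin_name           = "ANALYST_ADMIN"
  admin_user_type      = "PERSON"
  admin_password       = var.analyst_admin_password
  must_change_password = true
  first_name           = "Ada"
  last_name            = "Lovelace"
  email                = "ada@example.com"
  edition              = "ENTERPRISE"
  grace_period_in_days = 3
}

# Users in an already-bootstrapped account: until the user resource exposes
# TYPE, run the ALTER USER directly (the UNSET form for revert is assumed).
resource "snowflake_unsafe_execute" "etl_loader_type" {
  execute = "ALTER USER ETL_LOADER SET TYPE = SERVICE"
  revert  = "ALTER USER ETL_LOADER UNSET TYPE"
}
```

A SERVICE user may not hold a password, so unset any existing password on ETL_LOADER and attach a key pair plus a network policy before applying the retype.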
@sfc-gh-asawicki
Collaborator

Hey @sean-stage. Thanks for reaching out to us.

We have it on our radar. We will check if the new syntax breaks the current account resource implementation this or early next week and adjust it if needed. I will leave a comment in this issue after these tests.

The new parameters will be handled no sooner than with the account resource rework (https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/v1-preparations/ESSENTIAL_GA_OBJECTS.MD) that is incoming. Before that you can use https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/unsafe_execute to change the type.

@sfc-gh-asawicki sfc-gh-asawicki added the resource:account Issue connected to the snowflake_account resource label Oct 9, 2024
@sean-stage
Author

Thanks for the response Artur @sfc-gh-asawicki

@sean-stage
Author

Hi @sfc-gh-asawicki Artur, any progress on this front? Snowflake Trust Center is now flagging accounts without MFA around this, and it'll be nice to ensure programmatically created service style accounts are set to the correct 'type' via Terraform.

@sfc-gh-jcieslak
Collaborator

Hello 👋
Recently, we released v0.100.0 and v1.0.0 that contain the reworked account resource. The admin_user_type is supported there; please migrate with the use of the migration guide and let us know if the issue can be closed. Thank You :)
