fullstorydev/terraform-snowflake-fullstory-warehouse-setup

terraform-snowflake-fullstory-warehouse-setup


This module creates all the proper roles, users, grants, and storage integrations so that Fullstory can connect to the database and load data. For more information, check out this KB article.

This module does not create a reader role that can be used to view the data. To query the data inside Snowflake, you should create a role capable of reading the proper tables and columns according to your policies.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13 |
| snowflake | >= 0.83.1 |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| database_name | The name of the Snowflake database to use. | string | n/a | yes |
| fullstory_cidr_ipv4 | The CIDR block that Fullstory will use to connect to the Redshift cluster. | string | "" | no |
| fullstory_data_center | The data center where your Fullstory account is hosted. Either 'NA1' or 'EU1'. See https://help.fullstory.com/hc/en-us/articles/8901113940375-Fullstory-Data-Residency for more information. | string | "NA1" | no |
| fullstory_storage_allowed_locations | The list of allowed locations for the storage provider. This is an advanced option and should only be changed if instructed by Fullstory. Ex. //// | list(string) | ["gcs://fullstoryapp-warehouse-sync-bundles"] | no |
| fullstory_storage_provider | The storage provider to use. Either 'S3', 'GCS' or 'AZURE'. This is an advanced option and should only be changed if instructed by Fullstory. | string | "GCS" | no |
| suffix | The suffix to append to the names of the resources created by this module so that the module can be instantiated many times. Must only contain letters. | string | n/a | yes |
| warehouse_name | The name of the Snowflake warehouse to use. | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| gcs_storage_integration | The name of the GCS storage integration that can be used in the Fullstory app when configuring the Snowflake integration. |
| password | The Fullstory password that can be used in the Fullstory app when configuring the Snowflake integration. |
| role | The Fullstory role that can be used in the Fullstory app when configuring the Snowflake integration. |
| username | The Fullstory username that can be used in the Fullstory app when configuring the Snowflake integration. |

Usage

resource "snowflake_database" "main" {
  name = "MY_DATABASE"
}

resource "snowflake_warehouse" "main" {
  name           = "MY_WAREHOUSE"
  warehouse_size = "small"
  auto_suspend   = 60
}

module "fullstory_warehouse_setup" {
  source = "fullstorydev/fullstory-warehouse-setup/snowflake"
  providers = {
    snowflake.account_admin  = snowflake.account_admin
    snowflake.security_admin = snowflake.security_admin
    snowflake.sys_admin      = snowflake.sys_admin
  }

  database_name         = snowflake_database.main.name
  warehouse_name        = snowflake_warehouse.main.name
  fullstory_data_center = "NA1"
  suffix                = "ACME" # This should represent this module's unique identifier
}

output "fullstory_warehouse_setup_role" {
  value = module.fullstory_warehouse_setup.role
}

output "fullstory_warehouse_setup_username" {
  value = module.fullstory_warehouse_setup.username
}

output "fullstory_warehouse_setup_password" {
  value     = module.fullstory_warehouse_setup.password
  # The module marks the password as sensitive; a root output that passes it
  # through must be marked sensitive as well or Terraform (>= 0.15) refuses the plan.
  sensitive = true
}

output "fullstory_warehouse_setup_gcs_storage_integration" {
  value = module.fullstory_warehouse_setup.gcs_storage_integration
}
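The module call above references three aliased providers (snowflake.account_admin, snowflake.security_admin and snowflake.sys_admin) but the README does not show how they are declared. The following is an added example, not code from the module or from Fullstory, of one way to declare them so that each Terraform action runs under the least-privileged Snowflake role that can perform it. The provider source and the role argument are the real Snowflake-Labs provider's; the choice of exactly these three roles, and the assumption that the account, user and credentials are supplied through the provider's environment variables rather than written into the configuration, are this example's.

```hcl
# Added example (not from the module's README). Account, user and credentials are
# assumed to come from the provider's environment variables (SNOWFLAKE_ACCOUNT,
# SNOWFLAKE_USER and a key-pair or password variable), so no secret is committed here.
terraform {
  required_version = ">= 0.13"
  required_providers {
    snowflake = {
      source  = "Snowflake-Labs/snowflake"
      version = ">= 0.83.1"
    }
  }
}

# Storage integrations need the CREATE INTEGRATION privilege, which by default
# only ACCOUNTADMIN holds. Scope this alias to that single job.
provider "snowflake" {
  alias = "account_admin"
  role  = "ACCOUNTADMIN"
}

# Roles, users and grants are managed by SECURITYADMIN.
provider "snowflake" {
  alias = "security_admin"
  role  = "SECURITYADMIN"
}

# Databases and warehouses are owned by SYSADMIN.
provider "snowflake" {
  alias = "sys_admin"
  role  = "SYSADMIN"
}

# The database and warehouse from the Usage block above should be created under
# the owning role rather than the default provider, e.g.:
resource "snowflake_database" "main" {
  provider = snowflake.sys_admin
  name     = "MY_DATABASE"
}

resource "snowflake_warehouse" "main" {
  provider       = snowflake.sys_admin
  name           = "MY_WAREHOUSE"
  warehouse_size = "small"
  auto_suspend   = 60
}
```

Keeping the ACCOUNTADMIN alias separate makes it visible in the plan which resources actually require the account-wide role; everything else runs under SECURITYADMIN or SYSADMIN, which limits the blast radius if the credentials used for a Terraform run are exposed.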

Creating a READER role

This module does not create a READER role. You can use the following example to create a READER role that will allow a user to use and read all objects and all future objects in the database.

resource "snowflake_role" "data_user_role" {
  provider = snowflake.security_admin
  name     = "READER"
}

resource "snowflake_grant_privileges_to_role" "data_user_database" {
  provider  = snowflake.security_admin
  role_name = snowflake_role.data_user_role.name

  privileges = ["USAGE", "MONITOR"]
  on_account_object {
    object_name = "MY_DATABASE"
    object_type = "DATABASE"
  }
}

resource "snowflake_grant_privileges_to_role" "data_user_schema" {
  provider  = snowflake.security_admin
  role_name = snowflake_role.data_user_role.name

  privileges = [
    "USAGE",
    "MONITOR",
  ]
  on_schema {
    all_schemas_in_database = "MY_DATABASE"
  }
}

resource "snowflake_grant_privileges_to_role" "data_user_future_schema" {
  provider  = snowflake.security_admin
  role_name = snowflake_role.data_user_role.name

  privileges = [
    "USAGE",
    "MONITOR",
  ]
  on_schema {
    future_schemas_in_database = "MY_DATABASE"
  }
}

resource "snowflake_grant_privileges_to_role" "data_user_tables" {
  provider  = snowflake.security_admin
  role_name = snowflake_role.data_user_role.name

  privileges = ["SELECT"]
  on_schema_object {
    all {
      object_type_plural = "TABLES"
      in_database        = "MY_DATABASE"
    }
  }
}

resource "snowflake_grant_privileges_to_role" "data_user_future_tables" {
  provider  = snowflake.security_admin
  role_name = snowflake_role.data_user_role.name

  privileges = ["SELECT"]
  on_schema_object {
    future {
      object_type_plural = "TABLES"
      in_database        = "MY_DATABASE"
    }
  }
}

resource "snowflake_grant_privileges_to_role" "data_user_views" {
  provider  = snowflake.security_admin
  role_name = snowflake_role.data_user_role.name

  privileges = ["SELECT"]
  on_schema_object {
    all {
      object_type_plural = "VIEWS"
      in_database        = "MY_DATABASE" # same database as the grants above; the original referenced an undefined snowflake_database.db
    }
  }
}

resource "snowflake_grant_privileges_to_role" "data_user_future_views" {
  provider  = snowflake.security_admin
  role_name = snowflake_role.data_user_role.name

  privileges = ["SELECT"]
  on_schema_object {
    future {
      object_type_plural = "VIEWS"
      in_database        = "MY_DATABASE"
    }
  }
}

resource "snowflake_grant_privileges_to_role" "data_user_mat_views" {
  provider  = snowflake.security_admin
  role_name = snowflake_role.data_user_role.name

  privileges = ["SELECT"]
  on_schema_object {
    all {
      object_type_plural = "MATERIALIZED VIEWS"
      in_database        = "MY_DATABASE"
    }
  }
}


resource "snowflake_grant_privileges_to_role" "data_user_future_mat_views" {
  provider  = snowflake.security_admin
  role_name = snowflake_role.data_user_role.name

  privileges = ["SELECT"]
  on_schema_object {
    future {
      object_type_plural = "MATERIALIZED VIEWS"
      in_database        = "MY_DATABASE"
    }
  }
}
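The READER role above grants USAGE on the database and schemas and SELECT on tables and views, but on its own nobody can run a query with it: the role still needs USAGE on a warehouse to spend compute, and it has to be granted to a user. The following is an added example, not part of the README, that completes the picture. It assumes the warehouse name MY_WAREHOUSE from the Usage section and a hypothetical user named ANALYST; the resources snowflake_grant_privileges_to_role, snowflake_user and snowflake_role_grants are those of the Snowflake-Labs provider at the version range the module requires.

```hcl
# Added example (not from the module's README). Assumes the READER role and the
# snowflake.security_admin provider alias declared above.

# USAGE alone lets the role run queries on the warehouse. OPERATE and MODIFY
# are deliberately withheld so a reader cannot resize, suspend or resume it.
resource "snowflake_grant_privileges_to_role" "data_user_warehouse" {
  provider  = snowflake.security_admin
  role_name = snowflake_role.data_user_role.name

  privileges = ["USAGE"]
  on_account_object {
    object_name = "MY_WAREHOUSE" # assumed: the warehouse from the Usage section
    object_type = "WAREHOUSE"
  }
}

# A hypothetical analyst user. Defaults point at the reader role and warehouse
# so a session cannot accidentally start under a more privileged role.
resource "snowflake_user" "analyst" {
  provider          = snowflake.security_admin
  name              = "ANALYST"
  default_role      = snowflake_role.data_user_role.name
  default_warehouse = "MY_WAREHOUSE"
  # Credential (rsa_public_key for key-pair auth, or password) intentionally
  # left out of the example; key-pair authentication is the preferred choice.
}

# Grant the READER role to the user. The grant, not the user, is what scopes
# what they can see, so revoking access is a one-resource change.
resource "snowflake_role_grants" "data_user_role_to_analyst" {
  provider  = snowflake.security_admin
  role_name = snowflake_role.data_user_role.name
  users     = [snowflake_user.analyst.name]
}
```

Because the reader role carries only SELECT and USAGE, it cannot create, alter or drop objects in the database; if an analyst's credentials leak, the exposure is limited to reading the tables the role already covers.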

Obtaining the output

This module outputs the role, username, password and storage integration that can be pasted into Fullstory in order for Fullstory to connect to your database. After using this module, you must output the value of these variables in your root module (see the Usage example above). Once that is done, you should be able to access outputs with

terraform output <name of your output variable> | pbcopy

The password output is a sensitive value. You need to use a slightly different command in order to see it.

terraform output -raw <name of your output variable> | pbcopy

Alternatively, you can find all of the inputs in your Snowflake account.

Contributing

See CONTRIBUTING.md for best practices and instructions on setting up your dev environment.