[Feature]: Add support for Authentication Policies #2880
Comments
Hey @bschwedler. Thanks for reaching out to us. Authentication policies were PuPr just recently, so they are not part of the V1 scope. For now, you can use https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/unsafe_execute, which can run any SQL statement. We will also welcome a contribution (check https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/CONTRIBUTING.md).
@sfc-gh-asawicki I would like to add the authentication policies to the provider, similar to the network_rules, if this is fine with you. If yes, could you please add the authentication policies to the SDK and update the user and account SDK (authentication policies can be set for a user or an account)? https://docs.snowflake.com/en/user-guide/authentication-policies Then I would look into the implementation when I come back from my vacation in three weeks.
Hey @Relativity74205. We will accept the contribution, thanks for proposing this! :) Authentication policies syntax looks relatively easy, we may be able to add it to the SDK at the start of August.
@sfc-gh-asawicki Great, please let me know when it is finished. And please don't forget the update of the user and account SDK.
I didn't see these comments, but I started the work to add the authentication policies this week: https://github.com/cmonty-paypal/terraform-provider-snowflake/tree/add_authentication_policies
@cmonty-paypal it's great, we have not started the SDK part, so we will gladly accept your contribution :)
Looking forward to seeing this implemented soon since authentication policies are the mechanism to enforce MFA enrollment based on the below blog post from earlier this week. https://www.snowflake.com/blog/snowflake-admins-enforce-mandatory-mfa/
I too did not see the recent comments and had started working on it :) It was a good learning experience for me. @cmonty-paypal - looks like you are well on your way. Let me know if there is anything I can do to help.
If you have any feedback in the PR, please let me know!
Releasing this will help us a lot! At the moment this blocks us.
I created a database and called the use database command with
Hey @denzhel. Can you share the config you try to run? Setting a database in session should work (and works for other resources too).
I've deleted the resources already since I did not manage to run it. Can you please share an example of how I set a database session?
Hey @denzhel, I do not have a running example, I may be able to set it up later this week.
Adds Authentication Policy methods to the SDK.

## Test Plan
* [x] unit tests
* [x] integration tests

## References
* #2880

---------

Co-authored-by: Jan Cieślak <jan.cieslak@snowflake.com>

## Changes
* Addressed comments from #2937
* Fixed failing tests caused by this change
* Changed and added multiple tests connected to auth policies
* Adjusted a few parts of the SDK implementation (using enums where possible, added a few missing parts, etc.)

## TODO
* Mention in #2880 that the SDK for Auth Policies is ready
Hey @Relativity74205 👋
+1 to this feature
+1 to the feature!
@sfc-gh-jcieslak I think I can do it by next week. I will let you know when I have a PR ready.
@sfc-gh-jcieslak I have added the authentication policy resource incl. the user/account attachments in the following PR: #3098 I have tested the code manually quite thoroughly and have written some acceptance tests; however, I had some unusual problems in setting up the acceptance tests. At least, I cannot remember that I had such problems with it in the past. I have added some details in the PR.
Thank you for getting it merged!
Added the following resources:
- authentication_policy
- account_authentication_policy_attachment
- user_authentication_policy_attachment

## Test Plan
* [ ] acceptance tests (have been mostly added; could not be tested locally due to difficulties with acceptance test setup)
* [x] manual tests

## References
* #2880

---------

Co-authored-by: Arkadius Schuchhardt <schuchhardt@auxmoney.com>
## [0.98.0](v0.97.0...v0.98.0) (2024-11-08)

Feature scope readiness for V1: [link](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/v1-preparations/ESSENTIAL_GA_OBJECTS.MD) ([Roadmap reference](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/ROADMAP.md#wrap-up-the-functional-scope)).

:exclamation: Migration guide: [v0.97.0 -> v0.98.0](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0970--v0980)

### 🎉 What's new

- New resources:
  - authentication_policy ([#3098](#3098)), references [#2880](#2880)
  - external_volume ([#3106](#3106)), partially references [#2980](#2980)
  - stream_on_directory_table ([#3129](#3129))
  - stream_on_view ([#3150](#3150))
  - primary_connection, secondary_connection ([#3162](#3162))
  - secret_with_basic_authentication, secret_with_generic_string, secret_with_oauth_authorization_code_grant, secret_with_oauth_client_credentials ([#3110](#3110)), ([#3141](#3141))
- New data sources:
  - connections ([#3155](#3155)), ([#3173](#3173))
  - secrets ([#3131](#3131))
- Reworked:
  - provider configuration hierarchy ([#3166](#3166)), references [#1881](#1881), [#2145](#2145), [#2925](#2925), [#2983](#2983), [#3104](#3104)
  - provider configuration fields ([#3152](#3152)) streams data source ([#3151](#3151))
- SDK upgrades:
  - Upgrade tag SDK ([#3126](#3126))
  - Recreate streams when they are stale ([#3129](#3129))

### 🔧 Misc

- Add object renaming research summary ([#3172](#3172))
- Test support for object renaming ([#3130](#3130)), ([#3147](#3147)), ([#3154](#3154))
- Add tests to issue [#3117](#3117) ([#3133](#3133))
- New roadmap entry ([#3158](#3158))
- Test more authentication methods ([#3178](#3178))
- Minor fixes ([#3174](#3174))

### 🐛 Bug fixes

- Apply various fixes ([#3176](#3176)), this addresses BCR 2024_08, references [#2717](#2717), [#3005](#3005), [#3125](#3125), [#3127](#3127), [#3153](#3153)
- Connection and secret data sources tests ([#3177](#3177))
- Fix grant import docs ([#3183](#3183)), resolves [#3179](https://github.com/Snowflake-Labs/terraform-provider-snowflake/discussions/3179)
- Fix user resource import ([#3181](#3181))
- Handle external type changes in stream resources ([#3164](#3164))
- Do not use OR REPLACE on initial creation in resources with copy_grants ([#3129](#3129))
- Address issue [#2201](#2201) by introducing new stream resources

Co-authored-by: snowflake-release-please[bot] <105954990+snowflake-release-please[bot]@users.noreply.github.com>
Use Cases or Problem Statement
We would like to manage Authentication Policies within our IaC.
This is important so that we can limit/control the auth methods that must be used by different classes of users.
As far as I can tell, Authentication Policies are not part of the GA Objects for V1
Category
category:resource
Object type(s)
No response
Proposal
Add an AuthenticationPolicy resource type that can be managed with IaC. https://docs.snowflake.com/en/sql-reference/sql/create-authentication-policy
How much impact is this issue causing?
Low
Additional Information
No response
Would you like to implement a fix?