This is a repository that makes a saml+scim integration based on the ms_azure or okta integrations for Snowflake. The following resources are made depended on what you choose:

• snowflake_account_grant.provisioner_create_role
• snowflake_account_grant.provisioner_create_user
• snowflake_role.provisioner
• snowflake_role_grants.provisioner_grants
• snowflake_saml_integration.saml_integration
• snowflake_scim_integration.scim_integration

Example CICD with BitBucket and Codefresh:

For further documentation on how this works, please read the following:

• Azure SCIM Integration with Snowflake
• Okta SCIM Integration with Snowflake

Essentially this module simplifies the ability to onboard new accounts and enables the IDP of choice to:

• Manage the user lifecycle (i.e. create, update, and delete) in Snowflake.
• Manage the role lifecycle (i.e. create, update, and delete) in Snowflake.
• Manage user to role assignments in Snowflake.

NOTES:

• THIS MODULE ASSUMES YOU HAVE AN IDP OF OKTA OR MS_AZURE
• THIS MODULE ASSUMES THAT YOU HAVE SET UP YOUR IDP AND THAT IT IS CONFIGURED
• THIS MODULE ASSUMES YOU HAVE SNOWFLAKE

WARNINGS:

• DO NOT HARDCODE THE saml2_x509_cert THIS IS A SENSITIVE VALUE, YOU SHOULD USE SOME OTHER METHOD TO GRAB THIS DATA, I SIMPLY SHOW WHAT THE DATA MUST LOOK LIKE. IT IS A SECURITY RISK TO HARDCODE YOUR saml2_x509_cert AND IS MARKED SENSITIVE BY DEFAULT
• THE scim_token IS DIRECTED TORWARDS SYSTEM OUTPUT ON INITAL CREATION AND WILL LOG TO YOUR TERMINAL ON CREATION FOR YOU TO USE. THIS WILL ONLY HAPPEN ONCE AND IT WILL NOT APPEAR IN SYSTEM LOGS AS IT IS MARKED SENSITIVE BY DEFAULT

To use the module you will need to use the following:

module "snowflake_samlscim_usdevelopment" {
  source  = "https://github.com/Richard-Barrett/terraform-snowflake-scim-integration"
  version = "0.0.1"

  idp                        = "okta"
  saml2_issuer               = "http://www.okta.com/<OKTA_ENTITY_ID>"
  saml2_sso_url              = "https://<YOURDOMAIN>.okta.com/app/snowflake/<OKTA_ENTITY_ID>/sso/saml"
  saml2_provider             = "OKTA"
  saml2_x509_cert            = "MIIDnjCCAoa...IGA..."
  saml2_snowflake_issuer_url = "https://<URI>.<AWS_REGION>.aws.snowflakecomputing.com"
  saml2_snowflake_acs_url    = "https://<FQDN>.snowflakecomputing.com/fed/login"
}

Required Values:

Once you run the following:

terraform init
terraform validate
terraform plan
terraform apply

You should see something similar to the following:

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

Outputs:

scim_token = <sensitive>

Take the scim_token and update your IDP with the API integration, afterwards, make sure you check what you want controlled by the provisioner:

• NOTE: ORDER MATTERS, CREATE THE API TOKEN AND TEST PROVISIONING FIRST BEFORE YOU SELECT WHAT THE PROVISIONING DOES IN THE IDP.

What if you want to manage the SCIM Access for ms_azure?

module "snowflake_samlscim_usdevelopment" {
  source  = "https://github.com/Richard-Barrett/terraform-snowflake-scim-integration"
  version = "0.0.1"

  idp                        = "aad"
  saml2_issuer               = "http://www.okta.com/<OKTA_ENTITY_ID>"
  saml2_sso_url              = "https://<YOURDOMAIN>.okta.com/app/snowflake/<OKTA_ENTITY_ID>/sso/saml"
  saml2_provider             = "AAD"
  saml2_x509_cert            = "MIIDnjCCAoa...IGA..."
  saml2_snowflake_issuer_url = "https://<URI>.<AWS_REGION>.aws.snowflakecomputing.com"
  saml2_snowflake_acs_url    = "https://<FQDN>.snowflakecomputing.com/fed/login"
}

If you want to keep the saml2_x509_cert secret pull it in as a data value from a secure datastore using your backend.

In overview, this repository acts as a digestible module that allows you to create a warehouse, the warehouse role, and the warehouse grant.

No modules.