[Feature]: Add support for Authentication Policies #2880

Open
1 task
bschwedler opened this issue Jun 20, 2024 · 19 comments
Labels
feature-request Used to mark issues with provider's missing functionalities resource:authentication_policy

Comments

@bschwedler

Use Cases or Problem Statement

We would like to manage Authentication Policies within our IaC.

This is important so that we can limit/control the auth methods that must be used by different classes of users.

As far as I can tell, Authentication Policies are not part of the GA Objects for V1

Category

category:resource

Object type(s)

No response

Proposal

Add an AuthenticationPolicy resource type that can be managed with IaC.

https://docs.snowflake.com/en/sql-reference/sql/create-authentication-policy

How much impact is this issue causing?

Low

Additional Information

No response

Would you like to implement a fix?

  • Yeah, I'll take it 😎
@bschwedler bschwedler added the feature-request Used to mark issues with provider's missing functionalities label Jun 20, 2024
@sfc-gh-asawicki
Collaborator

Hey @bschwedler. Thanks for reaching out to us.

Authentication policies were PuPr just recently, so they are not part of the V1 scope. For now, you can use https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/unsafe_execute, which can run any SQL statement. We will also welcome a contribution (check https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/CONTRIBUTING.md).

cc: @sfc-gh-sthyagaraj

@Relativity74205
Contributor

@sfc-gh-asawicki I would like to add the authentication policies to the provider similar to the network_rules, if this is fine for you. If yes, could you please add the authentication policies to the SDK and update the user and account SDK (authentication policies can be set for a user or an account)? https://docs.snowflake.com/en/user-guide/authentication-policies

Then I would look into the implementation, when I come back from my vacation in three weeks.

@sfc-gh-asawicki
Collaborator

Hey @Relativity74205. We will accept the contribution, thanks for proposing this! :)

Authentication policies syntax looks relatively easy, we may be able to add it to the SDK at the start of August.

@Relativity74205
Contributor

@sfc-gh-asawicki Great, please let me know when it is finished. And please don't forget the update of the user and account SDK.

@cmonty-paypal
Contributor

I didn't see these comments but I started the work to add to the authentication policies this week: https://github.com/cmonty-paypal/terraform-provider-snowflake/tree/add_authentication_policies

@sfc-gh-asawicki
Collaborator

@cmonty-paypal it's great, we have not started the SDK part, so we will gladly accept your contribution :)

@jasonjoneszywave

Looking forward to seeing this implemented soon since authentication policies are the mechanism to enforce MFA enrollment based on the below blog post from earlier this week.

https://www.snowflake.com/blog/snowflake-admins-enforce-mandatory-mfa/

@georgeb-accelins

georgeb-accelins commented Jul 12, 2024

> I didn't see these comments but I started the work to add to the authentication policies this week: https://github.com/cmonty-paypal/terraform-provider-snowflake/tree/add_authentication_policies

I too did not see the recent comments and had started working on it :) It was a good learning experience for me. @cmonty-paypal - looks like you are well on your way. Let me know if there is anything I can do to help.

@cmonty-paypal
Contributor

> > I didn't see these comments but I started the work to add to the authentication policies this week: https://github.com/cmonty-paypal/terraform-provider-snowflake/tree/add_authentication_policies
>
> I too did not see the recent comments and had started working on it :) It was a good learning experience for me. @cmonty-paypal - looks like you are well on your way. Let me know if there is anything I can do to help.

If you have any feedback in the PR, please let me know!

@denzhel

denzhel commented Jul 18, 2024

Releasing this will help us a lot! At the moment this blocks us.
Even with unsafe_execute I get the following error:

This session does not have a current database. Call 'USE DATABASE',

I created a database and called the use database command with unsafe_execute and yet I get this error.

@sfc-gh-asawicki
Collaborator

Hey @denzhel. Can you share the config you try to run? Setting a database in session should work (and works for other resources too).

@denzhel

denzhel commented Jul 22, 2024

I've deleted the resources already since I did not manage to run it.

Can you please share an example of how to set a database session?

@sfc-gh-asawicki
Collaborator

Hey @denzhel, I do not have a running example, I may be able to set it up later this week.
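
Added example, not part of the thread and not the provider's own documentation: a sketch of the `unsafe_execute` workaround mentioned above, on the assumption that the "no current database" error comes from an unqualified policy name. The database `SECURITY_DB`, schema `POLICIES`, policy name `REQUIRE_MFA` and user `EXAMPLE_USER` are hypothetical placeholders and are assumed to exist already.

```hcl
# Added example (not from the thread). All object names below are placeholders.
# The policy is created with a fully qualified name (database.schema.policy),
# so the statement does not rely on a database being set in the session.
resource "snowflake_unsafe_execute" "require_mfa_policy" {
  execute = <<-SQL
    CREATE AUTHENTICATION POLICY SECURITY_DB.POLICIES.REQUIRE_MFA
      AUTHENTICATION_METHODS = ('PASSWORD', 'SAML')
      MFA_ENROLLMENT = REQUIRED
      COMMENT = 'Managed by Terraform via unsafe_execute'
  SQL

  # Run on destroy; the policy can only be dropped once it is detached.
  revert = "DROP AUTHENTICATION POLICY IF EXISTS SECURITY_DB.POLICIES.REQUIRE_MFA"
}

# Attach the policy to a single user first, rather than to the whole account,
# so a mistake in the policy cannot lock out every login at once.
resource "snowflake_unsafe_execute" "attach_policy_to_user" {
  execute = "ALTER USER EXAMPLE_USER SET AUTHENTICATION POLICY SECURITY_DB.POLICIES.REQUIRE_MFA"
  revert  = "ALTER USER EXAMPLE_USER UNSET AUTHENTICATION POLICY"

  # Create the policy before attaching; on destroy the order is reversed,
  # so the attachment is removed before the policy is dropped.
  depends_on = [snowflake_unsafe_execute.require_mfa_policy]
}
```

`unsafe_execute` does not track drift: if the policy is changed outside Terraform, the plan will not show it.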

sfc-gh-jcieslak added a commit that referenced this issue Sep 10, 2024
Adds Authentication Policy methods to the SDK.

## Test Plan
* [x] unit tests
* [x] integration tests

## References

* #2880

---------

Co-authored-by: Jan Cieślak <[email protected]>
sfc-gh-jcieslak added a commit that referenced this issue Sep 17, 2024
## Changes
* Addressed comments from #2937
* Fixed failing tests caused by this change
* Changed and added multiple tests connected to auth policies
* Adjusted a few parts of the SDK implementation (using enums where possible, added a few missing parts, etc.)

## TODO
* Mention in #2880 that the SDK for Auth Policies is ready
@sfc-gh-jcieslak
Collaborator

Hey @Relativity74205 👋
Some time passed, but we finally had some time to finish the SDK (Big Thanks to @cmonty-paypal 🙏 for doing most of the work). If you still are willing to contribute, you can proceed with extending the provider to add support for authentication policies.

@JohnCalhoun

+1 to this feature

@csp33

csp33 commented Sep 17, 2024

+1 to the feature!

@Relativity74205
Contributor

@sfc-gh-jcieslak I think I can do it by next week. I will let you know when I have a PR ready.

sfc-gh-fbudzynski pushed a commit that referenced this issue Sep 19, 2024
## Changes
* Addressed comments from #2937
* Fixed failing tests caused by this change
* Changed and added multiple tests connected to auth policies
* Adjusted a few parts of the SDK implementation (using enums where possible, added a few missing parts, etc.)

## TODO
* Mention in #2880 that the SDK for Auth Policies is ready
@Relativity74205
Contributor

Relativity74205 commented Sep 21, 2024

@sfc-gh-jcieslak I have added the authentication policy resource incl. the user/account attachments in the following PR: #3098

I have tested the code manually quite thoroughly and have written some acceptance tests; however, I had some unusual problems in setting up the acceptance tests. At least, I cannot remember that I had such problems in the past with it. I have added some details in the PR.

@cmonty-paypal
Contributor

> Hey @Relativity74205 👋
>
> Some time passed, but we finally had some time to finish the SDK (Big Thanks to @cmonty-paypal 🙏 for doing most of the work). If you still are willing to contribute, you can proceed with extending the provider to add support for authentication policies.

Thank you for getting it merged!

sfc-gh-jmichalak pushed a commit that referenced this issue Oct 25, 2024
Added the following resources:
- authentication_policy
- account_authentication_policy_attachment
- user_authentication_policy_attachment

## Test Plan
<!-- detail ways in which this PR has been tested or needs to be tested
-->
* [ ] acceptance tests (have been mostly added; could not be tested
locally due to difficulties with acceptance test setup
<!-- add more below if you think they are relevant -->
* [x] manual tests

## References
<!-- issues documentation links, etc  -->

* #2880

---------

Co-authored-by: Arkadius Schuchhardt <[email protected]>
sfc-gh-jmichalak pushed a commit that referenced this issue Nov 8, 2024
## [0.98.0](v0.97.0...v0.98.0) (2024-11-08)

Feature scope readiness for V1: [link](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/v1-preparations/ESSENTIAL_GA_OBJECTS.MD) ([Roadmap reference](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/ROADMAP.md#wrap-up-the-functional-scope)).

:exclamation: Migration guide: [v0.97.0 -> v0.98.0](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0970--v0980)

### 🎉 What's new
- New resources:
  - authentication_policy ([#3098](#3098)), references [#2880](#2880)
  - external_volume ([#3106](#3106)), partially references [#2980](#2980)
  - stream_on_directory_table ([#3129](#3129))
  - stream_on_view ([#3150](#3150))
  - primary_connection, secondary_connection ([#3162](#3162))
  - secret_with_basic_authentication, secret_with_generic_string, secret_with_oauth_authorization_code_grant, secret_with_oauth_client_credentials ([#3110](#3110)), ([#3141](#3141))
- New data sources:
  - connections ([#3155](#3155)), ([#3173](#3173))
  - secrets ([#3131](#3131))
- Reworked:
  - provider configuration hierarchy ([#3166](#3166)), references [#1881](#1881), [#2145](#2145), [#2925](#2925), [#2983](#2983), [#3104](#3104)
  - provider configuration fields ([#3152](#3152))
  - streams data source ([#3151](#3151))
- SDK upgrades:
  - Upgrade tag SDK ([#3126](#3126))
  - Recreate streams when they are stale ([#3129](#3129))

### 🔧 Misc
- Add object renaming research summary ([#3172](#3172))
- Test support for object renaming ([#3130](#3130)), ([#3147](#3147)), ([#3154](#3154))
- Add tests to issue [#3117](#3117) ([#3133](#3133))
- New roadmap entry ([#3158](#3158))
- Test more authentication methods ([#3178](#3178))
- Minor fixes ([#3174](#3174))

### 🐛 Bug fixes
- Apply various fixes ([#3176](#3176)), this addresses BCR 2024_08, references [#2717](#2717), [#3005](#3005), [#3125](#3125), [#3127](#3127), [#3153](#3153)
- Connection and secret data sources tests ([#3177](#3177))
- Fix grant import docs ([#3183](#3183)), resolves [#3179](https://github.com/Snowflake-Labs/terraform-provider-snowflake/discussions/3179)
- Fix user resource import ([#3181](#3181))
- Handle external type changes in stream resources ([#3164](#3164))
- Do not use OR REPLACE on initial creation in resources with copy_grants ([#3129](#3129))
- Address issue [#2201](#2201) by introducing new stream resources

Co-authored-by: snowflake-release-please[bot] <105954990+snowflake-release-please[bot]@users.noreply.github.com>