Snowflake Database Role Terraform Module

We help companies turn their data into assets

Terraform module for managing Snowflake Database roles.

  • Creates Snowflake database role with specific privileges on database and schemas.
  • Allows granting of privileges on future schemas in a database.
  • Allows granting of privileges on all existing schemas in a database.
  • Allows granting of privileges on specific schema objects like tables.
  • Supports granting of all privileges or specific ones based on the configuration.
  • Can be used to create a hierarchy of roles by assigning parent roles.
  • Can be used to grant roles to other roles.


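resource "snowflake_database" "this" {
  name = "TEST_DB"
}

resource "snowflake_schema" "this" {
  database = snowflake_database.this.name
  name     = "BRONZE"
}

module "snowflake_database_role" {
  source = "../../"

  database_name = snowflake_database.this.name
  name          = "TEST_DB_ROLE"

  # Grants ALL PRIVILEGES on every existing and future schema in the database.
  schema_grants = [
    {
      future_schemas_in_database = true
      all_schemas_in_database    = true
      all_privileges             = true
    },
  ]

  # Grants ALL PRIVILEGES on every existing and future table in the BRONZE schema.
  schema_objects_grants = {
    "TABLE" = [
      {
        all_privileges = true
        on_future      = true
        on_all         = true
        schema_name    = snowflake_schema.this.name
      },
    ]
  }
}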


  • Simple - Basic usage of the module
  • Complete - Advanced usage of the module

Breaking changes in v2.x of the module

Due to the replacement of nulllabel with the context provider, some breaking changes were introduced in version v2.0.0 of this module.

List of code and variable (API) changes:

  • Removed file (a single-file module with additional variables), which implied the removal of all its variables (except name):
    • descriptor_formats
    • label_value_case
    • label_key_case
    • id_length_limit
    • regex_replace_chars
    • label_order
    • additional_tag_map
    • tags
    • labels_as_tags
    • attributes
    • delimiter
    • stage
    • environment
    • tenant
    • namespace
    • enabled
    • context
  • Removed support for the enabled flag. This might cause some backward compatibility issues with Terraform state (proper move clauses were added to minimize the impact), so proceed with caution
  • Additional context provider configuration
  • New variables were added to allow naming configuration via the context provider:
    • context_templates
    • name_scheme


Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| comment | Database Role description | string | null | no |
| context_templates | Map of context templates used for naming conventions - this variable supersedes and naming_scheme.delimiter configuration | map(string) | {} | no |
| database_grants | Grants on a database level | object({ all_privileges = optional(bool), with_grant_option = optional(bool, false), privileges = optional(list(string), null) }) | {} | no |
| database_name | The name of the database to create the role in | string | n/a | yes |
| granted_database_roles | Database Roles granted to this role | list(string) | [] | no |
| granted_to_database_roles | Fully qualified Parent Database Role name (DB_NAME.ROLE_NAME), to create parent-child relationship | list(string) | [] | no |
| granted_to_roles | List of Snowflake Account Roles to grant this role to | list(string) | [] | no |
| granted_to_shares | List of Snowflake Shares to grant this role to | list(string) | [] | no |
| name | Name of the resource | string | n/a | yes |
| name_scheme | Naming scheme configuration for the resource, used to generate names using context provider (fields described below the table) | object({ properties = optional(list(string), ["environment", "name"]), delimiter = optional(string, "_"), context_template_name = optional(string, "snowflake-database-role"), replace_chars_regex = optional(string, "[^a-zA-Z0-9_]"), extra_values = optional(map(string)), uppercase = optional(bool, true) }) | {} | no |
| parent_database_role | DEPRECATED variable - please use granted_to_database_roles instead | string | null | no |
| schema_grants | Grants on a schema level | list(object({ all_privileges = optional(bool), with_grant_option = optional(bool, false), privileges = optional(list(string), null), all_schemas_in_database = optional(bool, false), future_schemas_in_database = optional(bool, false), schema_name = optional(string, null) })) | [] | no |
| schema_objects_grants | Grants on a schema object level (example usage and note below the table) | map(list(object({ all_privileges = optional(bool), with_grant_option = optional(bool), privileges = optional(list(string)), object_name = optional(string), on_all = optional(bool, false), schema_name = optional(string), on_future = optional(bool, false) }))) | {} | no |

name_scheme fields:

  • properties - list of properties to use when creating the name - is superseded by var.context_templates
  • delimiter - delimiter used to create the name from properties - is superseded by var.context_templates
  • context_template_name - name of the context template used to create the name
  • replace_chars_regex - regex to use for replacing characters in property-values created by the provider - any characters that match the regex will be removed from the name
  • extra_values - map of extra label-value pairs, used to create a name
  • uppercase - convert name to uppercase

schema_objects_grants example usage:

schema_objects_grants = {
  "TABLE" = [
    {
      privileges  = ["SELECT"]
      object_name = "<table name>"  # placeholder: value not shown on this page
      schema_name = "<schema name>" # placeholder: value not shown on this page
    },
    {
      all_privileges = true
      object_name    = "<table name>"  # placeholder: value not shown on this page
      schema_name    = "<schema name>" # placeholder: value not shown on this page
    },
  ]
  "ALERT" = [
    {
      all_privileges = true
      on_future      = true
      on_all         = true
    },
  ]
}

Note: If you don't provide a schema_name, the grants will be created for all objects of that type in the database.
You can find a list of all object types here
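A least-privilege counterpart to the `all_privileges = true` usage shown earlier, built only from the inputs documented above. This is an added example, not code from the module's repository; the role name `REPORTING_READER` and the account role `ANALYST` are hypothetical, and the database and schema names are reused from the usage example.

```hcl
# Added example (not from the module's repository).
module "reporting_reader" {
  source = "../../" # same relative path as the usage example on this page

  database_name = "TEST_DB"
  name          = "REPORTING_READER" # hypothetical role name
  comment       = "Read-only access to tables in BRONZE"

  # Database level: USAGE only, so the role can reference objects in the
  # database without CREATE SCHEMA, MODIFY or other database privileges.
  database_grants = {
    privileges        = ["USAGE"]
    with_grant_option = false
  }

  # Schema level: name one schema instead of setting
  # all_schemas_in_database / future_schemas_in_database.
  schema_grants = [
    {
      schema_name = "BRONZE"
      privileges  = ["USAGE"]
    },
  ]

  # Object level: SELECT on existing and future tables, scoped by
  # schema_name. Per the note above, omitting schema_name would apply the
  # grant to every table in the database.
  schema_objects_grants = {
    "TABLE" = [
      {
        schema_name = "BRONZE"
        privileges  = ["SELECT"]
        on_all      = true
        on_future   = true
      },
    ]
  }

  # Account role that receives this database role (hypothetical name).
  granted_to_roles = ["ANALYST"]
}
```

Leaving `with_grant_option` at its documented default of `false` keeps holders of the role from re-granting these privileges to other roles.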


Modules

No modules.


Outputs

| Name | Description |
|------|-------------|
| fully_qualified_name | Name of the database role in fully qualified format ("DB_NAME"."ROLE_NAME") |
| name | Name of the database role |


Providers

| Name | Version |
|------|---------|
| context | >=0.4.0 |
| snowflake | >= 0.97 |


Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3 |
| context | >=0.4.0 |
| snowflake | >= 0.97 |


Resources

| Name | Type |
|------|------|
| snowflake_database_role.this | resource |
| snowflake_grant_database_role.granted_database_roles | resource |
| snowflake_grant_database_role.granted_to_database_roles | resource |
| snowflake_grant_database_role.granted_to_role | resource |
| snowflake_grant_database_role.granted_to_share | resource |
| snowflake_grant_database_role.parent_database_role | resource |
| snowflake_grant_privileges_to_database_role.database_grants | resource |
| snowflake_grant_privileges_to_database_role.schema_grants | resource |
| snowflake_grant_privileges_to_database_role.schema_objects_grants | resource |
| context_label.this | data source |


Contributions are very welcome!

Start by reviewing contribution guide and our code of conduct. After that, start coding and ship your changes by creating a new PR.


Apache 2 Licensed. See LICENSE for full details.

