Snowflake-Labs · sfc-gh-asawicki · Oct 10, 2024 · Oct 7, 2024 · Oct 7, 2024 · Oct 7, 2024
diff --git a/MIGRATION_GUIDE.md b/MIGRATION_GUIDE.md
@@ -47,6 +47,67 @@ resource "snowflake_stream_on_table" "stream" {
 
 Then, follow our [Resource migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/resource_migration.md).
 
+### *(new feature)* new snowflake_service_user and snowflake_legacy_service_user resources
+
+Release v0.95.0 introduced reworked `snowflake_user` resource. As [noted](#note-user-types), the new `SERVICE` and `LEGACY_SERVICE` user types were not supported.
+
+This release introduces two new resources to handle these new user types: `snowflake_service_user` and `snowflake_legacy_service_user`.
+
+Both resources have schemas almost identical to the `snowflake_user` resource with the following exceptions:
+- `snowflake_service_user` does not contain the following fields (because they are not supported for the user of type `SERVICE` in Snowflake):
+  - `password`
+  - `first_name`
+  - `middle_name`
+  - `last_name`
+  - `must_change_password`
+  - `mins_to_bypass_mfa`
+  - `disable_mfa`
+- `snowflake_legacy_service_user` does not contain the following fields (because they are not supported for the user of type `LEGACY_SERVICE` in Snowflake):
+  - `first_name`
+  - `middle_name`
+  - `last_name`
+  - `mins_to_bypass_mfa`
+  - `disable_mfa`
+
+`snowflake_users` datasource was adjusted to handle different user types and `type` field was added to the `describe_output`.
+
+If you used to manage service or legacy service users through `snowflake_user` resource (e.g. using `lifecycle.ignore_changes`) or `snowflake_unsafe_execute`, please migrate to the new resources following [our guidelines on resource migration](docs/technical-documentation/resource_migration.md).
+
+E.g. change the old config from:
+
+```terraform
+resource "snowflake_user" "service_user" {
+  lifecycle {
+    ignore_changes = [user_type]
+  }
+
+  name         = "Snowflake Service User"
+  login_name   = "service_user"
+  email        = "service_user@snowflake.example"
+
+  rsa_public_key   = "..."
+  rsa_public_key_2 = "..."
+}
+```
+
+to
+
+```
+resource "snowflake_service_user" "service_user" {
+  name         = "Snowflake Service User"
+  login_name   = "service_user"
+  email        = "service_user@snowflake.example"
+
+  rsa_public_key   = "..."
+  rsa_public_key_2 = "..."
+}
+
+```
+
+Then, follow our [resource migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/resource_migration.md).
+
+Connected issues: [#2951](https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/2951)
+
 ## v0.95.0 ➞ v0.96.0
 
 ### snowflake_masking_policies data source changes

diff --git a/docs/data-sources/users.md b/docs/data-sources/users.md
@@ -162,6 +162,7 @@ Read-Only:
 - `rsa_public_key_fp` (String)
 - `snowflake_lock` (Boolean)
 - `snowflake_support` (Boolean)
+- `type` (String)
 
 
 <a id="nestedobjatt--users--parameters"></a>

diff --git a/docs/resources/legacy_service_user.md b/docs/resources/legacy_service_user.md
diff --git a/docs/resources/service_user.md b/docs/resources/service_user.md
diff --git a/docs/resources/user.md b/docs/resources/user.md
@@ -2,7 +2,7 @@
 page_title: "snowflake_user Resource - terraform-provider-snowflake"
 subcategory: ""
 description: |-
-  Resource used to manage user objects. For more information, check user documentation https://docs.snowflake.com/en/sql-reference/commands-user-role.
+  Resource used to manage user objects. For more information, check user documentation https://docs.snowflake.com/en/sql-reference/commands-user-role#user-management.
 ---
 
 !> **V1 release candidate** This resource was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v094x--v0950) to use it.
@@ -11,36 +11,113 @@ description: |-
 
 -> **Note** Attaching user policies will be handled in the following versions of the provider which may still affect this resource.
 
--> **Note** `service` and `legacy_service` user types are currently not supported. They will be supported in the following versions as separate resources (namely `snowflake_service_user` and `snowflake_legacy_service_user`).
+-> **Note** Other two user types are handled in separate resources: `snowflake_service_user` for user type `service` and `snowflake_legacy_service_user` for user type `legacy_service`.
 
 -> **Note** External changes to `days_to_expiry`, `mins_to_unlock`, and `mins_to_bypass_mfa` are not currently handled by the provider (because the value changes continuously on Snowflake side after setting it).
 
 # snowflake_user (Resource)
 
-Resource used to manage user objects. For more information, check [user documentation](https://docs.snowflake.com/en/sql-reference/commands-user-role).
+Resource used to manage user objects. For more information, check [user documentation](https://docs.snowflake.com/en/sql-reference/commands-user-role#user-management).
 
 ## Example Usage
 
 ```terraform
+# minimal
+resource "snowflake_user" "minimal" {
+  name = "Snowflake User - minimal"
+}
+
+# with all attributes set
 resource "snowflake_user" "user" {
   name         = "Snowflake User"
   login_name   = "snowflake_user"
-  comment      = "A user of snowflake."
-  password     = "secret"
-  disabled     = false
-  display_name = "Snowflake User"
-  email        = "user@snowflake.example"
   first_name   = "Snowflake"
+  middle_name  = "Middle"
   last_name    = "User"
+  comment      = "User of snowflake."
+  password     = "secret"
+  disabled     = "false"
+  display_name = "Snowflake User display name"
+  email        = "user@snowflake.example"
+
+  default_warehouse              = "warehouse"
+  default_secondary_roles_option = "ALL"
+  default_role                   = "role1"
+  default_namespace              = "some.namespace"
 
-  default_warehouse       = "warehouse"
-  default_secondary_roles = "ALL"
-  default_role            = "role1"
+  mins_to_unlock     = 9
+  days_to_expiry     = 8
+  mins_to_bypass_mfa = 10
 
   rsa_public_key   = "..."
   rsa_public_key_2 = "..."
 
-  must_change_password = false
+  must_change_password = "true"
+  disable_mfa          = "false"
+}
+
+# all parameters set on the resource level
+resource "snowflake_user" "u" {
+  name = "Snowflake User with all parameters"
+
+  abort_detached_query                          = true
+  autocommit                                    = false
+  binary_input_format                           = "UTF8"
+  binary_output_format                          = "BASE64"
+  client_memory_limit                           = 1024
+  client_metadata_request_use_connection_ctx    = true
+  client_prefetch_threads                       = 2
+  client_result_chunk_size                      = 48
+  client_result_column_case_insensitive         = true
+  client_session_keep_alive                     = true
+  client_session_keep_alive_heartbeat_frequency = 2400
+  client_timestamp_type_mapping                 = "TIMESTAMP_NTZ"
+  date_input_format                             = "YYYY-MM-DD"
+  date_output_format                            = "YY-MM-DD"
+  enable_unload_physical_type_optimization      = false
+  enable_unredacted_query_syntax_error          = true
+  error_on_nondeterministic_merge               = false
+  error_on_nondeterministic_update              = true
+  geography_output_format                       = "WKB"
+  geometry_output_format                        = "WKB"
+  jdbc_treat_decimal_as_int                     = false
+  jdbc_treat_timestamp_ntz_as_utc               = true
+  jdbc_use_session_timezone                     = false
+  json_indent                                   = 4
+  lock_timeout                                  = 21222
+  log_level                                     = "ERROR"
+  multi_statement_count                         = 0
+  network_policy                                = "BVYDGRAT_0D5E3DD1_F644_03DE_318A_1179886518A7"
+  noorder_sequence_as_default                   = false
+  odbc_treat_decimal_as_int                     = true
+  prevent_unload_to_internal_stages             = true
+  query_tag                                     = "some_tag"
+  quoted_identifiers_ignore_case                = true
+  rows_per_resultset                            = 2
+  search_path                                   = "$public, $current"
+  simulated_data_sharing_consumer               = "some_consumer"
+  statement_queued_timeout_in_seconds           = 10
+  statement_timeout_in_seconds                  = 10
+  strict_json_output                            = true
+  s3_stage_vpce_dns_name                        = "vpce-id.s3.region.vpce.amazonaws.com"
+  time_input_format                             = "HH24:MI"
+  time_output_format                            = "HH24:MI"
+  timestamp_day_is_always_24h                   = true
+  timestamp_input_format                        = "YYYY-MM-DD"
+  timestamp_ltz_output_format                   = "YYYY-MM-DD HH24:MI:SS"
+  timestamp_ntz_output_format                   = "YYYY-MM-DD HH24:MI:SS"
+  timestamp_output_format                       = "YYYY-MM-DD HH24:MI:SS"
+  timestamp_type_mapping                        = "TIMESTAMP_LTZ"
+  timestamp_tz_output_format                    = "YYYY-MM-DD HH24:MI:SS"
+  timezone                                      = "Europe/Warsaw"
+  trace_level                                   = "ON_EVENT"
+  transaction_abort_on_error                    = true
+  transaction_default_isolation_level           = "READ COMMITTED"
+  two_digit_century_start                       = 1980
+  unsupported_ddl_action                        = "FAIL"
+  use_cached_result                             = false
+  week_of_year_policy                           = 1
+  week_start                                    = 1
 }
 ```
 -> **Note** Instead of using fully_qualified_name, you can reference objects managed outside Terraform by constructing a correct ID, consult [identifiers guide](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/guides/identifiers#new-computed-fully-qualified-name-field-in-resources).
@@ -942,5 +1019,5 @@ Read-Only:
 Import is supported using the following syntax:
 
 ```shell
-terraform import snowflake_user.example userName
+terraform import snowflake_user.example '"<user_name>"'
 ```
diff --git a/examples/resources/snowflake_legacy_service_user/import.sh b/examples/resources/snowflake_legacy_service_user/import.sh
@@ -0,0 +1 @@
+terraform import snowflake_legacy_service_user.example '"<user_name>"'
diff --git a/examples/resources/snowflake_legacy_service_user/resource.tf b/examples/resources/snowflake_legacy_service_user/resource.tf
@@ -0,0 +1,92 @@
+# minimal
+resource "snowflake_legacy_service_user" "minimal" {
+  name = "Snowflake Legacy Service User - minimal"
+}
+
+# with all attributes set
+resource "snowflake_legacy_service_user" "user" {
+  name         = "Snowflake Legacy Service User"
+  login_name   = "legacy_service_user"
+  comment      = "A legacy service user of snowflake."
+  password     = "secret"
+  disabled     = "false"
+  display_name = "Snowflake Legacy Service User display name"
+  email        = "legacy.service.user@snowflake.example"
+
+  default_warehouse              = "warehouse"
+  default_secondary_roles_option = "ALL"
+  default_role                   = "role1"
+  default_namespace              = "some.namespace"
+
+  mins_to_unlock = 9
+  days_to_expiry = 8
+
+  rsa_public_key   = "..."
+  rsa_public_key_2 = "..."
+
+  must_change_password = "true"
+}
+
+# all parameters set on the resource level
+resource "snowflake_legacy_service_user" "u" {
+  name = "Snowflake Legacy Service User with all parameters"
+
+  abort_detached_query                          = true
+  autocommit                                    = false
+  binary_input_format                           = "UTF8"
+  binary_output_format                          = "BASE64"
+  client_memory_limit                           = 1024
+  client_metadata_request_use_connection_ctx    = true
+  client_prefetch_threads                       = 2
+  client_result_chunk_size                      = 48
+  client_result_column_case_insensitive         = true
+  client_session_keep_alive                     = true
+  client_session_keep_alive_heartbeat_frequency = 2400
+  client_timestamp_type_mapping                 = "TIMESTAMP_NTZ"
+  date_input_format                             = "YYYY-MM-DD"
+  date_output_format                            = "YY-MM-DD"
+  enable_unload_physical_type_optimization      = false
+  enable_unredacted_query_syntax_error          = true
+  error_on_nondeterministic_merge               = false
+  error_on_nondeterministic_update              = true
+  geography_output_format                       = "WKB"
+  geometry_output_format                        = "WKB"
+  jdbc_treat_decimal_as_int                     = false
+  jdbc_treat_timestamp_ntz_as_utc               = true
+  jdbc_use_session_timezone                     = false
+  json_indent                                   = 4
+  lock_timeout                                  = 21222
+  log_level                                     = "ERROR"
+  multi_statement_count                         = 0
+  network_policy                                = "BVYDGRAT_0D5E3DD1_F644_03DE_318A_1179886518A7"
+  noorder_sequence_as_default                   = false
+  odbc_treat_decimal_as_int                     = true
+  prevent_unload_to_internal_stages             = true
+  query_tag                                     = "some_tag"
+  quoted_identifiers_ignore_case                = true
+  rows_per_resultset                            = 2
+  search_path                                   = "$public, $current"
+  simulated_data_sharing_consumer               = "some_consumer"
+  statement_queued_timeout_in_seconds           = 10
+  statement_timeout_in_seconds                  = 10
+  strict_json_output                            = true
+  s3_stage_vpce_dns_name                        = "vpce-id.s3.region.vpce.amazonaws.com"
+  time_input_format                             = "HH24:MI"
+  time_output_format                            = "HH24:MI"
+  timestamp_day_is_always_24h                   = true
+  timestamp_input_format                        = "YYYY-MM-DD"
+  timestamp_ltz_output_format                   = "YYYY-MM-DD HH24:MI:SS"
+  timestamp_ntz_output_format                   = "YYYY-MM-DD HH24:MI:SS"
+  timestamp_output_format                       = "YYYY-MM-DD HH24:MI:SS"
+  timestamp_type_mapping                        = "TIMESTAMP_LTZ"
+  timestamp_tz_output_format                    = "YYYY-MM-DD HH24:MI:SS"
+  timezone                                      = "Europe/Warsaw"
+  trace_level                                   = "ON_EVENT"
+  transaction_abort_on_error                    = true
+  transaction_default_isolation_level           = "READ COMMITTED"
+  two_digit_century_start                       = 1980
+  unsupported_ddl_action                        = "FAIL"
+  use_cached_result                             = false
+  week_of_year_policy                           = 1
+  week_start                                    = 1
+}
diff --git a/examples/resources/snowflake_service_user/import.sh b/examples/resources/snowflake_service_user/import.sh
@@ -0,0 +1 @@
+terraform import snowflake_service_user.example '"<user_name>"'