⭐️ snowflake provider (#4210)

* ⭐️ snowflake provider

* disable debug messages from snowflake provider

Signed-off-by: Ivan Milchev <ivan@mondoo.com>

---------

Signed-off-by: Ivan Milchev <ivan@mondoo.com>
Co-authored-by: Ivan Milchev <ivan@mondoo.com>

.github/actions/spelling/expect.txt

@@ -2,6 +2,7 @@ atlassian
 Auths
 autoaccept
 autoscaler
+ACCOUNTADMIN
 backupconfiguration
 backupsetting
 bigquery
@@ -20,6 +21,7 @@ datapath
 Ddos
 deliverychannel
 dfw
+DATAUSER
 DIRECTORYID
 dlq
 dlv
@@ -82,6 +84,7 @@ shodan
 singlequeryargument
 sizeconstraintstatement
 Snat
+Snowsight
 spdx
 sph
 spo

Makefile

@@ -206,7 +206,8 @@ providers/build: \
 	providers/build/atlassian \
 	providers/build/cloudformation \
 	providers/build/shodan \
-	providers/build/ansible
+	providers/build/ansible \
+	providers/build/snowflake
 
 .PHONY: providers/install
 # Note we need \ to escape the target line into multiple lines
@@ -234,7 +235,8 @@ providers/install: \
 	providers/install/aws \
 	providers/install/cloudformation \
 	providers/install/shodan \
-	providers/install/ansible
+	providers/install/ansible \
+	providers/install/snowflake
 
 providers/build/mock: providers/lr
 	./lr go providers-sdk/v1/testutils/mockprovider/resources/mockprovider.lr
@@ -362,6 +364,11 @@ providers/build/ansible: providers/lr
 providers/install/ansible:
 	@$(call installProvider, providers/ansible)
 
+providers/build/snowflake: providers/lr
+	@$(call buildProvider, providers/snowflake)
+providers/install/snowflake:
+	@$(call installProvider, providers/snowflake)
+
 providers/dist:
 	@$(call buildProviderDist, providers/network)
 	@$(call buildProviderDist, providers/os)
@@ -387,6 +394,7 @@ providers/dist:
 	@$(call buildProviderDist, providers/cloudformation)
 	@$(call buildProviderDist, providers/shodan)
 	@$(call buildProviderDist, providers/ansible)
+	@$(call buildProviderDist, providers/snowflake)
 
 providers/bundle:
 	@$(call bundleProvider, providers/network)
@@ -413,6 +421,7 @@ providers/bundle:
 	@$(call bundleProvider, providers/cloudformation)
 	@$(call bundleProvider, providers/shodan)
 	@$(call bundleProvider, providers/ansible)
+	@$(call bundleProvider, providers/snowflake)
 
 providers/test:
 	@$(call testProvider, providers/core)
@@ -440,6 +449,7 @@ providers/test:
 	@$(call testGoModProvider, providers/cloudformation)
 	@$(call testGoModProvider, providers/shodan)
 	@$(call testGoModProvider, providers/ansible)
+	@$(call testGoModProvider, providers/snowflake)
 
 lr/test:
 	go test ./resources/lr/...
@@ -563,6 +573,11 @@ lr/docs/markdown: providers/lr
 		--description "The Slack resource pack lets you use MQL to query and assess the security of your Slack identities and configuration." \
 		--docs-file providers/slack/resources/slack.lr.manifest.yaml \
 		--output ../docs/docs/mql/resources/slack-pack
+	./lr markdown providers/slack/resources/snowflake.lr \
+		--pack-name "Snowflake" \
+		--description "The Snowflake resource pack lets you use MQL to query and assess the security of your Snowflake identities and configuration." \
+		--docs-file providers/snowflake/resources/snowflake.lr.manifest.yaml \
+		--output ../docs/docs/mql/resources/snowflake-pack
 	./lr markdown providers/terraform/resources/terraform.lr \
 		--pack-name "Terraform IaC" \
 		--description "The Terraform IaC resource pack lets you use MQL to query and assess the security of your Terraform HCL, plan, and state resources." \

docs/development.md

@@ -206,6 +206,7 @@ use (
    ./cnquery/providers/okta
    ./cnquery/providers/opcua
    ./cnquery/providers/shodan
+   ./cnquery/providers/snowflake
    ./cnquery/providers/slack
    ./cnquery/providers/terraform
    ./cnquery/providers/vcd

providers/defaults.go

@@ -371,6 +371,21 @@ var DefaultProviders Providers = map[string]*Provider{
 		},
 	},
 
+	"snowflake": {
+		Provider: &plugin.Provider{
+			Name:            "snowflake",
+			ID:              "go.mondoo.com/cnquery/v9/providers/snowflake",
+			ConnectionTypes: []string{"snowflake"},
+			Connectors: []plugin.Connector{
+				{
+					Name:  "snowflake",
+					Use:   "snowflake",
+					Short: "a Snowflake account",
+				},
+			},
+		},
+	},
+
 	"terraform": {
 		Provider: &plugin.Provider{
 			Name:            "terraform",

providers/snowflake/README.md

@@ -0,0 +1,122 @@
+# Snowflake Provider
+
+```shell
+cnquery shell snowflake
+```
+
+Required arguments:
+
+- `--account` - The Snowflake account name.
+- `--region` - The Snowflake region.
+- `--user` - The Snowflake username.
+- `--role` - The Snowflake role.
+
+> The easiest way to get the account name and region is to look at the URL when you log in to the Snowflake web interface. When clicking on the account icon you can copy the account URL that included the account name and region.
+
+**Password Authentication**
+
+Arguments:
+
+- `--password` - The Snowflake password.
+- `--ask-pass` - Prompt for the Snowflake password.
+
+```shell
+shell snowflake --account zi12345 --region us-central1.gcp --user CHRIS  --role ACCOUNTADMIN --ask-pass
+```
+
+> To create a username and password, use [Snowsight](https://docs.snowflake.com/en/user-guide/admin-user-management#using-snowsight) or using [SQL](https://docs.snowflake.com/en/user-guide/admin-user-management#using-sql).
+
+**Certificate Authentication**
+
+Arguments:
+
+- `--private-key` - The path to the private key file.
+
+```shell
+shell snowflake --account zi12345 --region us-central1.gcp --user CHRIS  --role ACCOUNTADMIN --private-key ~/.ssh/id_rsa
+```
+
+> You need to generate a RSA key pair and assign the public key to your user via [Snowsight](https://docs.snowflake.com/en/user-guide/key-pair-auth).
+
+## Examples
+
+**Retrieve all users**
+
+```shell
+cnquery> snowflake.account.users
+snowflake.account.users: [
+  0: snowflake.user name="CHRIS"
+  1: snowflake.user name="DATAUSER"
+  2: snowflake.user name="SNOWFLAKE"
+]
+```
+
+**Retrieve all users that have no MFA**
+
+```shell
+cnquery> snowflake.account.users.where(extAuthnDuo == false)
+snowflake.account.users.where: [
+  0: snowflake.user name="CHRIS"
+  1: snowflake.user name="DATAUSER"
+  2: snowflake.user name="SNOWFLAKE"
+]
+```
+
+**Retrieve all users that have password authentication**
+
+```shell
+cnquery> snowflake.account.users.where(hasPassword)
+snowflake.account.users.where: [
+  0: snowflake.user name="CHRIS"
+  1: snowflake.user name="DATAUSER"
+  2: snowflake.user name="SNOWFLAKE"
+]
+
+```
+
+**Retrieve all users that have certificate authentication**
+
+```shell
+cnquery> snowflake.account.users.where(hasRsaPublicKey)
+snowflake.account.users.where: [
+  0: snowflake.user name="CHRIS"
+]
+```
+
+**Retrieve users that have not logged in for 30 days**
+
+```shell
+cnquery> snowflake.account.users.where(time.now - lastSuccessLogin > time.day * 30) { lastSuccessLogin }
+snowflake.account.users.where: [
+  0: {
+    lastSuccessLogin: 366 days 
+  }
+]
+```
+
+**Check that SCIM is enabled**
+
+```shell
+cnquery> snowflake.account.securityIntegrations.where(type == /SCIM/).any(enabled == true)
+[failed] [].any()
+  actual:   []
+```
+
+**Check the retention time is greater 90 days**
+
+```shell
+cnquery> snowflake.account.parameters.one(key == "DATA_RETENTION_TIME_IN_DAYS" && value >= 90)
+```
+
+**Retrieve all databases**
+
+```shell
+cnquery> snowflake.account.databases
+snowflake.account.databases: [
+  0: snowflake.database name="CNQUERY"
+  1: snowflake.database name="SNOWFLAKE"
+  2: snowflake.database name="SNOWFLAKE_SAMPLE_DATA"
+]
+```
+
+

providers/snowflake/config/config.go

@@ -0,0 +1,73 @@
+// Copyright (c) Mondoo, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package config
+
+import (
+	"go.mondoo.com/cnquery/v11/providers-sdk/v1/plugin"
+	"go.mondoo.com/cnquery/v11/providers/snowflake/provider"
+)
+
+var Config = plugin.Provider{
+	Name:            "snowflake",
+	ID:              "go.mondoo.com/cnquery/v11/providers/snowflake",
+	Version:         "11.0.0",
+	ConnectionTypes: []string{provider.DefaultConnectionType},
+	Connectors: []plugin.Connector{
+		{
+			Name:      "snowflake",
+			Use:       "snowflake",
+			Short:     "a Snowflake account",
+			Discovery: []string{},
+			Flags: []plugin.Flag{
+				{
+					Long:    "user",
+					Type:    plugin.FlagType_String,
+					Default: "",
+					Desc:    "Snowflake user name",
+				},
+				{
+					Long:        "ask-pass",
+					Type:        plugin.FlagType_Bool,
+					Default:     "false",
+					Desc:        "Prompt for connection password",
+					ConfigEntry: "-",
+				},
+				{
+					Long:        "password",
+					Short:       "p",
+					Type:        plugin.FlagType_String,
+					Default:     "",
+					Desc:        "Set the connection password",
+					Option:      plugin.FlagOption_Password,
+					ConfigEntry: "-",
+				},
+				{
+					Long:    "identity-file",
+					Short:   "i",
+					Type:    plugin.FlagType_String,
+					Default: "",
+					Desc:    "Select a file from which to read the identity (private key) for public key authentication",
+				},
+				{
+					Long:    "account",
+					Type:    plugin.FlagType_String,
+					Default: "",
+					Desc:    "Snowflake account",
+				},
+				{
+					Long:    "region",
+					Type:    plugin.FlagType_String,
+					Default: "",
+					Desc:    "Snowflake region",
+				},
+				{
+					Long:    "role",
+					Type:    plugin.FlagType_String,
+					Default: "",
+					Desc:    "Snowflake role",
+				},
+			},
+		},
+	},
+}