⭐️ snowflake provider

[chris-rock]

Snowflake Provider

cnquery shell snowflake

Required arguments:

• --account - The Snowflake account name.
• --region - The Snowflake region.
• --user - The Snowflake username.
• --role - The Snowflake role.

The easiest way to get the account name and region is to look at the URL when you log in to the Snowflake web interface. When clicking on the account icon you can copy the account URL that included the account name and region.

Password Authentication

Arguments:

• --password - The Snowflake password.
• --ask-pass - Prompt for the Snowflake password.

shell snowflake --account zi12345 --region us-central1.gcp --user CHRIS  --role ACCOUNTADMIN --ask-pass

To create a username and password, use Snowsight or using SQL.

Certificate Authentication

Arguments:

• --private-key - The path to the private key file.

shell snowflake --account zi12345 --region us-central1.gcp --user CHRIS  --role ACCOUNTADMIN --private-key ~/.ssh/id_rsa

You need to generate a RSA key pair and assign the public key to your user via Snowsight.

Examples

Retrieve all users

cnquery> snowflake.account.users
snowflake.account.users: [
  0: snowflake.user name="CHRIS"
  1: snowflake.user name="DATAUSER"
  2: snowflake.user name="SNOWFLAKE"
]

Retrieve all users that have no MFA

cnquery> snowflake.account.users.where(extAuthnDuo == false)
snowflake.account.users.where: [
  0: snowflake.user name="CHRIS"
  1: snowflake.user name="DATAUSER"
  2: snowflake.user name="SNOWFLAKE"
]

Retrieve all users that have password authentication

cnquery> snowflake.account.users.where(hasPassword)
snowflake.account.users.where: [
  0: snowflake.user name="CHRIS"
  1: snowflake.user name="DATAUSER"
  2: snowflake.user name="SNOWFLAKE"
]

Retrieve all users that have certificate authentication

cnquery> snowflake.account.users.where(hasRsaPublicKey)
snowflake.account.users.where: [
  0: snowflake.user name="CHRIS"
]

Retrieve users that have not logged in for 30 days

cnquery> snowflake.account.users.where(time.now - lastSuccessLogin > time.day * 30) { lastSuccessLogin }
snowflake.account.users.where: [
  0: {
    lastSuccessLogin: 366 days 
  }
]

Check that SCIM is enabled

cnquery> snowflake.account.securityIntegrations.where(type == /SCIM/).any(enabled == true)
[failed] [].any()
  actual:   []

Check the retention time is greater 90 days

cnquery> snowflake.account.parameters.one(key == "DATA_RETENTION_TIME_IN_DAYS" && value >= 90)

Retrieve all databases

cnquery> snowflake.account.databases
snowflake.account.databases: [
  0: snowflake.database name="CNQUERY"
  1: snowflake.database name="SNOWFLAKE"
  2: snowflake.database name="SNOWFLAKE_SAMPLE_DATA"
]

[github-actions]

Test Results

3 058 tests  ±0   3 057 ✅ ±0   1m 35s ⏱️ +3s
  361 suites +6       1 💤 ±0 
   27 files   +1       0 ❌ ±0 

Results for commit 1e1e3f2. ± Comparison against base commit 465329a.

♻️ This comment has been updated with latest results.

[imilchev]

We should look into disabling the debug logs from the snowflake terraform provider. Not sure what is a good way of doing this. It seems like the use log.Printf which means we cannot just change the verbosity of the logger... https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/5df6d3d035d680c9d2a383c7835e90b9b93c56b9/pkg/sdk/client.go#L180C6-L180C12