Snowflake-Labs / terraform-provider-snowflake

Terraform provider for managing Snowflake accounts
https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest
MIT License

[Feature]: Add support for Authentication Policies #2880

Open bschwedler opened 4 months ago

bschwedler commented 4 months ago

Use Cases or Problem Statement

We would like to manage Authentication Policies within our IaC.

This is important so that we can limit/control the auth methods that must be used by different classes of users.

As far as I can tell, Authentication Policies are not part of the GA Objects for V1.

Category

category:resource

Object type(s)

No response

Proposal

Add an AuthenticationPolicy resource type that can be managed with IaC.

https://docs.snowflake.com/en/sql-reference/sql/create-authentication-policy

How much impact is this issue causing?

Low

Additional Information

No response

Would you like to implement a fix?

sfc-gh-asawicki commented 4 months ago

Hey @bschwedler. Thanks for reaching out to us.

Authentication policies were PuPr just recently, so they are not part of the V1 scope. For now, you can use https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/unsafe_execute, which can run any SQL statement. We will also welcome a contribution (check https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/CONTRIBUTING.md).

cc: @sfc-gh-sthyagaraj

Relativity74205 commented 3 months ago

@sfc-gh-asawicki I would like to add the authentication policies to the provider similar to the network_rules, if this is fine for you. If yes, could you please add the authentication policies to the SDK and update the user and account SDK (authentication policies can be set for a user or an account)? https://docs.snowflake.com/en/user-guide/authentication-policies

Then I would look into the implementation when I come back from my vacation in three weeks.

sfc-gh-asawicki commented 3 months ago

Hey @Relativity74205. We will accept the contribution, thanks for proposing this! :)

Authentication policies syntax looks relatively easy, we may be able to add it to the SDK at the start of August.

Relativity74205 commented 3 months ago

@sfc-gh-asawicki Great, please let me know when it is finished. And please don't forget the update of the user and account SDK.

cmonty-paypal commented 3 months ago

I didn't see these comments but I started the work to add the authentication policies this week: https://github.com/cmonty-paypal/terraform-provider-snowflake/tree/add_authentication_policies

sfc-gh-asawicki commented 3 months ago

@cmonty-paypal it's great, we have not started the SDK part, so we will gladly accept your contribution :)

jasonjoneszywave commented 3 months ago

Looking forward to seeing this implemented soon since authentication policies are the mechanism to enforce MFA enrollment based on the below blog post from earlier this week.

https://www.snowflake.com/blog/snowflake-admins-enforce-mandatory-mfa/

georgeb-accelins commented 3 months ago

> I didn't see these comments but I started the work to add the authentication policies this week: https://github.com/cmonty-paypal/terraform-provider-snowflake/tree/add_authentication_policies

I too did not see the recent comments and had started working on it :) It was a good learning experience for me. @cmonty-paypal - looks like you are well on your way. Let me know if there is anything I can do to help.

cmonty-paypal commented 3 months ago

> > I didn't see these comments but I started the work to add the authentication policies this week: https://github.com/cmonty-paypal/terraform-provider-snowflake/tree/add_authentication_policies
>
> I too did not see the recent comments and had started working on it :) It was a good learning experience for me. @cmonty-paypal - looks like you are well on your way. Let me know if there is anything I can do to help.

If you have any feedback in the PR, please let me know!

denzhel commented 3 months ago

Releasing this will help us a lot! At the moment this blocks us. Even with unsafe_execute I get the following error:

This session does not have a current database. Call 'USE DATABASE',

I created a database and called the use database command with unsafe_execute, and yet I get this error.

sfc-gh-asawicki commented 3 months ago

Hey @denzhel. Can you share the config you are trying to run? Setting a database in session should work (and works for other resources too).

denzhel commented 3 months ago

I've deleted the resources already since I did not manage to run it.

Can you please share an example of how I set a database session?

sfc-gh-asawicki commented 3 months ago

Hey @denzhel, I do not have a running example, I may be able to set it up later this week.
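The `unsafe_execute` workaround discussed above, as an added example that is not part of any comment in this thread or of the provider's own documentation. Authentication policies are schema-level objects, so the sketch uses a fully qualified policy name, which does not depend on the session having a current database. The database, schema, policy and user names are placeholders, and the database and schema are assumed to exist already.

```hcl
terraform {
  required_providers {
    snowflake = {
      source = "Snowflake-Labs/snowflake"
    }
  }
}

locals {
  # Placeholder names (assumptions). The fully qualified form
  # <database>.<schema>.<policy> works without any USE DATABASE / USE SCHEMA.
  auth_policy = "SECURITY_DB.POLICIES.REQUIRE_MFA"
  target_user = "EXAMPLE_USER"
}

# Create the policy with raw SQL until a dedicated resource is available.
resource "snowflake_unsafe_execute" "auth_policy" {
  execute = <<-SQL
    CREATE AUTHENTICATION POLICY IF NOT EXISTS ${local.auth_policy}
      AUTHENTICATION_METHODS = ('PASSWORD', 'SAML')
      MFA_ENROLLMENT = REQUIRED
      CLIENT_TYPES = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWSQL')
      COMMENT = 'Managed by Terraform via unsafe_execute'
  SQL

  # Runs on destroy.
  revert = "DROP AUTHENTICATION POLICY IF EXISTS ${local.auth_policy}"

  # Read-back check: exposes what Snowflake actually stored.
  query = "DESCRIBE AUTHENTICATION POLICY ${local.auth_policy}"
}

# Attach the policy to one user. depends_on orders creation after the policy
# and destruction before it, so UNSET runs before the DROP above.
resource "snowflake_unsafe_execute" "attach_to_user" {
  depends_on = [snowflake_unsafe_execute.auth_policy]

  execute = "ALTER USER ${local.target_user} SET AUTHENTICATION POLICY ${local.auth_policy}"
  revert  = "ALTER USER ${local.target_user} UNSET AUTHENTICATION POLICY"
}

output "auth_policy_description" {
  value = snowflake_unsafe_execute.auth_policy.query_results
}
```

Terraform does not track drift inside `unsafe_execute` statements, so the `query` read-back is the only view of the policy's real state; changing `execute` forces the resource to be recreated.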

sfc-gh-jcieslak commented 1 month ago

Hey @Relativity74205 👋 Some time passed, but we finally had some time to finish the SDK (Big Thanks to @cmonty-paypal 🙏 for doing most of the work). If you still are willing to contribute, you can proceed with extending the provider to add support for authentication policies.

JohnCalhoun commented 1 month ago

+1 to this feature

csp33 commented 1 month ago

+1 to the feature!

Relativity74205 commented 1 month ago

@sfc-gh-jcieslak I think I can do it by next week. I will let you know when I have a PR ready.

Relativity74205 commented 1 month ago

@sfc-gh-jcieslak I have added the authentication policy resource incl. the user/account attachments in the following PR: https://github.com/Snowflake-Labs/terraform-provider-snowflake/pull/3098

I have tested the code manually quite thoroughly and have written some acceptance tests; however, I had some unusual problems in setting up the acceptance tests. At least, I cannot remember that I had such problems with it in the past. I have added some details in the PR.

cmonty-paypal commented 1 month ago

> Hey @Relativity74205 👋
>
> Some time passed, but we finally had some time to finish the SDK (Big Thanks to @cmonty-paypal 🙏 for doing most of the work). If you still are willing to contribute, you can proceed with extending the provider to add support for authentication policies.

Thank you for getting it merged!