Snowflake-Labs / terraform-provider-snowflake

Terraform provider for managing Snowflake accounts
https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest
MIT License

[Feature]: Add support for new Account parameters ADMIN_USER_TYPE etc #3121

Open sean-stage opened 2 weeks ago

sean-stage commented 2 weeks ago

Use Cases or Problem Statement

Snowflake is introducing new parameters for account creation, specifically relevant for use cases where accounts are created programmatically.

As part of our continued effort to improve our customer security, we recently announced enforcement of MFA by default for new Snowflake accounts. This change will be introduced as part of BCR Bundle 2024_08 and your account will be impacted by this change. This bundle is expected to be deployed for testing during the week of October 7th, 2024 in release 8.38. Please note dates are subject to change.

Details of the changes are below:

What you need to do

We recommend following the steps in this whitepaper and this video. More specifically:

When creating new accounts programmatically, use the newly introduced ADMIN_USER_TYPE property for the admin as part of account creation

CREATE ACCOUNT [ ADMIN_USER_TYPE = PERSON | SERVICE | LEGACY_SERVICE | NULL ]

For human users, set ADMIN_USER_TYPE=PERSON. PERSON users will be subject to MFA policies. 

For service users, set ADMIN_USER_TYPE=SERVICE. SERVICE users will not be subject to MFA policies. 

Service users will not be allowed to use passwords by policy and the caller should specify ADMIN_RSA_PUBLIC_KEY instead of admin password as part of account creation. 

If your service users cannot use key pair authentication, set ADMIN_USER_TYPE=LEGACY_SERVICE during account creation and continue setting up passwords. LEGACY_SERVICE users will not be subject to MFA policies. 

LEGACY_SERVICE users are not allowed to log in via UI and cannot have a first name / last name. See this link for more details.

LEGACY_SERVICE is a temporary solution and we highly recommend that you fix your tooling.

Read more about user types and their limitations in the create user documentation.

For users created after a new account is bootstrapped

Make sure to mark the TYPE for all users

For human users TYPE=PERSON, follow the DUO enrollment process and start using MFA

For service users TYPE=SERVICE, make sure to either: 1) use external OAuth (preferred), or 2) use key pair authentication combined with network policy. 

If a service user cannot leverage a key pair, mark them as TYPE=LEGACY_SERVICE. This is a temporary solution and we highly recommend that you fix your deployment based on the above.

This feature request would be to update the Account resource to support the newly introduced arguments/parameters, and also update the User resource to support the Snowflake TYPE setting (e.g. TYPE = "SERVICE" or TYPE = "PERSON").

Having had a look, I can see some sort of awareness of this as a //TODO comment in: https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/97fa9b4485cf26c5bf93dedfe3b88f688a71b3e6/pkg/resources/user.go#L206C1-L206C14

[SNOW-1645348]: revisit with service user work

Category

category:resource

Object type(s)

resource:account

Proposal

Update the Account resource

How much impact is this issue causing?

Low

Additional Information

No response

Would you like to implement a fix?

sfc-gh-asawicki commented 2 weeks ago

Hey @sean-stage. Thanks for reaching out to us.

We have it on our radar. We will check if the new syntax breaks the current account resource implementation this or early next week and adjust it if needed. I will leave a comment in this issue after these tests.

The new parameters will be handled no sooner than with the account resource rework (https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/v1-preparations/ESSENTIAL_GA_OBJECTS.MD) that is incoming. Before that you can use https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/unsafe_execute to change the type.

sean-stage commented 2 weeks ago

Thanks for the response Artur @sfc-gh-asawicki
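The bootstrap steps from the issue body and the `snowflake_unsafe_execute` workaround that sfc-gh-asawicki points to, combined into one added example (not code from the provider or from either commenter). The account name, admin name, e-mail address, SVC_ETL user, network policy name and the two key variables are assumed placeholders.

```hcl
variable "admin_rsa_public_key" {
  description = "PEM body (no header/footer lines) of the RSA public key for the new account's SERVICE admin"
  type        = string
  sensitive   = true
}

variable "svc_etl_rsa_public_key" {
  description = "PEM body of the RSA public key for the existing SVC_ETL user"
  type        = string
  sensitive   = true
}

# Bootstrap a new account with a non-human admin (assumed names). ADMIN_USER_TYPE = SERVICE
# exempts the admin from the MFA-by-default policy but forbids a password, so
# ADMIN_RSA_PUBLIC_KEY replaces ADMIN_PASSWORD. Run with a provider session holding ORGADMIN.
resource "snowflake_unsafe_execute" "etl_account" {
  execute = <<-SQL
    CREATE ACCOUNT ETL_ACCOUNT
      ADMIN_NAME           = 'SVC_ADMIN'
      ADMIN_RSA_PUBLIC_KEY = '${var.admin_rsa_public_key}'
      ADMIN_USER_TYPE      = SERVICE
      EMAIL                = 'platform-team@example.com'
      EDITION              = ENTERPRISE
  SQL

  # DROP ACCOUNT requires a grace period; 3 days is the minimum Snowflake accepts.
  revert = "DROP ACCOUNT ETL_ACCOUNT GRACE_PERIOD_IN_DAYS = 3"
}

# Mark a service user created after bootstrap (assumed user SVC_ETL and network policy).
# The key pair and network policy (the thread's option 2) are set in the same statement
# as TYPE = SERVICE so the user is never left without a working, password-free login.
resource "snowflake_unsafe_execute" "svc_etl_type" {
  execute = <<-SQL
    ALTER USER SVC_ETL SET
      RSA_PUBLIC_KEY = '${var.svc_etl_rsa_public_key}'
      NETWORK_POLICY = 'ETL_ALLOWED_EGRESS'
      TYPE           = SERVICE
  SQL

  # On destroy, fall back to the interim LEGACY_SERVICE type rather than to a
  # human type, so the automation identity is not suddenly subject to MFA enrolment.
  revert = "ALTER USER SVC_ETL SET TYPE = LEGACY_SERVICE"
}
```

Because `snowflake_unsafe_execute` only re-runs `execute` on create, a later change to the key variables needs a taint or a change to the statement text itself to be applied.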