Merge pull request #126 from cagov/dont-track-keys-in-tf

Prep for open sourcing

docs/snowflake.md

@@ -155,10 +155,12 @@ The following are steps for creating a new service account with key pair authent
   Most of the time, you should create a key pair with encryption enabled for the private key.
 1. Add the private key to the CalData 1Password vault, along with the intended service account user name and passphrase (if applicable)
 1. Create a new user in the Snowflake Terraform configuration (`users.tf`) and assign it the appropriate functional role.
-  The public key of the key pair should be attached to the user using the property `rsa_public_key`.
+  Once the user is created, add its public key in the Snowflake UI:
+  ```sql
+  ALTER USER <USERNAME> SET RSA_PUBLIC_KEY='MII...'
+  ```
   Note that we need to remove the header and trailer (i.e. `-- BEGIN PUBLIC KEY --`) as well as any line breaks
   in order for Snowflake to accept the public key as valid.
-  It is okay for this public key to be in version control.
 1. Add the *private* key for the user to whatever system needs to access Snowflake.
 
 Service accounts should not be shared across different applications,
@@ -225,6 +227,7 @@ The **elt** module has the following configuration:
 | [snowflake_role_grants.analytics_r_to_reporter](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
 | [snowflake_role_grants.analytics_rwc_to_transformer](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
 | [snowflake_role_grants.loader_to_airflow](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
+| [snowflake_role_grants.loader_to_fivetran](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
 | [snowflake_role_grants.loader_to_sysadmin](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
 | [snowflake_role_grants.loading_to_loader](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
 | [snowflake_role_grants.raw_r_to_reader](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
@@ -242,16 +245,14 @@ The **elt** module has the following configuration:
 | [snowflake_role_grants.transforming_to_transformer](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_grants) | resource |
 | [snowflake_user.airflow](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/user) | resource |
 | [snowflake_user.dbt](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/user) | resource |
+| [snowflake_user.fivetran](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/user) | resource |
 | [snowflake_user.github_ci](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/user) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_airflow_public_key"></a> [airflow\_public\_key](#input\_airflow\_public\_key) | Public key for Airflow service user | `string` | n/a | yes |
-| <a name="input_dbt_public_key"></a> [dbt\_public\_key](#input\_dbt\_public\_key) | Public key for dbt Cloud service user | `string` | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | Environment suffix | `string` | n/a | yes |
-| <a name="input_github_ci_public_key"></a> [github\_ci\_public\_key](#input\_github\_ci\_public\_key) | Public key for GitHub CI service user | `string` | n/a | yes |
 
 ## Outputs
 

terraform/snowflake/environments/dev/main.tf

@@ -12,21 +12,6 @@ variable "locator" {
   type        = string
 }
 
-variable "airflow_public_key" {
-  description = "Public key for Airflow service user"
-  type        = string
-}
-
-variable "dbt_public_key" {
-  description = "Public key for dbt Cloud service user"
-  type        = string
-}
-
-variable "github_ci_public_key" {
-  description = "Public key for GitHub CI service user"
-  type        = string
-}
-
 ############################
 #         Providers        #
 ############################
@@ -86,8 +71,5 @@ module "elt" {
     snowflake.useradmin     = snowflake.useradmin,
   }
 
-  environment          = var.environment
-  airflow_public_key   = var.airflow_public_key
-  dbt_public_key       = var.dbt_public_key
-  github_ci_public_key = var.github_ci_public_key
+  environment = var.environment
 }

terraform/snowflake/environments/dev/terraform.tfvars

@@ -1,5 +1,2 @@
-airflow_public_key   = ""
-dbt_public_key       = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxGn4yPVeOTBHFDCEf6idprUOLUyR12FICA8UAOtLzYDIqJdSHcQUhrHqqXtPn0Zp8YJbfSbUadNmP5van3F8Q0DcuY+SWOd0MeeSJYkoaib1YTARzLidVn3HSSiQofuSTw60lvc8POMH9Km9q2wLiVmOaGSSbgXBk3K22jb1J2QVoJeOT0awJRgZTAix9TOQEFiUmXZEBe23rPzP86yoERr0JCDlDYjB17S83FxF+gZdpv92Mjbi5s5SBXSPHwIPKUN6qOEAmL5fRheSD+J3TNPmZw8H6w4kYJlSxAQUflumhj7M7eeWwCqnB+OakaBxOVjbe3x80JaVZXPUTnFg0QIDAQAB"
-github_ci_public_key = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj9d6NsUrmluQL87jpksnMTc+lVvbMBIjemtMYvnxlBYW+TyQhmwZDKD4ety05LBb7VPXDs0bovTtIgTBRmG7wmD11egsWKigglH4qgNF0FQbfJZ5zEx5kUtp3DBL/CMsa87Pz1FrDIISxvdcfkCIi05M3p1iseqW1nFvogfLM6fO2eVzXj7n/9thDRtVx2NJAKrbe1D2ePwUuZ71RT/C5pjoNdPHa/KqVwau9PPd+Ce6+nvnw6dVYG4PoJzud8R0FGk0W77AHlXeyRb4MiaukuCjSN+aFbolBY41lViP3X8daESzF+VOB5nv4q93T0HyUPu8TbUeJl1bX5/AOtQn6QIDAQAB"
-locator              = "heb41095"
-environment          = "DEV"
+locator     = "heb41095"
+environment = "DEV"

terraform/snowflake/environments/prd/main.tf

@@ -12,21 +12,6 @@ variable "locator" {
   type        = string
 }
 
-variable "airflow_public_key" {
-  description = "Public key for Airflow service user"
-  type        = string
-}
-
-variable "dbt_public_key" {
-  description = "Public key for dbt Cloud service user"
-  type        = string
-}
-
-variable "github_ci_public_key" {
-  description = "Public key for GitHub CI service user"
-  type        = string
-}
-
 ############################
 #         Providers        #
 ############################
@@ -86,8 +71,5 @@ module "elt" {
     snowflake.useradmin     = snowflake.useradmin,
   }
 
-  environment          = var.environment
-  airflow_public_key   = var.airflow_public_key
-  dbt_public_key       = var.dbt_public_key
-  github_ci_public_key = var.github_ci_public_key
+  environment = var.environment
 }

terraform/snowflake/environments/prd/terraform.tfvars

@@ -1,5 +1,2 @@
-airflow_public_key   = ""
-dbt_public_key       = ""
-github_ci_public_key = ""
-locator              = "heb41095"
-environment          = "PRD"
+locator     = "heb41095"
+environment = "PRD"

terraform/snowflake/modules/elt/users.tf

@@ -11,7 +11,6 @@ resource "snowflake_user" "dbt" {
   default_role      = snowflake_role.transformer.name
 
   must_change_password = false
-  rsa_public_key       = var.dbt_public_key
 }
 
 
@@ -24,8 +23,17 @@ resource "snowflake_user" "airflow" {
   default_role      = snowflake_role.loader.name
 
   must_change_password = false
-  rsa_public_key       = var.airflow_public_key
+}
+
+resource "snowflake_user" "fivetran" {
+  provider = snowflake.useradmin
+  name     = "FIVETRAN_SVC_USER_${var.environment}"
+  comment  = "Service user for Fivetran"
+
+  default_warehouse = module.loading["XS"].name
+  default_role      = snowflake_role.loader.name
 
+  must_change_password = false
 }
 
 resource "snowflake_user" "github_ci" {
@@ -37,7 +45,6 @@ resource "snowflake_user" "github_ci" {
   default_role      = snowflake_role.reader.name
 
   must_change_password = false
-  rsa_public_key       = var.github_ci_public_key
 }
 
 ######################################
@@ -58,6 +65,13 @@ resource "snowflake_role_grants" "loader_to_airflow" {
   users                  = [snowflake_user.airflow.name]
 }
 
+resource "snowflake_role_grants" "loader_to_fivetran" {
+  provider               = snowflake.useradmin
+  role_name              = snowflake_role.loader.name
+  enable_multiple_grants = true
+  users                  = [snowflake_user.fivetran.name]
+}
+
 resource "snowflake_role_grants" "reader_to_github_ci" {
   provider               = snowflake.useradmin
   role_name              = snowflake_role.reader.name

terraform/snowflake/modules/elt/variables.tf

@@ -2,18 +2,3 @@ variable "environment" {
   description = "Environment suffix"
   type        = string
 }
-
-variable "airflow_public_key" {
-  description = "Public key for Airflow service user"
-  type        = string
-}
-
-variable "dbt_public_key" {
-  description = "Public key for dbt Cloud service user"
-  type        = string
-}
-
-variable "github_ci_public_key" {
-  description = "Public key for GitHub CI service user"
-  type        = string
-}

terraform/snowflake/modules/elt/warehouses.tf

@@ -4,9 +4,9 @@
 
 locals {
   sizes = {
-    "XS"  = "x-small",
-    "XL"  = "x-large",
-    "4XL" = "4x-large",
+    "XS"  = "X-SMALL",
+    "XL"  = "X-LARGE",
+    "4XL" = "4X-LARGE",
   }
 }