diff --git a/api_gateway.tf b/api_gateway.tf
index 71c80c9..c12259d 100644
--- a/api_gateway.tf
+++ b/api_gateway.tf
@@ -22,7 +22,7 @@ resource "aws_api_gateway_rest_api_policy" "ef_to_lambda" {
 {
 Effect = "Allow"
 Principal = {
- AWS = "arn:${var.arn_format}:sts::${local.account_id}:assumed-role/${local.api_gw_caller_role_name}/snowflake"
+ AWS = "arn:${local.aws_partition}:sts::${local.account_id}:assumed-role/${local.api_gw_caller_role_name}/snowflake"
 }
 Action = "execute-api:Invoke"
 Resource = "${aws_api_gateway_rest_api.ef_to_lambda.execution_arn}/*/*/*"
diff --git a/api_integration.tf b/api_integration.tf
index 6714ea5..086f1ec 100644
--- a/api_integration.tf
+++ b/api_integration.tf
@@ -5,7 +5,7 @@ resource "snowflake_api_integration" "geff_api_integration" {
 enabled = true
 api_provider = length(regexall(".*gov.*", local.aws_region)) > 0 ? "aws_gov_api_gateway" : "aws_api_gateway"
 api_allowed_prefixes = [local.inferred_api_gw_invoke_url]
- api_aws_role_arn = "arn:${var.arn_format}:iam::${local.account_id}:role/${local.api_gw_caller_role_name}"
+ api_aws_role_arn = "arn:${local.aws_partition}:iam::${local.account_id}:role/${local.api_gw_caller_role_name}"
 }
 
 resource "snowflake_integration_grant" "geff_api_integration_grant" {
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index a054b44..c58752b 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -6,7 +6,6 @@ module "geff" {
 env = var.env
 
 # AWS
- arn_format = var.arn_format
 aws_cloudwatch_metric_namespace = var.aws_cloudwatch_metric_namespace
 aws_region = var.aws_region
 
@@ -27,6 +26,7 @@ module "geff" {
 providers = {
 snowflake.api_integration_role = snowflake.api_integration_role
 snowflake.storage_integration_role = snowflake.storage_integration_role
+ snowsql.storage_integration_role = snowsql.storage_integration_role
 aws = aws
 }
 }
diff --git a/examples/complete/snowsql_provider.tf b/examples/complete/snowsql_provider.tf
new file mode 100644
index 0000000..0ef8961
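Review bot: The new `api_aws_role_arn` line derives the partition from `local.aws_partition`, but the `api_provider` line two lines above still infers GovCloud from a region-name regex (`.*gov.*`), so the same resource now decides "is this GovCloud" in two different ways. With the partition available, `api_provider = local.aws_partition == "aws-us-gov" ? "aws_gov_api_gateway" : "aws_api_gateway"` states the intent directly and cannot be thrown off by an unrelated region name that happens to contain "gov". The `snowflake_api_integration` resource's opening line is outside the hunk.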
--- /dev/null
+++ b/examples/complete/snowsql_provider.tf
@@ -0,0 +1,7 @@
+provider "snowsql" {
+ alias = "storage_integration_role"
+
+ account = var.snowflake_account
+ role = var.snowflake_storage_integration_owner_role
+ username = "example_user"
+}
diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
index b042864..e9e98e5 100644
--- a/examples/complete/versions.tf
+++ b/examples/complete/versions.tf
@@ -1,15 +1,24 @@
 terraform {
- required_version = "~> 1.4.6"
+ required_version = ">= 1.4.6"
 
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 4.38.0"
+ version = "~> 5.72.0"
 }
 
 snowflake = {
 source = "Snowflake-Labs/snowflake"
- version = "~> 0.64.0"
+ version = "~> 0.73.0"
+ }
+
+ snowsql = {
+ source = "aidanmelen/snowsql"
+ version = ">= 1.3.3"
+
+ configuration_aliases = [
+ snowsql.storage_integration_role,
+ ]
 }
 }
 }
diff --git a/iam.tf b/iam.tf
index b1b3f1e..d1daf42 100644
--- a/iam.tf
+++ b/iam.tf
@@ -25,7 +25,7 @@ resource "aws_iam_role" "geff_api_gateway_assume_role" {
 
 resource "aws_iam_role_policy_attachment" "gateway_logger_policy_attachment" {
 role = aws_iam_role.geff_api_gateway_assume_role.id
- policy_arn = "arn:${var.arn_format}:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
+ policy_arn = "arn:${local.aws_partition}:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
 }
 
 resource "aws_api_gateway_account" "api_gateway" {
@@ -100,7 +100,7 @@ data "aws_iam_policy_document" "geff_lambda_policy_doc" {
 sid = "WriteCloudWatchLogs"
 effect = "Allow"
 resources = [
- "arn:${var.arn_format}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${local.lambda_function_name}:*"
+ "arn:${local.aws_partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${local.lambda_function_name}:*"
 ]
 actions = [
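Review bot: `username = "example_user"` is a hard-coded identity while `account` and `role` on the neighbouring lines come from variables, and the new provider block names no credential at all, so a reader of the example cannot tell where the snowsql provider is expected to obtain the password or key for that user (presumably from its environment, but nothing here says so). Source the username from a variable like the other two attributes, and add a comment above the block such as `# Authentication for this user is supplied outside this file (provider environment); do not add a literal password here.` so the first thing a user does to get the example running is not to commit a secret. The provider block is complete within the hunk.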
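Review bot: The new `snowsql` entry in the example's `versions.tf` uses an open-ended `version = ">= 1.3.3"` while `aws` and `snowflake` in the same root module are pinned with `~>`; a fresh `terraform init` without a committed lock file would accept any future major release of a community-published provider, so `version = "~> 1.3.3"` would match the file's own convention and keep the example reproducible. The `configuration_aliases` list also looks redundant in this root module: that attribute is for child modules that receive a provider configuration from their caller, and this example defines the aliased provider itself in snowsql_provider.tf (the `snowflake` entry in the same file carries no such list) — worth verifying whether it is needed at all here, as I cannot confirm that from the diff alone.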
@@ -196,7 +196,7 @@ resource "aws_iam_role_policy" "geff_lambda_policy" {
 
 data "aws_iam_policy" "geff_lambda_vpc_policy" {
 count = var.deploy_lambda_in_vpc ? 1 : 0
- arn = "arn:${var.arn_format}:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"
+ arn = "arn:${local.aws_partition}:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"
 }
 
 resource "aws_iam_policy_attachment" "geff_lambda_vpc_policy_attachment" {
diff --git a/kms.tf b/kms.tf
index 50a4cdb..3a107b5 100644
--- a/kms.tf
+++ b/kms.tf
@@ -9,7 +9,7 @@ resource "aws_kms_key" "prod" {
 Action = "kms:*"
 Effect = "Allow"
 Principal = {
- AWS = "arn:${var.arn_format}:iam::${local.account_id}:root"
+ AWS = "arn:${local.aws_partition}:iam::${local.account_id}:root"
 }
 Resource = "*"
 Sid = "Enable IAM User Permissions"
diff --git a/storage_integration.tf b/storage_integration.tf
index eeae0cc..9776fd6 100644
--- a/storage_integration.tf
+++ b/storage_integration.tf
@@ -1,17 +1,18 @@
 module "storage_integration" {
- source = "Snowflake-Labs/storage-integration-aws/snowflake"
+ source = "Snowflake-Labs/storage-integration-aws/snowflake"
+ version = "0.2.11"
 
 # General
 prefix = var.prefix
 env = var.env
 
 # AWS
- arn_format = var.arn_format
 data_bucket_arns = var.data_bucket_arns
 snowflake_integration_user_roles = var.snowflake_integration_user_roles
 
 providers = {
 snowflake.storage_integration_role = snowflake.storage_integration_role
+ snowsql.storage_integration_role = snowsql.storage_integration_role
 aws = aws
 }
 }
diff --git a/variables.tf b/variables.tf
index b5f6ace..4375cf3 100644
--- a/variables.tf
+++ b/variables.tf
@@ -88,12 +88,6 @@ variable "sentry_driver_dsn" {
 default = ""
 }
 
-variable "arn_format" {
- type = string
- description = "ARN format could be aws or aws-us-gov. Defaults to non-gov."
- default = "aws"
-}
-
 variable "create_dynamodb_table" {
 type = bool
 description = "Boolean for if a DynamoDB table is to be created for batch locking."
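Review bot: The `arn` line of the `aws_iam_policy` data source still assembles a partition-qualified ARN for an AWS-managed policy by hand, which the data source can do for you: `name = "AWSLambdaENIManagementAccess"` together with `path_prefix = "/service-role/"` resolves the correct ARN in whichever partition the provider is running in, so the string concatenation and the `local.aws_partition` dependency disappear from this block. The same pattern is behind `policy_arn` in the first hunk of this file; `aws_iam_role_policy_attachment` only accepts an ARN, so there the cleaner form is a second `aws_iam_policy` data lookup whose `.arn` is referenced. The `data` block is complete within the hunk; the rest of the file is not visible here.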
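Review bot: The added `snowsql.storage_integration_role` entry in the `providers` map makes a snowsql provider alias mandatory for every caller of this module, and together with the deletion of `variable "arn_format"` in variables.tf and the aws provider floor moving from `>= 4.38.0` to `>= 5.72.0` in versions.tf this is a breaking change to the module's interface: callers still passing `arn_format` fail validation with an unsupported-argument error, and callers without the snowsql alias fail at init. Nothing in the diff records this; the module's changelog and README (not part of this commit) should list the removed input, the new required provider alias and the raised provider floor, and the release should be a major version bump. Pinning the child module with `version = "0.2.11"` is the right move for reproducibility; I assume that version is what introduces the snowsql requirement downstream, but that is not verifiable from the diff.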
@@ -117,25 +111,18 @@ data "aws_region" "current" {}
 data "aws_partition" "current" {}
 
 locals {
- account_id = data.aws_caller_identity.current.account_id
- aws_region = data.aws_region.current.name
-}
-
-locals {
- lambda_image_repo = "${local.account_id}.dkr.ecr.${local.aws_region}.amazonaws.com/geff"
-}
+ account_id = data.aws_caller_identity.current.account_id
+ aws_region = data.aws_region.current.name
+ aws_partition = data.aws_partition.current.partition
+ aws_dns_suffix = data.aws_partition.current.dns_suffix
 
-locals {
+ lambda_image_repo = "${local.account_id}.dkr.ecr.${local.aws_region}.${local.aws_dns_suffix}/geff"
 lambda_image_repo_version = "${local.lambda_image_repo}:${var.geff_image_version}"
-}
+ lambda_function_name = "${local.geff_prefix}-lambda"
 
-locals {
- inferred_api_gw_invoke_url = "https://${aws_api_gateway_rest_api.ef_to_lambda.id}.execute-api.${local.aws_region}.amazonaws.com/"
- geff_prefix = "${var.prefix}-geff"
-}
+ geff_prefix = "${var.prefix}-geff"
 
-locals {
- lambda_function_name = "${local.geff_prefix}-lambda"
- api_gw_caller_role_name = "${local.geff_prefix}-api-gateway-caller"
- api_gw_logger_role_name = "${local.geff_prefix}-api-gateway-logger"
+ inferred_api_gw_invoke_url = "https://${aws_api_gateway_rest_api.ef_to_lambda.id}.execute-api.${local.aws_region}.${local.aws_dns_suffix}/"
+ api_gw_caller_role_name = "${local.geff_prefix}-api-gateway-caller"
+ api_gw_logger_role_name = "${local.geff_prefix}-api-gateway-logger"
 }
diff --git a/versions.tf b/versions.tf
index d93c8e5..18e31b8 100644
--- a/versions.tf
+++ b/versions.tf
@@ -4,17 +4,26 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 4.38.0"
+ version = ">= 5.72.0"
 }
 
 snowflake = {
 source = "Snowflake-Labs/snowflake"
- version = ">= 0.64.0"
+ version = ">= 0.73.0"
 
 configuration_aliases = [
 snowflake.api_integration_role,
 snowflake.storage_integration_role,
 ]
 }
+
+ snowsql = {
+ source = "aidanmelen/snowsql"
+ version = ">= 1.3.3"
+
+ configuration_aliases = [
+ snowsql.storage_integration_role,
+ ]
+ }
 }
 }