KT_session_terraform
Thank you for joining this session. The objective of this session is to give you a comprehensive walkthrough of
service account user creation, human user creation, and the infra repositories for each data product.
I hope you have a basic understanding of Terraform. Terraform is an open-source Infrastructure as Code (IaC) tool
developed by HashiCorp. It allows us to define, provision, and manage cloud resources using a declarative
configuration language. Instead of manually configuring resources, Terraform automates the process, ensuring
consistency and repeatability across environments.
In our organization, we use Terraform to manage both Snowflake and AWS resources.
There are four Snowflake accounts: Data Fabric pre-prod and prod, and Vertex Content (VCMS) pre-prod and prod.
There are two repositories to manage these Snowflake accounts:
1. vdf-snowflake-infra 2. vdf-vertexcontent-infra. I have mostly worked around Data Fabric, which is vdf-snowflake-infra.
Let's go through the code.
• Providers: These are plugins that enable Terraform to interact with cloud platforms like AWS and
Snowflake.
• Resources: These describe the infrastructure components to be created or managed (e.g., Snowflake tables,
AWS S3 buckets). For example, this resource creates databases on Snowflake.
.tfvars files in Terraform are used to define and manage input variable values. They allow you to store variable
values separately from the main Terraform configuration, improving flexibility, reusability, and security.
These files are particularly useful when working with multiple environments or when handling sensitive
information. We have four tfvars files for the four environments: dev, qa, stage and prod.
These are the grants files; we use them to define the grant resources for each Snowflake object.
Then we have users.tf, which is the main topic of today's session. Using this users.tf file we create service
accounts, i.e. machine users. There are two kinds of users in Snowflake: 1. Human users 2. Machine users. For human
users we have the snowflake-user repository, which I will show you later. Machine users are implemented
using this file.
For a service user implementation, first we check our story, which mentions the user name, the default
warehouse and the default role. We have to make sure this default warehouse and role already exist on Snowflake;
otherwise we have to create them first.
Assume we are creating the EINVOICE app user; this is the snowflake_user resource. First we set the count
parameter, which controls whether (and how many times) the user is created. In this story it is mentioned that we have
to create one user per account, i.e. one for the prod account and one for the pre-prod account. In the grooming session
you can clarify this. After that, set the name and login name provided in the story. There are two options for
authenticating a machine user: 1. RSA key pair and 2. password. We mostly use RSA keys for machine users. To generate
RSA keys, we can refer to this website. Using it, create an encrypted key pair and store it in your folder; later we
store the keys in 1Password. In this code we have declared a variable, var.snowflake_einvoice_app_pubkey, which holds
the public key for this user. This variable is defined in the variable.tf file with the necessary parameters such as
type and description. Then set the default warehouse and role name.
Next we need to grant the mentioned role to the user in the grants-role.tf file. A user can be granted more
than one role; for example, this user has grants to these roles. Here too we need to set the count parameter, the role
name, the user name and the other parameters.
Lastly we have to wire the public key variable into the GitHub workflows. The public keys are stored in GitHub
secrets, and the workflows read them from these files, so the variable has to be added to each of them.
The final step is to store the keys and password in 1Password. For pre-prod we have access ourselves, but for
prod we need to share the keys with Priyanka or Sai, as only they have access to the prod vault.
After all these steps we run terraform fmt (fmt means format). Terraform uses it to normalize whitespace and
indentation so the code follows the canonical HCL style.
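The users.tf, variable.tf and grants-role.tf pieces described above, assembled as one added example. This is illustrative code written for this document, not the vdf-snowflake-infra repository's own code: the resource and attribute names follow the Snowflake-Labs Terraform provider (snowflake_user and snowflake_grant_account_role, which assumes a provider version that ships the latter), while the user name, warehouse, role names and the create_einvoice_app_user flag are assumed values standing in for whatever the story specifies.

```hcl
# Added example, not the repository's own code. Names, roles and the
# provider version are assumptions; take the real values from the story.

# variable.tf: flag set per tfvars file, so "one user per account" is
# expressed by enabling it in each account's tfvars.
variable "create_einvoice_app_user" {
  type        = bool
  description = "Create the EINVOICE_APP machine user in this account."
  default     = false
}

# variable.tf: public key for the machine user. No default on purpose:
# the GitHub workflow supplies it from a secret, it is never committed.
variable "snowflake_einvoice_app_pubkey" {
  type        = string
  description = "RSA public key body (no BEGIN/END lines) for EINVOICE_APP."
  sensitive   = true
}

# users.tf: the machine user itself, key-pair authenticated.
resource "snowflake_user" "einvoice_app" {
  count = var.create_einvoice_app_user ? 1 : 0

  name       = "EINVOICE_APP"
  login_name = "EINVOICE_APP"
  comment    = "Machine user for the EINVOICE pipeline (managed by Terraform)"

  # RSA key instead of a password for machine users.
  rsa_public_key = var.snowflake_einvoice_app_pubkey

  # Both objects must already exist in the account, otherwise apply fails.
  default_warehouse = "EINVOICE_WH"
  default_role      = "EINVOICE_APP_ROLE"
}

# grants-role.tf: one grant per role the user needs. The count mirrors the
# user's count so no grant is created when the user is not.
locals {
  einvoice_app_roles = ["EINVOICE_APP_ROLE", "CLIENTCONFIG_READ_ROLE"]
}

resource "snowflake_grant_account_role" "einvoice_app" {
  count = var.create_einvoice_app_user ? length(local.einvoice_app_roles) : 0

  role_name = local.einvoice_app_roles[count.index]
  user_name = snowflake_user.einvoice_app[0].name
}
```

Setting create_einvoice_app_user = true in the tfvars file of each account that should get the user is one way to express the "one user per account" requirement with count. The value passed in for the public key is the body of the .pub file with its BEGIN/END delimiter lines removed, which is the form Snowflake expects in rsa_public_key; marking the variable sensitive keeps it out of plan output and logs.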
1. Write: Define the infrastructure using HashiCorp Configuration Language (HCL). We have written the code
in these repositories.
2. Plan: Preview the changes Terraform will apply without making any modifications. We plan and apply through
GitHub Actions. Before deploying we have to go through the plan and check each and every change in it; if we
find any change that is not from our code, we need to find the owner of that change, and only if they confirm it
do we deploy.
3. Destroy: If we ever need to remove everything a repository manages, there is a Destroy workflow that removes
the resources managed by Terraform. We don't use it unless the requirements demand it.
After deployment we have to validate on Snowflake: check the user name and the roles assigned to it.
For human users we have the snowflake-user repo, where each account has a separate config file. So if we need to
create a user on DF pre-prod, we make the change in that account's file; if we want the user on both pre-prod and prod,
we need to change both files. Let's discuss this user. Like a machine user story, a human user story mentions the default
warehouse and role name, and we have to create the user accordingly, entering all these parameters exactly as given.
After filling in all the details, we follow the same steps: plan on pre-prod, then deploy on pre-prod, and then
validate on the Snowflake account.
Another point I have to discuss: for each pipeline we have a separate repository, e.g. for the Einvoice pipeline we
have Einvoice-infra. In the snowflake-infra repo we have implemented the clientconfig Snowflake objects; similarly, in
Einvoice-infra we have implemented the Einvoice-pipeline Snowflake and AWS objects.
So that’s it, Thank you for your attention. I hope this session has provided you with a clearer understanding of
Terraform.
Feel free to ask any questions you may have, and I will do my best to address them.