Eliminated manual Snowflake configuration drift by codifying the entire platform infrastructure. Any change to roles, warehouses, or databases goes through a PR review and automated deployment — no more undocumented manual changes.
The Snowflake environment had accumulated years of manual configuration changes with no audit trail. Nobody knew who had access to what, warehouses were left running unnecessarily, and the monthly Snowflake bill was unpredictable.
There was no source of truth for Snowflake configuration. RBAC roles were inconsistent across environments. New environments took days to provision manually. There was no automated cost governance.
Remote Terraform state stored in Azure Blob Storage with state locking. Separate state files per environment.
The Terraform RBAC module creates functional roles that are granted object-level privileges. Users are assigned to functional roles, not directly to objects. This means access reviews are simple: check which functional role a user has, not which objects they can access.
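The functional-role pattern described above, written out as an added example (this is not the page's own loader_role.tf or main.tf). It assumes the Snowflake-Labs/snowflake Terraform provider in its 0.95 line; the resource and attribute names are as I recall them for that line and should be checked against whatever version is pinned. The storage account, database, role and service-user names are constructed placeholders. The block also folds in the Azure Blob backend and per-workspace environment suffix from the surrounding bullets, since a practitioner would keep those in the same root module.

```hcl
# Added example, not the page's own loader_role.tf. Assumes the
# Snowflake-Labs/snowflake provider (0.95 line); resource and attribute names
# are as I recall them for that line and should be checked against the pinned
# version. Storage account, database, role and user names are constructed
# placeholders.

terraform {
  required_providers {
    snowflake = {
      source  = "Snowflake-Labs/snowflake"
      version = "~> 0.95"
    }
  }

  # Remote state in Azure Blob Storage. The azurerm backend locks state with a
  # blob lease during plan/apply, and each Terraform workspace (dev, staging,
  # prod) gets its own state blob under this key.
  backend "azurerm" {
    resource_group_name  = "rg-terraform-state" # placeholder
    storage_account_name = "sttfstate0000"      # placeholder
    container_name       = "tfstate"
    key                  = "snowflake.tfstate"
    use_azuread_auth     = true
  }
}

provider "snowflake" {
  # Account, user and key come from SNOWFLAKE_* environment variables set by
  # the pipeline. The role is a purpose-built admin role holding CREATE ROLE,
  # CREATE DATABASE and MANAGE GRANTS, not ACCOUNTADMIN.
  role = "TERRAFORM_ADMIN" # placeholder
}

locals {
  # Same module code for every environment; only the suffix changes.
  env = upper(terraform.workspace)
}

resource "snowflake_database" "analytics" {
  name = "ANALYTICS_${local.env}"
}

resource "snowflake_schema" "raw" {
  database = snowflake_database.analytics.name
  name     = "RAW"
}

# Functional role: named for what a job does, not for who runs it.
resource "snowflake_account_role" "loader" {
  name    = "LOADER_${local.env}"
  comment = "Ingestion pipelines: write to RAW tables only"
}

# Object-level privileges are granted to the role, never to a user.
resource "snowflake_grant_privileges_to_account_role" "loader_db" {
  account_role_name = snowflake_account_role.loader.name
  privileges        = ["USAGE"]
  on_account_object {
    object_type = "DATABASE"
    object_name = snowflake_database.analytics.name
  }
}

resource "snowflake_grant_privileges_to_account_role" "loader_schema" {
  account_role_name = snowflake_account_role.loader.name
  privileges        = ["USAGE", "CREATE TABLE"]
  on_schema {
    schema_name = "\"${snowflake_database.analytics.name}\".\"${snowflake_schema.raw.name}\""
  }
}

# Future grant: tables created later in RAW by any owner are covered without
# a new PR for each table.
resource "snowflake_grant_privileges_to_account_role" "loader_raw_tables" {
  account_role_name = snowflake_account_role.loader.name
  privileges        = ["SELECT", "INSERT"]
  on_schema_object {
    future {
      object_type_plural = "TABLES"
      in_schema          = "\"${snowflake_database.analytics.name}\".\"${snowflake_schema.raw.name}\""
    }
  }
}

# Users (here a service user) are mapped to the functional role only, so an
# access review asks "which roles does SVC_INGEST hold", not a per-object audit.
resource "snowflake_grant_account_role" "loader_svc_ingest" {
  role_name = snowflake_account_role.loader.name
  user_name = "SVC_INGEST_${local.env}" # placeholder service user
}
```

The review benefit shows up in the plan output: a change to the LOADER role's reach appears as a diff on a snowflake_grant_privileges_to_account_role resource, and a change to who holds the role appears as a diff on snowflake_grant_account_role, so a PR reviewer sees exactly which of the two kinds of access is changing.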
Terraform is idempotent by design — running apply twice produces no changes if state matches desired configuration.
Azure DevOps pipeline retries on Snowflake API rate limit errors with exponential backoff.
Terraform plan and apply outputs stored as Azure DevOps pipeline artifacts for full audit trail.
Terraform service principal has only the Snowflake privileges required to manage infrastructure. No ACCOUNTADMIN in pipelines.
Plan on PR, apply on merge to main, manual gate for production. Full pipeline history in Azure DevOps.
Terraform workspaces + environment variable files. Dev → Staging → Prod with identical module code.
terraform/loader_role.tf: Terraform definition of the LOADER functional role with database, schema, and table-level grants.
terraform/cost_monitors.tf: Resource monitor definitions with credit quotas and alert thresholds per warehouse.
azure-pipelines-tf-apply.yml: Azure DevOps pipeline for the plan-on-PR and apply-on-merge workflow.
terraform/main.tf: Root Terraform module defining providers, backends, and module composition.
"This is the Terraform IaC solution I built for Snowflake. Let me tell you why this matters. When I inherited the environment, it had years of manual configuration changes with no audit trail. Nobody could tell you who had access to what, or why certain warehouses existed. The monthly Snowflake bill was unpredictable, and provisioning a new environment took 2–3 days. I solved this by codifying the entire Snowflake platform in Terraform. Every warehouse, database, schema, role, and grant is defined in HCL and stored in version control. The RBAC model is functional rather than user-centric. I defined roles by function: LOADER for ingestion pipelines, TRANSFORMER for dbt, REPORTER for BI tools. Users are assigned to functional roles, not directly to objects. This makes access reviews trivial — you just check which role a user has. For cost governance, every warehouse has a Terraform-managed resource monitor. When a warehouse hits 75% of its monthly credit quota, an alert fires. At 100%, it auto-suspends. This eliminated surprise bills. The CI/CD workflow is plan-on-PR, apply-on-merge. Every infrastructure change goes through a PR review where the Terraform plan output is posted as a comment. Reviewers can see exactly what will change before approving. The result: provisioning a new environment now takes under 10 minutes, configuration drift is zero, and every access change has a PR trail."
"I built a Terraform IaC solution for Snowflake covering RBAC, warehouses, and cost governance. The key design was a functional RBAC model (LOADER, TRANSFORMER, REPORTER roles) and a plan-on-PR CI/CD workflow. Provisioning time went from days to under 10 minutes, and we eliminated configuration drift entirely."
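The cost governance described above (an alert at 75% of the monthly credit quota, auto-suspend at 100%, one monitor per warehouse), as an added example that is not the page's own cost_monitors.tf. It assumes the same Snowflake-Labs/snowflake provider 0.95 line as the role example; the resource monitor attribute names are as I recall them and should be verified against the pinned version. The variable, warehouse and notification user names are constructed.

```hcl
# Added example, not the page's own cost_monitors.tf. Assumes the
# Snowflake-Labs/snowflake provider (0.95 line); verify attribute names
# against the pinned version. Quota, warehouse and user names are constructed.

variable "loader_monthly_credits" {
  type        = number
  description = "Monthly credit cap for the loader warehouse, set per environment in its tfvars file"
}

locals {
  env = upper(terraform.workspace)
}

# One resource monitor per warehouse. 75% of the monthly quota sends an alert;
# 100% suspends the warehouse once running queries finish. Thresholds and the
# quota live in version control, so raising a cap is a reviewed PR.
resource "snowflake_resource_monitor" "wh_loader" {
  name            = "RM_WH_LOADER_${local.env}"
  credit_quota    = var.loader_monthly_credits
  frequency       = "MONTHLY"
  start_timestamp = "IMMEDIATELY"
  notify_triggers = [75]
  suspend_trigger = 100
  notify_users    = ["DATA_PLATFORM_ONCALL"] # placeholder account user
}

# The warehouse is bound to its monitor in the same file, so a new warehouse
# and its cap arrive in one PR and a plan that drops resource_monitor is
# visible in review.
resource "snowflake_warehouse" "loader" {
  name             = "WH_LOADER_${local.env}"
  warehouse_size   = "XSMALL"
  auto_suspend     = 60 # seconds idle before suspend; cheap default for batch loads
  resource_monitor = snowflake_resource_monitor.wh_loader.name
}
```

Each environment supplies its own value for loader_monthly_credits in a tfvars file (for example a small quota in dev.tfvars and a larger one in prod.tfvars), and the pipeline runs terraform workspace select followed by terraform apply -var-file for that environment, so the module code stays identical while the caps differ.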
How this solution demonstrates enterprise data platform delivery values:
Took ownership of a chaotic Snowflake environment with no documentation and built a complete IaC solution from scratch.
Researched Snowflake Terraform provider capabilities and cost governance patterns before designing the solution.
Importing existing Snowflake resources into Terraform state required careful planning and multiple iterations to avoid disrupting production.
The plan-on-PR workflow was designed specifically to make infrastructure changes reviewable by the whole team, not just me.