feat: Add must_change_password variable and credentials outputs (#8)

* feat: Add must_change_password variable and credentials outputs * Update outputs.tf Co-authored-by: Mariusz Wojakowski <[email protected]> * Update variables.tf Co-authored-by: Mariusz Wojakowski <[email protected]> * terraform-docs: automated action Co-authored-by: Mariusz Wojakowski <[email protected]> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
getindata · Jan 23, 2023 · 604003d · 604003d
1 parent 950c7e9
commit 604003d
Show file tree

Hide file tree

Showing 6 changed files with 29 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -58,6 +58,7 @@ Terraform module can:
 | <a name="input_labels_as_tags"></a> [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.<br>Default is to include all labels.<br>Tags with empty values will not be included in the `tags` output.<br>Set to `[]` to suppress all generated tags.<br>**Notes:**<br>  The value of the `name` tag, if included, will be the `id`, not the `name`.<br>  Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be<br>  changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | <pre>[<br>  "default"<br>]</pre> | no |
 | <a name="input_last_name"></a> [last\_name](#input\_last\_name) | Last name of the user | `string` | `null` | no |
 | <a name="input_login_name"></a> [login\_name](#input\_login\_name) | The name users use to log in. If not supplied, snowflake will use name instead. | `string` | `null` | no |
+| <a name="input_must_change_password"></a> [must\_change\_password](#input\_must\_change\_password) | Should the user change the password on login. Should be set to true for non service account users | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br>This is the only ID element not also included as a `tag`.<br>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
@@ -88,6 +89,8 @@ Terraform module can:
 | <a name="output_last_name"></a> [last\_name](#output\_last\_name) | Last name of the user |
 | <a name="output_login_name"></a> [login\_name](#output\_login\_name) | The name users use to log in |
 | <a name="output_name"></a> [name](#output\_name) | Name of the user |
+| <a name="output_password"></a> [password](#output\_password) | Password set for the user |
+| <a name="output_rsa_private_key"></a> [rsa\_private\_key](#output\_rsa\_private\_key) | RSA Private key used for authentication |
 
 ## Providers
 

diff --git a/examples/complete/.envrc b/examples/complete/.envrc
@@ -1 +1,2 @@
-dotenv_if_exists
+#Override defaults
+command -v dotenv && test -f .env && dotenv
diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
@@ -1,12 +1,5 @@
-output "display_name" {
-  description = "Specifies the namespace (database only or database and schema) that is active by default for the user's session upon login"
-  value       = module.terraform_snowflake_user.display_name
-}
-output "login_name" {
-  description = "The name users use to log in"
-  value       = module.terraform_snowflake_user.login_name
-}
-output "default_role" {
-  description = "Specifies the role that is active by default for the user's session upon login"
-  value       = module.terraform_snowflake_user.default_role
+output "user_module_outputs" {
+  description = "All user module outputs"
+  value       = module.terraform_snowflake_user
+  sensitive   = true
 }
diff --git a/main.tf b/main.tf
@@ -38,7 +38,7 @@ resource "snowflake_user" "this" {
   comment      = var.comment
 
   password             = one(random_password.this[*].result)
-  must_change_password = true # When password set here - always change password on login
+  must_change_password = var.must_change_password
 
   email      = var.email
   first_name = var.first_name

diff --git a/outputs.tf b/outputs.tf
@@ -47,3 +47,15 @@ output "email" {
   description = "Email address for the user"
   value       = one(snowflake_user.this[*].email)
 }
+
+output "password" {
+  description = "Password set for the user"
+  value       = one(random_password.this[*].result)
+  sensitive   = true
+}
+
+output "rsa_private_key" {
+  description = "RSA Private key used for authentication"
+  value       = one(tls_private_key.this[*].private_key_pem)
+  sensitive   = true
+}
diff --git a/variables.tf b/variables.tf
@@ -90,8 +90,15 @@ variable "descriptor_name" {
   type        = string
   default     = "snowflake-user"
 }
+
 variable "generate_password" {
   description = "Generate a random password using Terraform"
   type        = bool
   default     = false
 }
+
+variable "must_change_password" {
+  description = "Should the user change the password on login. Should be set to true for non service account users"
+  type        = bool
+  default     = true
+}