
Support Network Rules

Describe the feature

Add support for Snowflake network policies and network rules.

I am imagining an addition to the config that looks like this:

# Network Policies
network_policies:
    - network_policy_name:
        owner: owner_name
        activated_on_account: boolean
        allow:
            - network_rule_name
        block:
            - network_rule_name
    - network_policy_name:
        owner: owner_name
        block:
            - network_rule_name
    ... ... ...
# Network Rules
network_rules:
    - network_rule_name:
        owner: owner_name
        database: database_name
        schema: schema_name
        comment: |
            my network rule comment
        values:
            - 01.23.45.67/89
            - 98.76.54.32/10
    - network_rule_name:
        owner: owner_name
        database: database_name
        schema: schema_name
        values:
            - 01.23.45.67/89

# Users
users:
    - user_name:
        can_login: boolean
        network_policy: network_policy_name
        member_of:
            - role_name
            ...
    - user_name:
        owner: role_name
    ... ... ...

Describe alternatives you've considered

The current alternative is managing network policies and rules manually via the Snowflake console or via SQL commands.

Additional context

Similar to other entities managed in Permifrost, users would need to create network policies and rules manually. Permifrost would manage how each of those entities is defined and the relationships between the two, as well as the relationships between policies and users. A boolean flag could also mark which network policy is activated at the account level.

To keep things simple, this would only work with IPv4 addresses and not private networks.
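As an added example (not code from this issue or from Permifrost), here is a Python sketch of what a planner for the proposed config could do: validate every network rule value as a public IPv4 CIDR, check that policies reference only defined rules and users only defined policies, and emit the Snowflake statements in dependency order. The config is a constructed sample in the shape yaml.safe_load would return for the YAML above; the statement forms follow Snowflake's CREATE NETWORK RULE, CREATE NETWORK POLICY, ALTER USER and ALTER ACCOUNT syntax, and the rule/policy names are made up.

```python
import ipaddress
# Constructed sample in the shape of the proposed config, as yaml.safe_load would return it.
CONFIG = {
    "network_rules": [{"office_nat": {"owner": "securityadmin", "database": "admin_db", "schema": "network",
                       "comment": "office NAT range", "values": ["51.100.0.0/16", "51.200.7.9/32"]}}],
    "network_policies": [{"corp_only": {"activated_on_account": True, "allow": ["office_nat"]}}],
    "users": [{"analyst": {"can_login": True, "network_policy": "corp_only"}}],
}

def validate_rule_values(values):
    """Reject anything that is not a public IPv4 CIDR, matching the proposal's stated scope."""
    for v in values:
        try:
            net = ipaddress.ip_network(v, strict=True)  # strict: host bits must be zero
        except ValueError as exc:
            raise ValueError(f"{v!r} is not a valid CIDR: {exc}") from None
        if net.version != 4:
            raise ValueError(f"{v!r}: only IPv4 is supported")
        if net.is_private:
            raise ValueError(f"{v!r}: private networks are not supported")
    return values

def plan(config):
    stmts, rules, policies = [], {}, set()  # rules -> policies -> users, so every reference resolves
    for item in config.get("network_rules", []):
        (name, spec), = item.items()
        fq = f"{spec['database']}.{spec['schema']}.{name}"
        values = ", ".join(f"'{v}'" for v in validate_rule_values(spec["values"]))
        comment = spec.get("comment", "").strip().replace("'", "''")  # escape for the SQL literal
        stmts.append(f"CREATE NETWORK RULE IF NOT EXISTS {fq} TYPE = IPV4 VALUE_LIST = ({values})"
                     + (f" COMMENT = '{comment}'" if comment else "") + ";")
        rules[name] = fq  # policies must reference the fully qualified rule name
    for item in config.get("network_policies", []):
        (name, spec), = item.items()
        allow, block = spec.get("allow", []), spec.get("block", [])
        if unknown := set(allow + block) - set(rules):
            raise ValueError(f"policy {name}: undefined network rules {sorted(unknown)}")
        clauses = [f"{kw} = ({', '.join(rules[r] for r in lst)})" for kw, lst in
                   (("ALLOWED_NETWORK_RULE_LIST", allow), ("BLOCKED_NETWORK_RULE_LIST", block)) if lst]
        stmts.append(f"CREATE NETWORK POLICY IF NOT EXISTS {name} {' '.join(clauses)};")
        if spec.get("activated_on_account"):
            stmts.append(f"ALTER ACCOUNT SET NETWORK_POLICY = {name};")
        policies.add(name)
    for item in config.get("users", []):
        (name, spec), = item.items()
        if "network_policy" in spec:
            if spec["network_policy"] not in policies:
                raise ValueError(f"user {name}: undefined network policy {spec['network_policy']!r}")
            stmts.append(f"ALTER USER {name} SET NETWORK_POLICY = {spec['network_policy']};")
    return stmts
```

Running the planner before applying anything gives a reviewable diff of the statements, which is where the version-control benefit of managing these relationships in one file comes from.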

Who will this benefit?

This will benefit any org that maintains network policies on their Snowflake account to restrict incoming traffic to their Snowflake instance. It will also give teams more ability to manage network policies on a user-level. Managing individual network rules is cumbersome, but managing the relationship between network rules, network policies, and users is even more difficult to do in a clean way without some kind of version control. I suspect that this feature would enable teams to put in place more thorough security restrictions than they would if managing manually.

Are you interested in contributing this feature?

Yes! I would be interested in building this out if there is community interest and support for it.