CLI interface

The easiest way to use SnowDDL is to create and apply YAML configs with CLI interface.
SnowDDL registers snowddl CLI entry-point using setuptools. It should be available in your terminal immediately after installation.

Quick help

usage: snowddl [-h] [-c CONFIG_PATH] [-a ACCOUNT] [-u USER] [-p PASSWORD] [-k PRIVATE_KEY] [-r ROLE] [-w WAREHOUSE] [--passphrase PASSPHRASE] [--env-prefix ENV_PREFIX]
[--env-admin-role ENV_ADMIN_ROLE] [--max-workers MAX_WORKERS] [--query-tag QUERY_TAG] [--log-level LOG_LEVEL] [--show-sql] [--placeholder-path] [--placeholder-values]
[--exclude-object-types] [--include-object-types] [--apply-unsafe] [--apply-replace-table] [--apply-masking-policy] [--apply-row-access-policy] [--apply-account-params]
[--apply-network-policy] [--apply-resource-monitor] [--apply-outbound-share] [--refresh-user-passwords] [--refresh-future-grants] [--refresh-stage-encryption]
[--refresh-secrets] [--clone-table] [--destroy-without-prefix]
{plan,apply,destroy} ...
Object management automation tool for Snowflake
positional arguments:
plan Resolve objects, apply nothing, display suggested changes
apply Resolve objects, apply safe changes, display suggested unsafe changes
destroy Drop objects with specified --env-prefix, use it to reset dev and test environments
-h, --help show this help message and exit
-c CONFIG_PATH Path to config directory OR name of bundled test config (default: current directory)
-a ACCOUNT Snowflake account identifier (default: SNOWFLAKE_ACCOUNT env variable)
-u USER Snowflake user name (default: SNOWFLAKE_USER env variable)
-p PASSWORD Snowflake user password (default: SNOWFLAKE_PASSWORD env variable)
-k PRIVATE_KEY Path to private key file (default: SNOWFLAKE_PRIVATE_KEY_PATH env variable)
-r ROLE Snowflake active role (default: SNOWFLAKE_ROLE env variable)
-w WAREHOUSE Snowflake active warehouse (default: SNOWFLAKE_WAREHOUSE env variable)
--passphrase PASSPHRASE Passphrase for private key file (default: SNOWFLAKE_PRIVATE_KEY_PASSPHRASE env variable)
--env-prefix ENV_PREFIX Env prefix added to global object names, used to separate environments (e.g. DEV, PROD)
--env-admin-role ENV_ADMIN_ROLE Super administration role which should inherit env prefixed SnowDDL role
--max-workers MAX_WORKERS Maximum number of workers to resolve objects in parallel
--query-tag QUERY_TAG Add QUERY_TAG to all queries produced by SnowDDL
--log-level LOG_LEVEL Log level (possible values: DEBUG, INFO, WARNING; default: INFO)
--show-sql Show executed DDL queries
--placeholder-path Path to config file with environment-specific placeholders
--placeholder-values Environment-specific placeholder values in JSON format
--exclude-object-types Comma-separated list of object types NOT to resolve
--include-object-types Comma-separated list of object types TO resolve, all other types are excluded
--apply-unsafe Additionally apply unsafe changes, which may cause loss of data (ALTER, DROP, etc.)
--apply-replace-table Additionally apply REPLACE TABLE when ALTER TABLE is not possible
--apply-masking-policy Additionally apply changes to MASKING POLICIES
--apply-row-access-policy Additionally apply changes to ROW ACCESS POLICIES
--apply-account-params Additionally apply changes to ACCOUNT PARAMETERS
--apply-network-policy Additionally apply changes to NETWORK POLICIES
--apply-resource-monitor Additionally apply changes to RESOURCE MONITORS
--apply-outbound-share Additionally apply changes to OUTBOUND SHARES
--refresh-user-passwords Additionally refresh passwords of users
--refresh-future-grants Additionally refresh missing grants for existing objects derived from future grants
--refresh-stage-encryption Additionally refresh stage encryption parameters for existing external stages
--refresh-secrets Additionally refresh secrets
--clone-table Clone all tables from source databases (without env_prefix) to destination databases (with env_prefix)
--destroy-without-prefix Allow {destroy} action without --env-prefix

Usage notes

  • Action argument is mandatory:
    • Use plan action to preview changes.
    • Use apply action to apply OR suggest changes, depending on other settings.
    • Use destroy action to drop all objects created by SnowDDL previously.
  • SnowDDL provides a few bundled configs for testing and demonstration purposes. You may use such config by passing its name to -c argument.
  • Account identifier should be passed to -a argument without
  • You may use password OR private key for authentication. Private key is recommended for production environment.
  • Object types for --include and --exclude arguments can be found here.
  • Suggested & optionally executed DDL queries are outputted to STDOUT. Logs are outputted to STDERR.