ðŸ’ŧCLI interface

The easiest way to use SnowDDL is to create and apply YAML configs with CLI interface.

SnowDDL registers snowddl CLI entry-point using setuptools. It should be available in your terminal immediately after installation.

Quick help

usage: snowddl [-h] [-c CONFIG_PATH] [-a ACCOUNT] [-u USER] [-p PASSWORD] [-k PRIVATE_KEY] [-r ROLE] [-w WAREHOUSE] [--passphrase PASSPHRASE] [--env-prefix ENV_PREFIX]
               [--env-admin-role ENV_ADMIN_ROLE] [--max-workers MAX_WORKERS] [--query-tag QUERY_TAG] [--log-level LOG_LEVEL] [--show-sql] [--placeholder-path] [--placeholder-values]
               [--exclude-object-types] [--include-object-types] [--apply-unsafe] [--apply-replace-table] [--apply-masking-policy] [--apply-row-access-policy] [--apply-account-params]
               [--apply-network-policy] [--apply-resource-monitor] [--apply-outbound-share] [--refresh-user-passwords] [--refresh-future-grants] [--refresh-stage-encryption]
               [--refresh-secrets] [--clone-table] [--destroy-without-prefix]
               {plan,apply,destroy} ...

Object management automation tool for Snowflake

positional arguments:
  {plan,apply,destroy}
    plan                           Resolve objects, apply nothing, display suggested changes
    apply                          Resolve objects, apply safe changes, display suggested unsafe changes
    destroy                        Drop objects with specified --env-prefix, use it to reset dev and test environments

options:
  -h, --help                       show this help message and exit
  -c CONFIG_PATH                   Path to config directory OR name of bundled test config (default: current directory)
  -a ACCOUNT                       Snowflake account identifier (default: SNOWFLAKE_ACCOUNT env variable)
  -u USER                          Snowflake user name (default: SNOWFLAKE_USER env variable)
  -p PASSWORD                      Snowflake user password (default: SNOWFLAKE_PASSWORD env variable)
  -k PRIVATE_KEY                   Path to private key file (default: SNOWFLAKE_PRIVATE_KEY_PATH env variable)
  -r ROLE                          Snowflake active role (default: SNOWFLAKE_ROLE env variable)
  -w WAREHOUSE                     Snowflake active warehouse (default: SNOWFLAKE_WAREHOUSE env variable)
  --authenticator AUTHENTICATOR    Authenticator: 'snowflake' or 'externalbrowser' (to use any IdP and a web browser) (default: SNOWFLAKE_AUTHENTICATOR env variable or 'snowflake')
  --passphrase PASSPHRASE          Passphrase for private key file (default: SNOWFLAKE_PRIVATE_KEY_PASSPHRASE env variable)
  --env-prefix ENV_PREFIX          Env prefix added to global object names, used to separate environments (e.g. DEV, PROD)
  --env-prefix-separator           Custom separator for Env prefix (supported values are: '__', '_', '$')
  --env-admin-role ENV_ADMIN_ROLE  Super administration role which should inherit env prefixed SnowDDL role
  --max-workers MAX_WORKERS        Maximum number of workers to resolve objects in parallel
  --query-tag QUERY_TAG            Add QUERY_TAG to all queries produced by SnowDDL
  --log-level LOG_LEVEL            Log level (possible values: DEBUG, INFO, WARNING; default: INFO)
  --show-sql                       Show executed DDL queries
  --show-timers                    Show debug timers
  --show-unused-files              Show warnings for unused config files
  --placeholder-path               Path to config file with environment-specific placeholders
  --placeholder-values             Environment-specific placeholder values in JSON format
  --exclude-object-types           Comma-separated list of object types NOT to resolve
  --include-object-types           Comma-separated list of object types TO resolve, all other types are excluded
  --apply-unsafe                   Additionally apply unsafe changes, which may cause loss of data (ALTER, DROP, etc.)
  --apply-replace-table            Additionally apply REPLACE TABLE when ALTER TABLE is not possible
  --apply-all-policy               Additionally apply changes to all types of POLICIES
  --apply-account-level-policy     Additionally apply changes for ACCOUNT-level policies
  --apply-aggregation-policy       Additionally apply changes to AGGREGATION POLICIES
  --apply-authentication-policy    Additionally apply changes to AUTHENTICATION POLICIES
  --apply-masking-policy           Additionally apply changes to MASKING POLICIES
  --apply-projection-policy        Additionally apply changes to PROJECTION POLICIES
  --apply-row-access-policy        Additionally apply changes to ROW ACCESS POLICIES
  --apply-account-params           Additionally apply changes to ACCOUNT PARAMETERS
  --apply-network-policy           Additionally apply changes to NETWORK POLICIES
  --apply-resource-monitor         Additionally apply changes to RESOURCE MONITORS
  --apply-outbound-share           Additionally apply changes to OUTBOUND SHARES
  --refresh-user-passwords         Additionally refresh passwords of users
  --refresh-future-grants          Additionally refresh missing grants for existing objects derived from future grants
  --refresh-stage-encryption       Additionally refresh stage encryption parameters for existing external stages
  --refresh-secrets                Additionally refresh secrets
  --clone-table                    Clone all tables from source databases (without env_prefix) to destination databases (with env_prefix)
  --destroy-without-prefix         Allow {destroy} action without --env-prefix

Usage notes

  • Action argument is mandatory:

    • Use plan action to preview changes.

    • Use apply action to apply OR suggest changes, depending on other settings.

    • Use destroy action to drop all objects created by SnowDDL previously.

  • SnowDDL provides a few bundled configs for testing and demonstration purposes. You may use such config by passing its name to -c argument.

  • Account identifier should be passed to -a argument without .snowflakecomputing.com.

  • You may use password OR private key for authentication. Private key is recommended for production environment.

  • Object types for --include and --exclude arguments can be found here.

  • Suggested & optionally executed DDL queries are outputted to STDOUT. Logs are outputted to STDERR.

Last updated