The easiest way to use SnowDDL is to create and apply YAML configs with CLI interface.
SnowDDL registers snowddl CLI entry-point using setuptools. It should be available in your terminal immediately after installation.
Quick help
usage: snowddl [-h] [-c CONFIG_PATH] [-a ACCOUNT] [-u USER] [-p PASSWORD] [-k PRIVATE_KEY] [-r ROLE] [-w WAREHOUSE] [--authenticator AUTHENTICATOR]
[--passphrase PASSPHRASE] [--env-prefix ENV_PREFIX] [--env-prefix-separator {__,_,$}] [--env-admin-role ENV_ADMIN_ROLE] [--max-workers MAX_WORKERS]
[--query-tag QUERY_TAG] [--log-level LOG_LEVEL] [--show-sql] [--show-timers] [--show-unused-files] [--placeholder-path] [--placeholder-values]
[--exclude-object-types] [--include-object-types] [--apply-unsafe] [--apply-replace-table] [--apply-all-policy] [--apply-account-level-policy]
[--apply-aggregation-policy] [--apply-authentication-policy] [--apply-masking-policy] [--apply-projection-policy] [--apply-row-access-policy]
[--apply-account-params] [--apply-network-policy] [--apply-resource-monitor] [--apply-outbound-share] [--refresh-user-passwords] [--refresh-future-grants]
[--refresh-stage-encryption] [--refresh-secrets] [--clone-table] [--destroy-without-prefix]
{plan,apply,destroy,validate} ...
Object management automation tool for Snowflake
positional arguments:
{plan,apply,destroy,validate}
plan Resolve objects, apply nothing, display suggested changes
apply Resolve objects, apply safe changes, display suggested unsafe changes
destroy Drop objects with specified --env-prefix, use it to reset dev and test environments
validate Validate config only, do not connect to Snowflake
options:
-h, --help show this help message and exit
-c CONFIG_PATH Path to config directory OR name of bundled test config (default: current directory)
-a ACCOUNT Snowflake account identifier (default: SNOWFLAKE_ACCOUNT env variable)
-u USER Snowflake user name (default: SNOWFLAKE_USER env variable)
-p PASSWORD Snowflake user password (default: SNOWFLAKE_PASSWORD env variable)
-k PRIVATE_KEY Path to private key file (default: SNOWFLAKE_PRIVATE_KEY_PATH env variable)
-r ROLE Snowflake active role (default: SNOWFLAKE_ROLE env variable)
-w WAREHOUSE Snowflake active warehouse (default: SNOWFLAKE_WAREHOUSE env variable)
--authenticator AUTHENTICATOR Authenticator: 'snowflake', 'externalbrowser', 'oauth_snowpark` (default: SNOWFLAKE_AUTHENTICATOR env variable or 'snowflake')
--passphrase PASSPHRASE Passphrase for private key file (default: SNOWFLAKE_PRIVATE_KEY_PASSPHRASE env variable)
--env-prefix ENV_PREFIX Env prefix added to global object names, used to separate environments (e.g. DEV, PROD)
--env-prefix-separator {__,_,$} Custom separator for Env prefix (supported values are: '__', '_', '$')
--env-admin-role ENV_ADMIN_ROLE Super administration role which should inherit env prefixed SnowDDL role
--max-workers MAX_WORKERS Maximum number of workers to resolve objects in parallel
--query-tag QUERY_TAG Add QUERY_TAG to all queries produced by SnowDDL
--log-level LOG_LEVEL Log level (possible values: DEBUG, INFO, WARNING; default: INFO)
--show-sql Show executed DDL queries
--show-timers Show debug timers
--show-unused-files Show warnings for unused config files
--placeholder-path Path to config file with environment-specific placeholders
--placeholder-values Environment-specific placeholder values in JSON format
--exclude-object-types Comma-separated list of object types NOT to resolve
--include-object-types Comma-separated list of object types TO resolve, all other types are excluded
--apply-unsafe Additionally apply unsafe changes, which may cause loss of data (ALTER, DROP, etc.)
--apply-replace-table Additionally apply REPLACE TABLE when ALTER TABLE is not possible
--apply-all-policy Additionally apply changes for all types of policies
--apply-account-level-policy Additionally apply changes for ACCOUNT-level policies
--apply-aggregation-policy Additionally apply changes to AGGREGATION POLICIES
--apply-authentication-policy Additionally apply changes to AUTHENTICATION POLICIES
--apply-masking-policy Additionally apply changes to MASKING POLICIES
--apply-projection-policy Additionally apply changes to PROJECTION POLICIES
--apply-row-access-policy Additionally apply changes to ROW ACCESS POLICIES
--apply-account-params Additionally apply changes to ACCOUNT PARAMETERS
--apply-network-policy Additionally apply changes to NETWORK POLICIES
--apply-resource-monitor Additionally apply changes to RESOURCE MONITORS
--apply-outbound-share Additionally apply changes to OUTBOUND SHARES
--refresh-user-passwords Additionally refresh passwords of users
--refresh-future-grants Additionally refresh missing grants for existing objects derived from future grants
--refresh-stage-encryption Additionally refresh stage encryption parameters for existing external stages
--refresh-secrets Additionally refresh secrets
--clone-table Clone all tables from source databases (without env_prefix) to destination databases (with env_prefix)
--destroy-without-prefix Allow {destroy} action without --env-prefix
Usage notes
Action argument is mandatory:
Use plan action to preview changes.
Use apply action to apply OR suggest changes, depending on other settings.
Use destroy action to drop all objects created by SnowDDL previously.
Use validate action to validate the declared config only without connecting to Snowflake.
SnowDDL provides a few bundled configs for testing and demonstration purposes. You may use such config by passing its name to -c argument.
Account identifier should be passed to -a argument without .snowflakecomputing.com.
You may use password OR private key for authentication. Private key is recommended for production environment.
Object types for --include and --exclude arguments can be found here.
Suggested & optionally executed DDL queries are outputted to STDOUT. Logs are outputted to STDERR.
