Feature/snowcap improvements

secure/snowcap/.env.sample

@@ -1,4 +1,5 @@
 SNOWFLAKE_ACCOUNT=
+SNOWFLAKE_ACCOUNT_PII=
 SNOWFLAKE_USER=
 SNOWFLAKE_ROLE=securityadmin
 SNOWFLAKE_PRIVATE_KEY_PATH=/config/.ssl/dev-private.pem

secure/snowcap/apply.sh

@@ -8,6 +8,7 @@ else
     echo "File .env does not exist. Please create a .env file with the following variables:"
     echo ""
     echo "SNOWFLAKE_ACCOUNT="
+    echo "SNOWFLAKE_ACCOUNT_PII="
     echo "SNOWFLAKE_USER="
     echo "SNOWFLAKE_ROLE="
     echo "SNOWFLAKE_PRIVATE_KEY_PATH="
@@ -16,14 +17,40 @@ else
     exit 1
 fi
 
-export $(cat .env | xargs)
+# Load env vars safely
+set -a
+. ./.env
+set +a
+
+# Default to non-PII (standard) account
+ACCOUNT_TO_USE="$SNOWFLAKE_ACCOUNT"
+EXCLUDE_RESOURCES=""
+
+# If -pii flag is passed, switch to PII (enterprise) account
+if [[ "$1" == "-pii" ]]; then
+  ACCOUNT_TO_USE="$SNOWFLAKE_ACCOUNT_PII"
+else
+  # Standard accounts don't support enterprise-only features
+  EXCLUDE_RESOURCES="--exclude masking_policy,tag,tag_reference,tag_masking_policy_reference"
+fi
+
+# Override SNOWFLAKE_ACCOUNT for the snowcap run
+export SNOWFLAKE_ACCOUNT="$ACCOUNT_TO_USE"
+
+echo "=========="
+echo "Using SNOWFLAKE_ACCOUNT=$SNOWFLAKE_ACCOUNT"
+if [[ -n "$EXCLUDE_RESOURCES" ]]; then
+  echo "Excluding enterprise-only resources (standard account)"
+fi
+echo "=========="
 
 # SNOWCAP_LOG_LEVEL=DEBUG
-uvx --from snowcap@git+https://github.com/datacoves/snowcap.git \
+uvx --from snowcap@git+https://github.com/datacoves/snowcap.git@masking_policies_support \
     --refresh \
     snowcap apply \
     --config resources/ \
-    --sync_resources role,grant,role_grant \
+    --sync_resources role,grant,role_grant,warehouse,database,user,masking_policy,tag,tag_reference,tag_masking_policy_reference \
+    $EXCLUDE_RESOURCES
     # --use-account-usage
 
 

secure/snowcap/plan.sh

@@ -8,6 +8,7 @@ else
     echo "File .env does not exist. Please create a .env file with the following variables:"
     echo ""
     echo "SNOWFLAKE_ACCOUNT="
+    echo "SNOWFLAKE_ACCOUNT_PII="
     echo "SNOWFLAKE_USER="
     echo "SNOWFLAKE_ROLE="
     echo "SNOWFLAKE_PRIVATE_KEY_PATH="
@@ -16,10 +17,36 @@ else
     exit 1
 fi
 
-export $(cat .env | xargs)
+# Load env vars safely
+set -a
+. ./.env
+set +a
 
-uvx --from snowcap@git+https://github.com/datacoves/snowcap.git \
+# Default to non-PII (standard) account
+ACCOUNT_TO_USE="$SNOWFLAKE_ACCOUNT"
+EXCLUDE_RESOURCES=""
+
+# If -pii flag is passed, switch to PII (enterprise) account
+if [[ "$1" == "-pii" ]]; then
+  ACCOUNT_TO_USE="$SNOWFLAKE_ACCOUNT_PII"
+else
+  # Standard accounts don't support enterprise-only features
+  EXCLUDE_RESOURCES="--exclude masking_policy,tag,tag_reference,tag_masking_policy_reference"
+fi
+
+# Override SNOWFLAKE_ACCOUNT for the snowcap run
+export SNOWFLAKE_ACCOUNT="$ACCOUNT_TO_USE"
+
+echo "=========="
+echo "Using SNOWFLAKE_ACCOUNT=$SNOWFLAKE_ACCOUNT"
+if [[ -n "$EXCLUDE_RESOURCES" ]]; then
+  echo "Excluding enterprise-only resources (standard account)"
+fi
+echo "=========="
+
+uvx --from snowcap@git+https://github.com/datacoves/snowcap.git@masking_policies_support \
     --refresh \
     snowcap plan \
     --config resources/ \
-    --sync_resources role,grant,role_grant
+    --sync_resources role,grant,role_grant,warehouse,database,user,masking_policy,tag,tag_reference,tag_masking_policy_reference \
+    $EXCLUDE_RESOURCES

secure/snowcap/resources/databases.yml

@@ -2,6 +2,9 @@ vars:
   - name: databases
     type: list
     default:
+      - name: governance
+        owner: sysadmin
+        max_data_extension_time_in_days: 30
       - name: raw
         owner: loader
         max_data_extension_time_in_days: 10

secure/snowcap/resources/masking_policies.yml

@@ -0,0 +1,65 @@
+masking_policies:
+  # String/VARCHAR columns
+  - name: governance.policies.mask_pii_string
+    args:
+      - name: val
+        data_type: VARCHAR
+    returns: VARCHAR
+    body: |
+      CASE
+        WHEN IS_ROLE_IN_SESSION('Z_UNMASK__PII') THEN val
+        ELSE '***MASKED***'
+      END
+    comment: Masks PII string data
+
+  # Numeric columns
+  - name: governance.policies.mask_pii_number
+    args:
+      - name: val
+        data_type: NUMBER
+    returns: NUMBER
+    body: |
+      CASE
+        WHEN IS_ROLE_IN_SESSION('Z_UNMASK__PII') THEN val
+        ELSE NULL
+      END
+    comment: Masks PII numeric data
+
+  # Float columns
+  - name: governance.policies.mask_pii_float
+    args:
+      - name: val
+        data_type: FLOAT
+    returns: FLOAT
+    body: |
+      CASE
+        WHEN IS_ROLE_IN_SESSION('Z_UNMASK__PII') THEN val
+        ELSE NULL
+      END
+    comment: Masks PII float data
+
+  # Date columns
+  - name: governance.policies.mask_pii_date
+    args:
+      - name: val
+        data_type: DATE
+    returns: DATE
+    body: |
+      CASE
+        WHEN IS_ROLE_IN_SESSION('Z_UNMASK__PII') THEN val
+        ELSE NULL
+      END
+    comment: Masks PII date data
+
+  # Timestamp columns
+  - name: governance.policies.mask_pii_timestamp
+    args:
+      - name: val
+        data_type: TIMESTAMP_NTZ
+    returns: TIMESTAMP_NTZ
+    body: |
+      CASE
+        WHEN IS_ROLE_IN_SESSION('Z_UNMASK__PII') THEN val
+        ELSE NULL
+      END
+    comment: Masks PII timestamp data

secure/snowcap/resources/object_templates/user.yml

@@ -0,0 +1,7 @@
+# Warehouses
+users:
+  - for_each: var.users
+    name: "{{ each.value.name }}"
+    owner: SECURITYADMIN
+    type: "{{ each.value.type }}"
+    default_secondary_roles: []

secure/snowcap/resources/roles__base.yml

@@ -2,12 +2,17 @@ roles:
   - name: z_account__create_database
   - name: z_db__tst_balboa  # Used to grant access to TST databases
   - name: z_db__balboa_dev__create_schema
+
   - name: z_schemas__db__raw
+  - name: z_schemas__db__governance
+
   - name: z_tables_views__select
 
   - name: z_policy_row_region_de
   - name: z_policy_row_region_all
 
+  - name: z_unmask__pii
+
 grants:
   - priv: "CREATE DATABASE"
     on: "ACCOUNT"
@@ -23,6 +28,12 @@ grants:
       - "future schemas in database raw"
     to: z_schemas__db__raw
 
+  - priv: "USAGE"
+    on:
+      - "all schemas in database governance"
+      - "future schemas in database governance"
+    to: z_schemas__db__governance
+
   - for_each: var.databases
     priv: "SELECT"
     on:

secure/snowcap/resources/roles__functional.yml

@@ -5,6 +5,7 @@ roles:
   - name: bot_integration
 
   - name: analyst
+  - name: analyst_pii
   - name: loader
   - name: transformer_dbt
 
@@ -23,6 +24,10 @@ role_grants:
       - z_db__raw
       - z_schemas__db__raw
 
+      # GOVERNANCE
+      - z_db__governance
+      - z_schemas__db__governance
+
       # BALBOA
       - z_db__balboa
       - z_schema__dbt_test__audit
@@ -72,6 +77,9 @@ role_grants:
       # STAGES
       - z_stage__raw__dbt_artifacts__artifacts__read
 
+      # APPLY TAGS
+      - z_tag__apply__pii
+
       # WAREHOUSES
       - z_wh__wh_transforming
       - z_wh__wh_transforming_dynamic_tables
@@ -81,6 +89,11 @@ role_grants:
       - z_base__analyst
       - z_tables_views__select
 
+  - to_role: analyst_pii
+    roles:
+      - analyst
+      - z_unmask__pii
+
   - to_role: catalog
     roles:
       - z_wh__wh_catalog
@@ -100,6 +113,10 @@ role_grants:
       - z_db__raw
       - z_schemas__db__raw
 
+      # GOVERNANCE
+      - z_db__governance
+      - z_schemas__db__governance
+
       # Shared DBs
       - z_db__covid19_epidemiological_data
       - z_db__snowflake
@@ -112,6 +129,8 @@ role_grants:
       - z_stage__raw__dbt_artifacts__artifacts__write
       - z_stage__balboa_apps__resources__streamlit__write
 
+      - z_tag__apply__pii
+
       - z_tables_views__select
 
   - to_role: bot_integration

secure/snowcap/resources/schemas.yml

@@ -9,6 +9,10 @@ vars:
       - name: RAW.SNAPSHOTS
         owner: transformer_dbt
 
+      # GOVERNANCE DB
+      - name: GOVERNANCE.TAGS
+      - name: GOVERNANCE.POLICIES
+
       # BALBOA DB
       - name: BALBOA.DBT_TEST__AUDIT
 

secure/snowcap/resources/tag_masking_policies.yml

@@ -0,0 +1,16 @@
+tag_masking_policy_references:
+  # Use fully qualified names: database.schema.name
+  - tag_name: governance.tags.pii
+    masking_policy_name: governance.policies.mask_pii_string
+
+  - tag_name: governance.tags.pii
+    masking_policy_name: governance.policies.mask_pii_number
+
+  - tag_name: governance.tags.pii
+    masking_policy_name: governance.policies.mask_pii_float
+
+  - tag_name: governance.tags.pii
+    masking_policy_name: governance.policies.mask_pii_date
+
+  - tag_name: governance.tags.pii
+    masking_policy_name: governance.policies.mask_pii_timestamp

secure/snowcap/resources/tags.yml

@@ -0,0 +1,11 @@
+tags:
+  - name: governance.tags.pii
+    comment: Personally Identifiable Information
+
+roles:
+  - name: z_tag__apply__pii
+
+grants:
+  - priv: APPLY
+    on: tag governance.tags.pii
+    to: z_tag__apply__pii

secure/snowcap/resources/users.yml

@@ -1,3 +1,45 @@
+# Users
+vars:
+  - name: users
+    type: list
+    default:
+      - name: alejandro
+        type: PERSON
+      - name: fernando
+        type: PERSON
+      - name: jesus
+        type: PERSON
+      - name: ian
+        type: PERSON
+      - name: gomezn
+        type: PERSON
+      - name: sebastian
+        type: PERSON
+      - name: stephen
+        type: PERSON
+
+    # Service Accounts
+      - name: svc_airbyte
+        type: SERVICE
+      - name: svc_airflow
+        type: SERVICE
+      - name: svc_datacoves
+        type: SERVICE
+      - name: svc_fivetran
+        type: SERVICE
+      - name: svc_github_actions
+        type: SERVICE
+      - name: svc_balboa_ci
+        type: SERVICE
+      - name: svc_dbt_coves_ci
+        type: SERVICE
+      - name: svc_datacoves_platform_ci
+        type: SERVICE
+      - name: svc_datahub
+        type: SERVICE
+      - name: svc_superset
+        type: LEGACY_SERVICE
+
 role_grants:
   - to_user: alejandro
     roles:
@@ -22,6 +64,7 @@ role_grants:
   - to_user: gomezn
     roles:
       - analyst
+      - analyst_pii
       - finance_team
       - loader
       - transformer_dbt

training_and_demos/claude/readme.md

@@ -0,0 +1 @@
+curl -fsSL https://claude.ai/install.sh | bash