Network Policy
You can provide configuration to the Snowflake Object Lifecycle Engine (SOLE) for the following operation with network policies:
- Manage the lifecycle of new and existing network policies
Usage
Default Configuration:
```yaml
network_policies:
  <network-policy-name>:
    <configuration-key>: <value>
```
Data Products Configuration:
```yaml
- network_policy:
    name: <network-policy-name>
    <configuration-key>: <value>
```
Supported parameters
The engine supports the parameters listed below.
| Configuration Key | Required/Optional | Data Types and Values | Description |
|---|---|---|---|
| allowed_ip_list | Required | List of String | Specifies one or more IPv4 addresses or ranges (CIDR notation) that are allowed to access your Snowflake account |
| blocked_ip_list | Optional | List of String | Specifies one or more IPv4 addresses or ranges (CIDR notation) that are denied access to your Snowflake account. Snowflake applies the blocked list before the allowed list, so an address that appears in both is blocked. Note that the values 0.0.0.0/0 and 0.0.0.0 are not allowed in BLOCKED_IP_LIST. |
| comment | Optional | String | Specifies a comment for the network policy |
| deleted | Optional | Boolean: True enables deletion prevention, False does nothing | Specifies what objects are allowed to be deleted |
| environment | Optional | String | Specifies the environment in which the network policy is managed. A regular expression can be provided as well |
| manage_mode | Optional | String: all (default), none | Configures which properties to manage for the network policy. See Changing Manage Mode before changing the value. |
| namespacing | Optional | String: both (default), none, prefix, suffix | Specifies whether a prefix, a suffix, or both are added to the network policy name |
Examples
This first code snippet demonstrates a network policy that allows a single IP address and blocks another:
Default Configuration:
```yaml
network_policies:
  NETWORK_POLICY_1:
    comment: "test policy 1"
    allowed_ip_list:
      - "212.102.142.146/32"
    blocked_ip_list:
      - "212.102.136.122/32"
```
Data Products Configuration:
```yaml
- network_policy:
    name: NETWORK_POLICY_1
    comment: "test policy 1"
    allowed_ip_list:
      - "212.102.142.146/32"
    blocked_ip_list:
      - "212.102.136.122/32"
```
The following example shows a network policy that allows multiple IP addresses and ranges:
Default Configuration:
```yaml
network_policies:
  NETWORK_POLICY_2:
    comment: "test policy 2"
    allowed_ip_list:
      - "10.1.1.1/32"
      - "10.2.1.0/24"
      - "10.3.0.1/24"
```
Data Products Configuration:
```yaml
- network_policy:
    name: NETWORK_POLICY_2
    comment: "test policy 2"
    allowed_ip_list:
      - "10.1.1.1/32"
      - "10.2.1.0/24"
      - "10.3.0.1/24"
```
Attaching a network policy to a user
To attach a network policy to a user, edit the users.yml file and add the network_policy parameter:
Default Configuration:
```yaml
users:
  TEST_USER_1:
    first_name: FOO
    last_name: BAR
    network_policy: EXAMPLE_NETWORK_POLICY_1
```
Data Products Configuration:
```yaml
- user:
    name: TEST_USER_1
    first_name: FOO
    last_name: BAR
    network_policy: rel(network_policy.EXAMPLE_NETWORK_POLICY_1)
```
This configuration works whether EXAMPLE_NETWORK_POLICY_1 is managed through SOLE or was created directly in Snowflake.
Attaching a network policy to an account
Attaching a network policy to the account is just as straightforward as attaching it to a user:
Default Configuration:
```yaml
account:
  network_policy: EXAMPLE_NETWORK_POLICY_1
  manage_mode: all
  grants:
    ALL PRIVILEGES:
      - ACCOUNTADMIN
```
Data Products Configuration:
```yaml
- account:
    network_policy: rel(network_policy.EXAMPLE_NETWORK_POLICY_1)
    manage_mode: all
    grants:
      ALL PRIVILEGES:
        - ACCOUNTADMIN
```
Again, this configuration works whether EXAMPLE_NETWORK_POLICY_1 is managed through SOLE or was created directly in Snowflake.
To avoid locking yourself or DataOps out of your Snowflake account, make sure that allowed_ip_list contains the IP address range of the pipeline runner and of your own clients, and that neither range is covered by blocked_ip_list. Snowflake validates an account-level network policy when it is activated and refuses to apply one that would block the IP address of the user executing the command, so an incorrect policy makes Snowflake return an error and the pipeline fail.