Deploy your Snowflake infrastructure using Permifrost

Automated deployment is a key element in a cloud strategy. But did you treat your database models as infrastructure yet?
Pieter-Jan Kerstens

Snowflake is our go-to data platform at Tropos.io. In this blog post we’ll zoom in to account configuration in Snowflake using “Permifrost”, a tool we recently discovered and are excited about.

It can be tedious and time consuming to setup a new Snowflake configuration. Moreover, we often find ourselves applying the same configuration at different clients. Scripting these “blueprints” makes our life much easier and gives us more time to focus on the client’s actual problems.

This is where “Permifrost” – a small tool developed and open sourced by Gitlab – comes in handy. Let’s dive right in!

A brief intro to Permifrost

Permifrost takes a YAML specification file with the following structure:

databases:
 - db_name:
     shared: boolean
 ...
roles:
 - role_name:
     warehouses:
        - ...
     member_of:
        - ...
     privileges:
        databases:
           read:
             - ...
           write:
             - ...
        schemas:
        tables:
     owns:
        databases:
        schemas:
        tables:
  
users:
 - user_name:
     can_login: boolean
     member_of:
        - ...
warehouses:
 - warehouse_name:
     size:  x-small

The main sections in this file are: “databases”, “roles”, “users” and “warehouses”. Permifrost checks a Snowflake configuration against this specification file. It then executes the necessary SQL commands to rectify any detected deviations. Alternatively, it can also just output these SQL commands without directly executing them on the Snowflake database (using the “–dry” flag).

Most of the sections in this specification are rather self-explanatory, so we take a closer look at the “roles” section. This is also the most interesting part for most users.

Role permissions

The YAML specification file specifies permissions for databases, tables and schemas using simple “read” and “write” permissions. Thus, it abstracts away the particular “grant” mechanics for the different database objects. For example database/schema/table permissions for a specific role are specified as:

roles: 
  - role_name: 
    warehouses: 
      - ... 
    member_of: 
      - ... 
    privileges: 
      databases: 
        read: 
          - db_1
          - db_2
          - ...
        write: 
          - ... 
      schemas: 
        read: 
          - db_1.* 
          - db_2.schema_name 
          - db_3.schema_partial_*
          - ... 
        write: 
          - ... 
      tables: 
        read: 
          - db_1.*.* 
          - db_2.schema_name.* 
          - db_2.schema_partial_*.* 
          - db_3.schema_name.table_name
          - ... 
        write: 
          - ... 
   owns: 
     databases: 
       - ... 
     schemas: 
       - ... 
     tables: 
       - ... 
...

Here, the asterisk “*” is a wildcard character that can be used to grant access to:

all current and future tables/schemas in a database (e.g., “db_1.*.*”) or all current and future tables in a specific schema (e.g., “db_2.schema_name.*”);
all current and future tables in schemas matching a pattern (e.g., “db_2.schema_partial_*.*).

The advantage of this YAML specification over a SQL script is that it improves readability and is easier to maintain.

Now that we understand the basics of the YAML specification file, let’s look at an interesting use case.

User management made easy: Permifrost + JinJa

User management is one aspect of a Snowflake configuration that can be tedious, repetitive and time consuming: we regularly have to add users + specify their roles, edit users’ roles and remove users over time.

The flexible YAML structure of Permifrost combined with a template engine such as Jinja in Python allows one to create blueprints that further simplify our life. For example, we can create the following user blueprint in a Permifrost specification file:

...
# Users
users:
{% for user, members in users.items() %}
    - {{ user }}:
      can_login: yes
      member_of:
      {% for member in members %}
        - {{ member }}
      {% endfor %}
{% endfor %}
...

Next, one can – for example – provide the users and their roles in a separate Excel file (provided by e.g., the client) and stitch the above blueprint and Excel file together using a Python script. The final result is a tailored Permifrost YAML specification file!

Conclusion

Permifrost is a nice tool that manages Snowflake configurations by abstracting away the difficult bits and keeping the essentials for us to focus on. This results in much more readable configurations in the form of YAML specification files.

We saw that one can easily create blueprint specification files by leveraging the power and flexibility of a template engine such as JinJa in Python to make e.g., user management easier.

We are further exploring the possibilities Permifrost offers and are excited to see how it further develops in the future!

Pieter-Jan Kerstens

Data engineer

Discover how the Tropos.io dbt Maturity Model can transform your data transformation journey. Learn the stages, key metrics, and practical steps to scale your dbt implementation for reliable, real-time analytics and strategic impact.

Scaling Data Success: The Tropos.io dbt Maturity Model Explained

Meet Kali by Tropos, the first fully automated migration tool to convert legacy data pipelines to Snowflake and dbt, accelerating cloud migration and minimizing risk.

Meet Kali: A New Era of Data Pipeline Migration to Snowflake and dbt

Discover how Generative AI is transforming deviation management in life sciences by enhancing SOP compliance, data quality, and operational efficiency. Learn how AI-driven real-time reporting, integrated with Veeva Vault and Snowflake, ensures complete, structured records for better RCA and CAPA processes.

Cookie	Duration	Description
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
elementor	never	This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
__hstc	5 months 27 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_ZET6HEX39B	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_75663021_2	1 minute	Set by Google to distinguish users.
_gat_UA-75663021-2	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
hubspotutk	5 months 27 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.
undefined	never	Wistia sets this cookie to collect data on visitor interaction with the website's video-content, to make the website's video-content more relevant for the visitor.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	No description
li_gc	2 years	No description
loglevel	never	No description available.