Snowflake-Labs/terraform-snowflake-workload-identity-federation
Description: A Terraform module for workload identity federation (WIF) on Snowflake
Language: HCL
License: Apache-2.0
Stars: 0
Forks: 0
Open issues: 1
Created: 2025-10-22T20:03:13Z
Pushed: 2026-05-14T21:19:27Z
Default branch: main
Fork: no
Archived: no
README:
Snowflake Workload Identity Federation Terraform Module

This module provides a composable method to configure Workload Identity Federation for Snowflake.
Terraform Technical Documentation
Requirements
| Name | Version |
| ---- | ------- |
| [terraform](#requirement\_terraform) | >= 1.5.0 |
| [snowflake](#requirement\_snowflake) | >= 2.13.0 |
Providers
| Name | Version |
| ---- | ------- |
| [snowflake](#provider\_snowflake) | >= 2.13.0 |
Inputs
| Name | Description | Type | Default | Required |
| ---- | ----------- | ---- | ------- | :------: |
| [aws\_role\_arn](#input\_aws\_role\_arn) | ARN of the AWS role to use for WIF. | string | null | no |
| [azure\_service\_principal\_id](#input\_azure\_service\_principal\_id) | The case-sensitive Object ID (Principal ID) of the managed identity assigned to the Azure workload. | string | null | no |
| [azure\_tenant\_id](#input\_azure\_tenant\_id) | Azure tenant ID. | string | null | no |
| [gcp\_service\_account\_id](#input\_gcp\_service\_account\_id) | The unique ID of the GCP service account to use for WIF. | string | null | no |
| [oidc\_audience\_list](#input\_oidc\_audience\_list) | Specifies which values must be present in the aud claim of the ID token issued by the OIDC provider. Snowflake accepts the attestation if the aud claim contains at least one of the specified audiences. | list(string) | ["snowflakecomputing.com"] | no |
| [oidc\_issuer\_url](#input\_oidc\_issuer\_url) | The OpenID Connect (OIDC) issuer URL. | string | null | no |
| [oidc\_subject](#input\_oidc\_subject) | The identifier of the workload that is connecting to Snowflake. The format of the value is specific to the OIDC provider that is issuing the attestation. | string | null | no |
| [wif\_role\_name](#input\_wif\_role\_name) | Name of the Snowflake role to create for WIF. | string | n/a | yes |
| [wif\_role\_permissions](#input\_wif\_role\_permissions) | A map of objects describing the custom permissions to grant to the WIF role. Note that for schemas, the name must be in DATABASE.SCHEMA format. | <pre>map(object({<br>  type        = string       # one of "database", "schema", "warehouse"<br>  name        = string       # name of the database, schema, or warehouse. Schema must be in DB.SCHEMA format.<br>  permissions = list(string) # list of permissions to grant<br>}))</pre> | {} | no |
| [wif\_type](#input\_wif\_type) | The type of WIF identity to create. Must be one of: aws, azure, gcp, oidc. | string | "aws" | no |
| [wif\_user\_default\_warehouse](#input\_wif\_user\_default\_warehouse) | (Optional) Default warehouse for the WIF service user. Must already exist if provided (not validated by module). | string | null | no |
| [wif\_user\_name](#input\_wif\_user\_name) | Name of the Snowflake Service User to create for WIF. | string | n/a | yes |
| [wif\_user\_network\_policy\_name](#input\_wif\_user\_network\_policy\_name) | (Optional) The name of an existing network policy to attach to the WIF user. | string | null | no |
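A module call that exercises the inputs above for an Azure managed identity, added here as an example rather than taken from the module's own documentation. The module source address is assumed from the repository name, the tenant and principal IDs are placeholders, and the database, schema, warehouse, network policy and privilege names are assumed to exist in the target account.

```hcl
module "azure_etl_wif" {
  # Source address assumed from the repository name; pin a ref (tag or commit) in practice.
  source = "github.com/Snowflake-Labs/terraform-snowflake-workload-identity-federation"

  wif_type = "azure"
  # Placeholder tenant ID and managed-identity Object ID (the latter is case-sensitive).
  azure_tenant_id            = "00000000-0000-0000-0000-000000000000"
  azure_service_principal_id = "11111111-1111-1111-1111-111111111111"

  wif_user_name                = "ETL_WIF_USER"
  wif_role_name                = "ETL_WIF_ROLE"
  wif_user_default_warehouse   = "ETL_WH"         # assumed to already exist; not validated by the module
  wif_user_network_policy_name = "ETL_NET_POLICY" # assumed to already exist; restricts where the user can connect from

  # Least-privilege grants for the WIF role; schema names must use DATABASE.SCHEMA format.
  # Privilege names are assumed examples.
  wif_role_permissions = {
    raw_db = {
      type        = "database"
      name        = "RAW_DB"
      permissions = ["USAGE"]
    }
    raw_events = {
      type        = "schema"
      name        = "RAW_DB.EVENTS"
      permissions = ["USAGE", "CREATE TABLE"]
    }
    etl_wh = {
      type        = "warehouse"
      name        = "ETL_WH"
      permissions = ["USAGE", "OPERATE"]
    }
  }
}

# Surface the identities the module created, using its two documented outputs.
output "wif_identities" {
  value = {
    user = module.azure_etl_wif.wif_user_name
    role = module.azure_etl_wif.wif_role_name
  }
}
```

Switching `wif_type` to `aws`, `gcp` or `oidc` means supplying the matching provider-specific inputs (`aws_role_arn`, `gcp_service_account_id`, or `oidc_issuer_url`/`oidc_subject`) instead of the Azure ones.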
Outputs
| Name | Description |
| ---- | ----------- |
| [wif\_role\_name](#output\_wif\_role\_name) | Name of the Snowflake role created for WIF. |
| [wif\_user\_name](#output\_wif\_user\_name) | Name of the Snowflake service user created for WIF. |
Development
Prerequisites
- Terraform >= 1.5.0
- Pre-commit (optional, for git hooks)
- terraform-docs (if using pre-commit)
Contributing
Contributions are welcome! Please follow these guidelines:
1. Fork the repository
2. Create a feature branch (`git checkout -b feature/amazing-feature`)
3. Commit your changes (`git commit -m 'Add amazing feature'`)
4. Push to the branch (`git push origin feature/amazing-feature`)
5. Open a Pull Request
Code Standards
- Follow Terraform Style Guide
- Run `terraform fmt` before committing
- Ensure all validation checks pass
- Update documentation for any changes
License
This project is licensed under the Apache License 2.0 - see the [LICENSE](LICENSE) file for details.
Support
For questions, issues, or contributions, please open an issue on GitHub. Support is provided on a best-effort basis, and Snowflake Support is unable to assist with content in this repository.