Snowflake

-- (Optional) Edit these if you prefer something else.
SET role_name = 'ARCWISE_ROLE';
SET user_name = 'ARCWISE_USER';
-- (Optional) You can also use an existing warehouse if desired.
SET warehouse_name = 'ARCWISE_WAREHOUSE';

-- Define a password for the Arcwise user (ideally randomly generated). Remember it for later
SET user_password = '<your-password-here>';

-- Database you want to allow Arcwise to access and snapshot schema that
-- will be created in that database for data snapshot management
SET database_name = '<your-database-here>';
SET snapshot_schema_name = '_ARCWISE_SNAPSHOTS';

-- Database setup
CREATE DATABASE IF NOT EXISTS IDENTIFIER($database_name) COMMENT = 'Arcwise database';

-- Warehouse setup
CREATE WAREHOUSE IF NOT EXISTS IDENTIFIER($warehouse_name)
	warehouse_size = small
	warehouse_type = standard
	auto_suspend = 15
	auto_resume = true
	initially_suspended = true;

-- Role setup
CREATE ROLE IF NOT EXISTS IDENTIFIER($role_name) COMMENT = 'Arcwise default role';

-- User setup
CREATE USER IF NOT EXISTS IDENTIFIER($user_name)
	password = $user_password
	first_name = 'Arcwise'
	last_name = 'User'
	default_warehouse = $warehouse_name
	default_role = $role_name;

-- Assign user -> role
GRANT ROLE IDENTIFIER($role_name) TO USER IDENTIFIER($user_name);

-- Allow role -> warehouse & database
GRANT USAGE ON WAREHOUSE IDENTIFIER($warehouse_name) TO ROLE IDENTIFIER($role_name);
GRANT USAGE ON DATABASE IDENTIFIER($database_name) TO ROLE IDENTIFIER($role_name);

-- Allow role to access all schemas (and tables/views within the schema)
GRANT USAGE ON ALL SCHEMAS IN DATABASE IDENTIFIER($database_name) TO ROLE IDENTIFIER($role_name);
GRANT USAGE ON FUTURE SCHEMAS IN DATABASE IDENTIFIER($database_name) TO ROLE IDENTIFIER($role_name);
-- (Optional) To restrict access to certain schemas: comment out the two lines above and edit below
-- GRANT USAGE ON SCHEMA <your-database>.<your-schema> TO ROLE IDENTIFIER($role_name);

GRANT SELECT ON ALL TABLES IN DATABASE IDENTIFIER($database_name) TO ROLE IDENTIFIER($role_name);
GRANT SELECT ON FUTURE TABLES IN DATABASE IDENTIFIER($database_name) TO ROLE IDENTIFIER($role_name);

GRANT SELECT ON ALL VIEWS IN DATABASE IDENTIFIER($database_name) TO ROLE IDENTIFIER($role_name);
GRANT SELECT ON FUTURE VIEWS IN DATABASE IDENTIFIER($database_name) TO ROLE IDENTIFIER($role_name);

-- Create snapshot schema and grant role ownership over that schema
SET arcwise_snapshots_schema = $database_name || '.' || $snapshot_schema_name;
CREATE SCHEMA IF NOT EXISTS IDENTIFIER($arcwise_snapshots_schema) COMMENT = 'Arcwise-operated schema for managing data snapshots';
GRANT OWNERSHIP ON SCHEMA IDENTIFIER($arcwise_snapshots_schema) TO ROLE IDENTIFIER($role_name) REVOKE CURRENT GRANTS;

-- Allow Arcwise role to analyze query history & table usage activity
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE IDENTIFIER($role_name);

GRANT ROLE IDENTIFIER($role_name) TO ROLE SYSADMIN;