Viewing docs for Snowflake v2.13.0
published on Thursday, Feb 26, 2026 by Pulumi
published on Thursday, Feb 26, 2026 by Pulumi
Viewing docs for Snowflake v2.13.0
published on Thursday, Feb 26, 2026 by Pulumi
published on Thursday, Feb 26, 2026 by Pulumi
!> Caution: Preview Feature This feature is considered a preview feature in the provider, regardless of the state of the resource in Snowflake. We do not guarantee its stability. It will be reworked and marked as a stable feature in future releases. Breaking changes are expected, even without bumping the major version. To use this feature, add the relevant feature name to preview_features_enabled field in the provider configuration. Please always refer to the Getting Help section in our Github repo to best determine how to get help for your questions.
Applies a masking policy to a table column.
Only one masking policy may be applied per table column, hence only one snowflake.TableColumnMaskingPolicyApplication resources may be present per table column.
Using two or more snowflake.TableColumnMaskingPolicyApplication resources for the same table column will result in the last one overriding any previously applied masking policies and unresolvable diffs in pulumi preview.
When using this resource to manage a table column’s masking policy make sure to ignore changes to the column’s masking policy in the table definition, otherwise the two resources would conflict. See example below.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as snowflake from "@pulumi/snowflake";
const policy = new snowflake.MaskingPolicy("policy", {
name: "EXAMPLE_MASKING_POLICY",
database: "EXAMPLE_DB",
schema: "EXAMPLE_SCHEMA",
valueDataType: "VARCHAR",
maskingExpression: "case when current_role() in ('ANALYST') then val else sha2(val, 512) end",
returnDataType: "VARCHAR",
});
// Table is created by the default provider
const table = new snowflake.Table("table", {
database: "EXAMPLE_DB",
schema: "EXAMPLE_SCHEMA",
name: "table",
columns: [{
name: "secret",
type: "VARCHAR(16777216)",
}],
});
const application = new snowflake.TableColumnMaskingPolicyApplication("application", {
table: table.fullyQualifiedName,
column: "secret",
maskingPolicy: policy.fullyQualifiedName,
});
import pulumi
import pulumi_snowflake as snowflake
policy = snowflake.MaskingPolicy("policy",
name="EXAMPLE_MASKING_POLICY",
database="EXAMPLE_DB",
schema="EXAMPLE_SCHEMA",
value_data_type="VARCHAR",
masking_expression="case when current_role() in ('ANALYST') then val else sha2(val, 512) end",
return_data_type="VARCHAR")
# Table is created by the default provider
table = snowflake.Table("table",
database="EXAMPLE_DB",
schema="EXAMPLE_SCHEMA",
name="table",
columns=[{
"name": "secret",
"type": "VARCHAR(16777216)",
}])
application = snowflake.TableColumnMaskingPolicyApplication("application",
table=table.fully_qualified_name,
column="secret",
masking_policy=policy.fully_qualified_name)
package main
import (
"github.com/pulumi/pulumi-snowflake/sdk/v2/go/snowflake"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
policy, err := snowflake.NewMaskingPolicy(ctx, "policy", &snowflake.MaskingPolicyArgs{
Name: pulumi.String("EXAMPLE_MASKING_POLICY"),
Database: pulumi.String("EXAMPLE_DB"),
Schema: pulumi.String("EXAMPLE_SCHEMA"),
ValueDataType: "VARCHAR",
MaskingExpression: "case when current_role() in ('ANALYST') then val else sha2(val, 512) end",
ReturnDataType: pulumi.String("VARCHAR"),
})
if err != nil {
return err
}
// Table is created by the default provider
table, err := snowflake.NewTable(ctx, "table", &snowflake.TableArgs{
Database: pulumi.String("EXAMPLE_DB"),
Schema: pulumi.String("EXAMPLE_SCHEMA"),
Name: pulumi.String("table"),
Columns: snowflake.TableColumnArray{
&snowflake.TableColumnArgs{
Name: pulumi.String("secret"),
Type: pulumi.String("VARCHAR(16777216)"),
},
},
})
if err != nil {
return err
}
_, err = snowflake.NewTableColumnMaskingPolicyApplication(ctx, "application", &snowflake.TableColumnMaskingPolicyApplicationArgs{
Table: table.FullyQualifiedName,
Column: pulumi.String("secret"),
MaskingPolicy: policy.FullyQualifiedName,
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Snowflake = Pulumi.Snowflake;
return await Deployment.RunAsync(() =>
{
var policy = new Snowflake.MaskingPolicy("policy", new()
{
Name = "EXAMPLE_MASKING_POLICY",
Database = "EXAMPLE_DB",
Schema = "EXAMPLE_SCHEMA",
ValueDataType = "VARCHAR",
MaskingExpression = "case when current_role() in ('ANALYST') then val else sha2(val, 512) end",
ReturnDataType = "VARCHAR",
});
// Table is created by the default provider
var table = new Snowflake.Table("table", new()
{
Database = "EXAMPLE_DB",
Schema = "EXAMPLE_SCHEMA",
Name = "table",
Columns = new[]
{
new Snowflake.Inputs.TableColumnArgs
{
Name = "secret",
Type = "VARCHAR(16777216)",
},
},
});
var application = new Snowflake.TableColumnMaskingPolicyApplication("application", new()
{
Table = table.FullyQualifiedName,
Column = "secret",
MaskingPolicy = policy.FullyQualifiedName,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.snowflake.MaskingPolicy;
import com.pulumi.snowflake.MaskingPolicyArgs;
import com.pulumi.snowflake.Table;
import com.pulumi.snowflake.TableArgs;
import com.pulumi.snowflake.inputs.TableColumnArgs;
import com.pulumi.snowflake.TableColumnMaskingPolicyApplication;
import com.pulumi.snowflake.TableColumnMaskingPolicyApplicationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var policy = new MaskingPolicy("policy", MaskingPolicyArgs.builder()
.name("EXAMPLE_MASKING_POLICY")
.database("EXAMPLE_DB")
.schema("EXAMPLE_SCHEMA")
.valueDataType("VARCHAR")
.maskingExpression("case when current_role() in ('ANALYST') then val else sha2(val, 512) end")
.returnDataType("VARCHAR")
.build());
// Table is created by the default provider
var table = new Table("table", TableArgs.builder()
.database("EXAMPLE_DB")
.schema("EXAMPLE_SCHEMA")
.name("table")
.columns(TableColumnArgs.builder()
.name("secret")
.type("VARCHAR(16777216)")
.build())
.build());
var application = new TableColumnMaskingPolicyApplication("application", TableColumnMaskingPolicyApplicationArgs.builder()
.table(table.fullyQualifiedName())
.column("secret")
.maskingPolicy(policy.fullyQualifiedName())
.build());
}
}
resources:
policy:
type: snowflake:MaskingPolicy
properties:
name: EXAMPLE_MASKING_POLICY
database: EXAMPLE_DB
schema: EXAMPLE_SCHEMA
valueDataType: VARCHAR
maskingExpression: case when current_role() in ('ANALYST') then val else sha2(val, 512) end
returnDataType: VARCHAR
# Table is created by the default provider
table:
type: snowflake:Table
properties:
database: EXAMPLE_DB
schema: EXAMPLE_SCHEMA
name: table
columns:
- name: secret
type: VARCHAR(16777216)
application:
type: snowflake:TableColumnMaskingPolicyApplication
properties:
table: ${table.fullyQualifiedName}
column: secret
maskingPolicy: ${policy.fullyQualifiedName}
Note Instead of using fully_qualified_name, you can reference objects managed outside Terraform by constructing a correct ID, consult identifiers guide.
Note If a field has a default value, it is shown next to the type in the schema.
Create TableColumnMaskingPolicyApplication Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new TableColumnMaskingPolicyApplication(name: string, args: TableColumnMaskingPolicyApplicationArgs, opts?: CustomResourceOptions);@overload
def TableColumnMaskingPolicyApplication(resource_name: str,
args: TableColumnMaskingPolicyApplicationArgs,
opts: Optional[ResourceOptions] = None)
@overload
def TableColumnMaskingPolicyApplication(resource_name: str,
opts: Optional[ResourceOptions] = None,
column: Optional[str] = None,
masking_policy: Optional[str] = None,
table: Optional[str] = None)func NewTableColumnMaskingPolicyApplication(ctx *Context, name string, args TableColumnMaskingPolicyApplicationArgs, opts ...ResourceOption) (*TableColumnMaskingPolicyApplication, error)public TableColumnMaskingPolicyApplication(string name, TableColumnMaskingPolicyApplicationArgs args, CustomResourceOptions? opts = null)
public TableColumnMaskingPolicyApplication(String name, TableColumnMaskingPolicyApplicationArgs args)
public TableColumnMaskingPolicyApplication(String name, TableColumnMaskingPolicyApplicationArgs args, CustomResourceOptions options)
type: snowflake:TableColumnMaskingPolicyApplication
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args TableColumnMaskingPolicyApplicationArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args TableColumnMaskingPolicyApplicationArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args TableColumnMaskingPolicyApplicationArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args TableColumnMaskingPolicyApplicationArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args TableColumnMaskingPolicyApplicationArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var tableColumnMaskingPolicyApplicationResource = new Snowflake.TableColumnMaskingPolicyApplication("tableColumnMaskingPolicyApplicationResource", new()
{
Column = "string",
MaskingPolicy = "string",
Table = "string",
});
example, err := snowflake.NewTableColumnMaskingPolicyApplication(ctx, "tableColumnMaskingPolicyApplicationResource", &snowflake.TableColumnMaskingPolicyApplicationArgs{
Column: pulumi.String("string"),
MaskingPolicy: pulumi.String("string"),
Table: pulumi.String("string"),
})
var tableColumnMaskingPolicyApplicationResource = new TableColumnMaskingPolicyApplication("tableColumnMaskingPolicyApplicationResource", TableColumnMaskingPolicyApplicationArgs.builder()
.column("string")
.maskingPolicy("string")
.table("string")
.build());
table_column_masking_policy_application_resource = snowflake.TableColumnMaskingPolicyApplication("tableColumnMaskingPolicyApplicationResource",
column="string",
masking_policy="string",
table="string")
const tableColumnMaskingPolicyApplicationResource = new snowflake.TableColumnMaskingPolicyApplication("tableColumnMaskingPolicyApplicationResource", {
column: "string",
maskingPolicy: "string",
table: "string",
});
type: snowflake:TableColumnMaskingPolicyApplication
properties:
column: string
maskingPolicy: string
table: string
TableColumnMaskingPolicyApplication Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The TableColumnMaskingPolicyApplication resource accepts the following input properties:
- Column string
- The column to apply the masking policy to.
- Masking
Policy string - Fully qualified name (
database.schema.policyname) of the policy to apply. - Table string
- The fully qualified name (
database.schema.table) of the table to apply the masking policy to.
- Column string
- The column to apply the masking policy to.
- Masking
Policy string - Fully qualified name (
database.schema.policyname) of the policy to apply. - Table string
- The fully qualified name (
database.schema.table) of the table to apply the masking policy to.
- column String
- The column to apply the masking policy to.
- masking
Policy String - Fully qualified name (
database.schema.policyname) of the policy to apply. - table String
- The fully qualified name (
database.schema.table) of the table to apply the masking policy to.
- column string
- The column to apply the masking policy to.
- masking
Policy string - Fully qualified name (
database.schema.policyname) of the policy to apply. - table string
- The fully qualified name (
database.schema.table) of the table to apply the masking policy to.
- column str
- The column to apply the masking policy to.
- masking_
policy str - Fully qualified name (
database.schema.policyname) of the policy to apply. - table str
- The fully qualified name (
database.schema.table) of the table to apply the masking policy to.
- column String
- The column to apply the masking policy to.
- masking
Policy String - Fully qualified name (
database.schema.policyname) of the policy to apply. - table String
- The fully qualified name (
database.schema.table) of the table to apply the masking policy to.
Outputs
All input properties are implicitly available as output properties. Additionally, the TableColumnMaskingPolicyApplication resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing TableColumnMaskingPolicyApplication Resource
Get an existing TableColumnMaskingPolicyApplication resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: TableColumnMaskingPolicyApplicationState, opts?: CustomResourceOptions): TableColumnMaskingPolicyApplication@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
column: Optional[str] = None,
masking_policy: Optional[str] = None,
table: Optional[str] = None) -> TableColumnMaskingPolicyApplicationfunc GetTableColumnMaskingPolicyApplication(ctx *Context, name string, id IDInput, state *TableColumnMaskingPolicyApplicationState, opts ...ResourceOption) (*TableColumnMaskingPolicyApplication, error)public static TableColumnMaskingPolicyApplication Get(string name, Input<string> id, TableColumnMaskingPolicyApplicationState? state, CustomResourceOptions? opts = null)public static TableColumnMaskingPolicyApplication get(String name, Output<String> id, TableColumnMaskingPolicyApplicationState state, CustomResourceOptions options)resources: _: type: snowflake:TableColumnMaskingPolicyApplication get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Column string
- The column to apply the masking policy to.
- Masking
Policy string - Fully qualified name (
database.schema.policyname) of the policy to apply. - Table string
- The fully qualified name (
database.schema.table) of the table to apply the masking policy to.
- Column string
- The column to apply the masking policy to.
- Masking
Policy string - Fully qualified name (
database.schema.policyname) of the policy to apply. - Table string
- The fully qualified name (
database.schema.table) of the table to apply the masking policy to.
- column String
- The column to apply the masking policy to.
- masking
Policy String - Fully qualified name (
database.schema.policyname) of the policy to apply. - table String
- The fully qualified name (
database.schema.table) of the table to apply the masking policy to.
- column string
- The column to apply the masking policy to.
- masking
Policy string - Fully qualified name (
database.schema.policyname) of the policy to apply. - table string
- The fully qualified name (
database.schema.table) of the table to apply the masking policy to.
- column str
- The column to apply the masking policy to.
- masking_
policy str - Fully qualified name (
database.schema.policyname) of the policy to apply. - table str
- The fully qualified name (
database.schema.table) of the table to apply the masking policy to.
- column String
- The column to apply the masking policy to.
- masking
Policy String - Fully qualified name (
database.schema.policyname) of the policy to apply. - table String
- The fully qualified name (
database.schema.table) of the table to apply the masking policy to.
Package Details
- Repository
- Snowflake pulumi/pulumi-snowflake
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
snowflakeTerraform Provider.
Viewing docs for Snowflake v2.13.0
published on Thursday, Feb 26, 2026 by Pulumi
published on Thursday, Feb 26, 2026 by Pulumi
