# Openflow SPCS Setup Guide

**Note: This Notebook can be run in a Warehouse or SPCS Container**

This notebook guides you through setting up Snowflake Openflow on Snowpark Container Services (SPCS).  
Openflow enables real-time data integration and streaming analytics directly within Snowflake.

## Important Notes
- **Preview Feature**: Openflow on SPCS is available as a Public Preview feature as of 29 Sept 2025
- **Account Rollout**: Snowflake is gradually rolling out this feature. Not all accounts may have access immediately
- **Compatibility**: This notebook is compliant with the September 2025 preview release of Openflow SPCS

## Setup Overview

This notebook follows the official Snowflake documentation and covers four main steps:

1. **[Core Snowflake Setup](https://docs.snowflake.com/en/user-guide/data-integration/openflow/setup-openflow-spcs-sf)** - Configure roles, privileges, database objects
2. **[Create Deployment](https://docs.snowflake.com/en/user-guide/data-integration/openflow/setup-openflow-spcs-deployment)** - Set up the Openflow deployment environment
3. **[Create Runtime Role](https://docs.snowflake.com/en/user-guide/data-integration/openflow/setup-openflow-spcs-create-rr)** - Configure runtime permissions
4. **[Create Runtime](https://docs.snowflake.com/en/user-guide/data-integration/openflow/setup-openflow-spcs-create-runtime)** - Deploy the runtime environment

## Prerequisites
- `ACCOUNTADMIN` role or equivalent privileges
- A production Snowflake Account (Trials are not supported)
- Access to Snowsight (Snowflake web interface)
- Account in AWS or Azure Commercial Regions
- Understanding of your network security requirements


In [None]:
# Configuration - Update these values for your environment
# ==========================================================

# User Configuration
YOUR_USER_ACCOUNT = "DCHAFFELSON"  # Update with the user that will access Openflow

# Set Implementation Role with rights to create roles, databases, schemas, etc.
IMPLEMENTATION_ROLE = "ACCOUNTADMIN"

# Name for the role that will have full Admin rights to Openflow, and own Runtime Roles
ADMIN_ROLE_NAME = "OPENFLOWADMIN"

# Openflow Database where Events tables and other objects are created
DATABASE = "OPENFLOW"
SCHEMA = "OPENFLOW"

# This is the Warehouse that the Openflow Runtime will use with Connectors and for Data Engineering tasks
OPENFLOW_WAREHOUSE = "OPENFLOW_WH"

# This is the Warehouse that the user will use for operations, it can be the same as the Openflow Warehouse
USER_WAREHOUSE = OPENFLOW_WAREHOUSE

# Name for the Openflow Deployment
DEPLOYMENT_NAME = "SPCS1"

# Name for the Openflow Events table
EVENT_TABLE_NAME = "EVENTS"

# Name for the Openflow Runtime
RUNTIME_NAME = DEPLOYMENT_NAME + "_RUNTIME1"

# Name for the Openflow Runtime Role
# This role will be used by Openflow to run Connectors and perform your Data Engineering tasks
RUNTIME_ROLE_NAME = "OPENFLOWRUNTIMEROLE_" + RUNTIME_NAME

# Summary
print("✓ Configuration variables set successfully!")
print(f"Database: {DATABASE}")
print(f"Schema: {SCHEMA}")
print(f"Openflow User: {YOUR_USER_ACCOUNT}")
print(f"Deployment: {DEPLOYMENT_NAME}")
print(f"Warehouse: {OPENFLOW_WAREHOUSE}")
print(f"Runtime Role: {RUNTIME_ROLE_NAME}")
print(f"Event Table: {EVENT_TABLE_NAME}")
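
The SQL cells below substitute these variables as `{{NAME}}` text, so a value containing a quote, space or semicolon changes the statement that runs. The following check is an added example, not part of the original notebook; `check_openflow_config` and the `PRIVILEGED_ROLES` set are assumptions of this example.

```python
import re

# Unquoted Snowflake identifier: a letter or underscore, then letters, digits, "_" or "$".
_UNQUOTED = re.compile(r"[A-Za-z_][A-Za-z0-9_$]*")
# Keys the SQL cells wrap in double quotes ("{{YOUR_USER_ACCOUNT}}"); only '"' can break out.
_QUOTED_KEYS = {"YOUR_USER_ACCOUNT"}
# Assumption: roles treated as too privileged to be a default or runtime role.
PRIVILEGED_ROLES = {"ACCOUNTADMIN", "SECURITYADMIN", "ORGADMIN"}


def check_openflow_config(cfg):
    """Return a list of problems in the values that get substituted into the SQL cells."""
    problems = []
    for key, value in cfg.items():
        if not isinstance(value, str) or not value or len(value) > 255:
            problems.append(f"{key}: must be a non-empty string of at most 255 characters")
        elif key in _QUOTED_KEYS:
            if '"' in value or "\n" in value:
                problems.append(f"{key}: contains a double quote or newline")
        elif not _UNQUOTED.fullmatch(value):
            problems.append(f"{key}: {value!r} is not a plain unquoted identifier")
    admin = str(cfg.get("ADMIN_ROLE_NAME", "")).upper()
    runtime = str(cfg.get("RUNTIME_ROLE_NAME", "")).upper()
    if admin in PRIVILEGED_ROLES:
        problems.append("ADMIN_ROLE_NAME: becomes the user's default role, so it cannot be a privileged role")
    if runtime and (runtime in PRIVILEGED_ROLES or runtime == admin):
        problems.append("RUNTIME_ROLE_NAME: must be a dedicated role, separate from the admin role")
    return problems


# The values from the configuration cell above.
SAMPLE_CONFIG = {
    "YOUR_USER_ACCOUNT": "DCHAFFELSON",
    "IMPLEMENTATION_ROLE": "ACCOUNTADMIN",
    "ADMIN_ROLE_NAME": "OPENFLOWADMIN",
    "DATABASE": "OPENFLOW",
    "SCHEMA": "OPENFLOW",
    "OPENFLOW_WAREHOUSE": "OPENFLOW_WH",
    "DEPLOYMENT_NAME": "SPCS1",
    "EVENT_TABLE_NAME": "EVENTS",
    "RUNTIME_NAME": "SPCS1_RUNTIME1",
    "RUNTIME_ROLE_NAME": "OPENFLOWRUNTIMEROLE_SPCS1_RUNTIME1",
}
print(check_openflow_config(SAMPLE_CONFIG))
```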


## Step 1: Core Snowflake Setup

This step sets up the foundational Snowflake resources required for Openflow SPCS deployment.

**Reference**: [Set up Openflow - Snowflake Deployment: Core Snowflake](https://docs.snowflake.com/en/user-guide/data-integration/openflow/setup-openflow-spcs-sf)


### Step 1.1: Create OPENFLOW_ADMIN Role


In [None]:
-- Set context and create the OPENFLOW_ADMIN role
USE ROLE {{IMPLEMENTATION_ROLE}};

-- Create the OPENFLOW_ADMIN role
CREATE ROLE IF NOT EXISTS {{ADMIN_ROLE_NAME}};

-- Grant the role to the specified user
GRANT ROLE {{ADMIN_ROLE_NAME}} TO USER "{{YOUR_USER_ACCOUNT}}";


### Step 1.2: Change User Default Role

Openflow requires that your default role is not a super privileged role.  
If your default role is `ACCOUNTADMIN`, you can use this command to change it.

In [None]:
-- Set the default role for the Openflow user as it cannot be ACCOUNTADMIN
ALTER USER "{{YOUR_USER_ACCOUNT}}" SET DEFAULT_ROLE = '{{ADMIN_ROLE_NAME}}';

### Step 1.3: Create a Database, Schema and Default Warehouse for Openflow

In [None]:
-- Create database and schema if they don't exist
CREATE DATABASE IF NOT EXISTS {{DATABASE}};
CREATE SCHEMA IF NOT EXISTS {{DATABASE}}.{{SCHEMA}};
-- Create a Warehouse for Openflow Connectors that need one
-- Note: OR REPLACE recreates the warehouse if one with this name already exists;
-- use CREATE WAREHOUSE IF NOT EXISTS to leave an existing warehouse untouched
CREATE OR REPLACE WAREHOUSE {{OPENFLOW_WAREHOUSE}}
     WITH
         WAREHOUSE_SIZE = 'SMALL'
         AUTO_SUSPEND = 120
         AUTO_RESUME = TRUE;

### Step 1.4: Grant Required Privileges


In [None]:
-- Grant required Openflow privileges to OPENFLOW_ADMIN role
GRANT CREATE OPENFLOW DATA PLANE INTEGRATION ON ACCOUNT TO ROLE {{ADMIN_ROLE_NAME}};
GRANT CREATE OPENFLOW RUNTIME INTEGRATION ON ACCOUNT TO ROLE {{ADMIN_ROLE_NAME}};

-- Compute pools are required for Openflow Deployments
GRANT CREATE COMPUTE POOL ON ACCOUNT TO ROLE {{ADMIN_ROLE_NAME}};

-- We want the Openflow Admin to create and own the Runtime Roles later on
GRANT CREATE ROLE ON ACCOUNT TO ROLE {{ADMIN_ROLE_NAME}};
-- You can revoke this later if you want to

-- We also want the Admin to create and use the event table later
GRANT USAGE ON DATABASE {{DATABASE}} TO ROLE {{ADMIN_ROLE_NAME}};
GRANT USAGE ON SCHEMA {{DATABASE}}.{{SCHEMA}} TO ROLE {{ADMIN_ROLE_NAME}};
GRANT CREATE EVENT TABLE ON SCHEMA {{DATABASE}}.{{SCHEMA}} TO ROLE {{ADMIN_ROLE_NAME}};

-- We also want the Admin to have access to the Warehouse
GRANT USAGE, OPERATE ON WAREHOUSE {{OPENFLOW_WAREHOUSE}} TO ROLE {{ADMIN_ROLE_NAME}};

-- Set the context for the session
USE DATABASE {{DATABASE}};
USE SCHEMA {{SCHEMA}};
USE WAREHOUSE {{OPENFLOW_WAREHOUSE}};

### Step 1.5: Enable BCR Bundle 2025_06

This bundle is required for Database CDC, SaaS, Streaming, or Slack connectors to ensure connectivity to Snowpipe Streaming.


In [None]:
-- Check and enable BCR Bundle 2025_06
-- Check the current status of the bundle
CALL SYSTEM$BEHAVIOR_CHANGE_BUNDLE_STATUS('2025_06');

In [None]:
-- Enable the bundle if it's disabled
CALL SYSTEM$ENABLE_BEHAVIOR_CHANGE_BUNDLE('2025_06');

## Step 2: Create Openflow Deployment

This step creates the Openflow deployment environment with integrated event logging.

**Reference**: [Set up Openflow - Snowflake Deployment: Create deployment](https://docs.snowflake.com/en/user-guide/data-integration/openflow/setup-openflow-spcs-deployment)

### What we'll do:
1. **Create Deployment via UI** - Use Snowsight to create the deployment  
2. **Create and Configure Event Table** - Essential for logging, created and applied immediately


In [None]:
-- Display key variables for deployment creation
SELECT
    '{{ADMIN_ROLE_NAME}}' AS ADMIN_ROLE_NAME,
    '{{DEPLOYMENT_NAME}}' AS DEPLOYMENT_NAME;

### Step 2.1: Launch Openflow and Create Deployment

**Important**: The deployment creation must be done through the Snowsight web interface. Follow the official process:

**Reference**: [Create a deployment](https://docs.snowflake.com/en/user-guide/data-integration/openflow/setup-openflow-spcs-deployment#create-a-deployment)

Follow these steps:

1. **Navigate to Openflow**:
   - Log into Snowsight with your `{{ADMIN_ROLE_NAME}}` role
   - Go to **Data** > **Openflow** in the left navigation

2. **Launch Openflow**:
   - Click **Launch Openflow** button to open the Openflow interface

3. **Create New Deployment**:
   - In the Openflow UI, go to the **Deployments** tab
   - Click **Create a deployment**
   - Click **Next** on Prerequisites
   - Deploy to `Snowflake`; not `AWS BYOC` or similar
   - Enter deployment name: `{{DEPLOYMENT_NAME}}`
   - Optionally you may supply additional roles here
   - Click **Create Deployment**

4. **Complete Creation**:
   - A popup will notify you of the wait time; click **Close**
   - Wait for deployment status to show "Active"


### Step 2.2: Create Event Table and Link to Deployment

Now that the deployment exists, create the event table and link it to the deployment for logging.


In [None]:
-- Create event table for Openflow logging
USE WAREHOUSE {{USER_WAREHOUSE}};
USE ROLE {{ADMIN_ROLE_NAME}};

CREATE EVENT TABLE IF NOT EXISTS {{DATABASE}}.{{SCHEMA}}.{{EVENT_TABLE_NAME}}
  COMMENT = 'Event table for Openflow deployment logging and monitoring';

-- Verify the event table was created
DESCRIBE EVENT TABLE {{DATABASE}}.{{SCHEMA}}.{{EVENT_TABLE_NAME}};

In [None]:
-- Link event table to deployment
-- First, get the deployment UUID
SHOW OPENFLOW DATA PLANE INTEGRATIONS;

-- Pick your Deployment from the list. It's probably the most recent.
-- If you're not sure, you can get the UUID in the UI from the deployment details
-- If your deployment is not in the list, try switching to ACCOUNTADMIN

In [None]:
-- Then set the event table (replace the UUID with the one from above)
ALTER OPENFLOW DATA PLANE INTEGRATION OPENFLOW_DATAPLANE_123456789_3054_4AF5_BDF0_4B4306E29EFB
SET EVENT_TABLE = '{{DATABASE}}.{{SCHEMA}}.{{EVENT_TABLE_NAME}}';

## Step 3: Create Runtime Role

This step creates a dedicated role for runtime operations with the necessary privileges.

**Reference**: [Set up Openflow - Snowflake Deployment: Create Runtime role](https://docs.snowflake.com/en/user-guide/data-integration/openflow/setup-openflow-spcs-create-rr)

### What we'll create:
1. **Runtime Role** - Dedicated role for runtime operations
2. **Required Privileges** - Permissions needed for runtime execution
3. **Account Objects** - A warehouse and EAI for accessing necessary services


### Step 3.1: Create Runtime Role


In [None]:
-- Create runtime role for Openflow operations
USE ROLE {{ADMIN_ROLE_NAME}};
-- Create the runtime role
CREATE ROLE IF NOT EXISTS {{RUNTIME_ROLE_NAME}};

-- Grant the runtime role to OPENFLOW_ADMIN for management
GRANT ROLE {{RUNTIME_ROLE_NAME}} TO ROLE {{ADMIN_ROLE_NAME}};

-- Grant the runtime role to the Openflow user
GRANT ROLE {{RUNTIME_ROLE_NAME}} TO USER "{{YOUR_USER_ACCOUNT}}";

### Step 3.3: Grant Runtime Privileges

Grant the necessary privileges for runtime operations including database access and compute pool usage.


In [None]:
-- Grant runtime privileges
USE ROLE {{IMPLEMENTATION_ROLE}};
-- Database and schema access
GRANT USAGE ON DATABASE {{DATABASE}} TO ROLE {{RUNTIME_ROLE_NAME}};
GRANT USAGE ON SCHEMA {{DATABASE}}.{{SCHEMA}} TO ROLE {{RUNTIME_ROLE_NAME}};

-- Warehouse usage for runtime operations
GRANT USAGE, OPERATE ON WAREHOUSE {{OPENFLOW_WAREHOUSE}} TO ROLE {{RUNTIME_ROLE_NAME}};

-- Table creation and management privileges
GRANT CREATE TABLE ON SCHEMA {{DATABASE}}.{{SCHEMA}} TO ROLE {{RUNTIME_ROLE_NAME}};
GRANT CREATE VIEW ON SCHEMA {{DATABASE}}.{{SCHEMA}} TO ROLE {{RUNTIME_ROLE_NAME}};
GRANT CREATE STAGE ON SCHEMA {{DATABASE}}.{{SCHEMA}} TO ROLE {{RUNTIME_ROLE_NAME}};

-- Event table access for logging
GRANT INSERT ON EVENT TABLE {{DATABASE}}.{{SCHEMA}}.{{EVENT_TABLE_NAME}} TO ROLE {{RUNTIME_ROLE_NAME}};
GRANT SELECT ON EVENT TABLE {{DATABASE}}.{{SCHEMA}}.{{EVENT_TABLE_NAME}} TO ROLE {{RUNTIME_ROLE_NAME}};

### Step 3.4: Grant Access to Existing External Access Integrations

If you have existing External Access Integrations (EAIs) for connectors, databases, or external APIs, grant access to the runtime role so they can be used in your runtime.


In [None]:
-- List all existing External Access Integrations in the account
SHOW EXTERNAL ACCESS INTEGRATIONS;

-- This will show you all available EAIs that you might want to grant to your runtime role

In [None]:
-- Grant USAGE on relevant EAIs to the runtime role
-- Uncomment and modify the lines below for EAIs you want to use in your runtime

-- Examples of common EAI grants:
-- GRANT USAGE ON INTEGRATION <YOUR_DATABASE_EAI> TO ROLE {{RUNTIME_ROLE_NAME}};
-- GRANT USAGE ON INTEGRATION <YOUR_API_EAI> TO ROLE {{RUNTIME_ROLE_NAME}};
-- GRANT USAGE ON INTEGRATION <YOUR_CONNECTOR_EAI> TO ROLE {{RUNTIME_ROLE_NAME}};

-- Verify grants
SHOW GRANTS TO ROLE {{RUNTIME_ROLE_NAME}};
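
One way to act on the `SHOW GRANTS` output above, as an added example that is not part of the original notebook: compare the runtime role's grants with the set Step 3.3 issues plus an approved EAI list. The rows are constructed in the `SHOW GRANTS TO ROLE` column layout, and `MY_API_EAI` and `OTHER_EAI` are hypothetical integration names.

```python
def expected_runtime_grants(database, schema, warehouse, event_table):
    """(privilege, object name) pairs that Step 3.3 grants to the runtime role."""
    sch, evt = f"{database}.{schema}", f"{database}.{schema}.{event_table}"
    return {
        ("USAGE", database), ("USAGE", sch),
        ("USAGE", warehouse), ("OPERATE", warehouse),
        ("CREATE TABLE", sch), ("CREATE VIEW", sch), ("CREATE STAGE", sch),
        ("INSERT", evt), ("SELECT", evt),
    }


def audit_runtime_grants(rows, expected, approved_eais=()):
    """Compare SHOW GRANTS TO ROLE rows with the expected set.

    Returns (missing, unexpected): grants Step 3.3 should have produced but
    that are absent, and grants present that neither Step 3.3 nor the
    approved EAI list accounts for (or that carry the grant option).
    """
    approved = {name.upper() for name in approved_eais}
    seen, unexpected = set(), []
    for row in rows:
        key = (row["privilege"].upper(), row["name"].upper())
        seen.add(key)
        is_eai = row["granted_on"].upper() == "INTEGRATION" and key[0] == "USAGE"
        if is_eai and key[1] in approved:
            continue
        if key not in expected or str(row.get("grant_option", "false")).lower() == "true":
            unexpected.append(key)
    return sorted(expected - seen), sorted(unexpected)


def _row(privilege, granted_on, name, grant_option="false"):
    return {"privilege": privilege, "granted_on": granted_on,
            "name": name, "grant_option": grant_option}


# Constructed sample rows, not real output: event table grants absent, one extra
# warehouse privilege, and one EAI that is not on the approved list.
SAMPLE_ROWS = [
    _row("USAGE", "DATABASE", "OPENFLOW"), _row("USAGE", "SCHEMA", "OPENFLOW.OPENFLOW"),
    _row("USAGE", "WAREHOUSE", "OPENFLOW_WH"), _row("OPERATE", "WAREHOUSE", "OPENFLOW_WH"),
    _row("MODIFY", "WAREHOUSE", "OPENFLOW_WH"),
    _row("CREATE TABLE", "SCHEMA", "OPENFLOW.OPENFLOW"),
    _row("CREATE VIEW", "SCHEMA", "OPENFLOW.OPENFLOW"),
    _row("CREATE STAGE", "SCHEMA", "OPENFLOW.OPENFLOW"),
    _row("USAGE", "INTEGRATION", "MY_API_EAI"), _row("USAGE", "INTEGRATION", "OTHER_EAI"),
]
```

An empty `missing` list means every Step 3.3 grant landed; anything in `unexpected` is a privilege or EAI to review before selecting this role for a runtime.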

## Step 4: Create Runtime

This step creates the compute pool and runtime environment where Openflow data flows will execute.

**Reference**: [Set up Openflow - Snowflake Deployment: Create Runtime](https://docs.snowflake.com/en/user-guide/data-integration/openflow/setup-openflow-spcs-create-runtime)

### What we'll create:
1. **Runtime** - The execution environment for Openflow operations
2. **Runtime Configuration** - Size and scaling settings


In [None]:
-- Display key variables for runtime creation
SELECT
    '{{RUNTIME_NAME}}' AS RUNTIME_NAME;

### Step 4.1: Create Runtime via Snowsight UI

**Important**: Runtime creation is done through the Snowsight web interface. Follow these steps:

1. **Navigate to Deployment**:
   - In Snowsight, go to **Data** > **Openflow**
   - Click **Launch Openflow** 
   - Click on the **Runtimes** tab

2. **Create New Runtime**:
   - Click **+ Create Runtime** button
   - Select your Deployment
   - Enter runtime name: `{{RUNTIME_NAME}}`
   - Select Node Type: Medium is recommended
   - Select Min Nodes: 1 is recommended
   - Select Max Nodes: 3 is recommended
   - Select your Runtime Role created earlier
   - Select the EAIs you created earlier

**NOTE: If your Runtime Role is not in the list, refresh or reload the Control Plane tab**

**NOTE: Any EAIs you select must already be GRANTed to the Runtime Role**

3. **Complete Creation**:
   - Review all settings
   - Click **Create** to finalize the runtime

Wait for the Runtime creation to complete.

You may then click on the Runtime name to launch it, or browse the Connector catalog.

## Step 5: Remove Openflow
If you want to remove the changes made to the account, you can run this cell.

**Note**: The commands are commented out by default for safety; uncomment them as required.

In [None]:
-- Step 1: Set the session context
-- USE ROLE {{IMPLEMENTATION_ROLE}};
-- USE DATABASE {{DATABASE}};
-- USE SCHEMA {{SCHEMA}};

-- Step 2: Drop account-level security objects (roles) and reset the user's default role
-- DROP ROLE IF EXISTS {{RUNTIME_ROLE_NAME}};
-- ALTER USER "{{YOUR_USER_ACCOUNT}}" SET DEFAULT_ROLE = "{{IMPLEMENTATION_ROLE}}";
-- DROP ROLE IF EXISTS {{ADMIN_ROLE_NAME}};

-- Step 3: Drop Warehouse
-- DROP WAREHOUSE IF EXISTS {{OPENFLOW_WAREHOUSE}};

-- Step 4: Drop the entire database (removes all child objects automatically)
-- This includes: network rules, event tables, stages, and all other database objects
-- DROP DATABASE IF EXISTS {{DATABASE}};