fix: Make blocked_roles_field optional in OAuth security integrations (#3267)

- make the `blocked_roles_field` optional in OAuth security integrations
- when trying to use `NormalizeAndCompareIdentifiersInSet`, the diff was
suppressed in step 2 of the new tests, resulting in the role not being
removed - this will be fixed next

## Test Plan
* [x] acceptance tests

## References
#3171

## TODO
- use `NormalizeAndCompareIdentifiersInSet` in this field; also in
external oauth resource
sfc-gh-jmichalak authored Dec 12, 2024
1 parent 933335f commit 7197b57
Showing 25 changed files with 1,096 additions and 63 deletions.
15 changes: 14 additions & 1 deletion MIGRATION_GUIDE.md
@@ -9,14 +9,27 @@ across different versions.
## v0.99.0 ➞ v0.100.0

### snowflake_oauth_integration_for_partner_applications and snowflake_oauth_integration_for_custom_clients resource changes
#### *(behavior change)* `blocked_roles_list` field is no longer required

Previously, `blocked_roles_list` field was required to handle default account roles like `ACCOUNTADMIN`, `ORGADMIN`, and `SECURITYADMIN`.

Now, it is optional, because of using the value of `OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST` parameter (read more below).

No changes in the configuration are necessary.

#### *(behavior change)* new field `related_parameters`

To handle `blocked_roles_list` field properly in both of the resources, we introduce `related_parameters` field. This field is a list of parameters related to OAuth integrations. It is a computed-only field containing value of `OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST` account parameter (see [docs](https://docs.snowflake.com/en/sql-reference/parameters#oauth-add-privileged-roles-to-blocked-list)).

### snowflake_account resource changes

Changes:
- `admin_user_type` is now supported. No action required during the migration.
- `grace_period_in_days` is now required. The field should be explicitly set in the following versions.
- Account renaming is now supported.
- `is_org_admin` is a settable field (previously it was read-only field). Changing its value is also supported.
- `must_change_password` and `is_org_admin` type was changed from `bool` to bool-string (more on that [here](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/v1-preparations/CHANGES_BEFORE_V1.md#empty-values)). No action required during the migration.
- `must_change_password` and `is_org_admin` type was changed from `bool` to bool-string (more on that [here](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/v1-preparations/CHANGES_BEFORE_V1.md#empty-values)). No action required during the migration.
- The underlying resource identifier was changed from `<account_locator>` to `<organization_name>.<account_name>`. Migration will be done automatically. Notice this introduces changes in how `snowflake_account` resource is imported.
- New `show_output` field was added (see [raw Snowflake output](./v1-preparations/CHANGES_BEFORE_V1.md#raw-snowflake-output)).

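Review bot: the "No changes in the configuration are necessary" paragraph under `blocked_roles_list` leaves out the case that matters for security: when `OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST` is FALSE, Snowflake no longer adds ACCOUNTADMIN, ORGADMIN and SECURITYADMIN itself, so a user who now drops the field from their config loses the block on those roles. Suggest one sentence per case, e.g. "If the parameter is FALSE, keep listing the privileged roles explicitly; the provider does not add them for you." The `related_parameters` paragraph should also state that the value is read from the account-level parameter on every refresh, so a change made outside Terraform is reflected in state rather than in the plan. Separately, the `must_change_password` / `is_org_admin` bullet in the `snowflake_account` section appears twice in this hunk; if the before and after lines differ only in whitespace, drop that part of the change so the guide diff stays focused on the OAuth resources.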
2 changes: 1 addition & 1 deletion docs/resources/external_oauth_integration.md
@@ -92,7 +92,7 @@ resource "snowflake_external_oauth_integration" "test" {
- `describe_output` (List of Object) Outputs the result of `DESCRIBE SECURITY INTEGRATIONS` for the given security integration. (see [below for nested schema](#nestedatt--describe_output))
- `fully_qualified_name` (String) Fully qualified name of the resource. For more information, see [object name resolution](https://docs.snowflake.com/en/sql-reference/name-resolution).
- `id` (String) The ID of this resource.
- `related_parameters` (List of Object) Paramteres related to this security integration. (see [below for nested schema](#nestedatt--related_parameters))
- `related_parameters` (List of Object) Parameters related to this security integration. (see [below for nested schema](#nestedatt--related_parameters))
- `show_output` (List of Object) Outputs the result of `SHOW SECURITY INTEGRATIONS` for the given security integration. (see [below for nested schema](#nestedatt--show_output))

<a id="nestedatt--describe_output"></a>
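Review bot: the `Paramteres` to `Parameters` fix in the `related_parameters` line is correct, but `docs/resources/*.md` is generated from the resource schema, so confirm the same spelling fix is in the schema `Description` of `related_parameters` in the external OAuth resource; otherwise the next docs generation run reverts this line.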
24 changes: 22 additions & 2 deletions docs/resources/oauth_integration_for_custom_clients.md
@@ -23,7 +23,6 @@ resource "snowflake_oauth_integration_for_custom_clients" "basic" {
name = "integration"
oauth_client_type = "CONFIDENTIAL"
oauth_redirect_uri = "https://example.com"
blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN"]
}
# resource with all fields set
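Review bot: with `blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN"]` removed from the basic example, the example now silently depends on `OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST` being TRUE for the privileged roles to be blocked. A one-line comment in the example saying so (or keeping the roles in the basic example as defence in depth) would stop readers from copying a configuration that leaves ACCOUNTADMIN consentable on accounts where the parameter has been set to FALSE.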
@@ -53,13 +52,13 @@ resource "snowflake_oauth_integration_for_custom_clients" "complete" {

### Required

- `blocked_roles_list` (Set of String) A set of Snowflake roles that a user cannot explicitly consent to using after authenticating. For more information about this resource, see [docs](./account_role).
- `name` (String) Specifies the name of the OAuth integration. This name follows the rules for Object Identifiers. The name should be unique among security integrations in your account. Due to technical limitations (read more [here](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/identifiers_rework_design_decisions.md#known-limitations-and-identifier-recommendations)), avoid using the following characters: `|`, `.`, `"`.
- `oauth_client_type` (String) Specifies the type of client being registered. Snowflake supports both confidential and public clients. Valid options are: `PUBLIC` | `CONFIDENTIAL`.
- `oauth_redirect_uri` (String) Specifies the client URI. After a user is authenticated, the web browser is redirected to this URI.

### Optional

- `blocked_roles_list` (Set of String) A set of Snowflake roles that a user cannot explicitly consent to using after authenticating. By default, this list includes the ACCOUNTADMIN, ORGADMIN and SECURITYADMIN roles. To remove these privileged roles from the list, use the ALTER ACCOUNT command to set the OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST account parameter to FALSE. For more information about this resource, see [docs](./account_role).
- `comment` (String) Specifies a comment for the OAuth integration.
- `enabled` (String) Specifies whether this OAuth integration is enabled or disabled. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value.
- `network_policy` (String) Specifies an existing network policy. This network policy controls network traffic that is attempting to exchange an authorization code for an access or refresh token or to use a refresh token to obtain a new access token. For more information about this resource, see [docs](./network_policy).
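Review bot: the new `blocked_roles_list` description under Optional says the list "by default includes" the three privileged roles but does not say how the provider reconciles that with the user's set: as the description itself states, Snowflake includes those roles when the parameter is TRUE, so `DESCRIBE SECURITY INTEGRATION` can return roles the user never configured. State whether a config such as `blocked_roles_list = ["ANALYST"]` plans clean (the provider ignores the parameter-added roles in the comparison) or shows a diff; the commit message says the `NormalizeAndCompareIdentifiersInSet` attempt suppressed diffs incorrectly and is still to be fixed, so the doc should describe the behaviour actually shipped here. Also, "For more information about this resource, see [docs](./account_role)" points at the role resource; link the Snowflake `OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST` parameter page as the migration guide does.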
Expand All @@ -77,6 +76,7 @@ resource "snowflake_oauth_integration_for_custom_clients" "complete" {
- `describe_output` (List of Object) Outputs the result of `DESCRIBE SECURITY INTEGRATION` for the given integration. (see [below for nested schema](#nestedatt--describe_output))
- `fully_qualified_name` (String) Fully qualified name of the resource. For more information, see [object name resolution](https://docs.snowflake.com/en/sql-reference/name-resolution).
- `id` (String) The ID of this resource.
- `related_parameters` (List of Object) Parameters related to this security integration. (see [below for nested schema](#nestedatt--related_parameters))
- `show_output` (List of Object) Outputs the result of `SHOW SECURITY INTEGRATION` for the given integration. (see [below for nested schema](#nestedatt--show_output))

<a id="nestedatt--describe_output"></a>
@@ -314,6 +314,26 @@ Read-Only:



<a id="nestedatt--related_parameters"></a>
### Nested Schema for `related_parameters`

Read-Only:

- `oauth_add_privileged_roles_to_blocked_list` (List of Object) (see [below for nested schema](#nestedobjatt--related_parameters--oauth_add_privileged_roles_to_blocked_list))

<a id="nestedobjatt--related_parameters--oauth_add_privileged_roles_to_blocked_list"></a>
### Nested Schema for `related_parameters.oauth_add_privileged_roles_to_blocked_list`

Read-Only:

- `default` (String)
- `description` (String)
- `key` (String)
- `level` (String)
- `value` (String)



<a id="nestedatt--show_output"></a>
### Nested Schema for `show_output`

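Review bot: the five attributes in `related_parameters.oauth_add_privileged_roles_to_blocked_list` (`default`, `description`, `key`, `level`, `value`) have no descriptions, and `value` being a String hides that it carries a boolean. Document that `value` is "true" or "false" and that `level` tells the reader whether the parameter was explicitly set at account level or is the Snowflake default, since that is what an operator needs in order to decide whether to trust default role blocking or list the privileged roles themselves. `oauth_add_privileged_roles_to_blocked_list` is also declared as a List of Object for a single parameter; if that is a limitation of the nested computed schema, a note saying "always one element" helps anyone indexing it from another resource.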
24 changes: 22 additions & 2 deletions docs/resources/oauth_integration_for_partner_applications.md
@@ -21,7 +21,6 @@ resource "snowflake_oauth_integration_for_partner_applications" "test" {
name = "example"
oauth_client = "LOOKER"
oauth_redirect_uri = "http://example.com"
blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN"]
}
# resource with all fields set
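Review bot: the basic example keeps `oauth_redirect_uri = "http://example.com"`, plain HTTP for the URI that receives the authorization code, while the custom-clients example in this same commit uses `https://example.com`. Use https here as well, since doc examples are what users copy. The removal of `blocked_roles_list` in this example has the same dependency on `OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST` being TRUE as the custom-clients example and deserves the same comment.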
Expand All @@ -44,12 +43,12 @@ resource "snowflake_oauth_integration_for_partner_applications" "test" {

### Required

- `blocked_roles_list` (Set of String) A set of Snowflake roles that a user cannot explicitly consent to using after authenticating. For more information about this resource, see [docs](./account_role).
- `name` (String) Specifies the name of the OAuth integration. This name follows the rules for Object Identifiers. The name should be unique among security integrations in your account. Due to technical limitations (read more [here](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/identifiers_rework_design_decisions.md#known-limitations-and-identifier-recommendations)), avoid using the following characters: `|`, `.`, `"`.
- `oauth_client` (String) Creates an OAuth interface between Snowflake and a partner application. Valid options are: `LOOKER` | `TABLEAU_DESKTOP` | `TABLEAU_SERVER`.

### Optional

- `blocked_roles_list` (Set of String) A set of Snowflake roles that a user cannot explicitly consent to using after authenticating. By default, this list includes the ACCOUNTADMIN, ORGADMIN and SECURITYADMIN roles. To remove these privileged roles from the list, use the ALTER ACCOUNT command to set the OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST account parameter to FALSE. For more information about this resource, see [docs](./account_role).
- `comment` (String) Specifies a comment for the OAuth integration.
- `enabled` (String) Specifies whether this OAuth integration is enabled or disabled. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value.
- `oauth_issue_refresh_tokens` (String) Specifies whether to allow the client to exchange a refresh token for an access token when the current access token has expired. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value.
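Review bot: this Required to Optional move mirrors the one in `oauth_integration_for_custom_clients.md`, and the two `blocked_roles_list` descriptions are currently identical; consider sourcing both from one shared description constant in the Go schema so they do not drift. One point specific to this resource: with `oauth_client = "LOOKER"`, `TABLEAU_DESKTOP` or `TABLEAU_SERVER` the partner application requests the role at sign-in, so the doc should say plainly that an omitted `blocked_roles_list` combined with the parameter set to FALSE lets such a client obtain a session as ACCOUNTADMIN for any user who holds that role.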
Expand All @@ -62,6 +61,7 @@ resource "snowflake_oauth_integration_for_partner_applications" "test" {
- `describe_output` (List of Object) Outputs the result of `DESCRIBE SECURITY INTEGRATION` for the given integration. (see [below for nested schema](#nestedatt--describe_output))
- `fully_qualified_name` (String) Fully qualified name of the resource. For more information, see [object name resolution](https://docs.snowflake.com/en/sql-reference/name-resolution).
- `id` (String) The ID of this resource.
- `related_parameters` (List of Object) Parameters related to this security integration. (see [below for nested schema](#nestedatt--related_parameters))
- `show_output` (List of Object) Outputs the result of `SHOW SECURITY INTEGRATION` for the given integration. (see [below for nested schema](#nestedatt--show_output))

<a id="nestedatt--describe_output"></a>
@@ -299,6 +299,26 @@ Read-Only:



<a id="nestedatt--related_parameters"></a>
### Nested Schema for `related_parameters`

Read-Only:

- `oauth_add_privileged_roles_to_blocked_list` (List of Object) (see [below for nested schema](#nestedobjatt--related_parameters--oauth_add_privileged_roles_to_blocked_list))

<a id="nestedobjatt--related_parameters--oauth_add_privileged_roles_to_blocked_list"></a>
### Nested Schema for `related_parameters.oauth_add_privileged_roles_to_blocked_list`

Read-Only:

- `default` (String)
- `description` (String)
- `key` (String)
- `level` (String)
- `value` (String)



<a id="nestedatt--show_output"></a>
### Nested Schema for `show_output`

@@ -3,7 +3,6 @@ resource "snowflake_oauth_integration_for_custom_clients" "basic" {
name = "integration"
oauth_client_type = "CONFIDENTIAL"
oauth_redirect_uri = "https://example.com"
blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN"]
}

# resource with all fields set
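Review bot: `docs/resources/oauth_integration_for_custom_clients.md` is generated from this example file, so this is where a comment about the dependency on `OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST` (or the roles kept as defence in depth) belongs; a change made only in the generated markdown is overwritten on the next docs run.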
@@ -3,7 +3,6 @@ resource "snowflake_oauth_integration_for_partner_applications" "test" {
name = "example"
oauth_client = "LOOKER"
oauth_redirect_uri = "http://example.com"
blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN"]
}

# resource with all fields set
@@ -121,6 +121,14 @@ var allResourceSchemaDefs = []ResourceSchemaDef{
name: "Account",
schema: resources.Account().Schema,
},
{
name: "OauthIntegrationForCustomClients",
schema: resources.OauthIntegrationForCustomClients().Schema,
},
{
name: "OauthIntegrationForPartnerApplications",
schema: resources.OauthIntegrationForPartnerApplications().Schema,
},
{
name: "FunctionJava",
schema: resources.FunctionJava().Schema,
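Review bot: registering `OauthIntegrationForCustomClients` and `OauthIntegrationForPartnerApplications` in `allResourceSchemaDefs` makes the generator emit assertion helpers for both resources; check that the generated files are committed in this change (the 25-file count suggests they are) and that the computed nested `related_parameters` list is handled by the generator rather than skipped, because the acceptance tests listed in the test plan are where the parameter-driven behaviour of `blocked_roles_list` (roles added by Snowflake when the parameter is TRUE, roles absent when it is FALSE) should be asserted in both directions.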
