feat: Account v1 readiness resource (#3252)

Introduces refactor to already existing `snowflake_account` resource.

### Changes

- Refactored existing account resource
- Completely rewritten acceptance tests
- Introduced a return type from Create command that is used to parse
org_name + acc_name that is later used in creating new resource id. The
output is always returned. Adding another SQL calls to get this
information may an issue. For example, when account was successfully
created, but e.g. current organization_name couldn't be fetched; this
situation will end up with created account, but with no connection to
the terraform config of this account. This could be fixed by manually
importing the resource. We can discuss this on Monday.

### Next pr

- data source
- next account resource

MIGRATION_GUIDE.md

@@ -9,9 +9,20 @@ across different versions.
 
 ## v0.99.0 ➞ v0.100.0
 
+### snowflake_account resource changes
+
+Changes:
+- `admin_user_type` is now supported. No action required during the migration.
+- `grace_period_in_days` is now required. The field should be explicitly set in the following versions.
+- Account renaming is now supported.
+- `is_org_admin` is a settable field (previously it was read-only field). Changing its value is also supported.
+- `must_change_password` and `is_org_admin` type was changed from `bool` to bool-string (more on that [here](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/v1-preparations/CHANGES_BEFORE_V1.md#empty-values)). No action required during the migration. 
+- The underlying resource identifier was changed from `<account_locator>` to `<organization_name>.<account_name>`. Migration will be done automatically. Notice this introduces changes in how `snowflake_account` resource is imported.
+- New `show_output` field was added (see [raw Snowflake output](./v1-preparations/CHANGES_BEFORE_V1.md#raw-snowflake-output)).
+
 ### snowflake_tag_association resource changes
 #### *(behavior change)* new id format
-In order to provide more functionality for tagging objects, we have changed the resource id from `"TAG_DATABASE"."TAG_SCHEMA"."TAG_NAME"` to `"TAG_DATABASE"."TAG_SCHEMA"."TAG_NAME"|TAG_VALUE|OBJECT_TYPE`. This allows to group tags associations per tag ID, tag value and object type in one resource.
+To provide more functionality for tagging objects, we have changed the resource id from `"TAG_DATABASE"."TAG_SCHEMA"."TAG_NAME"` to `"TAG_DATABASE"."TAG_SCHEMA"."TAG_NAME"|TAG_VALUE|OBJECT_TYPE`. This allows to group tags associations per tag ID, tag value and object type in one resource.
 ```
 resource "snowflake_tag_association" "gold_warehouses" {
   object_identifiers = [snowflake_warehouse.w1.fully_qualified_name, snowflake_warehouse.w2.fully_qualified_name]

docs/resources/account.md

@@ -5,34 +5,58 @@ description: |-
   The account resource allows you to create and manage Snowflake accounts.
 ---
 
+!> **V1 release candidate** This resource was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0990--v01000) to use it.
+
 # snowflake_account (Resource)
 
 The account resource allows you to create and manage Snowflake accounts.
 
-!> **Warning** This resource cannot be destroyed!!! The only way to delete accounts is to go through [Snowflake Support](https://docs.snowflake.com/en/user-guide/organizations-manage-accounts.html#deleting-an-account)
-
-~> **Note** ORGADMIN priviliges are required for this resource
+~> **Note** To use this resource you have to use an account with a privilege to use the ORGADMIN role.
 
 ## Example Usage
 
 ```terraform
-provider "snowflake" {
-  role  = "ORGADMIN"
-  alias = "orgadmin"
+## Minimal
+resource "snowflake_account" "minimal" {
+  name                 = "ACCOUNT_NAME"
+  admin_name           = "ADMIN_NAME"
+  admin_password       = "ADMIN_PASSWORD"
+  email                = "[email protected]"
+  edition              = "STANDARD"
+  grace_period_in_days = 3
+}
+
+## Complete (with SERVICE user type)
+resource "snowflake_account" "complete" {
+  name                 = "ACCOUNT_NAME"
+  admin_name           = "ADMIN_NAME"
+  admin_rsa_public_key = "<public_key>"
+  admin_user_type      = "SERVICE"
+  email                = "[email protected]"
+  edition              = "STANDARD"
+  region_group         = "PUBLIC"
+  region               = "AWS_US_WEST_2"
+  comment              = "some comment"
+  is_org_admin         = "true"
+  grace_period_in_days = 3
 }
 
-resource "snowflake_account" "ac1" {
-  provider             = snowflake.orgadmin
-  name                 = "SNOWFLAKE_TEST_ACCOUNT"
-  admin_name           = "John Doe"
-  admin_password       = "Abcd1234!"
-  email                = "[email protected]"
-  first_name           = "John"
-  last_name            = "Doe"
-  must_change_password = true
+## Complete (with PERSON user type)
+resource "snowflake_account" "complete" {
+  name                 = "ACCOUNT_NAME"
+  admin_name           = "ADMIN_NAME"
+  admin_password       = "ADMIN_PASSWORD"
+  admin_user_type      = "PERSON"
+  first_name           = "first_name"
+  last_name            = "last_name"
+  email                = "[email protected]"
+  must_change_password = "false"
   edition              = "STANDARD"
-  comment              = "Snowflake Test Account"
+  region_group         = "PUBLIC"
   region               = "AWS_US_WEST_2"
+  comment              = "some comment"
+  is_org_admin         = "true"
+  grace_period_in_days = 3
 }
 ```
 -> **Note** Instead of using fully_qualified_name, you can reference objects managed outside Terraform by constructing a correct ID, consult [identifiers guide](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/guides/identifiers#new-computed-fully-qualified-name-field-in-resources).
@@ -43,33 +67,70 @@ resource "snowflake_account" "ac1" {
 
 ### Required
 
-- `admin_name` (String) Login name of the initial administrative user of the account. A new user is created in the new account with this name and password and granted the ACCOUNTADMIN role in the account. A login name can be any string consisting of letters, numbers, and underscores. Login names are always case-insensitive.
-- `edition` (String) [Snowflake Edition](https://docs.snowflake.com/en/user-guide/intro-editions.html) of the account. Valid values are: STANDARD | ENTERPRISE | BUSINESS_CRITICAL
-- `email` (String, Sensitive) Email address of the initial administrative user of the account. This email address is used to send any notifications about the account.
-- `name` (String) Specifies the identifier (i.e. name) for the account; must be unique within an organization, regardless of which Snowflake Region the account is in. In addition, the identifier must start with an alphabetic character and cannot contain spaces or special characters except for underscores (_). Note that if the account name includes underscores, features that do not accept account names with underscores (e.g. Okta SSO or SCIM) can reference a version of the account name that substitutes hyphens (-) for the underscores.
+- `admin_name` (String, Sensitive) Login name of the initial administrative user of the account. A new user is created in the new account with this name and password and granted the ACCOUNTADMIN role in the account. A login name can be any string consisting of letters, numbers, and underscores. Login names are always case-insensitive. External changes for this field won't be detected. In case you want to apply external changes, you can re-create the resource manually using "terraform taint".
+- `edition` (String) Snowflake Edition of the account. See more about Snowflake Editions in the [official documentation](https://docs.snowflake.com/en/user-guide/intro-editions). Valid options are: `STANDARD` | `ENTERPRISE` | `BUSINESS_CRITICAL`
+- `email` (String, Sensitive) Email address of the initial administrative user of the account. This email address is used to send any notifications about the account. External changes for this field won't be detected. In case you want to apply external changes, you can re-create the resource manually using "terraform taint".
+- `grace_period_in_days` (Number) Specifies the number of days during which the account can be restored (“undropped”). The minimum is 3 days and the maximum is 90 days.
+- `name` (String) Specifies the identifier (i.e. name) for the account. It must be unique within an organization, regardless of which Snowflake Region the account is in and must start with an alphabetic character and cannot contain spaces or special characters except for underscores (_). Note that if the account name includes underscores, features that do not accept account names with underscores (e.g. Okta SSO or SCIM) can reference a version of the account name that substitutes hyphens (-) for the underscores.
 
 ### Optional
 
-- `admin_password` (String, Sensitive) Password for the initial administrative user of the account. Optional if the `ADMIN_RSA_PUBLIC_KEY` parameter is specified. For more information about passwords in Snowflake, see [Snowflake-provided Password Policy](https://docs.snowflake.com/en/sql-reference/sql/create-account.html#:~:text=Snowflake%2Dprovided%20Password%20Policy).
-- `admin_rsa_public_key` (String, Sensitive) Assigns a public key to the initial administrative user of the account in order to implement [key pair authentication](https://docs.snowflake.com/en/sql-reference/sql/create-account.html#:~:text=key%20pair%20authentication) for the user. Optional if the `ADMIN_PASSWORD` parameter is specified.
+- `admin_password` (String, Sensitive) Password for the initial administrative user of the account. Either admin_password or admin_rsa_public_key has to be specified. This field cannot be used whenever admin_user_type is set to SERVICE. External changes for this field won't be detected. In case you want to apply external changes, you can re-create the resource manually using "terraform taint".
+- `admin_rsa_public_key` (String) Assigns a public key to the initial administrative user of the account. Either admin_password or admin_rsa_public_key has to be specified. External changes for this field won't be detected. In case you want to apply external changes, you can re-create the resource manually using "terraform taint".
+- `admin_user_type` (String) Used for setting the type of the first user that is assigned the ACCOUNTADMIN role during account creation. Valid options are: `PERSON` | `SERVICE` | `LEGACY_SERVICE` External changes for this field won't be detected. In case you want to apply external changes, you can re-create the resource manually using "terraform taint".
 - `comment` (String) Specifies a comment for the account.
-- `first_name` (String, Sensitive) First name of the initial administrative user of the account
-- `grace_period_in_days` (Number) Specifies the number of days to wait before dropping the account. The default is 3 days.
-- `last_name` (String, Sensitive) Last name of the initial administrative user of the account
-- `must_change_password` (Boolean) Specifies whether the new user created to administer the account is forced to change their password upon first login into the account.
-- `region` (String) ID of the Snowflake Region where the account is created. If no value is provided, Snowflake creates the account in the same Snowflake Region as the current account (i.e. the account in which the CREATE ACCOUNT statement is executed.)
-- `region_group` (String) ID of the Snowflake Region where the account is created. If no value is provided, Snowflake creates the account in the same Snowflake Region as the current account (i.e. the account in which the CREATE ACCOUNT statement is executed.)
+- `first_name` (String, Sensitive) First name of the initial administrative user of the account. This field cannot be used whenever admin_user_type is set to SERVICE. External changes for this field won't be detected. In case you want to apply external changes, you can re-create the resource manually using "terraform taint".
+- `is_org_admin` (String) Sets an account property that determines whether the ORGADMIN role is enabled in the account. Only an organization administrator (i.e. user with the ORGADMIN role) can set the property.
+- `last_name` (String, Sensitive) Last name of the initial administrative user of the account. This field cannot be used whenever admin_user_type is set to SERVICE. External changes for this field won't be detected. In case you want to apply external changes, you can re-create the resource manually using "terraform taint".
+- `must_change_password` (String) Specifies whether the new user created to administer the account is forced to change their password upon first login into the account. This field cannot be used whenever admin_user_type is set to SERVICE. External changes for this field won't be detected. In case you want to apply external changes, you can re-create the resource manually using "terraform taint".
+- `region` (String) [Snowflake Region ID](https://docs.snowflake.com/en/user-guide/admin-account-identifier.html#label-snowflake-region-ids) of the region where the account is created. If no value is provided, Snowflake creates the account in the same Snowflake Region as the current account (i.e. the account in which the CREATE ACCOUNT statement is executed.)
+- `region_group` (String) ID of the region group where the account is created. To retrieve the region group ID for existing accounts in your organization, execute the [SHOW REGIONS](https://docs.snowflake.com/en/sql-reference/sql/show-regions) command. For information about when you might need to specify region group, see [Region groups](https://docs.snowflake.com/en/user-guide/admin-account-identifier.html#label-region-groups).
 
 ### Read-Only
 
 - `fully_qualified_name` (String) Fully qualified name of the resource. For more information, see [object name resolution](https://docs.snowflake.com/en/sql-reference/name-resolution).
 - `id` (String) The ID of this resource.
-- `is_org_admin` (Boolean) Indicates whether the ORGADMIN role is enabled in an account. If TRUE, the role is enabled.
+- `show_output` (List of Object) Outputs the result of `SHOW ACCOUNTS` for the given account. (see [below for nested schema](#nestedatt--show_output))
+
+<a id="nestedatt--show_output"></a>
+### Nested Schema for `show_output`
+
+Read-Only:
+
+- `account_locator` (String)
+- `account_locator_url` (String)
+- `account_name` (String)
+- `account_old_url_last_used` (String)
+- `account_old_url_saved_on` (String)
+- `account_url` (String)
+- `comment` (String)
+- `consumption_billing_entity_name` (String)
+- `created_on` (String)
+- `dropped_on` (String)
+- `edition` (String)
+- `is_events_account` (Boolean)
+- `is_org_admin` (Boolean)
+- `is_organization_account` (Boolean)
+- `managed_accounts` (Number)
+- `marketplace_consumer_billing_entity_name` (String)
+- `marketplace_provider_billing_entity_name` (String)
+- `moved_on` (String)
+- `moved_to_organization` (String)
+- `old_account_url` (String)
+- `organization_name` (String)
+- `organization_old_url` (String)
+- `organization_old_url_last_used` (String)
+- `organization_old_url_saved_on` (String)
+- `organization_url_expiration_on` (String)
+- `region_group` (String)
+- `restored_on` (String)
+- `scheduled_deletion_time` (String)
+- `snowflake_region` (String)
 
 ## Import
 
 Import is supported using the following syntax:
 
 ```shell
-terraform import snowflake_account.account <account_locator>
+terraform import snowflake_account.example '"<organization_name>"."<account_name>"'
 ```

examples/resources/snowflake_account/import.sh

@@ -0,0 +1 @@
+terraform import snowflake_account.example '"<organization_name>"."<account_name>"'

examples/resources/snowflake_account/resource.tf

@@ -1,18 +1,42 @@
-provider "snowflake" {
-  role  = "ORGADMIN"
-  alias = "orgadmin"
+## Minimal
+resource "snowflake_account" "minimal" {
+  name                 = "ACCOUNT_NAME"
+  admin_name           = "ADMIN_NAME"
+  admin_password       = "ADMIN_PASSWORD"
+  email                = "[email protected]"
+  edition              = "STANDARD"
+  grace_period_in_days = 3
+}
+
+## Complete (with SERVICE user type)
+resource "snowflake_account" "complete" {
+  name                 = "ACCOUNT_NAME"
+  admin_name           = "ADMIN_NAME"
+  admin_rsa_public_key = "<public_key>"
+  admin_user_type      = "SERVICE"
+  email                = "[email protected]"
+  edition              = "STANDARD"
+  region_group         = "PUBLIC"
+  region               = "AWS_US_WEST_2"
+  comment              = "some comment"
+  is_org_admin         = "true"
+  grace_period_in_days = 3
 }
 
-resource "snowflake_account" "ac1" {
-  provider             = snowflake.orgadmin
-  name                 = "SNOWFLAKE_TEST_ACCOUNT"
-  admin_name           = "John Doe"
-  admin_password       = "Abcd1234!"
-  email                = "[email protected]"
-  first_name           = "John"
-  last_name            = "Doe"
-  must_change_password = true
+## Complete (with PERSON user type)
+resource "snowflake_account" "complete" {
+  name                 = "ACCOUNT_NAME"
+  admin_name           = "ADMIN_NAME"
+  admin_password       = "ADMIN_PASSWORD"
+  admin_user_type      = "PERSON"
+  first_name           = "first_name"
+  last_name            = "last_name"
+  email                = "[email protected]"
+  must_change_password = "false"
   edition              = "STANDARD"
-  comment              = "Snowflake Test Account"
+  region_group         = "PUBLIC"
   region               = "AWS_US_WEST_2"
+  comment              = "some comment"
+  is_org_admin         = "true"
+  grace_period_in_days = 3
 }

pkg/acceptance/bettertestspoc/assert/resourceassert/account_resource_ext.go

@@ -0,0 +1,11 @@
+package resourceassert
+
+import (
+	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/acceptance/bettertestspoc/assert"
+	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk"
+)
+
+func (a *AccountResourceAssert) HasAdminUserType(expected sdk.UserType) *AccountResourceAssert {
+	a.AddAssertion(assert.ValueSet("admin_user_type", string(expected)))
+	return a
+}