From d9b557f7de6c20c16e9d39be9becc92a5a74fb40 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20Cie=C5=9Blak?= Date: Tue, 9 Jul 2024 12:02:06 +0200 Subject: [PATCH] feat: Add OAUTH integration for custom clients (#2908) Changes: - Added a new resource - `oauth_client_rsa_public_key` and `oauth_client_rsa_public_key_2` are strange fields because they don't have any value returned by the SHOW or DESC, so the only diff is applied by the TF (because those fields are not set in the read operation). Currently, tests show they work, so I left them this way. - Added a deprecation message in the old one - Added acceptance tests for the new resource - Added one commented section where I thought the plan would be different than the actual outcome (no update planned, but it was run) --------- Co-authored-by: Jakub Michalak --- MIGRATION_GUIDE.md | 8 + docs/index.md | 1 + docs/resources/oauth_integration.md | 2 +- .../oauth_integration_for_custom_clients.md | 328 +++++++++ docs/resources/saml2_integration.md | 2 + examples/additional/deprecated_resources.MD | 1 + .../import.sh | 1 + .../resource.tf | 26 + .../helpers/security_integration_client.go | 8 + pkg/provider/provider.go | 1 + pkg/resources/oauth_integration.go | 9 +- .../oauth_integration_for_custom_clients.go | 675 ++++++++++++++++++ ...tion_for_custom_clients_acceptance_test.go | 666 +++++++++++++++++ .../basic/test.tf | 6 + .../basic/variables.tf | 12 + .../complete/test.tf | 17 + .../complete/variables.tf | 46 ++ .../default_values/test.tf | 18 + .../default_values/variables.tf | 45 ++ .../invalid/test.tf | 7 + .../invalid/variables.tf | 15 + .../oauth_integration_for_custom_clients.go | 63 ++ ...uth_integration_for_custom_clients.md.tmpl | 32 + templates/resources/saml2_integration.md.tmpl | 32 + v1-preparations/REMAINING_GA_OBJECTS.MD | 2 +- 25 files changed, 2017 insertions(+), 6 deletions(-) create mode 100644 docs/resources/oauth_integration_for_custom_clients.md create mode 100644 examples/resources/snowflake_oauth_integration_for_custom_clients/import.sh create mode 100644 examples/resources/snowflake_oauth_integration_for_custom_clients/resource.tf create mode 100644 pkg/resources/oauth_integration_for_custom_clients.go create mode 100644 pkg/resources/oauth_integration_for_custom_clients_acceptance_test.go create mode 100644 pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/basic/test.tf create mode 100644 pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/basic/variables.tf create mode 100644 pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/complete/test.tf create mode 100644 pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/complete/variables.tf create mode 100644 pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/default_values/test.tf create mode 100644 pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/default_values/variables.tf create mode 100644 pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/invalid/test.tf create mode 100644 pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/invalid/variables.tf create mode 100644 pkg/schemas/oauth_integration_for_custom_clients.go create mode 100644 templates/resources/oauth_integration_for_custom_clients.md.tmpl create mode 100644 templates/resources/saml2_integration.md.tmpl diff --git a/MIGRATION_GUIDE.md b/MIGRATION_GUIDE.md index 9790aa2f10..fb35776890 100644 --- a/MIGRATION_GUIDE.md +++ b/MIGRATION_GUIDE.md @@ -28,6 +28,14 @@ Added new api authentication resources, i.e.: See reference [doc](https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-api-auth). +### *(new feature)* snowflake_oauth_integration_for_custom_clients and snowflake_oauth_integration_for_partner_applications resources + +To enhance clarity and functionality, the new resources `snowflake_oauth_integration_for_custom_clients` and `snowflake_oauth_integration_for_partner_applications` have been introduced +to replace the previous `snowflake_oauth_integration`. Recognizing that the old resource carried multiple responsibilities within a single entity, we opted to divide it into two more specialized resources. +The newly introduced resources are aligned with the latest Snowflake documentation at the time of implementation, and adhere to our [new conventions](#general-changes). +This segregation was based on the `oauth_client` attribute, where `CUSTOM` corresponds to `snowflake_oauth_integration_for_custom_clients`, +while other attributes align with `snowflake_oauth_integration_for_partner_applications`. + ### *(new feature)* snowflake_security_integrations datasource Added a new datasource enabling querying and filtering all types of security integrations. Notes: - all results are stored in `security_integrations` field. diff --git a/docs/index.md b/docs/index.md index 6ec1a994f7..0bc8493349 100644 --- a/docs/index.md +++ b/docs/index.md @@ -230,6 +230,7 @@ The Snowflake provider will use the following order of precedence when determini ## Currently deprecated resources - [snowflake_database_old](./docs/resources/database_old) +- [snowflake_oauth_integration](./docs/resources/oauth_integration) - [snowflake_saml_integration](./docs/resources/saml_integration) - use [snowflake_saml2_integration](./docs/resources/saml2_integration) instead - [snowflake_unsafe_execute](./docs/resources/unsafe_execute) diff --git a/docs/resources/oauth_integration.md b/docs/resources/oauth_integration.md index d68a1f3a51..bda0f33d36 100644 --- a/docs/resources/oauth_integration.md +++ b/docs/resources/oauth_integration.md @@ -7,7 +7,7 @@ description: |- # snowflake_oauth_integration (Resource) - +~> **Deprecation** This resource is deprecated and will be removed in a future major version release. Please use snowflake_oauth_integration_for_custom_clients or snowflake_oauth_integration_for_partner_applications instead. ## Example Usage diff --git a/docs/resources/oauth_integration_for_custom_clients.md b/docs/resources/oauth_integration_for_custom_clients.md new file mode 100644 index 0000000000..020b62a829 --- /dev/null +++ b/docs/resources/oauth_integration_for_custom_clients.md @@ -0,0 +1,328 @@ +--- +page_title: "snowflake_oauth_integration_for_custom_clients Resource - terraform-provider-snowflake" +subcategory: "" +description: |- + +--- + +!> **V1 release candidate** This resource was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0920--v0930) to use it. + +# snowflake_oauth_integration_for_custom_clients (Resource) + + + +## Example Usage + +```terraform +# basic resource +resource "snowflake_oauth_integration_for_custom_clients" "basic" { + name = "saml_integration" + oauth_client_type = "CONFIDENTIAL" + oauth_redirect_uri = "https://example.com" + blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN"] +} + +# resource with all fields set +resource "snowflake_oauth_integration_for_custom_clients" "complete" { + name = "saml_integration" + oauth_client_type = "CONFIDENTIAL" + oauth_redirect_uri = "https://example.com" + enabled = "true" + oauth_allow_non_tls_redirect_uri = "true" + oauth_enforce_pkce = "true" + oauth_use_secondary_roles = "NONE" + pre_authorized_roles_list = ["role_id1", "role_id2"] + blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN", "role_id1", "role_id2"] + oauth_issue_refresh_tokens = "true" + oauth_refresh_token_validity = 87600 + network_policy = "network_policy_id" + oauth_client_rsa_public_key = file("rsa.pub") + oauth_client_rsa_public_key_2 = file("rsa2.pub") + comment = "my oauth integration" +} +``` + + +## Schema + +### Required + +- `blocked_roles_list` (Set of String) A set of Snowflake roles that a user cannot explicitly consent to using after authenticating. +- `name` (String) Specifies the name of the OAuth integration. This name follows the rules for Object Identifiers. The name should be unique among security integrations in your account. +- `oauth_client_type` (String) Specifies the type of client being registered. Snowflake supports both confidential and public clients. Valid options are: [PUBLIC CONFIDENTIAL] +- `oauth_redirect_uri` (String) Specifies the client URI. After a user is authenticated, the web browser is redirected to this URI. + +### Optional + +- `comment` (String) Specifies a comment for the OAuth integration. +- `enabled` (String) Specifies whether this OAuth integration is enabled or disabled. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value. +- `network_policy` (String) Specifies an existing network policy. This network policy controls network traffic that is attempting to exchange an authorization code for an access or refresh token or to use a refresh token to obtain a new access token. +- `oauth_allow_non_tls_redirect_uri` (String) If true, allows setting oauth_redirect_uri to a URI not protected by TLS. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value. +- `oauth_client_rsa_public_key` (String) Specifies a Base64-encoded RSA public key, without the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- headers. External changes for this field won't be detected. In case you want to apply external changes, you can re-create the resource using `terraform taint`. +- `oauth_client_rsa_public_key_2` (String) Specifies a Base64-encoded RSA public key, without the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- headers. External changes for this field won't be detected. In case you want to apply external changes, you can re-create the resource using `terraform taint`. +- `oauth_enforce_pkce` (String) Boolean that specifies whether Proof Key for Code Exchange (PKCE) should be required for the integration. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value. +- `oauth_issue_refresh_tokens` (String) Specifies whether to allow the client to exchange a refresh token for an access token when the current access token has expired. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value. +- `oauth_refresh_token_validity` (Number) Specifies how long refresh tokens should be valid (in seconds). OAUTH_ISSUE_REFRESH_TOKENS must be set to TRUE. +- `oauth_use_secondary_roles` (String) Specifies whether default secondary roles set in the user properties are activated by default in the session being opened. Valid options are: [IMPLICIT NONE] +- `pre_authorized_roles_list` (Set of String) A set of Snowflake roles that a user does not need to explicitly consent to using after authenticating. + +### Read-Only + +- `describe_output` (List of Object) Outputs the result of `DESCRIBE SECURITY INTEGRATION` for the given integration. (see [below for nested schema](#nestedatt--describe_output)) +- `id` (String) The ID of this resource. +- `show_output` (List of Object) Outputs the result of `SHOW SECURITY INTEGRATION` for the given integration. (see [below for nested schema](#nestedatt--show_output)) + + +### Nested Schema for `describe_output` + +Read-Only: + +- `blocked_roles_list` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--blocked_roles_list)) +- `comment` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--comment)) +- `enabled` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--enabled)) +- `network_policy` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--network_policy)) +- `oauth_allow_non_tls_redirect_uri` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_allow_non_tls_redirect_uri)) +- `oauth_allowed_authorization_endpoints` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_allowed_authorization_endpoints)) +- `oauth_allowed_token_endpoints` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_allowed_token_endpoints)) +- `oauth_authorization_endpoint` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_authorization_endpoint)) +- `oauth_client_id` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_client_id)) +- `oauth_client_rsa_public_key_2_fp` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_client_rsa_public_key_2_fp)) +- `oauth_client_rsa_public_key_fp` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_client_rsa_public_key_fp)) +- `oauth_client_type` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_client_type)) +- `oauth_enforce_pkce` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_enforce_pkce)) +- `oauth_issue_refresh_tokens` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_issue_refresh_tokens)) +- `oauth_redirect_uri` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_redirect_uri)) +- `oauth_refresh_token_validity` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_refresh_token_validity)) +- `oauth_token_endpoint` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_token_endpoint)) +- `oauth_use_secondary_roles` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_use_secondary_roles)) +- `pre_authorized_roles_list` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--pre_authorized_roles_list)) + + +### Nested Schema for `describe_output.blocked_roles_list` + +Read-Only: + +- `default` (String) +- `name` (String) +- `type` (String) +- `value` (String) + + + +### Nested Schema for `describe_output.comment` + +Read-Only: + +- `default` (String) +- `name` (String) +- `type` (String) +- `value` (String) + + + +### Nested Schema for `describe_output.enabled` + +Read-Only: + +- `default` (String) +- `name` (String) +- `type` (String) +- `value` (String) + + + +### Nested Schema for `describe_output.network_policy` + +Read-Only: + +- `default` (String) +- `name` (String) +- `type` (String) +- `value` (String) + + + +### Nested Schema for `describe_output.oauth_allow_non_tls_redirect_uri` + +Read-Only: + +- `default` (String) +- `name` (String) +- `type` (String) +- `value` (String) + + + +### Nested Schema for `describe_output.oauth_allowed_authorization_endpoints` + +Read-Only: + +- `default` (String) +- `name` (String) +- `type` (String) +- `value` (String) + + + +### Nested Schema for `describe_output.oauth_allowed_token_endpoints` + +Read-Only: + +- `default` (String) +- `name` (String) +- `type` (String) +- `value` (String) + + + +### Nested Schema for `describe_output.oauth_authorization_endpoint` + +Read-Only: + +- `default` (String) +- `name` (String) +- `type` (String) +- `value` (String) + + + +### Nested Schema for `describe_output.oauth_client_id` + +Read-Only: + +- `default` (String) +- `name` (String) +- `type` (String) +- `value` (String) + + + +### Nested Schema for `describe_output.oauth_client_rsa_public_key_2_fp` + +Read-Only: + +- `default` (String) +- `name` (String) +- `type` (String) +- `value` (String) + + + +### Nested Schema for `describe_output.oauth_client_rsa_public_key_fp` + +Read-Only: + +- `default` (String) +- `name` (String) +- `type` (String) +- `value` (String) + + + +### Nested Schema for `describe_output.oauth_client_type` + +Read-Only: + +- `default` (String) +- `name` (String) +- `type` (String) +- `value` (String) + + + +### Nested Schema for `describe_output.oauth_enforce_pkce` + +Read-Only: + +- `default` (String) +- `name` (String) +- `type` (String) +- `value` (String) + + + +### Nested Schema for `describe_output.oauth_issue_refresh_tokens` + +Read-Only: + +- `default` (String) +- `name` (String) +- `type` (String) +- `value` (String) + + + +### Nested Schema for `describe_output.oauth_redirect_uri` + +Read-Only: + +- `default` (String) +- `name` (String) +- `type` (String) +- `value` (String) + + + +### Nested Schema for `describe_output.oauth_refresh_token_validity` + +Read-Only: + +- `default` (String) +- `name` (String) +- `type` (String) +- `value` (String) + + + +### Nested Schema for `describe_output.oauth_token_endpoint` + +Read-Only: + +- `default` (String) +- `name` (String) +- `type` (String) +- `value` (String) + + + +### Nested Schema for `describe_output.oauth_use_secondary_roles` + +Read-Only: + +- `default` (String) +- `name` (String) +- `type` (String) +- `value` (String) + + + +### Nested Schema for `describe_output.pre_authorized_roles_list` + +Read-Only: + +- `default` (String) +- `name` (String) +- `type` (String) +- `value` (String) + + + + +### Nested Schema for `show_output` + +Read-Only: + +- `category` (String) +- `comment` (String) +- `created_on` (String) +- `enabled` (Boolean) +- `integration_type` (String) +- `name` (String) + +## Import + +Import is supported using the following syntax: + +```shell +terraform import snowflake_oauth_integration_for_custom_clients.example "name" +``` diff --git a/docs/resources/saml2_integration.md b/docs/resources/saml2_integration.md index 63b883a032..7f3456d124 100644 --- a/docs/resources/saml2_integration.md +++ b/docs/resources/saml2_integration.md @@ -5,6 +5,8 @@ description: |- --- +!> **V1 release candidate** This resource was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0920--v0930) to use it. + # snowflake_saml2_integration (Resource) diff --git a/examples/additional/deprecated_resources.MD b/examples/additional/deprecated_resources.MD index c0e66e2d2d..e33ef71107 100644 --- a/examples/additional/deprecated_resources.MD +++ b/examples/additional/deprecated_resources.MD @@ -1,5 +1,6 @@ ## Currently deprecated resources - [snowflake_database_old](./docs/resources/database_old) +- [snowflake_oauth_integration](./docs/resources/oauth_integration) - [snowflake_saml_integration](./docs/resources/saml_integration) - use [snowflake_saml2_integration](./docs/resources/saml2_integration) instead - [snowflake_unsafe_execute](./docs/resources/unsafe_execute) diff --git a/examples/resources/snowflake_oauth_integration_for_custom_clients/import.sh b/examples/resources/snowflake_oauth_integration_for_custom_clients/import.sh new file mode 100644 index 0000000000..beeddc5d18 --- /dev/null +++ b/examples/resources/snowflake_oauth_integration_for_custom_clients/import.sh @@ -0,0 +1 @@ +terraform import snowflake_oauth_integration_for_custom_clients.example "name" diff --git a/examples/resources/snowflake_oauth_integration_for_custom_clients/resource.tf b/examples/resources/snowflake_oauth_integration_for_custom_clients/resource.tf new file mode 100644 index 0000000000..77f64e69ba --- /dev/null +++ b/examples/resources/snowflake_oauth_integration_for_custom_clients/resource.tf @@ -0,0 +1,26 @@ +# basic resource +resource "snowflake_oauth_integration_for_custom_clients" "basic" { + name = "saml_integration" + oauth_client_type = "CONFIDENTIAL" + oauth_redirect_uri = "https://example.com" + blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN"] +} + +# resource with all fields set +resource "snowflake_oauth_integration_for_custom_clients" "complete" { + name = "saml_integration" + oauth_client_type = "CONFIDENTIAL" + oauth_redirect_uri = "https://example.com" + enabled = "true" + oauth_allow_non_tls_redirect_uri = "true" + oauth_enforce_pkce = "true" + oauth_use_secondary_roles = "NONE" + pre_authorized_roles_list = ["role_id1", "role_id2"] + blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN", "role_id1", "role_id2"] + oauth_issue_refresh_tokens = "true" + oauth_refresh_token_validity = 87600 + network_policy = "network_policy_id" + oauth_client_rsa_public_key = file("rsa.pub") + oauth_client_rsa_public_key_2 = file("rsa2.pub") + comment = "my oauth integration" +} diff --git a/pkg/acceptance/helpers/security_integration_client.go b/pkg/acceptance/helpers/security_integration_client.go index f61216414f..1e400b4f3f 100644 --- a/pkg/acceptance/helpers/security_integration_client.go +++ b/pkg/acceptance/helpers/security_integration_client.go @@ -82,6 +82,14 @@ func (c *SecurityIntegrationClient) CreateScimWithRequest(t *testing.T, request return si, c.DropSecurityIntegrationFunc(t, request.GetName()) } +func (c *SecurityIntegrationClient) UpdateOauthForClients(t *testing.T, request *sdk.AlterOauthForCustomClientsSecurityIntegrationRequest) { + t.Helper() + ctx := context.Background() + + err := c.client().AlterOauthForCustomClients(ctx, request) + require.NoError(t, err) +} + func (c *SecurityIntegrationClient) DropSecurityIntegrationFunc(t *testing.T, id sdk.AccountObjectIdentifier) func() { t.Helper() ctx := context.Background() diff --git a/pkg/provider/provider.go b/pkg/provider/provider.go index 83e99b4a16..ea1473e9f1 100644 --- a/pkg/provider/provider.go +++ b/pkg/provider/provider.go @@ -457,6 +457,7 @@ func getResources() map[string]*schema.Resource { "snowflake_notification_integration": resources.NotificationIntegration(), "snowflake_oauth_integration": resources.OAuthIntegration(), "snowflake_oauth_integration_for_partner_applications": resources.OauthIntegrationForPartnerApplications(), + "snowflake_oauth_integration_for_custom_clients": resources.OauthIntegrationForCustomClients(), "snowflake_object_parameter": resources.ObjectParameter(), "snowflake_password_policy": resources.PasswordPolicy(), "snowflake_pipe": resources.Pipe(), diff --git a/pkg/resources/oauth_integration.go b/pkg/resources/oauth_integration.go index de2c745618..2d7e4152ae 100644 --- a/pkg/resources/oauth_integration.go +++ b/pkg/resources/oauth_integration.go @@ -86,10 +86,11 @@ var oauthIntegrationSchema = map[string]*schema.Schema{ // OAuthIntegration returns a pointer to the resource representing an OAuth integration. func OAuthIntegration() *schema.Resource { return &schema.Resource{ - Create: CreateOAuthIntegration, - Read: ReadOAuthIntegration, - Update: UpdateOAuthIntegration, - Delete: DeleteOAuthIntegration, + Create: CreateOAuthIntegration, + Read: ReadOAuthIntegration, + Update: UpdateOAuthIntegration, + Delete: DeleteOAuthIntegration, + DeprecationMessage: "This resource is deprecated and will be removed in a future major version release. Please use snowflake_oauth_integration_for_custom_clients or snowflake_oauth_integration_for_partner_applications instead.", Schema: oauthIntegrationSchema, Importer: &schema.ResourceImporter{ diff --git a/pkg/resources/oauth_integration_for_custom_clients.go b/pkg/resources/oauth_integration_for_custom_clients.go new file mode 100644 index 0000000000..edd3aa9161 --- /dev/null +++ b/pkg/resources/oauth_integration_for_custom_clients.go @@ -0,0 +1,675 @@ +package resources + +import ( + "context" + "errors" + "fmt" + "reflect" + "strconv" + "strings" + + "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/helpers" + "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/internal/collections" + "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/internal/logging" + "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/internal/provider" + "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/schemas" + "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk" + "github.com/hashicorp/terraform-plugin-sdk/v2/diag" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/customdiff" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" +) + +var oauthIntegrationForCustomClientsSchema = map[string]*schema.Schema{ + "name": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + Description: "Specifies the name of the OAuth integration. This name follows the rules for Object Identifiers. The name should be unique among security integrations in your account.", + }, + "oauth_client_type": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + ValidateDiagFunc: sdkValidation(sdk.ToOauthSecurityIntegrationClientTypeOption), + DiffSuppressFunc: NormalizeAndCompare(sdk.ToOauthSecurityIntegrationClientTypeOption), + Description: fmt.Sprintf("Specifies the type of client being registered. Snowflake supports both confidential and public clients. Valid options are: %v", sdk.AllOauthSecurityIntegrationClientTypes), + }, + "oauth_redirect_uri": { + Type: schema.TypeString, + Required: true, + Description: "Specifies the client URI. After a user is authenticated, the web browser is redirected to this URI.", + }, + "enabled": { + Type: schema.TypeString, + Optional: true, + Default: BooleanDefault, + ValidateDiagFunc: validateBooleanString, + DiffSuppressFunc: IgnoreChangeToCurrentSnowflakeValueInShow("enabled"), + Description: booleanStringFieldDescription("Specifies whether this OAuth integration is enabled or disabled."), + }, + "oauth_allow_non_tls_redirect_uri": { + Type: schema.TypeString, + Optional: true, + Default: BooleanDefault, + ValidateDiagFunc: validateBooleanString, + DiffSuppressFunc: IgnoreChangeToCurrentSnowflakeValueInShow("oauth_allow_non_tls_redirect_uri"), + Description: booleanStringFieldDescription("If true, allows setting oauth_redirect_uri to a URI not protected by TLS."), + }, + "oauth_enforce_pkce": { + Type: schema.TypeString, + Optional: true, + Default: BooleanDefault, + ValidateDiagFunc: validateBooleanString, + DiffSuppressFunc: IgnoreChangeToCurrentSnowflakeValueInShow("oauth_enforce_pkce"), + Description: booleanStringFieldDescription("Boolean that specifies whether Proof Key for Code Exchange (PKCE) should be required for the integration."), + }, + "oauth_use_secondary_roles": { + Type: schema.TypeString, + Optional: true, + ValidateDiagFunc: sdkValidation(sdk.ToOauthSecurityIntegrationUseSecondaryRolesOption), + DiffSuppressFunc: NormalizeAndCompare(sdk.ToOauthSecurityIntegrationUseSecondaryRolesOption), + Description: fmt.Sprintf("Specifies whether default secondary roles set in the user properties are activated by default in the session being opened. Valid options are: %v", sdk.AllOauthSecurityIntegrationUseSecondaryRoles), + }, + "pre_authorized_roles_list": { + Type: schema.TypeSet, + Elem: &schema.Schema{ + Type: schema.TypeString, + ValidateDiagFunc: IsValidIdentifier[sdk.AccountObjectIdentifier](), + }, + Optional: true, + Description: "A set of Snowflake roles that a user does not need to explicitly consent to using after authenticating.", + }, + "blocked_roles_list": { + Type: schema.TypeSet, + Elem: &schema.Schema{ + Type: schema.TypeString, + ValidateDiagFunc: IsValidIdentifier[sdk.AccountObjectIdentifier](), + }, + // TODO(SNOW-1517937): Check if can make optional + Required: true, + Description: "A set of Snowflake roles that a user cannot explicitly consent to using after authenticating.", + }, + "oauth_issue_refresh_tokens": { + Type: schema.TypeString, + Optional: true, + Default: BooleanDefault, + ValidateDiagFunc: validateBooleanString, + DiffSuppressFunc: IgnoreChangeToCurrentSnowflakeValueInShow("oauth_issue_refresh_tokens"), + Description: booleanStringFieldDescription("Specifies whether to allow the client to exchange a refresh token for an access token when the current access token has expired."), + }, + "oauth_refresh_token_validity": { + Type: schema.TypeInt, + Optional: true, + Default: IntDefault, + ValidateFunc: validation.IntAtLeast(0), + Description: "Specifies how long refresh tokens should be valid (in seconds). OAUTH_ISSUE_REFRESH_TOKENS must be set to TRUE.", + }, + "network_policy": { + Type: schema.TypeString, + Optional: true, + Description: "Specifies an existing network policy. This network policy controls network traffic that is attempting to exchange an authorization code for an access or refresh token or to use a refresh token to obtain a new access token.", + ValidateDiagFunc: IsValidIdentifier[sdk.AccountObjectIdentifier](), + }, + "oauth_client_rsa_public_key": { + Type: schema.TypeString, + Optional: true, + DiffSuppressFunc: ignoreTrimSpaceSuppressFunc, + Description: "Specifies a Base64-encoded RSA public key, without the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- headers. External changes for this field won't be detected. In case you want to apply external changes, you can re-create the resource using `terraform taint`.", + }, + "oauth_client_rsa_public_key_2": { + Type: schema.TypeString, + Optional: true, + DiffSuppressFunc: ignoreTrimSpaceSuppressFunc, + Description: "Specifies a Base64-encoded RSA public key, without the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- headers. External changes for this field won't be detected. In case you want to apply external changes, you can re-create the resource using `terraform taint`.", + }, + "comment": { + Type: schema.TypeString, + Optional: true, + Description: "Specifies a comment for the OAuth integration.", + }, + ShowOutputAttributeName: { + Type: schema.TypeList, + Computed: true, + Description: "Outputs the result of `SHOW SECURITY INTEGRATION` for the given integration.", + Elem: &schema.Resource{ + Schema: schemas.ShowSecurityIntegrationSchema, + }, + }, + DescribeOutputAttributeName: { + Type: schema.TypeList, + Computed: true, + Description: "Outputs the result of `DESCRIBE SECURITY INTEGRATION` for the given integration.", + Elem: &schema.Resource{ + Schema: schemas.DescribeOauthIntegrationForCustomClients, + }, + }, +} + +func OauthIntegrationForCustomClients() *schema.Resource { + return &schema.Resource{ + Schema: oauthIntegrationForCustomClientsSchema, + + CreateContext: CreateContextOauthIntegrationForCustomClients, + ReadContext: ReadContextOauthIntegrationForCustomClients(true), + UpdateContext: UpdateContextOauthIntegrationForCustomClients, + DeleteContext: DeleteContextOauthIntegrationForCustomClients, + + CustomizeDiff: customdiff.All( + ComputedIfAnyAttributeChanged( + ShowOutputAttributeName, + "name", + "enabled", + "comment", + ), + ComputedIfAnyAttributeChanged( + DescribeOutputAttributeName, + "oauth_client_type", + "oauth_redirect_uri", + "enabled", + "oauth_allow_non_tls_redirect_uri", + "oauth_enforce_pkce", + "oauth_use_secondary_roles", + "pre_authorized_roles_list", + "blocked_roles_list", + "oauth_issue_refresh_tokens", + "oauth_refresh_token_validity", + "network_policy", + "oauth_client_rsa_public_key", + "oauth_client_rsa_public_key_2", + "comment", + ), + ), + + Importer: &schema.ResourceImporter{ + StateContext: ImportOauthForCustomClientsIntegration, + }, + } +} + +func ImportOauthForCustomClientsIntegration(ctx context.Context, d *schema.ResourceData, meta any) ([]*schema.ResourceData, error) { + logging.DebugLogger.Printf("[DEBUG] Starting oauth integration for custom clients import") + client := meta.(*provider.Context).Client + id := helpers.DecodeSnowflakeID(d.Id()).(sdk.AccountObjectIdentifier) + + integration, err := client.SecurityIntegrations.ShowByID(ctx, id) + if err != nil { + return nil, err + } + + integrationProperties, err := client.SecurityIntegrations.Describe(ctx, id) + if err != nil { + return nil, err + } + + if err = d.Set("enabled", booleanStringFromBool(integration.Enabled)); err != nil { + return nil, err + } + + if allowNonTlsRedirectUri, err := collections.FindOne(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool { + return property.Name == "OAUTH_ALLOW_NON_TLS_REDIRECT_URI" + }); err == nil { + if err = d.Set("oauth_allow_non_tls_redirect_uri", allowNonTlsRedirectUri.Value); err != nil { + return nil, err + } + } + + if enforcePkce, err := collections.FindOne(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool { + return property.Name == "OAUTH_ENFORCE_PKCE" + }); err == nil { + if err = d.Set("oauth_enforce_pkce", enforcePkce.Value); err != nil { + return nil, err + } + } + + if issueRefreshTokens, err := collections.FindOne(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool { + return property.Name == "OAUTH_ISSUE_REFRESH_TOKENS" + }); err == nil { + if err = d.Set("oauth_issue_refresh_tokens", issueRefreshTokens.Value); err != nil { + return nil, err + } + } + + if refreshTokenValidity, err := collections.FindOne(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool { + return property.Name == "OAUTH_REFRESH_TOKEN_VALIDITY" + }); err == nil { + refreshTokenValidityValue, err := strconv.ParseInt(refreshTokenValidity.Value, 10, 64) + if err != nil { + return nil, err + } + if err = d.Set("oauth_refresh_token_validity", refreshTokenValidityValue); err != nil { + return nil, err + } + } + + return []*schema.ResourceData{d}, nil +} + +func CreateContextOauthIntegrationForCustomClients(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics { + client := meta.(*provider.Context).Client + + id := sdk.NewAccountObjectIdentifier(d.Get("name").(string)) + oauthClientType, err := sdk.ToOauthSecurityIntegrationClientTypeOption(d.Get("oauth_client_type").(string)) + if err != nil { + return diag.FromErr(err) + } + req := sdk.NewCreateOauthForCustomClientsSecurityIntegrationRequest(id, oauthClientType, d.Get("oauth_redirect_uri").(string)) + + if v := d.Get("enabled").(string); v != BooleanDefault { + parsedBool, err := booleanStringToBool(v) + if err != nil { + return diag.FromErr(err) + } + req.WithEnabled(parsedBool) + } + + if v := d.Get("oauth_allow_non_tls_redirect_uri").(string); v != BooleanDefault { + parsedBool, err := booleanStringToBool(v) + if err != nil { + return diag.FromErr(err) + } + req.WithOauthAllowNonTlsRedirectUri(parsedBool) + } + + if v := d.Get("oauth_enforce_pkce").(string); v != BooleanDefault { + parsedBool, err := booleanStringToBool(v) + if err != nil { + return diag.FromErr(err) + } + req.WithOauthEnforcePkce(parsedBool) + } + + if v, ok := d.GetOk("oauth_use_secondary_roles"); ok { + oauthUseSecondaryRoles, err := sdk.ToOauthSecurityIntegrationUseSecondaryRolesOption(v.(string)) + if err != nil { + return diag.FromErr(err) + } + req.WithOauthUseSecondaryRoles(oauthUseSecondaryRoles) + } + + if v, ok := d.GetOk("pre_authorized_roles_list"); ok { + elems := expandStringList(v.(*schema.Set).List()) + preAuthorizedRoles := make([]sdk.AccountObjectIdentifier, len(elems)) + for i := range elems { + preAuthorizedRoles[i] = sdk.NewAccountObjectIdentifier(elems[i]) + } + req.WithPreAuthorizedRolesList(sdk.PreAuthorizedRolesListRequest{PreAuthorizedRolesList: preAuthorizedRoles}) + } + + if v, ok := d.GetOk("blocked_roles_list"); ok { + elems := expandStringList(v.(*schema.Set).List()) + blockedRoles := make([]sdk.AccountObjectIdentifier, len(elems)) + for i := range elems { + blockedRoles[i] = sdk.NewAccountObjectIdentifier(elems[i]) + } + req.WithBlockedRolesList(sdk.BlockedRolesListRequest{BlockedRolesList: blockedRoles}) + } + + if v := d.Get("oauth_issue_refresh_tokens").(string); v != BooleanDefault { + parsedBool, err := booleanStringToBool(v) + if err != nil { + return diag.FromErr(err) + } + req.WithOauthIssueRefreshTokens(parsedBool) + } + + if v := d.Get("oauth_refresh_token_validity").(int); v != IntDefault { + req.WithOauthRefreshTokenValidity(v) + } + + if v, ok := d.GetOk("network_policy"); ok { + req.WithNetworkPolicy(sdk.NewAccountObjectIdentifier(v.(string))) + } + + if v, ok := d.GetOk("oauth_client_rsa_public_key"); ok { + req.WithOauthClientRsaPublicKey(v.(string)) + } + + if v, ok := d.GetOk("oauth_client_rsa_public_key_2"); ok { + req.WithOauthClientRsaPublicKey2(v.(string)) + } + + if v, ok := d.GetOk("comment"); ok { + req.WithComment(v.(string)) + } + + if err := client.SecurityIntegrations.CreateOauthForCustomClients(ctx, req); err != nil { + return diag.FromErr(err) + } + + d.SetId(helpers.EncodeSnowflakeID(id)) + + return ReadContextOauthIntegrationForCustomClients(false)(ctx, d, meta) +} + +func ReadContextOauthIntegrationForCustomClients(withExternalChangesMarking bool) schema.ReadContextFunc { + return func(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics { + client := meta.(*provider.Context).Client + id := helpers.DecodeSnowflakeID(d.Id()).(sdk.AccountObjectIdentifier) + + integration, err := client.SecurityIntegrations.ShowByID(ctx, id) + if err != nil { + if errors.Is(err, sdk.ErrObjectNotFound) { + d.SetId("") + return diag.Diagnostics{ + diag.Diagnostic{ + Severity: diag.Warning, + Summary: "Failed to query security integration. Marking the resource as removed.", + Detail: fmt.Sprintf("Security integration name: %s, Err: %s", id.FullyQualifiedName(), err), + }, + } + } + return diag.FromErr(err) + } + + integrationProperties, err := client.SecurityIntegrations.Describe(ctx, id) + if err != nil { + return diag.FromErr(err) + } + + if c := integration.Category; c != sdk.SecurityIntegrationCategory { + return diag.FromErr(fmt.Errorf("expected %v to be a %s integration, got %v", id, sdk.SecurityIntegrationCategory, c)) + } + + if err := d.Set("name", integration.Name); err != nil { + return diag.FromErr(err) + } + + if err := d.Set("comment", integration.Comment); err != nil { + return diag.FromErr(err) + } + + oauthClientType, err := collections.FindOne(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool { + return property.Name == "OAUTH_CLIENT_TYPE" + }) + if err != nil { + return diag.FromErr(fmt.Errorf("failed to find oauth client type, err = %w", err)) + } + if err := d.Set("oauth_client_type", oauthClientType.Value); err != nil { + return diag.FromErr(err) + } + + oauthRedirectUri, err := collections.FindOne(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool { + return property.Name == "OAUTH_REDIRECT_URI" + }) + if err != nil { + return diag.FromErr(fmt.Errorf("failed to find oauth redirect uri, err = %w", err)) + } + if err := d.Set("oauth_redirect_uri", oauthRedirectUri.Value); err != nil { + return diag.FromErr(err) + } + + preAuthorizedRolesList, err := collections.FindOne(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool { + return property.Name == "PRE_AUTHORIZED_ROLES_LIST" + }) + if err != nil { + return diag.FromErr(fmt.Errorf("failed to find pre authorized roles list, err = %w", err)) + } + var preAuthorizedRoles []string + if len(preAuthorizedRolesList.Value) > 0 { + preAuthorizedRoles = strings.Split(preAuthorizedRolesList.Value, ",") + } + if err := d.Set("pre_authorized_roles_list", preAuthorizedRoles); err != nil { + return diag.FromErr(err) + } + + blockedRolesList, err := collections.FindOne(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool { + return property.Name == "BLOCKED_ROLES_LIST" + }) + if err != nil { + return diag.FromErr(fmt.Errorf("failed to find pre authorized roles list, err = %w", err)) + } + var blockedRoles []string + if len(blockedRolesList.Value) > 0 { + blockedRoles = strings.Split(blockedRolesList.Value, ",") + } + if err := d.Set("blocked_roles_list", blockedRoles); err != nil { + return diag.FromErr(err) + } + + networkPolicy, err := collections.FindOne(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool { + return property.Name == "NETWORK_POLICY" + }) + if err != nil { + return diag.FromErr(fmt.Errorf("failed to find network policy, err = %w", err)) + } + if err := d.Set("network_policy", sdk.NewAccountObjectIdentifier(networkPolicy.Value).Name()); err != nil { + return diag.FromErr(err) + } + + if withExternalChangesMarking { + if err = handleExternalChangesToObjectInShow(d, + showMapping{"enabled", "enabled", integration.Enabled, booleanStringFromBool(integration.Enabled), nil}, + ); err != nil { + return diag.FromErr(err) + } + + oauthAllowNonTlsRedirectUri, err := collections.FindOne(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool { + return property.Name == "OAUTH_ALLOW_NON_TLS_REDIRECT_URI" + }) + if err != nil { + return diag.FromErr(err) + } + + oauthEnforcePkce, err := collections.FindOne(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool { + return property.Name == "OAUTH_ENFORCE_PKCE" + }) + if err != nil { + return diag.FromErr(err) + } + + oauthUseSecondaryRoles, err := collections.FindOne(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool { + return property.Name == "OAUTH_USE_SECONDARY_ROLES" + }) + if err != nil { + return diag.FromErr(err) + } + + oauthIssueRefreshTokens, err := collections.FindOne(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool { + return property.Name == "OAUTH_ISSUE_REFRESH_TOKENS" + }) + if err != nil { + return diag.FromErr(err) + } + + oauthRefreshTokenValidity, err := collections.FindOne(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool { + return property.Name == "OAUTH_REFRESH_TOKEN_VALIDITY" + }) + if err != nil { + return diag.FromErr(err) + } + + if err = handleExternalChangesToObjectInDescribe(d, + describeMapping{"oauth_allow_non_tls_redirect_uri", "oauth_allow_non_tls_redirect_uri", oauthAllowNonTlsRedirectUri.Value, oauthAllowNonTlsRedirectUri.Value, nil}, + describeMapping{"oauth_enforce_pkce", "oauth_enforce_pkce", oauthEnforcePkce.Value, oauthEnforcePkce.Value, nil}, + describeMapping{"oauth_use_secondary_roles", "oauth_use_secondary_roles", oauthUseSecondaryRoles.Value, oauthUseSecondaryRoles.Value, nil}, + describeMapping{"oauth_issue_refresh_tokens", "oauth_issue_refresh_tokens", oauthIssueRefreshTokens.Value, oauthIssueRefreshTokens.Value, nil}, + describeMapping{"oauth_refresh_token_validity", "oauth_refresh_token_validity", oauthRefreshTokenValidity.Value, oauthRefreshTokenValidity.Value, nil}, + ); err != nil { + return diag.FromErr(err) + } + } + + if err = setStateToValuesFromConfig(d, oauthIntegrationForCustomClientsSchema, []string{ + "enabled", + "oauth_allow_non_tls_redirect_uri", + "oauth_enforce_pkce", + "oauth_use_secondary_roles", + "oauth_issue_refresh_tokens", + "oauth_refresh_token_validity", + }); err != nil { + return diag.FromErr(err) + } + + if err = d.Set(ShowOutputAttributeName, []map[string]any{schemas.SecurityIntegrationToSchema(integration)}); err != nil { + return diag.FromErr(err) + } + + if err = d.Set(DescribeOutputAttributeName, []map[string]any{schemas.DescribeOauthIntegrationForCustomClientsToSchema(integrationProperties)}); err != nil { + return diag.FromErr(err) + } + + return nil + } +} + +func UpdateContextOauthIntegrationForCustomClients(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics { + client := meta.(*provider.Context).Client + id := helpers.DecodeSnowflakeID(d.Id()).(sdk.AccountObjectIdentifier) + set, unset := sdk.NewOauthForCustomClientsIntegrationSetRequest(), sdk.NewOauthForCustomClientsIntegrationUnsetRequest() + + if d.HasChange("oauth_redirect_uri") { + set.WithOauthRedirectUri(d.Get("oauth_redirect_uri").(string)) + } + + if d.HasChange("enabled") { + if v := d.Get("enabled").(string); v != BooleanDefault { + parsedBool, err := booleanStringToBool(v) + if err != nil { + return diag.FromErr(err) + } + set.WithEnabled(parsedBool) + } else { + unset.WithEnabled(true) + } + } + + if d.HasChange("oauth_allow_non_tls_redirect_uri") { + if v := d.Get("oauth_allow_non_tls_redirect_uri").(string); v != BooleanDefault { + parsedBool, err := booleanStringToBool(v) + if err != nil { + return diag.FromErr(err) + } + set.WithOauthAllowNonTlsRedirectUri(parsedBool) + } else { + // TODO(SNOW-1515781): No unset available for this field (setting Snowflake default) + set.WithOauthAllowNonTlsRedirectUri(false) + } + } + + if d.HasChange("oauth_enforce_pkce") { + if v := d.Get("oauth_enforce_pkce").(string); v != BooleanDefault { + parsedBool, err := booleanStringToBool(v) + if err != nil { + return diag.FromErr(err) + } + set.WithOauthEnforcePkce(parsedBool) + } else { + // TODO(SNOW-1515781): No unset available for this field (setting Snowflake default) + set.WithOauthEnforcePkce(false) + } + } + + if d.HasChange("oauth_use_secondary_roles") { + if v, ok := d.GetOk("oauth_use_secondary_roles"); ok { + oauthUseSecondaryRoles, err := sdk.ToOauthSecurityIntegrationUseSecondaryRolesOption(v.(string)) + if err != nil { + return diag.FromErr(err) + } + set.WithOauthUseSecondaryRoles(oauthUseSecondaryRoles) + } else { + unset.WithOauthUseSecondaryRoles(true) + } + } + + if d.HasChange("pre_authorized_roles_list") { + elems := expandStringList(d.Get("pre_authorized_roles_list").(*schema.Set).List()) + preAuthorizedRoles := make([]sdk.AccountObjectIdentifier, len(elems)) + for i := range elems { + preAuthorizedRoles[i] = sdk.NewAccountObjectIdentifier(elems[i]) + } + set.WithPreAuthorizedRolesList(sdk.PreAuthorizedRolesListRequest{PreAuthorizedRolesList: preAuthorizedRoles}) + } + + if d.HasChange("blocked_roles_list") { + elems := expandStringList(d.Get("blocked_roles_list").(*schema.Set).List()) + blockedRoles := make([]sdk.AccountObjectIdentifier, len(elems)) + for i := range elems { + blockedRoles[i] = sdk.NewAccountObjectIdentifier(elems[i]) + } + set.WithBlockedRolesList(sdk.BlockedRolesListRequest{BlockedRolesList: blockedRoles}) + } + + if d.HasChange("oauth_issue_refresh_tokens") { + if v := d.Get("oauth_issue_refresh_tokens").(string); v != BooleanDefault { + parsedBool, err := booleanStringToBool(v) + if err != nil { + return diag.FromErr(err) + } + set.WithOauthIssueRefreshTokens(parsedBool) + } else { + // TODO(SNOW-1515781): No unset available for this field (setting Snowflake default) + set.WithOauthIssueRefreshTokens(true) + } + } + + if d.HasChange("oauth_refresh_token_validity") { + if v := d.Get("oauth_refresh_token_validity").(int); v != IntDefault { + set.WithOauthRefreshTokenValidity(v) + } else { + // TODO(SNOW-1515781): No unset available for this field (setting Snowflake default; 90 days in seconds) + set.WithOauthRefreshTokenValidity(7_776_000) + } + } + + if d.HasChange("network_policy") { + if v, ok := d.GetOk("network_policy"); ok { + set.WithNetworkPolicy(sdk.NewAccountObjectIdentifier(v.(string))) + } else { + unset.WithNetworkPolicy(true) + } + } + + if d.HasChange("oauth_client_rsa_public_key") { + if v, ok := d.GetOk("oauth_client_rsa_public_key"); ok { + set.WithOauthClientRsaPublicKey(v.(string)) + } else { + unset.WithOauthClientRsaPublicKey(true) + } + } + + if d.HasChange("oauth_client_rsa_public_key_2") { + if v, ok := d.GetOk("oauth_client_rsa_public_key_2"); ok { + set.WithOauthClientRsaPublicKey2(v.(string)) + } else { + unset.WithOauthClientRsaPublicKey2(true) + } + } + + if d.HasChange("comment") { + set.WithComment(d.Get("comment").(string)) + } + + if !reflect.DeepEqual(*set, sdk.OauthForCustomClientsIntegrationSetRequest{}) { + if err := client.SecurityIntegrations.AlterOauthForCustomClients(ctx, sdk.NewAlterOauthForCustomClientsSecurityIntegrationRequest(id).WithSet(*set)); err != nil { + return diag.FromErr(err) + } + } + + if !reflect.DeepEqual(*unset, sdk.OauthForCustomClientsIntegrationUnsetRequest{}) { + if err := client.SecurityIntegrations.AlterOauthForCustomClients(ctx, sdk.NewAlterOauthForCustomClientsSecurityIntegrationRequest(id).WithUnset(*unset)); err != nil { + return diag.FromErr(err) + } + } + + return ReadContextOauthIntegrationForCustomClients(false)(ctx, d, meta) +} + +func DeleteContextOauthIntegrationForCustomClients(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics { + id := helpers.DecodeSnowflakeID(d.Id()).(sdk.AccountObjectIdentifier) + client := meta.(*provider.Context).Client + + err := client.SecurityIntegrations.Drop(ctx, sdk.NewDropSecurityIntegrationRequest(sdk.NewAccountObjectIdentifier(id.Name())).WithIfExists(true)) + if err != nil { + return diag.Diagnostics{ + diag.Diagnostic{ + Severity: diag.Error, + Summary: "Error deleting integration", + Detail: fmt.Sprintf("id %v err = %v", id.Name(), err), + }, + } + } + + d.SetId("") + return nil +} diff --git a/pkg/resources/oauth_integration_for_custom_clients_acceptance_test.go b/pkg/resources/oauth_integration_for_custom_clients_acceptance_test.go new file mode 100644 index 0000000000..2bc16b4af1 --- /dev/null +++ b/pkg/resources/oauth_integration_for_custom_clients_acceptance_test.go @@ -0,0 +1,666 @@ +package resources_test + +import ( + "regexp" + "testing" + + tfjson "github.com/hashicorp/terraform-json" + + "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/acceptance/importchecks" + "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/acceptance/planchecks" + "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/resources" + "github.com/hashicorp/terraform-plugin-testing/plancheck" + + acc "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/acceptance" + "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/acceptance/helpers/random" + "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk" + "github.com/hashicorp/terraform-plugin-testing/config" + "github.com/hashicorp/terraform-plugin-testing/helper/resource" + "github.com/hashicorp/terraform-plugin-testing/tfversion" +) + +func TestAcc_OauthIntegrationForCustomClients_Basic(t *testing.T) { + networkPolicy, networkPolicyCleanup := acc.TestClient().NetworkPolicy.CreateNetworkPolicy(t) + t.Cleanup(networkPolicyCleanup) + + preAuthorizedRole, preauthorizedRoleCleanup := acc.TestClient().Role.CreateRole(t) + t.Cleanup(preauthorizedRoleCleanup) + + blockedRole, blockedRoleCleanup := acc.TestClient().Role.CreateRole(t) + t.Cleanup(blockedRoleCleanup) + + validUrl := "https://example.com" + id := acc.TestClient().Ids.RandomAccountObjectIdentifier() + key, _ := random.GenerateRSAPublicKey(t) + comment := random.Comment() + + m := func(complete bool) map[string]config.Variable { + c := map[string]config.Variable{ + "name": config.StringVariable(id.Name()), + "oauth_client_type": config.StringVariable(string(sdk.OauthSecurityIntegrationClientTypeConfidential)), + "oauth_redirect_uri": config.StringVariable(validUrl), + "blocked_roles_list": config.SetVariable(config.StringVariable("ACCOUNTADMIN"), config.StringVariable("SECURITYADMIN")), + } + if complete { + c["blocked_roles_list"] = config.SetVariable(config.StringVariable("ACCOUNTADMIN"), config.StringVariable("SECURITYADMIN"), config.StringVariable(blockedRole.ID().Name())) + c["comment"] = config.StringVariable(comment) + c["enabled"] = config.BoolVariable(true) + c["network_policy"] = config.StringVariable(networkPolicy.Name) + c["oauth_allow_non_tls_redirect_uri"] = config.BoolVariable(true) + c["oauth_allowed_authorization_endpoints"] = config.SetVariable(config.StringVariable("http://allowed.com")) + c["oauth_allowed_token_endpoints"] = config.SetVariable(config.StringVariable("http://allowed.com")) + c["oauth_authorization_endpoint"] = config.StringVariable("http://auth.com") + c["oauth_client_rsa_public_key"] = config.StringVariable(key) + c["oauth_client_rsa_public_key_2"] = config.StringVariable(key) + c["oauth_enforce_pkce"] = config.BoolVariable(true) + c["oauth_issue_refresh_tokens"] = config.BoolVariable(true) + c["oauth_refresh_token_validity"] = config.IntegerVariable(86400) + c["oauth_token_endpoint"] = config.StringVariable("http://auth.com") + c["oauth_use_secondary_roles"] = config.StringVariable(string(sdk.OauthSecurityIntegrationUseSecondaryRolesImplicit)) + c["pre_authorized_roles_list"] = config.SetVariable(config.StringVariable(preAuthorizedRole.ID().Name())) + } + return c + } + resource.Test(t, resource.TestCase{ + ProtoV6ProviderFactories: acc.TestAccProtoV6ProviderFactories, + PreCheck: func() { acc.TestAccPreCheck(t) }, + TerraformVersionChecks: []tfversion.TerraformVersionCheck{ + tfversion.RequireAbove(tfversion.Version1_5_0), + }, + Steps: []resource.TestStep{ + // create with empty optionals + { + ConfigDirectory: acc.ConfigurationDirectory("TestAcc_OauthIntegrationForCustomClients/basic"), + ConfigVariables: m(false), + Check: resource.ComposeAggregateTestCheckFunc( + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "name", id.Name()), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_type", string(sdk.OauthSecurityIntegrationClientTypeConfidential)), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_redirect_uri", validUrl), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "enabled", resources.BooleanDefault), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_allow_non_tls_redirect_uri", resources.BooleanDefault), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_enforce_pkce", resources.BooleanDefault), + resource.TestCheckNoResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_use_secondary_roles"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "pre_authorized_roles_list.#", "0"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "blocked_roles_list.#", "2"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_issue_refresh_tokens", resources.BooleanDefault), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_refresh_token_validity", "-1"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "network_policy", ""), + resource.TestCheckNoResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_rsa_public_key"), + resource.TestCheckNoResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_rsa_public_key_2"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "comment", ""), + + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.#", "1"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.name", id.Name()), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.integration_type", "OAUTH - CUSTOM"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.category", "SECURITY"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.enabled", "false"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.comment", ""), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.created_on"), + + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.#", "1"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_type.0.value", string(sdk.OauthSecurityIntegrationClientTypeConfidential)), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_redirect_uri.0.value", validUrl), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.enabled.0.value", "false"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_allow_non_tls_redirect_uri.0.value", "false"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_enforce_pkce.0.value", "false"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_use_secondary_roles.0.value", "NONE"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.pre_authorized_roles_list.0.value", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.blocked_roles_list.0.value", "ACCOUNTADMIN,SECURITYADMIN"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_issue_refresh_tokens.0.value", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_refresh_token_validity.0.value", "7776000"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.network_policy.0.value", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_rsa_public_key_fp.0.value", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_rsa_public_key_2_fp.0.value", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.comment.0.value", ""), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_id.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_authorization_endpoint.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_token_endpoint.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_allowed_authorization_endpoints.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_allowed_token_endpoints.0.value"), + ), + }, + // import - without optionals + { + ConfigDirectory: acc.ConfigurationDirectory("TestAcc_OauthIntegrationForCustomClients/basic"), + ConfigVariables: m(false), + ResourceName: "snowflake_oauth_integration_for_custom_clients.test", + ImportState: true, + ImportStateCheck: importchecks.ComposeAggregateImportStateCheck( + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "name", id.Name()), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "oauth_client_type", string(sdk.OauthSecurityIntegrationClientTypeConfidential)), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "oauth_redirect_uri", validUrl), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "enabled", "false"), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "oauth_allow_non_tls_redirect_uri", "false"), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "oauth_enforce_pkce", "false"), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "pre_authorized_roles_list.#", "0"), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "blocked_roles_list.#", "2"), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "oauth_issue_refresh_tokens", "true"), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "oauth_refresh_token_validity", "7776000"), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "network_policy", ""), + importchecks.TestCheckResourceAttrNotInInstanceState(id.Name(), "oauth_client_rsa_public_key"), + importchecks.TestCheckResourceAttrNotInInstanceState(id.Name(), "oauth_client_rsa_public_key_2"), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "comment", ""), + ), + }, + // set optionals + { + ConfigDirectory: acc.ConfigurationDirectory("TestAcc_OauthIntegrationForCustomClients/complete"), + ConfigVariables: m(true), + ConfigPlanChecks: resource.ConfigPlanChecks{ + PreApply: []plancheck.PlanCheck{ + plancheck.ExpectResourceAction("snowflake_oauth_integration_for_custom_clients.test", plancheck.ResourceActionUpdate), + }, + }, + Check: resource.ComposeAggregateTestCheckFunc( + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "name", id.Name()), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_type", string(sdk.OauthSecurityIntegrationClientTypeConfidential)), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_redirect_uri", validUrl), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "enabled", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_allow_non_tls_redirect_uri", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_enforce_pkce", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_use_secondary_roles", string(sdk.OauthSecurityIntegrationUseSecondaryRolesImplicit)), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "pre_authorized_roles_list.#", "1"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "pre_authorized_roles_list.0", preAuthorizedRole.ID().Name()), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "blocked_roles_list.#", "3"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_issue_refresh_tokens", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_refresh_token_validity", "86400"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "network_policy", sdk.NewAccountObjectIdentifier(networkPolicy.Name).Name()), // TODO(SNOW-999049): Fix during identifiers rework + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_rsa_public_key", key), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_rsa_public_key_2", key), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "comment", comment), + + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.#", "1"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.name", id.Name()), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.integration_type", "OAUTH - CUSTOM"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.category", "SECURITY"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.enabled", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.comment", comment), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.created_on"), + + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.#", "1"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_type.0.value", string(sdk.OauthSecurityIntegrationClientTypeConfidential)), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_redirect_uri.0.value", validUrl), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.enabled.0.value", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_allow_non_tls_redirect_uri.0.value", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_enforce_pkce.0.value", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_use_secondary_roles.0.value", string(sdk.OauthSecurityIntegrationUseSecondaryRolesImplicit)), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.pre_authorized_roles_list.0.value", preAuthorizedRole.ID().Name()), + // Not asserted, because it also contains other default roles + // resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.blocked_roles_list.0.value"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_issue_refresh_tokens.0.value", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_refresh_token_validity.0.value", "86400"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.network_policy.0.value", sdk.NewAccountObjectIdentifier(networkPolicy.Name).Name()), // TODO(SNOW-999049): Fix during identifiers rework + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_rsa_public_key_fp.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_rsa_public_key_2_fp.0.value"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.comment.0.value", comment), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_id.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_authorization_endpoint.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_token_endpoint.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_allowed_authorization_endpoints.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_allowed_token_endpoints.0.value"), + ), + }, + // import - complete + { + ConfigDirectory: acc.ConfigurationDirectory("TestAcc_OauthIntegrationForCustomClients/complete"), + ConfigVariables: m(true), + ResourceName: "snowflake_oauth_integration_for_custom_clients.test", + ImportState: true, + ImportStateCheck: importchecks.ComposeAggregateImportStateCheck( + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "name", id.Name()), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "oauth_client_type", string(sdk.OauthSecurityIntegrationClientTypeConfidential)), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "oauth_redirect_uri", validUrl), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "enabled", "true"), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "oauth_allow_non_tls_redirect_uri", "true"), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "oauth_enforce_pkce", "true"), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "pre_authorized_roles_list.#", "1"), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "pre_authorized_roles_list.0", preAuthorizedRole.ID().Name()), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "blocked_roles_list.#", "3"), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "oauth_issue_refresh_tokens", "true"), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "oauth_refresh_token_validity", "86400"), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "network_policy", sdk.NewAccountObjectIdentifier(networkPolicy.Name).Name()), // TODO(SNOW-999049): Fix during identifiers rework + importchecks.TestCheckResourceAttrNotInInstanceState(id.Name(), "oauth_client_rsa_public_key"), + importchecks.TestCheckResourceAttrNotInInstanceState(id.Name(), "oauth_client_rsa_public_key_2"), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "comment", comment), + ), + }, + // change externally + { + ConfigDirectory: acc.ConfigurationDirectory("TestAcc_OauthIntegrationForCustomClients/complete"), + ConfigVariables: m(true), + PreConfig: func() { + acc.TestClient().SecurityIntegration.UpdateOauthForClients(t, sdk.NewAlterOauthForCustomClientsSecurityIntegrationRequest(id).WithUnset( + *sdk.NewOauthForCustomClientsIntegrationUnsetRequest(). + WithEnabled(true). + WithNetworkPolicy(true). + WithOauthUseSecondaryRoles(true). + WithOauthClientRsaPublicKey(true). + WithOauthClientRsaPublicKey2(true), + )) + }, + ConfigPlanChecks: resource.ConfigPlanChecks{ + PreApply: []plancheck.PlanCheck{ + plancheck.ExpectResourceAction("snowflake_oauth_integration_for_custom_clients.test", plancheck.ResourceActionUpdate), + + planchecks.ExpectDrift("snowflake_oauth_integration_for_custom_clients.test", "enabled", sdk.String("true"), sdk.String("false")), + planchecks.ExpectDrift("snowflake_oauth_integration_for_custom_clients.test", "network_policy", sdk.String(sdk.NewAccountObjectIdentifier(networkPolicy.Name).Name()), sdk.String("")), + planchecks.ExpectDrift("snowflake_oauth_integration_for_custom_clients.test", "oauth_use_secondary_roles", sdk.String(string(sdk.OauthSecurityIntegrationUseSecondaryRolesImplicit)), sdk.String(string(sdk.OauthSecurityIntegrationUseSecondaryRolesNone))), + planchecks.ExpectDrift("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_rsa_public_key", sdk.String(key), sdk.String(key)), + planchecks.ExpectDrift("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_rsa_public_key_2", sdk.String(key), sdk.String(key)), + + planchecks.ExpectChange("snowflake_oauth_integration_for_custom_clients.test", "enabled", tfjson.ActionUpdate, sdk.String("false"), sdk.String("true")), + planchecks.ExpectChange("snowflake_oauth_integration_for_custom_clients.test", "network_policy", tfjson.ActionUpdate, sdk.String(""), sdk.String(sdk.NewAccountObjectIdentifier(networkPolicy.Name).Name())), + planchecks.ExpectChange("snowflake_oauth_integration_for_custom_clients.test", "oauth_use_secondary_roles", tfjson.ActionUpdate, sdk.String(string(sdk.OauthSecurityIntegrationUseSecondaryRolesNone)), sdk.String(string(sdk.OauthSecurityIntegrationUseSecondaryRolesImplicit))), + planchecks.ExpectChange("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_rsa_public_key", tfjson.ActionUpdate, sdk.String(key), sdk.String(key)), + planchecks.ExpectChange("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_rsa_public_key_2", tfjson.ActionUpdate, sdk.String(key), sdk.String(key)), + }, + }, + Check: resource.ComposeAggregateTestCheckFunc( + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "name", id.Name()), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_type", string(sdk.OauthSecurityIntegrationClientTypeConfidential)), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_redirect_uri", validUrl), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "enabled", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_allow_non_tls_redirect_uri", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_enforce_pkce", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_use_secondary_roles", string(sdk.OauthSecurityIntegrationUseSecondaryRolesImplicit)), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "pre_authorized_roles_list.#", "1"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "pre_authorized_roles_list.0", preAuthorizedRole.ID().Name()), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "blocked_roles_list.#", "3"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_issue_refresh_tokens", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_refresh_token_validity", "86400"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "network_policy", sdk.NewAccountObjectIdentifier(networkPolicy.Name).Name()), // TODO(SNOW-999049): Fix during identifiers rework + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_rsa_public_key", key), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_rsa_public_key_2", key), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "comment", comment), + + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.#", "1"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.name", id.Name()), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.integration_type", "OAUTH - CUSTOM"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.category", "SECURITY"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.enabled", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.comment", comment), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.created_on"), + + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.#", "1"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_type.0.value", string(sdk.OauthSecurityIntegrationClientTypeConfidential)), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_redirect_uri.0.value", validUrl), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.enabled.0.value", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_allow_non_tls_redirect_uri.0.value", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_enforce_pkce.0.value", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_use_secondary_roles.0.value", string(sdk.OauthSecurityIntegrationUseSecondaryRolesImplicit)), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.pre_authorized_roles_list.0.value", preAuthorizedRole.ID().Name()), + // Not asserted, because it also contains other default roles + // resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.blocked_roles_list.0.value"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_issue_refresh_tokens.0.value", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_refresh_token_validity.0.value", "86400"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.network_policy.0.value", sdk.NewAccountObjectIdentifier(networkPolicy.Name).Name()), // TODO(SNOW-999049): Fix during identifiers rework + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_rsa_public_key_fp.0.value", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_rsa_public_key_2_fp.0.value", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.comment.0.value", comment), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_id.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_authorization_endpoint.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_token_endpoint.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_allowed_authorization_endpoints.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_allowed_token_endpoints.0.value"), + ), + }, + // unset + { + ConfigDirectory: acc.ConfigurationDirectory("TestAcc_OauthIntegrationForCustomClients/basic"), + ConfigVariables: m(false), + ConfigPlanChecks: resource.ConfigPlanChecks{ + PreApply: []plancheck.PlanCheck{ + plancheck.ExpectResourceAction("snowflake_oauth_integration_for_custom_clients.test", plancheck.ResourceActionUpdate), + }, + }, + Check: resource.ComposeAggregateTestCheckFunc( + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "name", id.Name()), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_type", string(sdk.OauthSecurityIntegrationClientTypeConfidential)), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_redirect_uri", validUrl), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "enabled", resources.BooleanDefault), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_allow_non_tls_redirect_uri", resources.BooleanDefault), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_enforce_pkce", resources.BooleanDefault), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_use_secondary_roles", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "pre_authorized_roles_list.#", "0"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "blocked_roles_list.#", "2"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_issue_refresh_tokens", resources.BooleanDefault), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_refresh_token_validity", "-1"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "network_policy", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_rsa_public_key", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_rsa_public_key_2", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "comment", ""), + + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.#", "1"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.name", id.Name()), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.integration_type", "OAUTH - CUSTOM"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.category", "SECURITY"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.enabled", "false"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.comment", ""), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.created_on"), + + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.#", "1"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_type.0.value", string(sdk.OauthSecurityIntegrationClientTypeConfidential)), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_redirect_uri.0.value", validUrl), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.enabled.0.value", "false"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_allow_non_tls_redirect_uri.0.value", "false"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_enforce_pkce.0.value", "false"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_use_secondary_roles.0.value", "NONE"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.pre_authorized_roles_list.0.value", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.blocked_roles_list.0.value", "ACCOUNTADMIN,SECURITYADMIN"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_issue_refresh_tokens.0.value", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_refresh_token_validity.0.value", "7776000"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.network_policy.0.value", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_rsa_public_key_fp.0.value", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_rsa_public_key_2_fp.0.value", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.comment.0.value", ""), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_id.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_authorization_endpoint.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_token_endpoint.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_allowed_authorization_endpoints.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_allowed_token_endpoints.0.value"), + ), + }, + }, + }) +} + +func TestAcc_OauthIntegrationForCustomClients_Complete(t *testing.T) { + networkPolicy, networkPolicyCleanup := acc.TestClient().NetworkPolicy.CreateNetworkPolicy(t) + t.Cleanup(networkPolicyCleanup) + + preAuthorizedRole, preauthorizedRoleCleanup := acc.TestClient().Role.CreateRole(t) + t.Cleanup(preauthorizedRoleCleanup) + + blockedRole, blockedRoleCleanup := acc.TestClient().Role.CreateRole(t) + t.Cleanup(blockedRoleCleanup) + + validUrl := "https://example.com" + id := acc.TestClient().Ids.RandomAccountObjectIdentifier() + key, _ := random.GenerateRSAPublicKey(t) + comment := random.Comment() + + configVariables := config.Variables{ + "name": config.StringVariable(id.Name()), + "oauth_client_type": config.StringVariable(string(sdk.OauthSecurityIntegrationClientTypeConfidential)), + "oauth_redirect_uri": config.StringVariable(validUrl), + "blocked_roles_list": config.SetVariable(config.StringVariable("ACCOUNTADMIN"), config.StringVariable("SECURITYADMIN"), config.StringVariable(blockedRole.ID().Name())), + "comment": config.StringVariable(comment), + "enabled": config.BoolVariable(true), + "network_policy": config.StringVariable(networkPolicy.Name), + "oauth_allow_non_tls_redirect_uri": config.BoolVariable(true), + "oauth_allowed_authorization_endpoints": config.SetVariable(config.StringVariable("http://allowed.com")), + "oauth_allowed_token_endpoints": config.SetVariable(config.StringVariable("http://allowed.com")), + "oauth_authorization_endpoint": config.StringVariable("http://auth.com"), + "oauth_client_rsa_public_key": config.StringVariable(key), + "oauth_client_rsa_public_key_2": config.StringVariable(key), + "oauth_enforce_pkce": config.BoolVariable(true), + "oauth_issue_refresh_tokens": config.BoolVariable(true), + "oauth_refresh_token_validity": config.IntegerVariable(86400), + "oauth_token_endpoint": config.StringVariable("http://auth.com"), + "oauth_use_secondary_roles": config.StringVariable(string(sdk.OauthSecurityIntegrationUseSecondaryRolesNone)), + "pre_authorized_roles_list": config.SetVariable(config.StringVariable(preAuthorizedRole.ID().Name())), + } + + resource.Test(t, resource.TestCase{ + ProtoV6ProviderFactories: acc.TestAccProtoV6ProviderFactories, + PreCheck: func() { acc.TestAccPreCheck(t) }, + TerraformVersionChecks: []tfversion.TerraformVersionCheck{ + tfversion.RequireAbove(tfversion.Version1_5_0), + }, + Steps: []resource.TestStep{ + { + ConfigDirectory: acc.ConfigurationDirectory("TestAcc_OauthIntegrationForCustomClients/complete"), + ConfigVariables: configVariables, + Check: resource.ComposeAggregateTestCheckFunc( + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "name", id.Name()), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_type", string(sdk.OauthSecurityIntegrationClientTypeConfidential)), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_redirect_uri", validUrl), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "enabled", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_allow_non_tls_redirect_uri", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_enforce_pkce", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_use_secondary_roles", string(sdk.OauthSecurityIntegrationUseSecondaryRolesNone)), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "pre_authorized_roles_list.#", "1"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "pre_authorized_roles_list.0", preAuthorizedRole.ID().Name()), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "blocked_roles_list.#", "3"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_issue_refresh_tokens", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_refresh_token_validity", "86400"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "network_policy", sdk.NewAccountObjectIdentifier(networkPolicy.Name).Name()), // TODO(SNOW-999049): Fix during identifiers rework + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_rsa_public_key", key), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_rsa_public_key_2", key), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "comment", comment), + + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.#", "1"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.name", id.Name()), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.integration_type", "OAUTH - CUSTOM"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.category", "SECURITY"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.enabled", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.comment", comment), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.created_on"), + + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.#", "1"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_type.0.value", string(sdk.OauthSecurityIntegrationClientTypeConfidential)), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_redirect_uri.0.value", validUrl), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.enabled.0.value", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_allow_non_tls_redirect_uri.0.value", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_enforce_pkce.0.value", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_use_secondary_roles.0.value", "NONE"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.pre_authorized_roles_list.0.value", preAuthorizedRole.ID().Name()), + // Not asserted, because it also contains other default roles + // resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.blocked_roles_list.0.value"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_issue_refresh_tokens.0.value", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_refresh_token_validity.0.value", "86400"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.network_policy.0.value", sdk.NewAccountObjectIdentifier(networkPolicy.Name).Name()), // TODO(SNOW-999049): Fix during identifiers rework + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_rsa_public_key_fp.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_rsa_public_key_2_fp.0.value"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.comment.0.value", comment), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_id.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_authorization_endpoint.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_token_endpoint.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_allowed_authorization_endpoints.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_allowed_token_endpoints.0.value"), + ), + }, + { + ConfigDirectory: acc.ConfigurationDirectory("TestAcc_OauthIntegrationForCustomClients/complete"), + ConfigVariables: configVariables, + ResourceName: "snowflake_oauth_integration_for_custom_clients.test", + ImportState: true, + ImportStateCheck: importchecks.ComposeAggregateImportStateCheck( + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "name", id.Name()), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "oauth_client_type", string(sdk.OauthSecurityIntegrationClientTypeConfidential)), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "oauth_redirect_uri", validUrl), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "enabled", "true"), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "oauth_allow_non_tls_redirect_uri", "true"), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "oauth_enforce_pkce", "true"), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "pre_authorized_roles_list.#", "1"), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "pre_authorized_roles_list.0", preAuthorizedRole.ID().Name()), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "blocked_roles_list.#", "3"), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "oauth_issue_refresh_tokens", "true"), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "oauth_refresh_token_validity", "86400"), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "network_policy", sdk.NewAccountObjectIdentifier(networkPolicy.Name).Name()), // TODO(SNOW-999049): Fix during identifiers rework + importchecks.TestCheckResourceAttrNotInInstanceState(id.Name(), "oauth_client_rsa_public_key"), + importchecks.TestCheckResourceAttrNotInInstanceState(id.Name(), "oauth_client_rsa_public_key_2"), + importchecks.TestCheckResourceAttrInstanceState(id.Name(), "comment", comment), + ), + }, + }, + }) +} + +func TestAcc_OauthIntegrationForCustomClients_DefaultValues(t *testing.T) { + validUrl := "https://example.com" + id := acc.TestClient().Ids.RandomAccountObjectIdentifier() + + configVariables := func(defaultsSet bool) config.Variables { + variables := config.Variables{ + "name": config.StringVariable(id.Name()), + "oauth_client_type": config.StringVariable(string(sdk.OauthSecurityIntegrationClientTypeConfidential)), + "oauth_redirect_uri": config.StringVariable(validUrl), + "blocked_roles_list": config.SetVariable(config.StringVariable("ACCOUNTADMIN"), config.StringVariable("SECURITYADMIN")), + } + + variables["enabled"] = config.BoolVariable(false) + variables["oauth_allow_non_tls_redirect_uri"] = config.BoolVariable(false) + variables["oauth_enforce_pkce"] = config.BoolVariable(false) + variables["oauth_use_secondary_roles"] = config.StringVariable(string(sdk.OauthSecurityIntegrationUseSecondaryRolesNone)) + variables["pre_authorized_roles_list"] = config.SetVariable() + variables["oauth_issue_refresh_tokens"] = config.BoolVariable(false) + variables["oauth_refresh_token_validity"] = config.IntegerVariable(7776000) + variables["network_policy"] = config.StringVariable("") + variables["oauth_client_rsa_public_key"] = config.StringVariable("") + variables["oauth_client_rsa_public_key_2"] = config.StringVariable("") + variables["comment"] = config.StringVariable("") + + return variables + } + + resource.Test(t, resource.TestCase{ + ProtoV6ProviderFactories: acc.TestAccProtoV6ProviderFactories, + PreCheck: func() { acc.TestAccPreCheck(t) }, + TerraformVersionChecks: []tfversion.TerraformVersionCheck{ + tfversion.RequireAbove(tfversion.Version1_5_0), + }, + Steps: []resource.TestStep{ + { + ConfigDirectory: acc.ConfigurationDirectory("TestAcc_OauthIntegrationForCustomClients/default_values"), + ConfigVariables: configVariables(true), + Check: resource.ComposeAggregateTestCheckFunc( + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "name", id.Name()), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_type", string(sdk.OauthSecurityIntegrationClientTypeConfidential)), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_redirect_uri", validUrl), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "enabled", "false"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_allow_non_tls_redirect_uri", "false"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_enforce_pkce", "false"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_use_secondary_roles", string(sdk.OauthSecurityIntegrationUseSecondaryRolesNone)), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "pre_authorized_roles_list.#", "0"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "blocked_roles_list.#", "2"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_issue_refresh_tokens", "false"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_refresh_token_validity", "7776000"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "network_policy", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_rsa_public_key", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_rsa_public_key_2", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "comment", ""), + + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.#", "1"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.name", id.Name()), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.integration_type", "OAUTH - CUSTOM"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.category", "SECURITY"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.enabled", "false"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.comment", ""), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.created_on"), + + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.#", "1"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_type.0.value", string(sdk.OauthSecurityIntegrationClientTypeConfidential)), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_redirect_uri.0.value", validUrl), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.enabled.0.value", "false"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_allow_non_tls_redirect_uri.0.value", "false"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_enforce_pkce.0.value", "false"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_use_secondary_roles.0.value", "NONE"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.pre_authorized_roles_list.0.value", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.blocked_roles_list.0.value", "ACCOUNTADMIN,SECURITYADMIN"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_issue_refresh_tokens.0.value", "false"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_refresh_token_validity.0.value", "7776000"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.network_policy.0.value", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_rsa_public_key_fp.0.value", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_rsa_public_key_2_fp.0.value", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.comment.0.value", ""), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_id.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_authorization_endpoint.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_token_endpoint.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_allowed_authorization_endpoints.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_allowed_token_endpoints.0.value"), + ), + }, + { + ConfigDirectory: acc.ConfigurationDirectory("TestAcc_OauthIntegrationForCustomClients/basic"), + ConfigVariables: configVariables(false), + Check: resource.ComposeAggregateTestCheckFunc( + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "name", id.Name()), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_type", string(sdk.OauthSecurityIntegrationClientTypeConfidential)), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_redirect_uri", validUrl), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "enabled", resources.BooleanDefault), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_allow_non_tls_redirect_uri", resources.BooleanDefault), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_enforce_pkce", resources.BooleanDefault), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_use_secondary_roles", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "pre_authorized_roles_list.#", "0"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "blocked_roles_list.#", "2"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_issue_refresh_tokens", resources.BooleanDefault), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_refresh_token_validity", "-1"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "network_policy", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_rsa_public_key", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_client_rsa_public_key_2", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "comment", ""), + + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.#", "1"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.name", id.Name()), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.integration_type", "OAUTH - CUSTOM"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.category", "SECURITY"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.enabled", "false"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.comment", ""), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "show_output.0.created_on"), + + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.#", "1"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_type.0.value", string(sdk.OauthSecurityIntegrationClientTypeConfidential)), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_redirect_uri.0.value", validUrl), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.enabled.0.value", "false"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_allow_non_tls_redirect_uri.0.value", "false"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_enforce_pkce.0.value", "false"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_use_secondary_roles.0.value", "NONE"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.pre_authorized_roles_list.0.value", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.blocked_roles_list.0.value", "ACCOUNTADMIN,SECURITYADMIN"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_issue_refresh_tokens.0.value", "true"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_refresh_token_validity.0.value", "7776000"), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.network_policy.0.value", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_rsa_public_key_fp.0.value", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_rsa_public_key_2_fp.0.value", ""), + resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.comment.0.value", ""), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_client_id.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_authorization_endpoint.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_token_endpoint.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_allowed_authorization_endpoints.0.value"), + resource.TestCheckResourceAttrSet("snowflake_oauth_integration_for_custom_clients.test", "describe_output.0.oauth_allowed_token_endpoints.0.value"), + ), + }, + }, + }) +} + +func TestAcc_OauthIntegrationForCustomClients_Invalid(t *testing.T) { + id := acc.TestClient().Ids.RandomAccountObjectIdentifier() + + invalidUseSecondaryRoles := config.Variables{ + "name": config.StringVariable(id.Name()), + "oauth_client_type": config.StringVariable(string(sdk.OauthSecurityIntegrationClientTypeConfidential)), + "oauth_redirect_uri": config.StringVariable("https://example.com"), + "oauth_use_secondary_roles": config.StringVariable("invalid"), + "blocked_roles_list": config.SetVariable(config.StringVariable("ACCOUNTADMIN"), config.StringVariable("SECURITYADMIN")), + } + + invalidClientType := config.Variables{ + "name": config.StringVariable(id.Name()), + "oauth_client_type": config.StringVariable("invalid"), + "oauth_redirect_uri": config.StringVariable("https://example.com"), + "oauth_use_secondary_roles": config.StringVariable(string(sdk.OauthSecurityIntegrationUseSecondaryRolesNone)), + "blocked_roles_list": config.SetVariable(config.StringVariable("ACCOUNTADMIN"), config.StringVariable("SECURITYADMIN")), + } + + resource.Test(t, resource.TestCase{ + ProtoV6ProviderFactories: acc.TestAccProtoV6ProviderFactories, + PreCheck: func() { acc.TestAccPreCheck(t) }, + TerraformVersionChecks: []tfversion.TerraformVersionCheck{ + tfversion.RequireAbove(tfversion.Version1_5_0), + }, + Steps: []resource.TestStep{ + { + ConfigDirectory: acc.ConfigurationDirectory("TestAcc_OauthIntegrationForCustomClients/invalid"), + ConfigVariables: invalidUseSecondaryRoles, + ExpectError: regexp.MustCompile(`Error: invalid OauthSecurityIntegrationUseSecondaryRolesOption: INVALID`), + }, + { + ConfigDirectory: acc.ConfigurationDirectory("TestAcc_OauthIntegrationForCustomClients/invalid"), + ConfigVariables: invalidClientType, + ExpectError: regexp.MustCompile(`Error: invalid OauthSecurityIntegrationClientTypeOption: INVALID`), + }, + }, + }) +} diff --git a/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/basic/test.tf b/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/basic/test.tf new file mode 100644 index 0000000000..83e0ae30b7 --- /dev/null +++ b/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/basic/test.tf @@ -0,0 +1,6 @@ +resource "snowflake_oauth_integration_for_custom_clients" "test" { + name = var.name + oauth_client_type = var.oauth_client_type + oauth_redirect_uri = var.oauth_redirect_uri + blocked_roles_list = var.blocked_roles_list +} diff --git a/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/basic/variables.tf b/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/basic/variables.tf new file mode 100644 index 0000000000..eacd431fd3 --- /dev/null +++ b/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/basic/variables.tf @@ -0,0 +1,12 @@ +variable "name" { + type = string +} +variable "oauth_client_type" { + type = string +} +variable "oauth_redirect_uri" { + type = string +} +variable "blocked_roles_list" { + type = set(string) +} diff --git a/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/complete/test.tf b/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/complete/test.tf new file mode 100644 index 0000000000..8330c46690 --- /dev/null +++ b/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/complete/test.tf @@ -0,0 +1,17 @@ +resource "snowflake_oauth_integration_for_custom_clients" "test" { + blocked_roles_list = var.blocked_roles_list + comment = var.comment + enabled = var.enabled + name = var.name + network_policy = var.network_policy + oauth_allow_non_tls_redirect_uri = var.oauth_allow_non_tls_redirect_uri + oauth_client_rsa_public_key = var.oauth_client_rsa_public_key + oauth_client_rsa_public_key_2 = var.oauth_client_rsa_public_key_2 + oauth_client_type = var.oauth_client_type + oauth_enforce_pkce = var.oauth_enforce_pkce + oauth_issue_refresh_tokens = var.oauth_issue_refresh_tokens + oauth_redirect_uri = var.oauth_redirect_uri + oauth_refresh_token_validity = var.oauth_refresh_token_validity + oauth_use_secondary_roles = var.oauth_use_secondary_roles + pre_authorized_roles_list = var.pre_authorized_roles_list +} diff --git a/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/complete/variables.tf b/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/complete/variables.tf new file mode 100644 index 0000000000..9d98ea92c8 --- /dev/null +++ b/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/complete/variables.tf @@ -0,0 +1,46 @@ + +variable "blocked_roles_list" { + type = set(string) +} +variable "comment" { + type = string +} +variable "enabled" { + type = bool +} +variable "name" { + type = string +} +variable "network_policy" { + type = string +} +variable "oauth_allow_non_tls_redirect_uri" { + type = bool +} +variable "oauth_client_rsa_public_key" { + type = string +} +variable "oauth_client_rsa_public_key_2" { + type = string +} +variable "oauth_client_type" { + type = string +} +variable "oauth_enforce_pkce" { + type = bool +} +variable "oauth_issue_refresh_tokens" { + type = bool +} +variable "oauth_redirect_uri" { + type = string +} +variable "oauth_refresh_token_validity" { + type = number +} +variable "oauth_use_secondary_roles" { + type = string +} +variable "pre_authorized_roles_list" { + type = set(string) +} diff --git a/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/default_values/test.tf b/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/default_values/test.tf new file mode 100644 index 0000000000..6cf1b66134 --- /dev/null +++ b/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/default_values/test.tf @@ -0,0 +1,18 @@ +resource "snowflake_oauth_integration_for_custom_clients" "test" { + name = var.name + oauth_client_type = var.oauth_client_type + oauth_redirect_uri = var.oauth_redirect_uri + blocked_roles_list = var.blocked_roles_list + + enabled = var.enabled + oauth_allow_non_tls_redirect_uri = var.oauth_allow_non_tls_redirect_uri + oauth_enforce_pkce = var.oauth_enforce_pkce + oauth_use_secondary_roles = var.oauth_use_secondary_roles + pre_authorized_roles_list = var.pre_authorized_roles_list + oauth_issue_refresh_tokens = var.oauth_issue_refresh_tokens + oauth_refresh_token_validity = var.oauth_refresh_token_validity + network_policy = var.network_policy + oauth_client_rsa_public_key = var.oauth_client_rsa_public_key + oauth_client_rsa_public_key_2 = var.oauth_client_rsa_public_key_2 + comment = var.comment +} diff --git a/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/default_values/variables.tf b/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/default_values/variables.tf new file mode 100644 index 0000000000..d2e2c543f2 --- /dev/null +++ b/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/default_values/variables.tf @@ -0,0 +1,45 @@ +variable "name" { + type = string +} +variable "oauth_client_type" { + type = string +} +variable "oauth_redirect_uri" { + type = string +} +variable "blocked_roles_list" { + type = set(string) +} +variable "enabled" { + type = bool +} +variable "oauth_allow_non_tls_redirect_uri" { + type = bool +} +variable "oauth_enforce_pkce" { + type = bool +} +variable "oauth_use_secondary_roles" { + type = string +} +variable "pre_authorized_roles_list" { + type = set(string) +} +variable "oauth_issue_refresh_tokens" { + type = bool +} +variable "oauth_refresh_token_validity" { + type = number +} +variable "network_policy" { + type = string +} +variable "oauth_client_rsa_public_key" { + type = string +} +variable "oauth_client_rsa_public_key_2" { + type = string +} +variable "comment" { + type = string +} diff --git a/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/invalid/test.tf b/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/invalid/test.tf new file mode 100644 index 0000000000..f0166eb688 --- /dev/null +++ b/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/invalid/test.tf @@ -0,0 +1,7 @@ +resource "snowflake_oauth_integration_for_custom_clients" "test" { + name = var.name + oauth_client_type = var.oauth_client_type + oauth_redirect_uri = var.oauth_redirect_uri + oauth_use_secondary_roles = var.oauth_use_secondary_roles + blocked_roles_list = var.blocked_roles_list +} diff --git a/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/invalid/variables.tf b/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/invalid/variables.tf new file mode 100644 index 0000000000..71afeb8ae8 --- /dev/null +++ b/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/invalid/variables.tf @@ -0,0 +1,15 @@ +variable "name" { + type = string +} +variable "oauth_client_type" { + type = string +} +variable "oauth_redirect_uri" { + type = string +} +variable "oauth_use_secondary_roles" { + type = string +} +variable "blocked_roles_list" { + type = set(string) +} diff --git a/pkg/schemas/oauth_integration_for_custom_clients.go b/pkg/schemas/oauth_integration_for_custom_clients.go new file mode 100644 index 0000000000..06f35e4106 --- /dev/null +++ b/pkg/schemas/oauth_integration_for_custom_clients.go @@ -0,0 +1,63 @@ +package schemas + +import ( + "log" + "strings" + + "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" +) + +var DescribeOauthIntegrationForCustomClients = map[string]*schema.Schema{ + "oauth_client_type": DescribePropertyListSchema, + "oauth_redirect_uri": DescribePropertyListSchema, + "enabled": DescribePropertyListSchema, + "oauth_allow_non_tls_redirect_uri": DescribePropertyListSchema, + "oauth_enforce_pkce": DescribePropertyListSchema, + "oauth_use_secondary_roles": DescribePropertyListSchema, + "pre_authorized_roles_list": DescribePropertyListSchema, + "blocked_roles_list": DescribePropertyListSchema, + "oauth_issue_refresh_tokens": DescribePropertyListSchema, + "oauth_refresh_token_validity": DescribePropertyListSchema, + "network_policy": DescribePropertyListSchema, + "oauth_client_rsa_public_key_fp": DescribePropertyListSchema, + "oauth_client_rsa_public_key_2_fp": DescribePropertyListSchema, + "comment": DescribePropertyListSchema, + "oauth_client_id": DescribePropertyListSchema, + "oauth_authorization_endpoint": DescribePropertyListSchema, + "oauth_token_endpoint": DescribePropertyListSchema, + "oauth_allowed_authorization_endpoints": DescribePropertyListSchema, + "oauth_allowed_token_endpoints": DescribePropertyListSchema, +} + +func DescribeOauthIntegrationForCustomClientsToSchema(integrationProperties []sdk.SecurityIntegrationProperty) map[string]any { + propsSchema := make(map[string]any) + for _, property := range integrationProperties { + property := property + switch property.Name { + case "OAUTH_CLIENT_TYPE", + "OAUTH_REDIRECT_URI", + "ENABLED", + "OAUTH_ALLOW_NON_TLS_REDIRECT_URI", + "OAUTH_ENFORCE_PKCE", + "OAUTH_USE_SECONDARY_ROLES", + "PRE_AUTHORIZED_ROLES_LIST", + "BLOCKED_ROLES_LIST", + "OAUTH_ISSUE_REFRESH_TOKENS", + "OAUTH_REFRESH_TOKEN_VALIDITY", + "NETWORK_POLICY", + "OAUTH_CLIENT_RSA_PUBLIC_KEY_FP", + "OAUTH_CLIENT_RSA_PUBLIC_KEY_2_FP", + "COMMENT", + "OAUTH_CLIENT_ID", + "OAUTH_AUTHORIZATION_ENDPOINT", + "OAUTH_TOKEN_ENDPOINT", + "OAUTH_ALLOWED_AUTHORIZATION_ENDPOINTS", + "OAUTH_ALLOWED_TOKEN_ENDPOINTS": + propsSchema[strings.ToLower(property.Name)] = []map[string]any{SecurityIntegrationPropertyToSchema(&property)} + default: + log.Printf("[WARN] unexpected property %v returned from Snowflake", property.Name) + } + } + return propsSchema +} diff --git a/templates/resources/oauth_integration_for_custom_clients.md.tmpl b/templates/resources/oauth_integration_for_custom_clients.md.tmpl new file mode 100644 index 0000000000..e7f66bbf91 --- /dev/null +++ b/templates/resources/oauth_integration_for_custom_clients.md.tmpl @@ -0,0 +1,32 @@ +--- +page_title: "{{.Name}} {{.Type}} - {{.ProviderName}}" +subcategory: "" +description: |- +{{ if gt (len (split .Description "")) 1 -}} +{{ index (split .Description "") 1 | plainmarkdown | trimspace | prefixlines " " }} +{{- else -}} +{{ .Description | plainmarkdown | trimspace | prefixlines " " }} +{{- end }} +--- + +!> **V1 release candidate** This resource was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0920--v0930) to use it. + +# {{.Name}} ({{.Type}}) + +{{ .Description | trimspace }} + +{{ if .HasExample -}} +## Example Usage + +{{ tffile (printf "examples/resources/%s/resource.tf" .Name)}} +{{- end }} + +{{ .SchemaMarkdown | trimspace }} +{{- if .HasImport }} + +## Import + +Import is supported using the following syntax: + +{{ codefile "shell" (printf "examples/resources/%s/import.sh" .Name)}} +{{- end }} diff --git a/templates/resources/saml2_integration.md.tmpl b/templates/resources/saml2_integration.md.tmpl new file mode 100644 index 0000000000..e7f66bbf91 --- /dev/null +++ b/templates/resources/saml2_integration.md.tmpl @@ -0,0 +1,32 @@ +--- +page_title: "{{.Name}} {{.Type}} - {{.ProviderName}}" +subcategory: "" +description: |- +{{ if gt (len (split .Description "")) 1 -}} +{{ index (split .Description "") 1 | plainmarkdown | trimspace | prefixlines " " }} +{{- else -}} +{{ .Description | plainmarkdown | trimspace | prefixlines " " }} +{{- end }} +--- + +!> **V1 release candidate** This resource was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0920--v0930) to use it. + +# {{.Name}} ({{.Type}}) + +{{ .Description | trimspace }} + +{{ if .HasExample -}} +## Example Usage + +{{ tffile (printf "examples/resources/%s/resource.tf" .Name)}} +{{- end }} + +{{ .SchemaMarkdown | trimspace }} +{{- if .HasImport }} + +## Import + +Import is supported using the following syntax: + +{{ codefile "shell" (printf "examples/resources/%s/import.sh" .Name)}} +{{- end }} diff --git a/v1-preparations/REMAINING_GA_OBJECTS.MD b/v1-preparations/REMAINING_GA_OBJECTS.MD index fe6ea6cc2d..ebdb328e3c 100644 --- a/v1-preparations/REMAINING_GA_OBJECTS.MD +++ b/v1-preparations/REMAINING_GA_OBJECTS.MD @@ -39,4 +39,4 @@ Known issues lists open issues touching the given object. Note that some of thes | PIPE | ❌ | [#2785](https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/2785), [#2075](https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/2075), [#1781](https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/1781), [#1707](https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/1707), [#1478](https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/1478), [#533](https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/533) | | SECRET | ❌ | [#2545](https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/2545) | | SEQUENCE | ❌ | [#2589](https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/2589) | -| SESSION POLICY | ❌ | - | +| SESSION POLICY | ❌ | [#2870](https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/2870) |