feat: Add service user and legacy service user resources

MIGRATION_GUIDE.md

@@ -7,6 +7,36 @@ across different versions.
 > [!TIP]
 > We highly recommend upgrading the versions one by one instead of bulk upgrades.
 
+## v0.96.0 ➞ v0.97.0
+
+### new snowflake_service_user and snowflake_legacy_service_user resources
+
+Release v0.95.0 introduced reworked `snowflake_user` resource. As [noted](#note-user-types), the new `SERVICE` and `LEGACY_SERVICE` user types were not supported.
+
+This release introduces two new resources to handle these new user types: `snowflake_service_user` and `snowflake_legacy_service_user`.
+
+Both resources have schemas almost identical to the `snowflake_user` resource with the following exceptions:
+- `snowflake_service_user` does not contain the following fields (because they are not supported for the user of type `SERVICE` in Snowflake):
+  - `password`
+  - `first_name`
+  - `middle_name`
+  - `last_name`
+  - `must_change_password`
+  - `mins_to_bypass_mfa`
+  - `disable_mfa`
+- `snowflake_legacy_service_user` does not contain the following fields (because they are not supported for the user of type `LEGACY_SERVICE` in Snowflake):
+  - `first_name`
+  - `middle_name`
+  - `last_name`
+  - `mins_to_bypass_mfa`
+  - `disable_mfa`
+
+`snowflake_users` datasource was adjusted to handle different user types and `type` field was added to the `describe_output`.
+
+If you used to manage service or legacy service users through `snowflake_user` resource (e.g. using `lifecycle.ignore_changes`) or `snowflake_unsafe_execute`, please migrate to the new resources following [our guidelines on resource migration](docs/technical-documentation/resource_migration.md).
+
+Connected issues: [#2951](https://github.com/Snowflake-Labs/terraform-provider-snowflake/issues/2951)
+
 ## v0.95.0 ➞ v0.96.0
 
 ### snowflake_masking_policies data source changes

docs/data-sources/users.md

@@ -162,6 +162,7 @@ Read-Only:
 - `rsa_public_key_fp` (String)
 - `snowflake_lock` (Boolean)
 - `snowflake_support` (Boolean)
+- `type` (String)
 
 
 <a id="nestedobjatt--users--parameters"></a>

docs/resources/user.md

@@ -11,7 +11,7 @@ description: |-
 
 -> **Note** Attaching user policies will be handled in the following versions of the provider which may still affect this resource.
 
--> **Note** `service` and `legacy_service` user types are currently not supported. They will be supported in the following versions as separate resources (namely `snowflake_service_user` and `snowflake_legacy_service_user`).
+-> **Note** Other two user types are handled in separate resources: `snowflake_service_user` for user type `service` and `snowflake_legacy_service_user` for user type `legacy_service`.
 
 -> **Note** External changes to `days_to_expiry`, `mins_to_unlock`, and `mins_to_bypass_mfa` are not currently handled by the provider (because the value changes continuously on Snowflake side after setting it).
 

examples/resources/snowflake_legacy_service_user/import.sh

@@ -0,0 +1 @@
+terraform import snowflake_legacy_service_user.example userName

examples/resources/snowflake_legacy_service_user/resource.tf

@@ -0,0 +1,18 @@
+resource "snowflake_legacy_service_user" "user" {
+  name         = "Snowflake Legacy Service User"
+  login_name   = "legacy_service_user"
+  comment      = "A legacy service user of snowflake."
+  password     = "secret"
+  disabled     = false
+  display_name = "Snowflake Legacy Service User"
+  email        = "[email protected]"
+
+  default_warehouse       = "warehouse"
+  default_secondary_roles = "ALL"
+  default_role            = "role1"
+
+  rsa_public_key   = "..."
+  rsa_public_key_2 = "..."
+
+  must_change_password = true
+}

examples/resources/snowflake_service_user/import.sh

@@ -0,0 +1 @@
+terraform import snowflake_service_user.example userName

examples/resources/snowflake_service_user/resource.tf

@@ -0,0 +1,15 @@
+resource "snowflake_service_user" "service_user" {
+  name         = "Snowflake Service User"
+  login_name   = "service_user"
+  comment      = "A service user of snowflake."
+  disabled     = false
+  display_name = "Snowflake Service User"
+  email        = "[email protected]"
+
+  default_warehouse       = "warehouse"
+  default_secondary_roles = "ALL"
+  default_role            = "role1"
+
+  rsa_public_key   = "..."
+  rsa_public_key_2 = "..."
+}

pkg/acceptance/bettertestspoc/assert/resourceassert/gen/resource_schema_def.go

@@ -29,6 +29,14 @@ var allResourceSchemaDefs = []ResourceSchemaDef{
 		name:   "User",
 		schema: resources.User().Schema,
 	},
+	{
+		name:   "ServiceUser",
+		schema: resources.ServiceUser().Schema,
+	},
+	{
+		name:   "LegacyServiceUser",
+		schema: resources.LegacyServiceUser().Schema,
+	},
 	{
 		name:   "View",
 		schema: resources.View().Schema,

pkg/acceptance/bettertestspoc/assert/resourceassert/legacy_service_user_resource_ext.go

@@ -0,0 +1,22 @@
+package resourceassert
+
+import (
+	"strconv"
+
+	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/acceptance/bettertestspoc/assert"
+	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk"
+)
+
+func (u *LegacyServiceUserResourceAssert) HasDisabled(expected bool) *LegacyServiceUserResourceAssert {
+	u.AddAssertion(assert.ValueSet("disabled", strconv.FormatBool(expected)))
+	return u
+}
+
+func (u *LegacyServiceUserResourceAssert) HasMustChangePassword(expected bool) *LegacyServiceUserResourceAssert {
+	u.AddAssertion(assert.ValueSet("must_change_password", strconv.FormatBool(expected)))
+	return u
+}
+
+func (u *LegacyServiceUserResourceAssert) HasDefaultSecondaryRolesOption(expected sdk.SecondaryRolesOption) *LegacyServiceUserResourceAssert {
+	return u.HasDefaultSecondaryRolesOptionString(string(expected))
+}