feat: Secret resource (#3110)
<!-- Feel free to delete comments as you fill this in -->
## Changes
- add `snowflake_secret_with_client_credentials` resource
- add `snowflake_secret_with_authorization_code_grant` resource
- add `snowflake_secret_with_basic_authentication` resource
- add `snowflake_secret_with_generic_string` resource
- fix parsing oauth_scopes list with `ParseCommaSeparatedStringArray()`
<!-- summary of changes -->

## Test Plan
<!-- detail ways in which this PR has been tested or needs to be tested
-->
* [x] acceptance tests
<!-- add more below if you think they are relevant -->

## References
<!-- issues documentation links, etc  -->
https://docs.snowflake.com/en/sql-reference/sql/create-secret

## TODO
- datasource
- tests for externally changed secret type
sfc-gh-fbudzynski authored Oct 17, 2024
1 parent ca90fde commit 16a812d
Showing 48 changed files with 3,846 additions and 21 deletions.
14 changes: 14 additions & 0 deletions MIGRATION_GUIDE.md
@@ -7,6 +7,20 @@ across different versions.
> [!TIP]
> We highly recommend upgrading the versions one by one instead of bulk upgrades.
## v0.97.0 ➞ v0.98.0

### *(new feature)* Secret resources
Added a new secrets resources for managing secrets.
We decided to split each secret flow into individual resources.
This segregation was based on the secret flows in CREATE SECRET. i.e.:
- `snowflake_secret_with_client_credentials`
- `snowflake_secret_with_authorization_code_grant`
- `snowflake_secret_with_basic_authentication`
- `snowflake_secret_with_generic_string`


See reference [docs](https://docs.snowflake.com/en/sql-reference/sql/create-secret).

## v0.96.0 ➞ v0.97.0

### *(new feature)* snowflake_stream_on_table, snowflake_stream_on_external_table resource
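Review bot: the new-feature paragraph has grammar slips that will be copied verbatim into release notes: "Added a new secrets resources for managing secrets." should read "Added new secret resources for managing secrets.", and "based on the secret flows in CREATE SECRET. i.e.:" should be "based on the secret flows in `CREATE SECRET`, i.e.:" (backticks as the guide uses for the resource names in the list that follows); there is also a stray double blank line before "See reference". Since all four resources hold credentials, this guide entry is the natural place to say that the sensitive inputs (password, refresh token) are written to Terraform state and, per the resource docs, external changes to them are not detected, so readers can plan state-backend protection before adopting.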
104 changes: 104 additions & 0 deletions docs/resources/secret_with_authorization_code_grant.md
@@ -0,0 +1,104 @@
---
page_title: "snowflake_secret_with_authorization_code_grant Resource - terraform-provider-snowflake"
subcategory: ""
description: |-
Resource used to manage secret objects with OAuth Authorization Code Grant. For more information, check secret documentation https://docs.snowflake.com/en/sql-reference/sql/create-secret.
---

!> **V1 release candidate** This resource is a release candidate for the V1. It is on the list of remaining GA objects for V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0970--v0980) to use it.

# snowflake_secret_with_authorization_code_grant (Resource)

Resource used to manage secret objects with OAuth Authorization Code Grant. For more information, check [secret documentation](https://docs.snowflake.com/en/sql-reference/sql/create-secret).

## Example Usage

```terraform
# basic resource
resource "snowflake_secret_with_authorization_code_grant" "test" {
name = "EXAMPLE_SECRET"
database = "EXAMPLE_DB"
schema = "EXAMPLE_SCHEMA"
api_authentication = "EXAMPLE_SECURITY_INTEGRATION_NAME"
oauth_refresh_token = "EXAMPLE_TOKEN"
oauth_refresh_token_expiry_time = "2025-01-02 15:04:01"
}
# resource with all fields set
resource "snowflake_secret_with_authorization_code_grant" "test" {
name = "EXAMPLE_SECRET"
database = "EXAMPLE_DB"
schema = "EXAMPLE_SCHEMA"
api_authentication = "EXAMPLE_SECURITY_INTEGRATION_NAME"
oauth_refresh_token = "EXAMPLE_TOKEN"
oauth_refresh_token_expiry_time = "2025-01-02 15:04:01"
comment = "EXAMPLE_COMMENT"
}
```
-> **Note** Instead of using fully_qualified_name, you can reference objects managed outside Terraform by constructing a correct ID, consult [identifiers guide](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/guides/identifiers#new-computed-fully-qualified-name-field-in-resources).
<!-- TODO(SNOW-1634854): include an example showing both methods-->

<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `api_authentication` (String) Specifies the name value of the Snowflake security integration that connects Snowflake to an external service.
- `database` (String) The database in which to create the secret Due to technical limitations (read more [here](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/identifiers_rework_design_decisions.md#known-limitations-and-identifier-recommendations)), avoid using the following characters: `|`, `.`, `(`, `)`, `"`
- `name` (String) String that specifies the identifier (i.e. name) for the secret, must be unique in your schema. Due to technical limitations (read more [here](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/identifiers_rework_design_decisions.md#known-limitations-and-identifier-recommendations)), avoid using the following characters: `|`, `.`, `(`, `)`, `"`
- `oauth_refresh_token` (String, Sensitive) Specifies the token as a string that is used to obtain a new access token from the OAuth authorization server when the access token expires. External changes for this field won't be detected. In case you want to apply external changes, you can re-create the resource manually using "terraform taint".
- `oauth_refresh_token_expiry_time` (String) Specifies the timestamp as a string when the OAuth refresh token expires. Accepted string formats: YYYY-MM-DD, YYYY-MM-DD HH:MI, YYYY-MM-DD HH:MI:SS, YYYY-MM-DD HH:MI <timezone>
- `schema` (String) The schema in which to create the secret. Due to technical limitations (read more [here](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/identifiers_rework_design_decisions.md#known-limitations-and-identifier-recommendations)), avoid using the following characters: `|`, `.`, `(`, `)`, `"`

### Optional

- `comment` (String) Specifies a comment for the secret.

### Read-Only

- `describe_output` (List of Object) Outputs the result of `DESCRIBE SECRET` for the given secret. (see [below for nested schema](#nestedatt--describe_output))
- `fully_qualified_name` (String) Fully qualified name of the resource. For more information, see [object name resolution](https://docs.snowflake.com/en/sql-reference/name-resolution).
- `id` (String) The ID of this resource.
- `show_output` (List of Object) Outputs the result of `SHOW SECRETS` for the given secret. (see [below for nested schema](#nestedatt--show_output))

<a id="nestedatt--describe_output"></a>
### Nested Schema for `describe_output`

Read-Only:

- `comment` (String)
- `created_on` (String)
- `database_name` (String)
- `integration_name` (String)
- `name` (String)
- `oauth_access_token_expiry_time` (String)
- `oauth_refresh_token_expiry_time` (String)
- `oauth_scopes` (Set of String)
- `owner` (String)
- `schema_name` (String)
- `secret_type` (String)
- `username` (String)


<a id="nestedatt--show_output"></a>
### Nested Schema for `show_output`

Read-Only:

- `comment` (String)
- `created_on` (String)
- `database_name` (String)
- `name` (String)
- `oauth_scopes` (Set of String)
- `owner` (String)
- `owner_role_type` (String)
- `schema_name` (String)
- `secret_type` (String)

## Import

Import is supported using the following syntax:

```shell
terraform import snowflake_secret_with_authorization_code_grant.example '"<database_name>"."<schema_name>"."<secret_name>"'
```
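Review bot: the Example Usage block hardcodes `oauth_refresh_token = "EXAMPLE_TOKEN"` as a literal, and the schema marks the field Sensitive with "External changes for this field won't be detected". Sensitive only redacts plan output; the token is still written in clear to the state file, and a literal in the .tf file also lands in version control. Suggest the example read the value from a `variable` declared with `sensitive = true` (for example `oauth_refresh_token = var.oauth_refresh_token`) and that the field description mention the state exposure alongside the `terraform taint` advice. Minor: the `database` description is missing the period before "Due to technical limitations" (the `schema` entry has it), and the two example resources share the address `snowflake_secret_with_authorization_code_grant.test`, so the block does not apply as one configuration.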
101 changes: 101 additions & 0 deletions docs/resources/secret_with_basic_authentication.md
@@ -0,0 +1,101 @@
---
page_title: "snowflake_secret_with_basic_authentication Resource - terraform-provider-snowflake"
subcategory: ""
description: |-
Resource used to manage secret objects with Basic Authentication. For more information, check secret documentation https://docs.snowflake.com/en/sql-reference/sql/create-secret.
---

!> **V1 release candidate** This resource is a release candidate for the V1. It is on the list of remaining GA objects for V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0970--v0980) to use it.

# snowflake_secret_with_basic_authentication (Resource)

Resource used to manage secret objects with Basic Authentication. For more information, check [secret documentation](https://docs.snowflake.com/en/sql-reference/sql/create-secret).

## Example Usage

```terraform
# basic resource
resource "snowflake_secret_with_basic_authentication" "test" {
name = "EXAMPLE_SECRET"
database = "EXAMPLE_DB"
schema = "EXAMPLE_SCHEMA"
username = "EXAMPLE_USERNAME"
password = "EXAMPLE_PASSWORD"
}
# resource with all fields set
resource "snowflake_secret_with_basic_authentication" "test" {
name = "EXAMPLE_SECRET"
database = "EXAMPLE_DB"
schema = "EXAMPLE_SCHEMA"
username = "EXAMPLE_USERNAME"
password = "EXAMPLE_PASSWORD"
comment = "EXAMPLE_COMMENT"
}
```
-> **Note** Instead of using fully_qualified_name, you can reference objects managed outside Terraform by constructing a correct ID, consult [identifiers guide](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/guides/identifiers#new-computed-fully-qualified-name-field-in-resources).
<!-- TODO(SNOW-1634854): include an example showing both methods-->

<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `database` (String) The database in which to create the secret Due to technical limitations (read more [here](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/identifiers_rework_design_decisions.md#known-limitations-and-identifier-recommendations)), avoid using the following characters: `|`, `.`, `(`, `)`, `"`
- `name` (String) String that specifies the identifier (i.e. name) for the secret, must be unique in your schema. Due to technical limitations (read more [here](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/identifiers_rework_design_decisions.md#known-limitations-and-identifier-recommendations)), avoid using the following characters: `|`, `.`, `(`, `)`, `"`
- `password` (String, Sensitive) Specifies the password value to store in the secret. External changes for this field won't be detected. In case you want to apply external changes, you can re-create the resource manually using "terraform taint".
- `schema` (String) The schema in which to create the secret. Due to technical limitations (read more [here](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/identifiers_rework_design_decisions.md#known-limitations-and-identifier-recommendations)), avoid using the following characters: `|`, `.`, `(`, `)`, `"`
- `username` (String, Sensitive) Specifies the username value to store in the secret.

### Optional

- `comment` (String) Specifies a comment for the secret.

### Read-Only

- `describe_output` (List of Object) Outputs the result of `DESCRIBE SECRET` for the given secret. (see [below for nested schema](#nestedatt--describe_output))
- `fully_qualified_name` (String) Fully qualified name of the resource. For more information, see [object name resolution](https://docs.snowflake.com/en/sql-reference/name-resolution).
- `id` (String) The ID of this resource.
- `show_output` (List of Object) Outputs the result of `SHOW SECRETS` for the given secret. (see [below for nested schema](#nestedatt--show_output))

<a id="nestedatt--describe_output"></a>
### Nested Schema for `describe_output`

Read-Only:

- `comment` (String)
- `created_on` (String)
- `database_name` (String)
- `integration_name` (String)
- `name` (String)
- `oauth_access_token_expiry_time` (String)
- `oauth_refresh_token_expiry_time` (String)
- `oauth_scopes` (Set of String)
- `owner` (String)
- `schema_name` (String)
- `secret_type` (String)
- `username` (String)


<a id="nestedatt--show_output"></a>
### Nested Schema for `show_output`

Read-Only:

- `comment` (String)
- `created_on` (String)
- `database_name` (String)
- `name` (String)
- `oauth_scopes` (Set of String)
- `owner` (String)
- `owner_role_type` (String)
- `schema_name` (String)
- `secret_type` (String)

## Import

Import is supported using the following syntax:

```shell
terraform import snowflake_secret_with_basic_authentication.example '"<database_name>"."<schema_name>"."<secret_name>"'
```
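Review bot: `username` is marked Sensitive as an input, but the same value is surfaced unredacted through `describe_output.username` in the nested Read-Only schema, so the flag hides it for the argument and then shows it in the computed block. Either mark the nested `username` attribute sensitive as well, or drop Sensitive on the input and document that the username is visible in `DESCRIBE SECRET` output; as written the docs promise more than the resource delivers. The `password` entry correctly says external changes are not detected; it is worth adding that `username` changes, by contrast, are at least visible in `describe_output`, since that is what a reader deciding whether to taint needs to know. Same nits as the sibling resource: a literal `password = "EXAMPLE_PASSWORD"` in the example rather than a sensitive variable, a missing period in the `database` description, and two example resources at the same address `snowflake_secret_with_basic_authentication.test`.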
101 changes: 101 additions & 0 deletions docs/resources/secret_with_client_credentials.md
@@ -0,0 +1,101 @@
---
page_title: "snowflake_secret_with_client_credentials Resource - terraform-provider-snowflake"
subcategory: ""
description: |-
Resource used to manage secret objects with OAuth Client Credentials. For more information, check secret documentation https://docs.snowflake.com/en/sql-reference/sql/create-secret.
---

!> **V1 release candidate** This resource is a release candidate for the V1. It is on the list of remaining GA objects for V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0970--v0980) to use it.

# snowflake_secret_with_client_credentials (Resource)

Resource used to manage secret objects with OAuth Client Credentials. For more information, check [secret documentation](https://docs.snowflake.com/en/sql-reference/sql/create-secret).

## Example Usage

```terraform
# basic resource
resource "snowflake_secret_with_client_credentials" "test" {
name = "EXAMPLE_SECRET"
database = "EXAMPLE_DB"
schema = "EXAMPLE_SCHEMA"
api_authentication = "EXAMPLE_SECURITY_INTEGRATION_NAME"
oauth_scopes = ["useraccount", "testscope"]
}
# resource with all fields set
resource "snowflake_secret_with_client_credentials" "test" {
name = "EXAMPLE_SECRET"
database = "EXAMPLE_DB"
schema = "EXAMPLE_SCHEMA"
api_authentication = "EXAMPLE_SECURITY_INTEGRATION_NAME"
oauth_scopes = ["useraccount", "testscope"]
comment = "EXAMPLE_COMMENT"
}
```
-> **Note** Instead of using fully_qualified_name, you can reference objects managed outside Terraform by constructing a correct ID, consult [identifiers guide](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/guides/identifiers#new-computed-fully-qualified-name-field-in-resources).
<!-- TODO(SNOW-1634854): include an example showing both methods-->

<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `api_authentication` (String) Specifies the name value of the Snowflake security integration that connects Snowflake to an external service.
- `database` (String) The database in which to create the secret Due to technical limitations (read more [here](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/identifiers_rework_design_decisions.md#known-limitations-and-identifier-recommendations)), avoid using the following characters: `|`, `.`, `(`, `)`, `"`
- `name` (String) String that specifies the identifier (i.e. name) for the secret, must be unique in your schema. Due to technical limitations (read more [here](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/identifiers_rework_design_decisions.md#known-limitations-and-identifier-recommendations)), avoid using the following characters: `|`, `.`, `(`, `)`, `"`
- `oauth_scopes` (Set of String) Specifies a list of scopes to use when making a request from the OAuth server by a role with USAGE on the integration during the OAuth client credentials flow.
- `schema` (String) The schema in which to create the secret. Due to technical limitations (read more [here](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/identifiers_rework_design_decisions.md#known-limitations-and-identifier-recommendations)), avoid using the following characters: `|`, `.`, `(`, `)`, `"`

### Optional

- `comment` (String) Specifies a comment for the secret.

### Read-Only

- `describe_output` (List of Object) Outputs the result of `DESCRIBE SECRET` for the given secret. (see [below for nested schema](#nestedatt--describe_output))
- `fully_qualified_name` (String) Fully qualified name of the resource. For more information, see [object name resolution](https://docs.snowflake.com/en/sql-reference/name-resolution).
- `id` (String) The ID of this resource.
- `show_output` (List of Object) Outputs the result of `SHOW SECRETS` for the given secret. (see [below for nested schema](#nestedatt--show_output))

<a id="nestedatt--describe_output"></a>
### Nested Schema for `describe_output`

Read-Only:

- `comment` (String)
- `created_on` (String)
- `database_name` (String)
- `integration_name` (String)
- `name` (String)
- `oauth_access_token_expiry_time` (String)
- `oauth_refresh_token_expiry_time` (String)
- `oauth_scopes` (Set of String)
- `owner` (String)
- `schema_name` (String)
- `secret_type` (String)
- `username` (String)


<a id="nestedatt--show_output"></a>
### Nested Schema for `show_output`

Read-Only:

- `comment` (String)
- `created_on` (String)
- `database_name` (String)
- `name` (String)
- `oauth_scopes` (Set of String)
- `owner` (String)
- `owner_role_type` (String)
- `schema_name` (String)
- `secret_type` (String)

## Import

Import is supported using the following syntax:

```shell
terraform import snowflake_secret_with_client_credentials.example '"<database_name>"."<schema_name>"."<secret_name>"'
```
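Review bot: `oauth_scopes` is typed Set of String and, per the commit message, is read back with `ParseCommaSeparatedStringArray()`; a scope value that itself contains a comma, or carries leading or trailing whitespace, would be split or mis-trimmed on read and produce a permanent diff against the configured set. The description should state the assumption that scope names contain no commas, and the acceptance tests should cover a scope with surrounding whitespace and one URL-style scope name so the round trip is proven rather than assumed. The description "Specifies a list of scopes to use when making a request from the OAuth server by a role with USAGE on the integration during the OAuth client credentials flow." also reads awkwardly; suggest "Specifies the scopes that a role with USAGE on the integration requests from the OAuth server during the client credentials flow." Same nits as the sibling resources: missing period in the `database` description and two example resources at the same address `snowflake_secret_with_client_credentials.test`.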