From 771a9dab74fc39cfaae47fb49a2dccfcca16e2b9 Mon Sep 17 00:00:00 2001 From: Jakub Michalak Date: Fri, 19 Jul 2024 15:57:31 +0200 Subject: [PATCH] Fix sync password --- ...tegration_with_authorization_code_grant.md | 4 +- ...ion_integration_with_client_credentials.md | 4 +- ...hentication_integration_with_jwt_bearer.md | 4 +- docs/resources/external_oauth_integration.md | 4 +- .../oauth_integration_for_custom_clients.md | 8 +- ...th_integration_for_partner_applications.md | 8 +- docs/resources/saml2_integration.md | 8 +- docs/resources/scim_integration.md | 10 +- ...tegration_with_authorization_code_grant.go | 2 + ...ion_integration_with_client_credentials.go | 4 +- ...hentication_integration_with_jwt_bearer.go | 4 +- pkg/resources/doc_helpers.go | 2 +- pkg/resources/external_oauth_integration.go | 5 +- .../oauth_integration_for_custom_clients.go | 5 +- ...th_integration_for_partner_applications.go | 5 +- pkg/resources/saml2_integration.go | 5 +- pkg/resources/scim_integration.go | 72 +++++++-- .../scim_integration_acceptance_test.go | 142 ++++++++++++++++-- .../scim_integration_state_upgraders.go | 15 ++ 19 files changed, 250 insertions(+), 61 deletions(-) diff --git a/docs/resources/api_authentication_integration_with_authorization_code_grant.md b/docs/resources/api_authentication_integration_with_authorization_code_grant.md index d011430f6a0..ea13b5071ac 100644 --- a/docs/resources/api_authentication_integration_with_authorization_code_grant.md +++ b/docs/resources/api_authentication_integration_with_authorization_code_grant.md @@ -2,14 +2,14 @@ page_title: "snowflake_api_authentication_integration_with_authorization_code_grant Resource - terraform-provider-snowflake" subcategory: "" description: |- - + Resource used to manage api authentication security integration objects with authorization code grant. For more information, check security integrations documentation https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-api-auth. --- !> **V1 release candidate** This resource was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0920--v0930) to use it. # snowflake_api_authentication_integration_with_authorization_code_grant (Resource) - +Resource used to manage api authentication security integration objects with authorization code grant. For more information, check [security integrations documentation](https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-api-auth). ## Example Usage diff --git a/docs/resources/api_authentication_integration_with_client_credentials.md b/docs/resources/api_authentication_integration_with_client_credentials.md index cb6a466a94e..00ae798573f 100644 --- a/docs/resources/api_authentication_integration_with_client_credentials.md +++ b/docs/resources/api_authentication_integration_with_client_credentials.md @@ -2,14 +2,14 @@ page_title: "snowflake_api_authentication_integration_with_client_credentials Resource - terraform-provider-snowflake" subcategory: "" description: |- - + Resource used to manage api authentication security integration objects with client credentials. For more information, check security integrations documentation https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-api-auth. --- !> **V1 release candidate** This resource was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0920--v0930) to use it. # snowflake_api_authentication_integration_with_client_credentials (Resource) - +Resource used to manage api authentication security integration objects with client credentials. For more information, check [security integrations documentation](https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-api-auth). ## Example Usage diff --git a/docs/resources/api_authentication_integration_with_jwt_bearer.md b/docs/resources/api_authentication_integration_with_jwt_bearer.md index be734aab195..b58db4dd9f8 100644 --- a/docs/resources/api_authentication_integration_with_jwt_bearer.md +++ b/docs/resources/api_authentication_integration_with_jwt_bearer.md @@ -2,14 +2,14 @@ page_title: "snowflake_api_authentication_integration_with_jwt_bearer Resource - terraform-provider-snowflake" subcategory: "" description: |- - + Resource used to manage api authentication security integration objects with jwt bearer. For more information, check security integrations documentation https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-api-auth. --- !> **V1 release candidate** This resource was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0920--v0930) to use it. # snowflake_api_authentication_integration_with_jwt_bearer (Resource) - +Resource used to manage api authentication security integration objects with jwt bearer. For more information, check [security integrations documentation](https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-api-auth). ## Example Usage diff --git a/docs/resources/external_oauth_integration.md b/docs/resources/external_oauth_integration.md index bb4bf25f1fe..616a6c71a66 100644 --- a/docs/resources/external_oauth_integration.md +++ b/docs/resources/external_oauth_integration.md @@ -2,14 +2,14 @@ page_title: "snowflake_external_oauth_integration Resource - terraform-provider-snowflake" subcategory: "" description: |- - Resource used to manage external oauth security integrations. For more information, check documentation https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-oauth-external. + Resource used to manage external oauth security integration objects. For more information, check security integrations documentation https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-oauth-external. --- !> **V1 release candidate** This resource was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0920--v0930) to use it. # snowflake_external_oauth_integration (Resource) -Resource used to manage external oauth security integrations. For more information, check [documentation](https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-oauth-external). +Resource used to manage external oauth security integration objects. For more information, check [security integrations documentation](https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-oauth-external). ## Example Usage diff --git a/docs/resources/oauth_integration_for_custom_clients.md b/docs/resources/oauth_integration_for_custom_clients.md index 020b62a8296..857fed4f11f 100644 --- a/docs/resources/oauth_integration_for_custom_clients.md +++ b/docs/resources/oauth_integration_for_custom_clients.md @@ -2,14 +2,14 @@ page_title: "snowflake_oauth_integration_for_custom_clients Resource - terraform-provider-snowflake" subcategory: "" description: |- - + Resource used to manage oauth security integration for custom clients objects. For more information, check security integrations documentation https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-oauth-snowflake. --- !> **V1 release candidate** This resource was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0920--v0930) to use it. # snowflake_oauth_integration_for_custom_clients (Resource) - +Resource used to manage oauth security integration for custom clients objects. For more information, check [security integrations documentation](https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-oauth-snowflake). ## Example Usage @@ -49,7 +49,7 @@ resource "snowflake_oauth_integration_for_custom_clients" "complete" { - `blocked_roles_list` (Set of String) A set of Snowflake roles that a user cannot explicitly consent to using after authenticating. - `name` (String) Specifies the name of the OAuth integration. This name follows the rules for Object Identifiers. The name should be unique among security integrations in your account. -- `oauth_client_type` (String) Specifies the type of client being registered. Snowflake supports both confidential and public clients. Valid options are: [PUBLIC CONFIDENTIAL] +- `oauth_client_type` (String) Specifies the type of client being registered. Snowflake supports both confidential and public clients. Valid options are: `PUBLIC` | `CONFIDENTIAL`. - `oauth_redirect_uri` (String) Specifies the client URI. After a user is authenticated, the web browser is redirected to this URI. ### Optional @@ -63,7 +63,7 @@ resource "snowflake_oauth_integration_for_custom_clients" "complete" { - `oauth_enforce_pkce` (String) Boolean that specifies whether Proof Key for Code Exchange (PKCE) should be required for the integration. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value. - `oauth_issue_refresh_tokens` (String) Specifies whether to allow the client to exchange a refresh token for an access token when the current access token has expired. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value. - `oauth_refresh_token_validity` (Number) Specifies how long refresh tokens should be valid (in seconds). OAUTH_ISSUE_REFRESH_TOKENS must be set to TRUE. -- `oauth_use_secondary_roles` (String) Specifies whether default secondary roles set in the user properties are activated by default in the session being opened. Valid options are: [IMPLICIT NONE] +- `oauth_use_secondary_roles` (String) Specifies whether default secondary roles set in the user properties are activated by default in the session being opened. Valid options are: `IMPLICIT` | `NONE`. - `pre_authorized_roles_list` (Set of String) A set of Snowflake roles that a user does not need to explicitly consent to using after authenticating. ### Read-Only diff --git a/docs/resources/oauth_integration_for_partner_applications.md b/docs/resources/oauth_integration_for_partner_applications.md index cc772195cd5..9ebac00ebeb 100644 --- a/docs/resources/oauth_integration_for_partner_applications.md +++ b/docs/resources/oauth_integration_for_partner_applications.md @@ -2,14 +2,14 @@ page_title: "snowflake_oauth_integration_for_partner_applications Resource - terraform-provider-snowflake" subcategory: "" description: |- - + Resource used to manage oauth security integration for partner applications objects. For more information, check security integrations documentation https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-oauth-snowflake. --- !> **V1 release candidate** This resource was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0920--v0930) to use it. # snowflake_oauth_integration_for_partner_applications (Resource) - +Resource used to manage oauth security integration for partner applications objects. For more information, check [security integrations documentation](https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-oauth-snowflake). ## Example Usage @@ -42,7 +42,7 @@ resource "snowflake_oauth_integration_for_partner_applications" "test" { - `blocked_roles_list` (Set of String) A set of Snowflake roles that a user cannot explicitly consent to using after authenticating. - `name` (String) Specifies the name of the OAuth integration. This name follows the rules for Object Identifiers. The name should be unique among security integrations in your account. -- `oauth_client` (String) Creates an OAuth interface between Snowflake and a partner application. Valid options are: [LOOKER TABLEAU_DESKTOP TABLEAU_SERVER] +- `oauth_client` (String) Creates an OAuth interface between Snowflake and a partner application. Valid options are: `LOOKER` | `TABLEAU_DESKTOP` | `TABLEAU_SERVER`. ### Optional @@ -51,7 +51,7 @@ resource "snowflake_oauth_integration_for_partner_applications" "test" { - `oauth_issue_refresh_tokens` (String) Specifies whether to allow the client to exchange a refresh token for an access token when the current access token has expired. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value. - `oauth_redirect_uri` (String) Specifies the client URI. After a user is authenticated, the web browser is redirected to this URI. The field should be only set when OAUTH_CLIENT = LOOKER. In any other case the field should be left out empty. External changes for this field won't be detected. In case you want to apply external changes, you can re-create the resource manually using "terraform taint". - `oauth_refresh_token_validity` (Number) Specifies how long refresh tokens should be valid (in seconds). OAUTH_ISSUE_REFRESH_TOKENS must be set to TRUE. -- `oauth_use_secondary_roles` (String) Specifies whether default secondary roles set in the user properties are activated by default in the session being opened. Valid options are: [IMPLICIT NONE] +- `oauth_use_secondary_roles` (String) Specifies whether default secondary roles set in the user properties are activated by default in the session being opened. Valid options are: `IMPLICIT` | `NONE`. ### Read-Only diff --git a/docs/resources/saml2_integration.md b/docs/resources/saml2_integration.md index 7f3456d1249..fc9c4d91241 100644 --- a/docs/resources/saml2_integration.md +++ b/docs/resources/saml2_integration.md @@ -2,14 +2,14 @@ page_title: "snowflake_saml2_integration Resource - terraform-provider-snowflake" subcategory: "" description: |- - + Resource used to manage saml2 security integration objects. For more information, check security integrations documentation https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-saml2. --- !> **V1 release candidate** This resource was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0920--v0930) to use it. # snowflake_saml2_integration (Resource) - +Resource used to manage saml2 security integration objects. For more information, check [security integrations documentation](https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-saml2). ## Example Usage @@ -53,7 +53,7 @@ resource "snowflake_saml2_integration" "test" { - `name` (String) Specifies the name of the SAML2 integration. This name follows the rules for Object Identifiers. The name should be unique among security integrations in your account. - `saml2_issuer` (String) The string containing the IdP EntityID / Issuer. -- `saml2_provider` (String) The string describing the IdP. Valid options are: [OKTA ADFS CUSTOM]. +- `saml2_provider` (String) The string describing the IdP. Valid options are: `OKTA` | `ADFS` | `CUSTOM`. - `saml2_sso_url` (String) The string containing the IdP SSO URL, where the user should be redirected by Snowflake (the Service Provider) with a SAML AuthnRequest message. - `saml2_x509_cert` (String) The Base64 encoded IdP signing certificate on a single line without the leading -----BEGIN CERTIFICATE----- and ending -----END CERTIFICATE----- markers. @@ -66,7 +66,7 @@ resource "snowflake_saml2_integration" "test" { - `saml2_enable_sp_initiated` (String) The Boolean indicating if the Log In With button will be shown on the login page. TRUE: displays the Log in With button on the login page. FALSE: does not display the Log in With button on the login page. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value. - `saml2_force_authn` (String) The Boolean indicating whether users, during the initial authentication flow, are forced to authenticate again to access Snowflake. When set to TRUE, Snowflake sets the ForceAuthn SAML parameter to TRUE in the outgoing request from Snowflake to the identity provider. TRUE: forces users to authenticate again to access Snowflake, even if a valid session with the identity provider exists. FALSE: does not force users to authenticate again to access Snowflake. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value. - `saml2_post_logout_redirect_url` (String) The endpoint to which Snowflake redirects users after clicking the Log Out button in the classic Snowflake web interface. Snowflake terminates the Snowflake session upon redirecting to the specified endpoint. -- `saml2_requested_nameid_format` (String) The SAML NameID format allows Snowflake to set an expectation of the identifying attribute of the user (i.e. SAML Subject) in the SAML assertion from the IdP to ensure a valid authentication to Snowflake. Valid options are: [urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos urn:oasis:names:tc:SAML:2.0:nameid-format:persistent urn:oasis:names:tc:SAML:2.0:nameid-format:transient] +- `saml2_requested_nameid_format` (String) The SAML NameID format allows Snowflake to set an expectation of the identifying attribute of the user (i.e. SAML Subject) in the SAML assertion from the IdP to ensure a valid authentication to Snowflake. Valid options are: `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` | `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` | `urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName` | `urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName` | `urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos` | `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` | `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`. - `saml2_sign_request` (String) The Boolean indicating whether SAML requests are signed. TRUE: allows SAML requests to be signed. FALSE: does not allow SAML requests to be signed. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value. - `saml2_snowflake_acs_url` (String) The string containing the Snowflake Assertion Consumer Service URL to which the IdP will send its SAML authentication response back to Snowflake. This property will be set in the SAML authentication request generated by Snowflake when initiating a SAML SSO operation with the IdP. If an incorrect value is specified, Snowflake returns an error message indicating the acceptable values to use. - `saml2_snowflake_issuer_url` (String) The string containing the EntityID / Issuer for the Snowflake service provider. If an incorrect value is specified, Snowflake returns an error message indicating the acceptable values to use. diff --git a/docs/resources/scim_integration.md b/docs/resources/scim_integration.md index 43278d71f0e..bfa47bf5377 100644 --- a/docs/resources/scim_integration.md +++ b/docs/resources/scim_integration.md @@ -2,14 +2,14 @@ page_title: "snowflake_scim_integration Resource - terraform-provider-snowflake" subcategory: "" description: |- - + Resource used to manage scim security integration objects. For more information, check security integrations documentation https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-scim. --- !> **V1 release candidate** This resource was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0920--v0930) to use it. # snowflake_scim_integration (Resource) - +Resource used to manage scim security integration objects. For more information, check [security integrations documentation](https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-scim). ## Example Usage @@ -40,14 +40,14 @@ resource "snowflake_scim_integration" "test" { - `enabled` (Boolean) Specify whether the security integration is enabled. - `name` (String) String that specifies the identifier (i.e. name) for the integration; must be unique in your account. -- `run_as_role` (String) Specify the SCIM role in Snowflake that owns any users and roles that are imported from the identity provider into Snowflake using SCIM. Provider assumes that the specified role is already provided. Valid options are: [OKTA_PROVISIONER AAD_PROVISIONER GENERIC_SCIM_PROVISIONER]. -- `scim_client` (String) Specifies the client type for the scim integration. Valid options are: [OKTA AZURE GENERIC]. +- `run_as_role` (String) Specify the SCIM role in Snowflake that owns any users and roles that are imported from the identity provider into Snowflake using SCIM. Provider assumes that the specified role is already provided. Valid options are: `OKTA_PROVISIONER` | `AAD_PROVISIONER` | `GENERIC_SCIM_PROVISIONER`. +- `scim_client` (String) Specifies the client type for the scim integration. Valid options are: `OKTA` | `AZURE` | `GENERIC`. ### Optional - `comment` (String) Specifies a comment for the integration. - `network_policy` (String) Specifies an existing network policy that controls SCIM network traffic. -- `sync_password` (String) Specifies whether to enable or disable the synchronization of a user password from an Okta SCIM client as part of the API request to Snowflake. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value. +- `sync_password` (String) Specifies whether to enable or disable the synchronization of a user password from an Okta SCIM client as part of the API request to Snowflake. This property is not supported for Azure SCIM. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value. ### Read-Only diff --git a/pkg/resources/api_authentication_integration_with_authorization_code_grant.go b/pkg/resources/api_authentication_integration_with_authorization_code_grant.go index 9f320e33c51..9c8b0cc03fd 100644 --- a/pkg/resources/api_authentication_integration_with_authorization_code_grant.go +++ b/pkg/resources/api_authentication_integration_with_authorization_code_grant.go @@ -40,6 +40,8 @@ func ApiAuthenticationIntegrationWithAuthorizationCodeGrant() *schema.Resource { ReadContext: ReadContextApiAuthenticationIntegrationWithAuthorizationCodeGrant(true), UpdateContext: UpdateContextApiAuthenticationIntegrationWithAuthorizationCodeGrant, DeleteContext: DeleteContextApiAuthenticationIntegrationWithAuthorizationCodeGrant, + Description: "Resource used to manage api authentication security integration objects with authorization code grant. For more information, check [security integrations documentation](https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-api-auth).", + CustomizeDiff: customdiff.All( ForceNewIfChangeToEmptyString("oauth_token_endpoint"), ForceNewIfChangeToEmptyString("oauth_authorization_endpoint"), diff --git a/pkg/resources/api_authentication_integration_with_client_credentials.go b/pkg/resources/api_authentication_integration_with_client_credentials.go index 40e3736f7f8..45e25ca0cd8 100644 --- a/pkg/resources/api_authentication_integration_with_client_credentials.go +++ b/pkg/resources/api_authentication_integration_with_client_credentials.go @@ -35,7 +35,9 @@ func ApiAuthenticationIntegrationWithClientCredentials() *schema.Resource { ReadContext: ReadContextApiAuthenticationIntegrationWithClientCredentials(true), UpdateContext: UpdateContextApiAuthenticationIntegrationWithClientCredentials, DeleteContext: DeleteContextApiAuthenticationIntegrationWithClientCredentials, - Schema: apiAuthClientCredentialsSchema, + Description: "Resource used to manage api authentication security integration objects with client credentials. For more information, check [security integrations documentation](https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-api-auth).", + + Schema: apiAuthClientCredentialsSchema, CustomizeDiff: customdiff.All( ForceNewIfChangeToEmptyString("oauth_token_endpoint"), ForceNewIfChangeToEmptyString("oauth_client_auth_method"), diff --git a/pkg/resources/api_authentication_integration_with_jwt_bearer.go b/pkg/resources/api_authentication_integration_with_jwt_bearer.go index 73252185d56..df54815f894 100644 --- a/pkg/resources/api_authentication_integration_with_jwt_bearer.go +++ b/pkg/resources/api_authentication_integration_with_jwt_bearer.go @@ -38,7 +38,9 @@ func ApiAuthenticationIntegrationWithJwtBearer() *schema.Resource { ReadContext: ReadContextApiAuthenticationIntegrationWithJwtBearer(true), UpdateContext: UpdateContextApiAuthenticationIntegrationWithJwtBearer, DeleteContext: DeleteContextApiAuthenticationIntegrationWithJwtBearer, - Schema: apiAuthJwtBearerSchema, + Description: "Resource used to manage api authentication security integration objects with jwt bearer. For more information, check [security integrations documentation](https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-api-auth).", + + Schema: apiAuthJwtBearerSchema, CustomizeDiff: customdiff.All( ForceNewIfChangeToEmptyString("oauth_token_endpoint"), ForceNewIfChangeToEmptyString("oauth_authorization_endpoint"), diff --git a/pkg/resources/doc_helpers.go b/pkg/resources/doc_helpers.go index eb966707d3f..020f70ce463 100644 --- a/pkg/resources/doc_helpers.go +++ b/pkg/resources/doc_helpers.go @@ -5,7 +5,7 @@ import ( "strings" ) -func possibleValuesListed(values []string) string { +func possibleValuesListed[T ~string](values []T) string { valuesWrapped := make([]string, len(values)) for i, value := range values { valuesWrapped[i] = fmt.Sprintf("`%s`", value) diff --git a/pkg/resources/external_oauth_integration.go b/pkg/resources/external_oauth_integration.go index 8e9804acdb1..2434dc284c6 100644 --- a/pkg/resources/external_oauth_integration.go +++ b/pkg/resources/external_oauth_integration.go @@ -157,7 +157,9 @@ func ExternalOauthIntegration() *schema.Resource { ReadContext: ReadContextExternalOauthIntegration(true), UpdateContext: UpdateContextExternalOauthIntegration, DeleteContext: DeleteContextExternalOauthIntegration, - Schema: oauthExternalIntegrationSchema, + Description: "Resource used to manage external oauth security integration objects. For more information, check [security integrations documentation](https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-oauth-external).", + + Schema: oauthExternalIntegrationSchema, CustomizeDiff: customdiff.All( ForceNewIfChangeToEmptyString("external_oauth_rsa_public_key"), ForceNewIfChangeToEmptyString("external_oauth_rsa_public_key_2"), @@ -173,7 +175,6 @@ func ExternalOauthIntegration() *schema.Resource { Importer: &schema.ResourceImporter{ StateContext: ImportExternalOauthIntegration, }, - Description: "Resource used to manage external oauth security integrations. For more information, check [documentation](https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-oauth-external).", StateUpgraders: []schema.StateUpgrader{ { diff --git a/pkg/resources/oauth_integration_for_custom_clients.go b/pkg/resources/oauth_integration_for_custom_clients.go index edd3aa9161b..c7b549f3a16 100644 --- a/pkg/resources/oauth_integration_for_custom_clients.go +++ b/pkg/resources/oauth_integration_for_custom_clients.go @@ -33,7 +33,7 @@ var oauthIntegrationForCustomClientsSchema = map[string]*schema.Schema{ ForceNew: true, ValidateDiagFunc: sdkValidation(sdk.ToOauthSecurityIntegrationClientTypeOption), DiffSuppressFunc: NormalizeAndCompare(sdk.ToOauthSecurityIntegrationClientTypeOption), - Description: fmt.Sprintf("Specifies the type of client being registered. Snowflake supports both confidential and public clients. Valid options are: %v", sdk.AllOauthSecurityIntegrationClientTypes), + Description: fmt.Sprintf("Specifies the type of client being registered. Snowflake supports both confidential and public clients. Valid options are: %v.", possibleValuesListed(sdk.AllOauthSecurityIntegrationClientTypes)), }, "oauth_redirect_uri": { Type: schema.TypeString, @@ -69,7 +69,7 @@ var oauthIntegrationForCustomClientsSchema = map[string]*schema.Schema{ Optional: true, ValidateDiagFunc: sdkValidation(sdk.ToOauthSecurityIntegrationUseSecondaryRolesOption), DiffSuppressFunc: NormalizeAndCompare(sdk.ToOauthSecurityIntegrationUseSecondaryRolesOption), - Description: fmt.Sprintf("Specifies whether default secondary roles set in the user properties are activated by default in the session being opened. Valid options are: %v", sdk.AllOauthSecurityIntegrationUseSecondaryRoles), + Description: fmt.Sprintf("Specifies whether default secondary roles set in the user properties are activated by default in the session being opened. Valid options are: %v.", possibleValuesListed(sdk.AllOauthSecurityIntegrationUseSecondaryRoles)), }, "pre_authorized_roles_list": { Type: schema.TypeSet, @@ -154,6 +154,7 @@ func OauthIntegrationForCustomClients() *schema.Resource { ReadContext: ReadContextOauthIntegrationForCustomClients(true), UpdateContext: UpdateContextOauthIntegrationForCustomClients, DeleteContext: DeleteContextOauthIntegrationForCustomClients, + Description: "Resource used to manage oauth security integration for custom clients objects. For more information, check [security integrations documentation](https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-oauth-snowflake).", CustomizeDiff: customdiff.All( ComputedIfAnyAttributeChanged( diff --git a/pkg/resources/oauth_integration_for_partner_applications.go b/pkg/resources/oauth_integration_for_partner_applications.go index b8299d9bf39..285e8b1b16a 100644 --- a/pkg/resources/oauth_integration_for_partner_applications.go +++ b/pkg/resources/oauth_integration_for_partner_applications.go @@ -32,7 +32,7 @@ var oauthIntegrationForPartnerApplicationsSchema = map[string]*schema.Schema{ Type: schema.TypeString, Required: true, ForceNew: true, - Description: fmt.Sprintf("Creates an OAuth interface between Snowflake and a partner application. Valid options are: %v", sdk.AllOauthSecurityIntegrationClients), + Description: fmt.Sprintf("Creates an OAuth interface between Snowflake and a partner application. Valid options are: %v.", possibleValuesListed(sdk.AllOauthSecurityIntegrationClients)), ValidateDiagFunc: sdkValidation(sdk.ToOauthSecurityIntegrationClientOption), DiffSuppressFunc: NormalizeAndCompare(sdk.ToOauthSecurityIntegrationClientOption), }, @@ -68,7 +68,7 @@ var oauthIntegrationForPartnerApplicationsSchema = map[string]*schema.Schema{ "oauth_use_secondary_roles": { Type: schema.TypeString, Optional: true, - Description: fmt.Sprintf("Specifies whether default secondary roles set in the user properties are activated by default in the session being opened. Valid options are: %v", sdk.AllOauthSecurityIntegrationUseSecondaryRoles), + Description: fmt.Sprintf("Specifies whether default secondary roles set in the user properties are activated by default in the session being opened. Valid options are: %v.", possibleValuesListed(sdk.AllOauthSecurityIntegrationUseSecondaryRoles)), ValidateDiagFunc: sdkValidation(sdk.ToOauthSecurityIntegrationUseSecondaryRolesOption), DiffSuppressFunc: SuppressIfAny(NormalizeAndCompare(sdk.ToOauthSecurityIntegrationUseSecondaryRolesOption), IgnoreChangeToCurrentSnowflakeValueInDescribe("oauth_use_secondary_roles")), }, @@ -115,6 +115,7 @@ func OauthIntegrationForPartnerApplications() *schema.Resource { ReadContext: ReadContextOauthIntegrationForPartnerApplications(true), UpdateContext: UpdateContextOauthIntegrationForPartnerApplications, DeleteContext: DeleteContextSecurityIntegration, + Description: "Resource used to manage oauth security integration for partner applications objects. For more information, check [security integrations documentation](https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-oauth-snowflake).", CustomizeDiff: customdiff.All( ComputedIfAnyAttributeChanged( diff --git a/pkg/resources/saml2_integration.go b/pkg/resources/saml2_integration.go index b483e453300..98142d372af 100644 --- a/pkg/resources/saml2_integration.go +++ b/pkg/resources/saml2_integration.go @@ -49,7 +49,7 @@ var saml2IntegrationSchema = map[string]*schema.Schema{ Required: true, ValidateDiagFunc: sdkValidation(sdk.ToSaml2SecurityIntegrationSaml2ProviderOption), DiffSuppressFunc: NormalizeAndCompare(sdk.ToSaml2SecurityIntegrationSaml2ProviderOption), - Description: fmt.Sprintf("The string describing the IdP. Valid options are: %v.", sdk.AllSaml2SecurityIntegrationSaml2Providers), + Description: fmt.Sprintf("The string describing the IdP. Valid options are: %v.", possibleValuesListed(sdk.AllSaml2SecurityIntegrationSaml2Providers)), }, "saml2_x509_cert": { Type: schema.TypeString, @@ -83,7 +83,7 @@ var saml2IntegrationSchema = map[string]*schema.Schema{ Optional: true, ValidateDiagFunc: sdkValidation(sdk.ToSaml2SecurityIntegrationSaml2RequestedNameidFormatOption), DiffSuppressFunc: SuppressIfAny(NormalizeAndCompare(sdk.ToSaml2SecurityIntegrationSaml2RequestedNameidFormatOption), IgnoreChangeToCurrentSnowflakeValueInDescribe("saml2_requested_nameid_format")), - Description: fmt.Sprintf("The SAML NameID format allows Snowflake to set an expectation of the identifying attribute of the user (i.e. SAML Subject) in the SAML assertion from the IdP to ensure a valid authentication to Snowflake. Valid options are: %v", sdk.AllSaml2SecurityIntegrationSaml2RequestedNameidFormats), + Description: fmt.Sprintf("The SAML NameID format allows Snowflake to set an expectation of the identifying attribute of the user (i.e. SAML Subject) in the SAML assertion from the IdP to ensure a valid authentication to Snowflake. Valid options are: %v.", possibleValuesListed(sdk.AllSaml2SecurityIntegrationSaml2RequestedNameidFormats)), }, "saml2_post_logout_redirect_url": { Type: schema.TypeString, @@ -156,6 +156,7 @@ func SAML2Integration() *schema.Resource { ReadContext: ReadContextSAML2Integration(true), UpdateContext: UpdateContextSAML2Integration, DeleteContext: DeleteContextSAM2LIntegration, + Description: "Resource used to manage saml2 security integration objects. For more information, check [security integrations documentation](https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-saml2).", Schema: saml2IntegrationSchema, Importer: &schema.ResourceImporter{ diff --git a/pkg/resources/scim_integration.go b/pkg/resources/scim_integration.go index 845077b20e1..2eaa44e985d 100644 --- a/pkg/resources/scim_integration.go +++ b/pkg/resources/scim_integration.go @@ -36,7 +36,7 @@ var scimIntegrationSchema = map[string]*schema.Schema{ Type: schema.TypeString, Required: true, ForceNew: true, - Description: fmt.Sprintf("Specifies the client type for the scim integration. Valid options are: %v.", sdk.AsStringList(sdk.AllScimSecurityIntegrationScimClients)), + Description: fmt.Sprintf("Specifies the client type for the scim integration. Valid options are: %v.", possibleValuesListed(sdk.AllScimSecurityIntegrationScimClients)), ValidateDiagFunc: StringInSlice(sdk.AsStringList(sdk.AllScimSecurityIntegrationScimClients), true), DiffSuppressFunc: ignoreCaseAndTrimSpaceSuppressFunc, }, @@ -45,7 +45,7 @@ var scimIntegrationSchema = map[string]*schema.Schema{ Required: true, ForceNew: true, Description: fmt.Sprintf("Specify the SCIM role in Snowflake that owns any users and roles that are imported from the identity provider into Snowflake using SCIM."+ - " Provider assumes that the specified role is already provided. Valid options are: %v.", sdk.AllScimSecurityIntegrationRunAsRoles), + " Provider assumes that the specified role is already provided. Valid options are: %v.", possibleValuesListed(sdk.AllScimSecurityIntegrationRunAsRoles)), ValidateDiagFunc: StringInSlice(sdk.AsStringList(sdk.AllScimSecurityIntegrationRunAsRoles), true), DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool { normalize := func(s string) string { @@ -67,7 +67,7 @@ var scimIntegrationSchema = map[string]*schema.Schema{ Default: BooleanDefault, ValidateDiagFunc: validateBooleanString, DiffSuppressFunc: IgnoreChangeToCurrentSnowflakeValueInDescribe("sync_password"), - Description: booleanStringFieldDescription("Specifies whether to enable or disable the synchronization of a user password from an Okta SCIM client as part of the API request to Snowflake."), + Description: booleanStringFieldDescription("Specifies whether to enable or disable the synchronization of a user password from an Okta SCIM client as part of the API request to Snowflake. This property is not supported for Azure SCIM."), }, "comment": { Type: schema.TypeString, @@ -94,12 +94,13 @@ var scimIntegrationSchema = map[string]*schema.Schema{ func SCIMIntegration() *schema.Resource { return &schema.Resource{ - SchemaVersion: 1, + SchemaVersion: 2, CreateContext: CreateContextSCIMIntegration, ReadContext: ReadContextSCIMIntegration(true), UpdateContext: UpdateContextSCIMIntegration, DeleteContext: DeleteContextSCIMIntegration, + Description: "Resource used to manage scim security integration objects. For more information, check [security integrations documentation](https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-scim).", Schema: scimIntegrationSchema, Importer: &schema.ResourceImporter{ @@ -118,6 +119,12 @@ func SCIMIntegration() *schema.Resource { Type: cty.EmptyObject, Upgrade: v092ScimIntegrationStateUpgrader, }, + { + Version: 1, + // setting type to cty.EmptyObject is a bit hacky here but following https://developer.hashicorp.com/terraform/plugin/framework/migrating/resources/state-upgrade#sdkv2-1 would require lots of repetitive code; this should work with cty.EmptyObject + Type: cty.EmptyObject, + Upgrade: v093ScimIntegrationStateUpgrader, + }, }, } } @@ -143,10 +150,12 @@ func ImportScimIntegration(ctx context.Context, d *schema.ResourceData, meta any if err = d.Set("enabled", integration.Enabled); err != nil { return nil, err } - if scimClient, err := integration.SubType(); err == nil { - if err = d.Set("scim_client", scimClient); err != nil { - return nil, err - } + scimClient, err := integration.SubType() + if err != nil { + return nil, err + } + if err = d.Set("scim_client", scimClient); err != nil { + return nil, err } if runAsRoleProperty, err := collections.FindOne(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool { return property.Name == "RUN_AS_ROLE" }); err == nil { if err = d.Set("run_as_role", runAsRoleProperty.Value); err != nil { @@ -158,10 +167,16 @@ func ImportScimIntegration(ctx context.Context, d *schema.ResourceData, meta any return nil, err } } - if syncPasswordProperty, err := collections.FindOne(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool { return property.Name == "SYNC_PASSWORD" }); err == nil { - if err = d.Set("sync_password", syncPasswordProperty.Value); err != nil { + if scimClient == string(sdk.ScimSecurityIntegrationScimClientAzure) { + if err = d.Set("sync_password", BooleanDefault); err != nil { return nil, err } + } else { + if syncPasswordProperty, err := collections.FindOne(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool { return property.Name == "SYNC_PASSWORD" }); err == nil { + if err = d.Set("sync_password", syncPasswordProperty.Value); err != nil { + return nil, err + } + } } if err = d.Set("comment", integration.Comment); err != nil { return nil, err @@ -192,6 +207,15 @@ func CreateContextSCIMIntegration(ctx context.Context, d *schema.ResourceData, m } if v := d.Get("sync_password").(string); v != BooleanDefault { + if scimClient := d.Get("scim_client").(string); scimClient == string(sdk.ScimSecurityIntegrationScimClientAzure) { + return diag.Diagnostics{ + { + Severity: diag.Error, + Summary: "field `sync_password` is not supported for scim_client = \"AZURE\"", + Detail: "can not CREATE scim integration with field `sync_password` for scim_client = \"AZURE\"", + }, + } + } parsed, err := strconv.ParseBool(v) if err != nil { return diag.FromErr(err) @@ -288,17 +312,24 @@ func ReadContextSCIMIntegration(withExternalChangesMarking bool) schema.ReadCont return diag.FromErr(err) } - syncPasswordProperty, err := collections.FindOne(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool { return property.Name == "SYNC_PASSWORD" }) - if err != nil { - return diag.FromErr(err) - } - if err = handleExternalChangesToObjectInDescribe(d, describeMapping{"network_policy", "network_policy", networkPolicyProperty.Value, networkPolicyProperty.Value, nil}, - describeMapping{"sync_password", "sync_password", syncPasswordProperty.Value, syncPasswordProperty.Value, nil}, ); err != nil { return diag.FromErr(err) } + + if scimClient != string(sdk.ScimSecurityIntegrationScimClientAzure) { + syncPasswordProperty, err := collections.FindOne(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool { return property.Name == "SYNC_PASSWORD" }) + if err != nil { + return diag.FromErr(err) + } + if err = handleExternalChangesToObjectInDescribe(d, + describeMapping{"sync_password", "sync_password", syncPasswordProperty.Value, syncPasswordProperty.Value, nil}, + ); err != nil { + return diag.FromErr(err) + } + + } } // These are all identity sets, needed for the case where: @@ -347,6 +378,15 @@ func UpdateContextSCIMIntegration(ctx context.Context, d *schema.ResourceData, m } if d.HasChange("sync_password") { + if scimClient := d.Get("scim_client").(string); scimClient == string(sdk.ScimSecurityIntegrationScimClientAzure) { + return diag.Diagnostics{ + { + Severity: diag.Error, + Summary: "field `sync_password` is not supported for scim_client = \"AZURE\"", + Detail: "can not SET and UNSET field `sync_password` for scim_client = \"AZURE\"", + }, + } + } if v := d.Get("sync_password").(string); v != BooleanDefault { parsed, err := strconv.ParseBool(v) if err != nil { diff --git a/pkg/resources/scim_integration_acceptance_test.go b/pkg/resources/scim_integration_acceptance_test.go index 4c3708b7721..c818d2a6728 100644 --- a/pkg/resources/scim_integration_acceptance_test.go +++ b/pkg/resources/scim_integration_acceptance_test.go @@ -292,7 +292,77 @@ func TestAcc_ScimIntegration_InvalidIncomplete(t *testing.T) { }) } -func TestAcc_ScimIntegration_migrateFromVersion093EnabledTrue(t *testing.T) { +func TestAcc_ScimIntegration_InvalidCreateWithSyncPasswordWithAzure(t *testing.T) { + id := acc.TestClient().Ids.RandomAccountObjectIdentifier() + m := func() map[string]config.Variable { + return map[string]config.Variable{ + "name": config.StringVariable(id.Name()), + "scim_client": config.StringVariable(string(sdk.ScimSecurityIntegrationScimClientAzure)), + "run_as_role": config.StringVariable(snowflakeroles.AadProvisioner.Name()), + "enabled": config.BoolVariable(true), + "sync_password": config.BoolVariable(false), + "network_policy_name": config.StringVariable(""), + "comment": config.StringVariable("foo"), + } + } + resource.Test(t, resource.TestCase{ + ProtoV6ProviderFactories: acc.TestAccProtoV6ProviderFactories, + PreCheck: func() { acc.TestAccPreCheck(t) }, + TerraformVersionChecks: []tfversion.TerraformVersionCheck{ + tfversion.RequireAbove(tfversion.Version1_5_0), + }, + ErrorCheck: helpers.AssertErrorContainsPartsFunc(t, []string{ + "can not CREATE scim integration with field `sync_password` for scim_client = \"AZURE\"", + }), + Steps: []resource.TestStep{ + { + ConfigDirectory: acc.ConfigurationDirectory("TestAcc_ScimIntegration/complete"), + ConfigVariables: m(), + }, + }, + }) +} + +func TestAcc_ScimIntegration_InvalidUpdateWithSyncPasswordWithAzure(t *testing.T) { + id := acc.TestClient().Ids.RandomAccountObjectIdentifier() + m := func(complete bool) map[string]config.Variable { + c := map[string]config.Variable{ + "name": config.StringVariable(id.Name()), + "scim_client": config.StringVariable(string(sdk.ScimSecurityIntegrationScimClientAzure)), + "run_as_role": config.StringVariable(snowflakeroles.AadProvisioner.Name()), + "enabled": config.BoolVariable(true), + } + if complete { + c["sync_password"] = config.BoolVariable(true) + c["network_policy_name"] = config.StringVariable("") + c["comment"] = config.StringVariable("foo") + } + return c + } + + resource.Test(t, resource.TestCase{ + ProtoV6ProviderFactories: acc.TestAccProtoV6ProviderFactories, + PreCheck: func() { acc.TestAccPreCheck(t) }, + TerraformVersionChecks: []tfversion.TerraformVersionCheck{ + tfversion.RequireAbove(tfversion.Version1_5_0), + }, + ErrorCheck: helpers.AssertErrorContainsPartsFunc(t, []string{ + "can not SET and UNSET field `sync_password` for scim_client = \"AZURE\"", + }), + Steps: []resource.TestStep{ + { + ConfigDirectory: acc.ConfigurationDirectory("TestAcc_ScimIntegration/basic"), + ConfigVariables: m(false), + }, + { + ConfigDirectory: acc.ConfigurationDirectory("TestAcc_ScimIntegration/complete"), + ConfigVariables: m(true), + }, + }, + }) +} + +func TestAcc_ScimIntegration_migrateFromVersion092EnabledTrue(t *testing.T) { id := acc.TestClient().Ids.RandomAccountObjectIdentifier() role := snowflakeroles.GenericScimProvisioner resourceName := "snowflake_scim_integration.test" @@ -310,7 +380,7 @@ func TestAcc_ScimIntegration_migrateFromVersion093EnabledTrue(t *testing.T) { Source: "Snowflake-Labs/snowflake", }, }, - Config: scimIntegrationv092(id.Name(), role.Name()), + Config: scimIntegrationv092(id.Name(), role.Name(), sdk.ScimSecurityIntegrationScimClientGeneric), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(resourceName, "name", id.Name()), resource.TestCheckResourceAttr(resourceName, "provisioner_role", role.Name()), @@ -318,7 +388,7 @@ func TestAcc_ScimIntegration_migrateFromVersion093EnabledTrue(t *testing.T) { }, { ProtoV6ProviderFactories: acc.TestAccProtoV6ProviderFactories, - Config: scimIntegrationv093(id.Name(), role.Name(), true), + Config: scimIntegrationv093(id.Name(), role.Name(), true, sdk.ScimSecurityIntegrationScimClientGeneric), ConfigPlanChecks: resource.ConfigPlanChecks{ PreApply: []plancheck.PlanCheck{ planchecks.ExpectChange("snowflake_scim_integration.test", "name", tfjson.ActionUpdate, sdk.String(id.Name()), sdk.String(id.Name())), @@ -358,7 +428,7 @@ func TestAcc_ScimIntegration_migrateFromVersion092EnabledFalse(t *testing.T) { Source: "Snowflake-Labs/snowflake", }, }, - Config: scimIntegrationv092(id.Name(), role.Name()), + Config: scimIntegrationv092(id.Name(), role.Name(), sdk.ScimSecurityIntegrationScimClientGeneric), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(resourceName, "name", id.Name()), resource.TestCheckResourceAttr(resourceName, "provisioner_role", role.Name()), @@ -366,7 +436,7 @@ func TestAcc_ScimIntegration_migrateFromVersion092EnabledFalse(t *testing.T) { }, { ProtoV6ProviderFactories: acc.TestAccProtoV6ProviderFactories, - Config: scimIntegrationv093(id.Name(), role.Name(), false), + Config: scimIntegrationv093(id.Name(), role.Name(), false, sdk.ScimSecurityIntegrationScimClientGeneric), ConfigPlanChecks: resource.ConfigPlanChecks{ PreApply: []plancheck.PlanCheck{plancheck.ExpectNonEmptyPlan()}, }, @@ -380,7 +450,61 @@ func TestAcc_ScimIntegration_migrateFromVersion092EnabledFalse(t *testing.T) { }) } -func scimIntegrationv092(name, roleName string) string { +func TestAcc_ScimIntegration_migrateFromVersion093HandleSyncPassword(t *testing.T) { + id := acc.TestClient().Ids.RandomAccountObjectIdentifier() + role := snowflakeroles.AadProvisioner + resourceName := "snowflake_scim_integration.test" + resource.Test(t, resource.TestCase{ + PreCheck: func() { acc.TestAccPreCheck(t) }, + TerraformVersionChecks: []tfversion.TerraformVersionCheck{ + tfversion.RequireAbove(tfversion.Version1_5_0), + }, + + Steps: []resource.TestStep{ + { + ExternalProviders: map[string]resource.ExternalProvider{ + "snowflake": { + VersionConstraint: "=0.92.0", + Source: "Snowflake-Labs/snowflake", + }, + }, + Config: scimIntegrationv092(id.Name(), role.Name(), sdk.ScimSecurityIntegrationScimClientAzure), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, "name", id.Name()), + ), + }, + { + ExternalProviders: map[string]resource.ExternalProvider{ + "snowflake": { + VersionConstraint: "=0.93.0", + Source: "Snowflake-Labs/snowflake", + }, + }, + ConfigPlanChecks: resource.ConfigPlanChecks{ + PreApply: []plancheck.PlanCheck{plancheck.ExpectNonEmptyPlan()}, + }, + Config: scimIntegrationv093(id.Name(), role.Name(), true, sdk.ScimSecurityIntegrationScimClientAzure), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, "name", id.Name()), + ), + ExpectError: regexp.MustCompile("invalid property 'SYNC_PASSWORD' for 'INTEGRATION"), + }, + { + ProtoV6ProviderFactories: acc.TestAccProtoV6ProviderFactories, + Config: scimIntegrationv093(id.Name(), role.Name(), true, sdk.ScimSecurityIntegrationScimClientAzure), + ConfigPlanChecks: resource.ConfigPlanChecks{ + PreApply: []plancheck.PlanCheck{plancheck.ExpectEmptyPlan()}, + }, + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(resourceName, "name", id.Name()), + resource.TestCheckResourceAttr(resourceName, "sync_password", r.BooleanDefault), + ), + }, + }, + }) +} + +func scimIntegrationv092(name, roleName string, scimClient sdk.ScimSecurityIntegrationScimClientOption) string { s := ` resource "snowflake_scim_integration" "test" { name = "%s" @@ -388,10 +512,10 @@ resource "snowflake_scim_integration" "test" { provisioner_role = "%s" } ` - return fmt.Sprintf(s, name, sdk.ScimSecurityIntegrationScimClientGeneric, roleName) + return fmt.Sprintf(s, name, scimClient, roleName) } -func scimIntegrationv093(name, roleName string, enabled bool) string { +func scimIntegrationv093(name, roleName string, enabled bool, scimClient sdk.ScimSecurityIntegrationScimClientOption) string { s := ` resource "snowflake_scim_integration" "test" { name = "%s" @@ -400,5 +524,5 @@ resource "snowflake_scim_integration" "test" { run_as_role = "%s" } ` - return fmt.Sprintf(s, name, enabled, sdk.ScimSecurityIntegrationScimClientGeneric, roleName) + return fmt.Sprintf(s, name, enabled, scimClient, roleName) } diff --git a/pkg/resources/scim_integration_state_upgraders.go b/pkg/resources/scim_integration_state_upgraders.go index 9e4c2db70e4..4fb1dc942b5 100644 --- a/pkg/resources/scim_integration_state_upgraders.go +++ b/pkg/resources/scim_integration_state_upgraders.go @@ -3,6 +3,9 @@ package resources import ( "context" "strconv" + "strings" + + "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk" ) func v092ScimIntegrationStateUpgrader(ctx context.Context, rawState map[string]any, meta any) (map[string]any, error) { @@ -19,3 +22,15 @@ func v092ScimIntegrationStateUpgrader(ctx context.Context, rawState map[string]a return rawState, nil } + +func v093ScimIntegrationStateUpgrader(ctx context.Context, rawState map[string]any, meta any) (map[string]any, error) { + if rawState == nil { + return rawState, nil + } + + if v, ok := rawState["scim_client"]; ok && strings.EqualFold(strings.TrimSpace(v.(string)), string(sdk.ScimSecurityIntegrationScimClientAzure)) { + rawState["sync_password"] = BooleanDefault + } + + return rawState, nil +}