feat: API Authentication integration v1 readiness (#2898)
<!-- Feel free to delete comments as you fill this in -->
Add new resources covering three flows of API Authentication
integration. Tests for jwt bearer flow are skipped due to errors in
creating integrations. This will be addressed in SNOW-1452191. Also,
there are minor fixes in the SDK to match the actual behavior of Snowflake.

## Test Plan
<!-- detail ways in which this PR has been tested or needs to be tested
-->
* [x] acceptance tests
<!-- add more below if you think they are relevant -->

## References
<!-- issues documentation links, etc  -->

https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-api-auth
sfc-gh-jmichalak authored Jul 9, 2024
1 parent d0c136d commit 91931da
Showing 55 changed files with 3,119 additions and 135 deletions.
16 changes: 12 additions & 4 deletions MIGRATION_GUIDE.md
Expand Up @@ -20,6 +20,14 @@ They are all described in short in the [changes before v1 doc](./v1-preparations
### old grant resources removal
Following the [announcement](https://github.com/Snowflake-Labs/terraform-provider-snowflake/discussions/2736) we have removed the old grant resources. The two resources [snowflake_role_ownership_grant](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_ownership_grant) and [snowflake_user_ownership_grant](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/user_ownership_grant) were not listed in the announcement, but they were also marked as deprecated ones. We are removing them too to conclude the grants redesign saga.

### *(new feature)* Api authentication resources
Added new api authentication resources, i.e.:
- `snowflake_api_authentication_integration_with_authorization_code_grant`
- `snowflake_api_authentication_integration_with_client_credentials`
- `snowflake_api_authentication_integration_with_jwt_bearer`

See reference [doc](https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-api-auth).

### *(new feature)* snowflake_security_integrations datasource
Added a new datasource enabling querying and filtering all types of security integrations. Notes:
- all results are stored in `security_integrations` field.
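Review bot: the new heading `### *(new feature)* Api authentication resources` writes "Api" where the rest of the guide (and the resource names themselves, `api_authentication_...`) use "API"; rename it to "API authentication resources", and drop the colon after "i.e." in "resources, i.e.:". Since the commit message says the acceptance tests for the jwt bearer flow are skipped pending SNOW-1452191, the bullet for `snowflake_api_authentication_integration_with_jwt_bearer` should say that, so users reading the migration guide know that flow is less verified than the other two.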
Expand Down Expand Up @@ -129,10 +137,10 @@ All the field changes in comparison to the previous database resource are:
- removed: the field is removed from `snowflake_shared_database` as it doesn't have any effect on shared databases.
- `from_database` - database cloning was entirely removed and is not possible by any of the new database resources.
- `from_share` - the parameter was moved to the dedicated resource for databases created from shares `snowflake_shared_database`. Right now, it's a text field instead of a map. Additionally, instead of legacy account identifier format we're expecting the new one that with share looks like this: `<organization_name>.<account_name>.<share_name>`. For more information on account identifiers, visit the [official documentation](https://docs.snowflake.com/en/user-guide/admin-account-identifier).
- p,
- p,
- `from_replication` - the parameter was moved to the dedicated resource for databases created from primary databases `snowflake_secondary_database`
- `replication_configuration` - renamed: was renamed to `configuration` and is only available in the `snowflake_database`. Its internal schema changed that instead of list of accounts, we expect a list of nested objects with accounts for which replication (and optionally failover) should be enabled. More information about converting between both versions [here](#resource-renamed-snowflake_database---snowflake_database_old). Additionally, instead of legacy account identifier format we're expecting the new one that looks like this: `<organization_name>.<account_name>` (it will be automatically migrated to the recommended format by the state upgrader). For more information on account identifiers, visit the [official documentation](https://docs.snowflake.com/en/user-guide/admin-account-identifier).
- `data_retention_time_in_days`
- `data_retention_time_in_days`
- in `snowflake_shared_database`
- removed: the field is removed from `snowflake_shared_database` as it doesn't have any effect on shared databases.
- in `snowflake_database` and `snowflake_secondary_database`
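Review bot: the two lines rendered twice here (`- p,` and `- \`data_retention_time_in_days\``) are the only changed lines in this 10-to-10 hunk, yet their before and after text is identical in the rendered view, so the actual change (presumably whitespace) cannot be reviewed; please state it in the commit message. Independently of that, `- p,` is not a meaningful list item for a migration guide and sits between the `from_share` and `from_replication` entries; either complete it or remove it.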
Expand Down Expand Up @@ -213,7 +221,7 @@ The only difference would be that instead of writing/generating new configuratio
- `pattern` was replaced by `like` field.
- Additional filtering options added (`limit`).
- Added missing fields returned by SHOW DATABASES and enclosed its output in `show_output` field.
- Added outputs from **DESC DATABASE** and **SHOW PARAMETERS IN DATABASE** (they can be turned off by declaring `with_describe = false` and `with_parameters = false`, **they're turned on by default**).
- Added outputs from **DESC DATABASE** and **SHOW PARAMETERS IN DATABASE** (they can be turned off by declaring `with_describe = false` and `with_parameters = false`, **they're turned on by default**).
The additional parameters call **DESC DATABASE** (with `with_describe` turned on) and **SHOW PARAMETERS IN DATABASE** (with `with_parameters` turned on) **per database** returned by **SHOW DATABASES**.
The outputs of both commands are held in `databases` entry, where **DESC DATABASE** is saved in the `describe_output` field, and **SHOW PARAMETERS IN DATABASE** in the `parameters` field.
It's important to limit the records and calls to Snowflake to the minimum. That's why we recommend assessing which information you need from the data source and then providing strong filters and turning off additional fields for better plan performance.
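Review bot: the only changed line in this hunk is the `with_describe = false` / `with_parameters = false` bullet, and it reads the same before and after, so the edit is not visible here. Given that the following paragraph tells readers to limit calls to Snowflake, this section would benefit from a short config snippet showing the recommended shape (a `like` filter, a `limit`, and both `with_*` flags turned off), since the defaults issue DESC DATABASE and SHOW PARAMETERS IN DATABASE once per database returned.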
Expand All @@ -237,7 +245,7 @@ resource "snowflake_tag_masking_policy_association" "name" {
masking_policy_id = snowflake_masking_policy.example_masking_policy.id
}
```

After
```terraform
resource "snowflake_tag_masking_policy_association" "name" {
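Review bot: the "Before" and "After" examples both declare `resource "snowflake_tag_masking_policy_association" "name"`, so a reader who pastes both into one module gets a duplicate resource error; either label the blocks clearly as alternatives or give them distinct resource labels. As in the previous hunk, the single changed line in this 7-line region is indistinguishable in the rendered text.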
@@ -0,0 +1,235 @@
---
page_title: "snowflake_api_authentication_integration_with_authorization_code_grant Resource - terraform-provider-snowflake"
subcategory: ""
description: |-
---

!> **V1 release candidate** This resource was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0920--v0930) to use it.

# snowflake_api_authentication_integration_with_authorization_code_grant (Resource)



## Example Usage

```terraform
# basic resource
resource "snowflake_api_authentication_integration_with_authorization_code_grant" "test" {
enabled = true
name = "test"
oauth_client_id = "sn-oauth-134o9erqfedlc"
oauth_client_secret = "eb9vaXsrcEvrFdfcvCaoijhilj4fc"
}
# resource with all fields set
resource "snowflake_api_authentication_integration_with_authorization_code_grant" "test" {
comment = "comment"
enabled = true
name = "test"
oauth_access_token_validity = 42
oauth_allowed_scopes = ["useraccount"]
oauth_authorization_endpoint = "https://example.com"
oauth_client_auth_method = "CLIENT_SECRET_POST"
oauth_client_id = "sn-oauth-134o9erqfedlc"
oauth_client_secret = "eb9vaXsrcEvrFdfcvCaoijhilj4fc"
oauth_refresh_token_validity = 42
oauth_token_endpoint = "https://example.com"
}
```

<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `enabled` (Boolean) Specifies whether this security integration is enabled or disabled.
- `name` (String) Specifies the identifier (i.e. name) for the integration. This value must be unique in your account.
- `oauth_client_id` (String) Specifies the client ID for the OAuth application in the external service.
- `oauth_client_secret` (String) Specifies the client secret for the OAuth application in the ServiceNow instance from the previous step. The connector uses this to request an access token from the ServiceNow instance.

### Optional

- `comment` (String) Specifies a comment for the integration.
- `oauth_access_token_validity` (Number) Specifies the default lifetime of the OAuth access token (in seconds) issued by an OAuth server.
- `oauth_allowed_scopes` (Set of String) Specifies a list of scopes to use when making a request from the OAuth by a role with USAGE on the integration during the OAuth client credentials flow.
- `oauth_authorization_endpoint` (String) Specifies the URL for authenticating to the external service. If removed from the config, the resource is recreated.
- `oauth_client_auth_method` (String) Specifies that POST is used as the authentication method to the external service. If removed from the config, the resource is recreated. Valid values are (case-insensitive): `CLIENT_SECRET_POST`.
- `oauth_refresh_token_validity` (Number) Specifies the value to determine the validity of the refresh token obtained from the OAuth server.
- `oauth_token_endpoint` (String) Specifies the token endpoint used by the client to obtain an access token by presenting its authorization grant or refresh token. The token endpoint is used with every authorization grant except for the implicit grant type (since an access token is issued directly). If removed from the config, the resource is recreated.

### Read-Only

- `describe_output` (List of Object) Outputs the result of `DESCRIBE SECURITY INTEGRATIONS` for the given security integration. (see [below for nested schema](#nestedatt--describe_output))
- `id` (String) The ID of this resource.
- `show_output` (List of Object) Outputs the result of `SHOW SECURITY INTEGRATIONS` for the given security integration. (see [below for nested schema](#nestedatt--show_output))

<a id="nestedatt--describe_output"></a>
### Nested Schema for `describe_output`

Read-Only:

- `auth_type` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--auth_type))
- `comment` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--comment))
- `enabled` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--enabled))
- `oauth_access_token_validity` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_access_token_validity))
- `oauth_allowed_scopes` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_allowed_scopes))
- `oauth_authorization_endpoint` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_authorization_endpoint))
- `oauth_client_auth_method` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_client_auth_method))
- `oauth_client_id` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_client_id))
- `oauth_grant` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_grant))
- `oauth_refresh_token_validity` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_refresh_token_validity))
- `oauth_token_endpoint` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_token_endpoint))
- `parent_integration` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--parent_integration))

<a id="nestedobjatt--describe_output--auth_type"></a>
### Nested Schema for `describe_output.auth_type`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--comment"></a>
### Nested Schema for `describe_output.comment`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--enabled"></a>
### Nested Schema for `describe_output.enabled`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--oauth_access_token_validity"></a>
### Nested Schema for `describe_output.oauth_access_token_validity`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--oauth_allowed_scopes"></a>
### Nested Schema for `describe_output.oauth_allowed_scopes`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--oauth_authorization_endpoint"></a>
### Nested Schema for `describe_output.oauth_authorization_endpoint`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--oauth_client_auth_method"></a>
### Nested Schema for `describe_output.oauth_client_auth_method`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--oauth_client_id"></a>
### Nested Schema for `describe_output.oauth_client_id`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--oauth_grant"></a>
### Nested Schema for `describe_output.oauth_grant`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--oauth_refresh_token_validity"></a>
### Nested Schema for `describe_output.oauth_refresh_token_validity`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--oauth_token_endpoint"></a>
### Nested Schema for `describe_output.oauth_token_endpoint`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--parent_integration"></a>
### Nested Schema for `describe_output.parent_integration`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)



<a id="nestedatt--show_output"></a>
### Nested Schema for `show_output`

Read-Only:

- `category` (String)
- `comment` (String)
- `created_on` (String)
- `enabled` (Boolean)
- `integration_type` (String)
- `name` (String)

## Import

Import is supported using the following syntax:

```shell
terraform import snowflake_api_authentication_integration_with_authorization_code_grant.example "name"
```
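Review bot: the `oauth_client_secret` description under Required was copied from the ServiceNow connector docs ("the ServiceNow instance from the previous step", "The connector uses this to request an access token from the ServiceNow instance"), and `oauth_allowed_scopes` says the scopes apply "during the OAuth client credentials flow", but this is the authorization code grant resource; reword both to be generic to this resource and its flow. Nothing in the schema says `oauth_client_secret` is sensitive: if it is not marked `Sensitive: true` it will be printed in plan output, and either way it is stored in state in plaintext, so the docs should state that and the example usage should use an obviously fake placeholder instead of a realistic-looking secret. Minor: the front matter `description: |-` is empty, so the registry page gets no summary, and the example sets both `oauth_authorization_endpoint` and `oauth_token_endpoint` to `https://example.com`, which blurs the distinction between the two endpoints the attribute descriptions draw.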
