Commit

changes after review
sfc-gh-jcieslak committed Jul 5, 2024
1 parent 9be505a commit a9bc700
Showing 13 changed files with 199 additions and 89 deletions.
8 changes: 8 additions & 0 deletions MIGRATION_GUIDE.md
@@ -20,6 +20,14 @@ They are all described in short in the [changes before v1 doc](./v1-preparations
### old grant resources removal
Following the [announcement](https://github.com/Snowflake-Labs/terraform-provider-snowflake/discussions/2736) we have removed the old grant resources. The two resources [snowflake_role_ownership_grant](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/role_ownership_grant) and [snowflake_user_ownership_grant](https://registry.terraform.io/providers/Snowflake-Labs/snowflake/latest/docs/resources/user_ownership_grant) were not listed in the announcement, but they were also marked as deprecated ones. We are removing them too to conclude the grants redesign saga.

### *(new feature)* snowflake_oauth_integration_for_custom_clients and snowflake_oauth_integration_for_partner_applications resources

To enhance clarity and functionality, the new resources `snowflake_oauth_integration_for_custom_clients` and `snowflake_oauth_integration_for_partner_applications` have been introduced
to replace the previous `snowflake_oauth_integration`. Recognizing that the old resource carried multiple responsibilities within a single entity, we opted to divide it into two more specialized resources.
The newly introduced resources are aligned with the latest Snowflake documentation at the time of implementation, and adhere to our [new conventions](#general-changes).
This segregation was based on the `oauth_client` attribute, where `CUSTOM` corresponds to `snowflake_oauth_integration_for_custom_clients`,
while other attributes align with `snowflake_oauth_integration_for_partner_applications`.

### *(new feature)* snowflake_security_integrations datasource
Added a new datasource enabling querying and filtering all types of security integrations. Notes:
- all results are stored in `security_integrations` field.
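Review bot: "while other attributes align with `snowflake_oauth_integration_for_partner_applications`" is wrong wording; the split is by the value of `oauth_client`, so it should read "while all other `oauth_client` values map to `snowflake_oauth_integration_for_partner_applications`". The section also explains the split but gives no migration steps for users who already have a `snowflake_oauth_integration` in state (remove it from state, then import it under the new resource type), which is what readers of a migration guide need; add them or link the import syntax.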
1 change: 1 addition & 0 deletions docs/index.md
@@ -230,6 +230,7 @@ The Snowflake provider will use the following order of precedence when determini
## Currently deprecated resources

- [snowflake_database_old](./docs/resources/database_old)
- [snowflake_oauth_integration](./docs/resources/oauth_integration)
- [snowflake_saml_integration](./docs/resources/saml_integration) - use [snowflake_saml2_integration](./docs/resources/saml2_integration) instead
- [snowflake_unsafe_execute](./docs/resources/unsafe_execute)

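Review bot: the new `snowflake_oauth_integration` entry does not name its replacements, unlike the `snowflake_saml_integration` entry directly below it; append "- use `snowflake_oauth_integration_for_custom_clients` or `snowflake_oauth_integration_for_partner_applications` instead" so readers of the deprecation list are pointed at the right resource.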
49 changes: 44 additions & 5 deletions docs/resources/oauth_integration_for_custom_clients.md
@@ -5,18 +5,49 @@ description: |-
---

# snowflake_oauth_integration_for_custom_clients (Resource)
!> **V1 release candidate** This resource was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0920--v0930) to use it.

# snowflake_oauth_integration_for_custom_clients (Resource)



## Example Usage

```terraform
# basic resource
resource "snowflake_oauth_integration_for_custom_clients" "basic" {
name = "saml_integration"
oauth_client_type = "CONFIDENTIAL"
oauth_redirect_uri = "https://example.com"
blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN"]
}
# resource with all fields set
resource "snowflake_oauth_integration_for_custom_clients" "complete" {
name = "saml_integration"
oauth_client_type = "CONFIDENTIAL"
oauth_redirect_uri = "https://example.com"
enabled = "true"
oauth_allow_non_tls_redirect_uri = "true"
oauth_enforce_pkce = "true"
oauth_use_secondary_roles = "NONE"
pre_authorized_roles_list = ["role_id1", "role_id2"]
blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN", "role_id1", "role_id2"]
oauth_issue_refresh_tokens = "true"
oauth_refresh_token_validity = 87600
network_policy = "network_policy_id"
oauth_client_rsa_public_key = file("rsa.pub")
oauth_client_rsa_public_key_2 = file("rsa2.pub")
comment = "my oauth integration"
}
```

<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `blocked_roles_list` (Set of String) Comma-separated list of Snowflake roles that a user cannot explicitly consent to using after authenticating.
- `blocked_roles_list` (Set of String) A set of Snowflake roles that a user cannot explicitly consent to using after authenticating.
- `name` (String) Specifies the name of the OAuth integration. This name follows the rules for Object Identifiers. The name should be unique among security integrations in your account.
- `oauth_client_type` (String) Specifies the type of client being registered. Snowflake supports both confidential and public clients. Valid options are: [PUBLIC CONFIDENTIAL]
- `oauth_redirect_uri` (String) Specifies the client URI. After a user is authenticated, the web browser is redirected to this URI.
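Review bot: the "all fields set" example enables `oauth_allow_non_tls_redirect_uri = "true"` while its `oauth_redirect_uri` is already an https URI, so the only effect of that line in a reference example is to be copied into real configurations and weaken redirect handling; set it to "false" here, or add a comment that it is shown only for completeness. Since the file carries the `<!-- schema generated by tfplugindocs -->` marker, also confirm the template and example sources were updated rather than only this generated output.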
@@ -27,13 +58,13 @@ description: |-
- `enabled` (String) Specifies whether this OAuth integration is enabled or disabled. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value.
- `network_policy` (String) Specifies an existing network policy. This network policy controls network traffic that is attempting to exchange an authorization code for an access or refresh token or to use a refresh token to obtain a new access token.
- `oauth_allow_non_tls_redirect_uri` (String) If true, allows setting oauth_redirect_uri to a URI not protected by TLS. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value.
- `oauth_client_rsa_public_key` (String) Hash of `oauth_client_rsa_public_key` returned from Snowflake.
- `oauth_client_rsa_public_key_2` (String) Hash of `oauth_client_rsa_public_key` returned from Snowflake.
- `oauth_client_rsa_public_key` (String) Specifies a Base64-encoded RSA public key, without the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- headers. External changes for this field won't be detected. In case you want to apply external changes, you can re-create the resource using `terraform taint`.
- `oauth_client_rsa_public_key_2` (String) Specifies a Base64-encoded RSA public key, without the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- headers. External changes for this field won't be detected. In case you want to apply external changes, you can re-create the resource using `terraform taint`.
- `oauth_enforce_pkce` (String) Boolean that specifies whether Proof Key for Code Exchange (PKCE) should be required for the integration. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value.
- `oauth_issue_refresh_tokens` (String) Specifies whether to allow the client to exchange a refresh token for an access token when the current access token has expired. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value.
- `oauth_refresh_token_validity` (Number) Specifies how long refresh tokens should be valid (in seconds). OAUTH_ISSUE_REFRESH_TOKENS must be set to TRUE.
- `oauth_use_secondary_roles` (String) Specifies whether default secondary roles set in the user properties are activated by default in the session being opened. Valid options are: [IMPLICIT NONE]
- `pre_authorized_roles_list` (Set of String) Comma-separated list of Snowflake roles that a user does not need to explicitly consent to using after authenticating.
- `pre_authorized_roles_list` (Set of String) A set of Snowflake roles that a user does not need to explicitly consent to using after authenticating.

### Read-Only

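Review bot: the new descriptions for `oauth_client_rsa_public_key` and `oauth_client_rsa_public_key_2` recommend `terraform taint`, which Terraform has deprecated in favour of `terraform apply -replace=<address>`; point users at `-replace` instead. Stating that "External changes for this field won't be detected" is the right disclosure for a key that authenticates the client, but the removed text referred to a hash of the key returned from Snowflake; if that hash is available, say so, because it is the only way an operator can verify out-of-band that the key in Snowflake is the one in configuration.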
@@ -287,3 +318,11 @@ Read-Only:
- `enabled` (Boolean)
- `integration_type` (String)
- `name` (String)

## Import

Import is supported using the following syntax:

```shell
terraform import snowflake_oauth_integration_for_custom_clients.example "name"
```
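Review bot: the import example quotes the identifier (`"name"`) while the `snowflake_saml_integration` import example in this same commit is changed to the unquoted form; pick one convention for all import snippets so the generated docs do not disagree with each other.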
2 changes: 2 additions & 0 deletions docs/resources/saml2_integration.md
@@ -5,6 +5,8 @@ description: |-
---

!> **V1 release candidate** This resource was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0920--v0930) to use it.

# snowflake_saml2_integration (Resource)


2 changes: 1 addition & 1 deletion examples/additional/deprecated_resources.MD
@@ -1,6 +1,6 @@
## Currently deprecated resources

- [snowflake_database_old](./docs/resources/database_old)
- [snowflake_saml_integration](./docs/resources/saml_integration) - use [snowflake_saml2_integration](./docs/resources/saml2_integration) instead
- [snowflake_oauth_integration](./docs/resources/oauth_integration)
- [snowflake_saml_integration](./docs/resources/saml_integration) - use [snowflake_saml2_integration](./docs/resources/saml2_integration) instead
- [snowflake_unsafe_execute](./docs/resources/unsafe_execute)
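Review bot: same list as docs/index.md, so the same gap applies: the `snowflake_oauth_integration` entry should name `snowflake_oauth_integration_for_custom_clients` and `snowflake_oauth_integration_for_partner_applications` as its replacements, matching the "use ... instead" form of the saml entry. Keeping two copies of this list in sync by hand is fragile; consider generating one from the other.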
@@ -1,8 +1,26 @@
resource "snowflake_oauth_integration_for_custom_clients" "tableau_desktop" {
name = "TABLEAU_DESKTOP"
oauth_client = "TABLEAU_DESKTOP"
enabled = true
oauth_issue_refresh_tokens = true
oauth_refresh_token_validity = 3600
blocked_roles_list = ["SYSADMIN"]
# basic resource
resource "snowflake_oauth_integration_for_custom_clients" "basic" {
name = "saml_integration"
oauth_client_type = "CONFIDENTIAL"
oauth_redirect_uri = "https://example.com"
blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN"]
}

# resource with all fields set
resource "snowflake_oauth_integration_for_custom_clients" "complete" {
name = "saml_integration"
oauth_client_type = "CONFIDENTIAL"
oauth_redirect_uri = "https://example.com"
enabled = "true"
oauth_allow_non_tls_redirect_uri = "true"
oauth_enforce_pkce = "true"
oauth_use_secondary_roles = "NONE"
pre_authorized_roles_list = ["role_id1", "role_id2"]
blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN", "role_id1", "role_id2"]
oauth_issue_refresh_tokens = "true"
oauth_refresh_token_validity = 87600
network_policy = "network_policy_id"
oauth_client_rsa_public_key = file("rsa.pub")
oauth_client_rsa_public_key_2 = file("rsa2.pub")
comment = "my oauth integration"
}
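Review bot: both new examples name the OAuth integration `"saml_integration"`, a leftover from the SAML resource example; rename it to something like `"oauth_integration"` so the published example is not misleading. In the "complete" resource, `role_id1` and `role_id2` appear in both `pre_authorized_roles_list` and `blocked_roles_list`, which is contradictory as written (a role cannot be both pre-authorized and blocked); use disjoint role sets. The removed `tableau_desktop` example with `oauth_client = "TABLEAU_DESKTOP"` belongs to the partner-applications resource, so check that it was moved there rather than dropped.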
2 changes: 1 addition & 1 deletion examples/resources/snowflake_saml_integration/import.sh
@@ -1 +1 @@
terraform import snowflake_saml_integration.example "name"
terraform import snowflake_saml_integration.example name
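Review bot: dropping the quotes here while the new `oauth_integration_for_custom_clients` import example keeps `"name"` leaves the two import snippets in inconsistent styles; either form works for a simple identifier, but the quoted form is the one that still works for identifiers containing special characters, so prefer keeping quotes everywhere.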
33 changes: 0 additions & 33 deletions pkg/acceptance/importchecks/import_checks.go
@@ -8,22 +8,6 @@ import (
"github.com/hashicorp/terraform-plugin-testing/terraform"
)

// ComposeAggregateImportStateCheck does the same as ComposeImportStateCheck, but it aggregates all the occurred errors,
// instead of returning the first encountered one.
func ComposeAggregateImportStateCheck(fs ...resource.ImportStateCheckFunc) resource.ImportStateCheckFunc {
return func(s []*terraform.InstanceState) error {
var result []error

for i, f := range fs {
if err := f(s); err != nil {
result = append(result, fmt.Errorf("check %d/%d error: %w", i+1, len(fs), err))
}
}

return errors.Join(result...)
}
}

// ComposeImportStateCheck is based on unexported composeImportStateCheck from teststep_providers_test.go
func ComposeImportStateCheck(fs ...resource.ImportStateCheckFunc) resource.ImportStateCheckFunc {
return func(s []*terraform.InstanceState) error {
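Review bot: `ComposeAggregateImportStateCheck` was the only visible user of `errors.Join` in this file; if nothing else in the file uses `errors`, the import now fails compilation, so confirm `go vet` / the build passes. Also confirm that no acceptance test still calls the aggregate variant, since callers moving back to `ComposeImportStateCheck` will again see only the first failing import check rather than all of them.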
@@ -108,20 +92,3 @@ func TestCheckResourceAttrInstanceStateSet(id string, attributeName string) reso
return fmt.Errorf("attribute %s not found in instance state", attributeName)
}
}

// TestCheckNoResourceAttrInstanceState checks if the value is present in the instatnce state and returns an error if it does.
func TestCheckNoResourceAttrInstanceState(id string, attributeName string) resource.ImportStateCheckFunc {
return func(is []*terraform.InstanceState) error {
for _, v := range is {
if v.ID != id {
continue
}

if _, ok := v.Attributes[attributeName]; ok {
return fmt.Errorf("attribute %s found in instance state, but was not expected", attributeName)
}
}

return nil
}
}
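Review bot: `TestCheckNoResourceAttrInstanceState` is the one helper that lets an import test assert an attribute is absent from imported state; with this commit documenting that the RSA public key fields cannot be tracked after creation, a negative check of exactly this kind is useful for asserting that imports do not populate those fields with stale values. Keep the helper unless its callers were deliberately removed.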
11 changes: 6 additions & 5 deletions pkg/resources/oauth_integration_for_custom_clients.go
@@ -4,6 +4,10 @@ import (
"context"
"errors"
"fmt"
"reflect"
"strconv"
"strings"

"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/helpers"
"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/internal/collections"
"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/internal/logging"
@@ -14,9 +18,6 @@ import (
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/customdiff"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
"reflect"
"strconv"
"strings"
)

var oauthIntegrationForCustomClientsSchema = map[string]*schema.Schema{
@@ -114,13 +115,13 @@ var oauthIntegrationForCustomClientsSchema = map[string]*schema.Schema{
Type: schema.TypeString,
Optional: true,
DiffSuppressFunc: ignoreTrimSpaceSuppressFunc,
Description: "Specifies a Base64-encoded RSA public key, without the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- headers.",
Description: "Specifies a Base64-encoded RSA public key, without the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- headers. External changes for this field won't be detected. In case you want to apply external changes, you can re-create the resource using `terraform taint`.",
},
"oauth_client_rsa_public_key_2": {
Type: schema.TypeString,
Optional: true,
DiffSuppressFunc: ignoreTrimSpaceSuppressFunc,
Description: "Specifies a Base64-encoded RSA public key, without the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- headers.",
Description: "Specifies a Base64-encoded RSA public key, without the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- headers. External changes for this field won't be detected. In case you want to apply external changes, you can re-create the resource using `terraform taint`.",
},
"comment": {
Type: schema.TypeString,
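Review bot: the identical description string is now duplicated verbatim in `oauth_client_rsa_public_key` and `oauth_client_rsa_public_key_2`; hoist it into a single constant so the two entries (and the generated docs) cannot drift. The text also recommends `terraform taint`, which is deprecated in favour of `terraform apply -replace=`; update the wording before it is baked into the docs. Given `DiffSuppressFunc: ignoreTrimSpaceSuppressFunc` only normalises whitespace, it would help to state plainly that state holds only the value from configuration and never what Snowflake currently has.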