From 7197b57c5dd75be34fc77eb82aabbd091074b809 Mon Sep 17 00:00:00 2001 
From: Jakub Michalak Date: Thu, 12 Dec 2024 14:15:06 +0100 Subject: [PATCH] fix: Make blocked_roles_field optional in OAuth security integrations (#3267) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - make the `blocked_roles_field` optional in OAuth security integrations - when tried to use `NormalizeAndCompareIdentifiersInSet`, the diff was suppressed in step 2 of the new tests, resulting in the role not being removed - this will be fixed next ## Test Plan * [x] acceptance tests * [ ] … ## References #3171 ## TODO - use `NormalizeAndCompareIdentifiersInSet` in this field; also in external oauth resource --- MIGRATION_GUIDE.md | 15 +- docs/resources/external_oauth_integration.md | 2 +- .../oauth_integration_for_custom_clients.md | 24 +- ...th_integration_for_partner_applications.md | 24 +- .../resource.tf | 1 - .../resource.tf | 1 - .../resourceassert/gen/resource_schema_def.go | 8 + ...gration_for_custom_clients_resource_gen.go | 197 ++++++++++++++++ ...n_for_partner_applications_resource_gen.go | 147 ++++++++++++ ...ntegration_for_custom_clients_model_ext.go | 15 ++ ...ntegration_for_custom_clients_model_gen.go | 222 ++++++++++++++++++ ...tion_for_partner_applications_model_ext.go | 15 ++ ...tion_for_partner_applications_model_gen.go | 163 +++++++++++++ pkg/resources/external_oauth_integration.go | 14 +- .../oauth_integration_for_custom_clients.go | 58 +++-- ...tion_for_custom_clients_acceptance_test.go | 76 +++++- ...th_integration_for_partner_applications.go | 61 +++-- ...or_partner_applications_acceptance_test.go | 78 +++++- pkg/resources/show_and_describe_handlers.go | 2 +- .../basic/test.tf | 1 - .../basic/variables.tf | 3 - .../basic/test.tf | 1 - .../basic/variables.tf | 3 - .../oauth_integration_for_custom_clients.go | 14 ++ ...ty_integration_for_partner_applications.go | 14 ++ 25 files changed, 1096 insertions(+), 63 deletions(-) create mode 100644 
pkg/acceptance/bettertestspoc/assert/resourceassert/oauth_integration_for_custom_clients_resource_gen.go create mode 100644 pkg/acceptance/bettertestspoc/assert/resourceassert/oauth_integration_for_partner_applications_resource_gen.go create mode 100644 pkg/acceptance/bettertestspoc/config/model/oauth_integration_for_custom_clients_model_ext.go create mode 100644 pkg/acceptance/bettertestspoc/config/model/oauth_integration_for_custom_clients_model_gen.go create mode 100644 pkg/acceptance/bettertestspoc/config/model/oauth_integration_for_partner_applications_model_ext.go create mode 100644 pkg/acceptance/bettertestspoc/config/model/oauth_integration_for_partner_applications_model_gen.go diff --git a/MIGRATION_GUIDE.md b/MIGRATION_GUIDE.md index fde9268c6c..d9bc0f050d 100644 --- a/MIGRATION_GUIDE.md +++ b/MIGRATION_GUIDE.md @@ -9,6 +9,19 @@ across different versions. ## v0.99.0 ➞ v0.100.0 +### snowflake_oauth_integration_for_partner_applications and snowflake_oauth_integration_for_custom_clients resource changes +#### *(behavior change)* `blocked_roles_list` field is no longer required + +Previously, `blocked_roles_list` field was required to handle default account roles like `ACCOUNTADMIN`, `ORGADMIN`, and `SECURITYADMIN`. + +Now, it is optional, because of using the value of `OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST` parameter (read more below). + +No changes in the configuration are necessary. + +#### *(behavior change)* new field `related_parameters` + +To handle `blocked_roles_list` field properly in both of the resources, we introduce `related_parameters` field. This field is a list of parameters related to OAuth integrations. It is a computed-only field containing value of `OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST` account parameter (see [docs](https://docs.snowflake.com/en/sql-reference/parameters#oauth-add-privileged-roles-to-blocked-list)). + ### snowflake_account resource changes Changes: 
@@ -16,7 +29,7 @@ Changes: - `grace_period_in_days` is now required. The field should be explicitly set in the following versions. - Account renaming is now supported. - `is_org_admin` is a settable field (previously it was read-only field). Changing its value is also supported. -- `must_change_password` and `is_org_admin` type was changed from `bool` to bool-string (more on that [here](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/v1-preparations/CHANGES_BEFORE_V1.md#empty-values)). No action required during the migration. +- `must_change_password` and `is_org_admin` type was changed from `bool` to bool-string (more on that [here](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/v1-preparations/CHANGES_BEFORE_V1.md#empty-values)). No action required during the migration. - The underlying resource identifier was changed from `` to `.`. Migration will be done automatically. Notice this introduces changes in how `snowflake_account` resource is imported. - New `show_output` field was added (see [raw Snowflake output](./v1-preparations/CHANGES_BEFORE_V1.md#raw-snowflake-output)). diff --git a/docs/resources/external_oauth_integration.md b/docs/resources/external_oauth_integration.md index 37550af92e..2bcb6b2dc7 100644 --- a/docs/resources/external_oauth_integration.md +++ b/docs/resources/external_oauth_integration.md 
@@ -92,7 +92,7 @@ resource "snowflake_external_oauth_integration" "test" { - `describe_output` (List of Object) Outputs the result of `DESCRIBE SECURITY INTEGRATIONS` for the given security integration. (see [below for nested schema](#nestedatt--describe_output)) - `fully_qualified_name` (String) Fully qualified name of the resource. For more information, see [object name resolution](https://docs.snowflake.com/en/sql-reference/name-resolution). - `id` (String) The ID of this resource. -- `related_parameters` (List of Object) Paramteres related to this security integration. (see [below for nested schema](#nestedatt--related_parameters)) +- `related_parameters` (List of Object) Parameters related to this security integration. (see [below for nested schema](#nestedatt--related_parameters)) - `show_output` (List of Object) Outputs the result of `SHOW SECURITY INTEGRATIONS` for the given security integration. (see [below for nested schema](#nestedatt--show_output)) diff --git a/docs/resources/oauth_integration_for_custom_clients.md b/docs/resources/oauth_integration_for_custom_clients.md index 8a5182a45d..6765f52861 100644 --- a/docs/resources/oauth_integration_for_custom_clients.md +++ b/docs/resources/oauth_integration_for_custom_clients.md @@ -23,7 +23,6 @@ resource "snowflake_oauth_integration_for_custom_clients" "basic" { name = "integration" oauth_client_type = "CONFIDENTIAL" oauth_redirect_uri = "https://example.com" - blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN"] } # resource with all fields set 
@@ -53,13 +52,13 @@ resource "snowflake_oauth_integration_for_custom_clients" "complete" { ### Required -- `blocked_roles_list` (Set of String) A set of Snowflake roles that a user cannot explicitly consent to using after authenticating. For more information about this resource, see [docs](./account_role). - `name` (String) Specifies the name of the OAuth integration. This name follows the rules for Object Identifiers. The name should be unique among security integrations in your account. Due to technical limitations (read more [here](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/identifiers_rework_design_decisions.md#known-limitations-and-identifier-recommendations)), avoid using the following characters: `|`, `.`, `"`. - `oauth_client_type` (String) Specifies the type of client being registered. Snowflake supports both confidential and public clients. Valid options are: `PUBLIC` | `CONFIDENTIAL`. - `oauth_redirect_uri` (String) Specifies the client URI. After a user is authenticated, the web browser is redirected to this URI. ### Optional +- `blocked_roles_list` (Set of String) A set of Snowflake roles that a user cannot explicitly consent to using after authenticating. By default, this list includes the ACCOUNTADMIN, ORGADMIN and SECURITYADMIN roles. To remove these privileged roles from the list, use the ALTER ACCOUNT command to set the OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST account parameter to FALSE. For more information about this resource, see [docs](./account_role). - `comment` (String) Specifies a comment for the OAuth integration. - `enabled` (String) Specifies whether this OAuth integration is enabled or disabled. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value. - `network_policy` (String) Specifies an existing network policy. 
This network policy controls network traffic that is attempting to exchange an authorization code for an access or refresh token or to use a refresh token to obtain a new access token. For more information about this resource, see [docs](./network_policy). @@ -77,6 +76,7 @@ resource "snowflake_oauth_integration_for_custom_clients" "complete" { - `describe_output` (List of Object) Outputs the result of `DESCRIBE SECURITY INTEGRATION` for the given integration. (see [below for nested schema](#nestedatt--describe_output)) - `fully_qualified_name` (String) Fully qualified name of the resource. For more information, see [object name resolution](https://docs.snowflake.com/en/sql-reference/name-resolution). - `id` (String) The ID of this resource. +- `related_parameters` (List of Object) Parameters related to this security integration. (see [below for nested schema](#nestedatt--related_parameters)) - `show_output` (List of Object) Outputs the result of `SHOW SECURITY INTEGRATION` for the given integration. (see [below for nested schema](#nestedatt--show_output)) @@ -314,6 +314,26 @@ Read-Only: + +### Nested Schema for `related_parameters` + +Read-Only: + +- `oauth_add_privileged_roles_to_blocked_list` (List of Object) (see [below for nested schema](#nestedobjatt--related_parameters--oauth_add_privileged_roles_to_blocked_list)) + + +### Nested Schema for `related_parameters.oauth_add_privileged_roles_to_blocked_list` + +Read-Only: + +- `default` (String) +- `description` (String) +- `key` (String) +- `level` (String) +- `value` (String) + + + ### Nested Schema for `show_output` diff --git a/docs/resources/oauth_integration_for_partner_applications.md b/docs/resources/oauth_integration_for_partner_applications.md index 48311dbca2..0188afb102 100644 --- a/docs/resources/oauth_integration_for_partner_applications.md +++ b/docs/resources/oauth_integration_for_partner_applications.md 
@@ -21,7 +21,6 @@ resource "snowflake_oauth_integration_for_partner_applications" "test" { name = "example" oauth_client = "LOOKER" oauth_redirect_uri = "http://example.com" - blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN"] } # resource with all fields set 
@@ -44,12 +43,12 @@ resource "snowflake_oauth_integration_for_partner_applications" "test" { ### Required -- `blocked_roles_list` (Set of String) A set of Snowflake roles that a user cannot explicitly consent to using after authenticating. For more information about this resource, see [docs](./account_role). - `name` (String) Specifies the name of the OAuth integration. This name follows the rules for Object Identifiers. The name should be unique among security integrations in your account. Due to technical limitations (read more [here](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/identifiers_rework_design_decisions.md#known-limitations-and-identifier-recommendations)), avoid using the following characters: `|`, `.`, `"`. - `oauth_client` (String) Creates an OAuth interface between Snowflake and a partner application. Valid options are: `LOOKER` | `TABLEAU_DESKTOP` | `TABLEAU_SERVER`. ### Optional +- `blocked_roles_list` (Set of String) A set of Snowflake roles that a user cannot explicitly consent to using after authenticating. By default, this list includes the ACCOUNTADMIN, ORGADMIN and SECURITYADMIN roles. To remove these privileged roles from the list, use the ALTER ACCOUNT command to set the OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST account parameter to FALSE. For more information about this resource, see [docs](./account_role). - `comment` (String) Specifies a comment for the OAuth integration. - `enabled` (String) Specifies whether this OAuth integration is enabled or disabled. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value. - `oauth_issue_refresh_tokens` (String) Specifies whether to allow the client to exchange a refresh token for an access token when the current access token has expired. Available options are: "true" or "false". 
When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value. @@ -62,6 +61,7 @@ resource "snowflake_oauth_integration_for_partner_applications" "test" { - `describe_output` (List of Object) Outputs the result of `DESCRIBE SECURITY INTEGRATION` for the given integration. (see [below for nested schema](#nestedatt--describe_output)) - `fully_qualified_name` (String) Fully qualified name of the resource. For more information, see [object name resolution](https://docs.snowflake.com/en/sql-reference/name-resolution). - `id` (String) The ID of this resource. +- `related_parameters` (List of Object) Parameters related to this security integration. (see [below for nested schema](#nestedatt--related_parameters)) - `show_output` (List of Object) Outputs the result of `SHOW SECURITY INTEGRATION` for the given integration. (see [below for nested schema](#nestedatt--show_output)) @@ -299,6 +299,26 @@ Read-Only: + +### Nested Schema for `related_parameters` + +Read-Only: + +- `oauth_add_privileged_roles_to_blocked_list` (List of Object) (see [below for nested schema](#nestedobjatt--related_parameters--oauth_add_privileged_roles_to_blocked_list)) + + +### Nested Schema for `related_parameters.oauth_add_privileged_roles_to_blocked_list` + +Read-Only: + +- `default` (String) +- `description` (String) +- `key` (String) +- `level` (String) +- `value` (String) + + + ### Nested Schema for `show_output` diff --git a/examples/resources/snowflake_oauth_integration_for_custom_clients/resource.tf b/examples/resources/snowflake_oauth_integration_for_custom_clients/resource.tf index c48c536a33..16e54b5f4d 100644 --- a/examples/resources/snowflake_oauth_integration_for_custom_clients/resource.tf +++ b/examples/resources/snowflake_oauth_integration_for_custom_clients/resource.tf 
@@ -3,7 +3,6 @@ resource "snowflake_oauth_integration_for_custom_clients" "basic" { name = "integration" oauth_client_type = "CONFIDENTIAL" oauth_redirect_uri = "https://example.com" - blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN"] } # resource with all fields set diff --git a/examples/resources/snowflake_oauth_integration_for_partner_applications/resource.tf b/examples/resources/snowflake_oauth_integration_for_partner_applications/resource.tf index 1c8a7830c2..f961c2a766 100644 --- a/examples/resources/snowflake_oauth_integration_for_partner_applications/resource.tf +++ b/examples/resources/snowflake_oauth_integration_for_partner_applications/resource.tf @@ -3,7 +3,6 @@ resource "snowflake_oauth_integration_for_partner_applications" "test" { name = "example" oauth_client = "LOOKER" oauth_redirect_uri = "http://example.com" - blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN"] } # resource with all fields set diff --git a/pkg/acceptance/bettertestspoc/assert/resourceassert/gen/resource_schema_def.go b/pkg/acceptance/bettertestspoc/assert/resourceassert/gen/resource_schema_def.go index 23d5e9d5d9..e39d6f0533 100644 --- a/pkg/acceptance/bettertestspoc/assert/resourceassert/gen/resource_schema_def.go +++ b/pkg/acceptance/bettertestspoc/assert/resourceassert/gen/resource_schema_def.go @@ -121,6 +121,14 @@ var allResourceSchemaDefs = []ResourceSchemaDef{ name: "Account", schema: resources.Account().Schema, }, + { + name: "OauthIntegrationForCustomClients", + schema: resources.OauthIntegrationForCustomClients().Schema, + }, + { + name: "OauthIntegrationForPartnerApplications", + schema: resources.OauthIntegrationForPartnerApplications().Schema, + }, { name: "FunctionJava", schema: resources.FunctionJava().Schema, 
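Review bot: The generated assertion files for the two schemas registered in this `allResourceSchemaDefs` hunk are out of sync with each other: oauth_integration_for_partner_applications_resource_gen.go has `HasRelatedParametersString` and `HasNoRelatedParameters`, but oauth_integration_for_custom_clients_resource_gen.go has no `related_parameters` methods at all, even though the docs changed in this same commit add `related_parameters` to the custom clients resource. That looks like the custom clients file was generated before `related_parameters` was added to that schema; re-running the assertions generator after this registration should make both outputs match, and the acceptance tests can then check the computed parameter for both resources. The remainder of the `allResourceSchemaDefs` literal lies outside the hunk.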
diff --git a/pkg/acceptance/bettertestspoc/assert/resourceassert/oauth_integration_for_custom_clients_resource_gen.go b/pkg/acceptance/bettertestspoc/assert/resourceassert/oauth_integration_for_custom_clients_resource_gen.go new file mode 100644 index 0000000000..d1ef7b4754 --- /dev/null +++ b/pkg/acceptance/bettertestspoc/assert/resourceassert/oauth_integration_for_custom_clients_resource_gen.go 
@@ -0,0 +1,197 @@ +// Code generated by assertions generator; DO NOT EDIT. + +package resourceassert + +import ( + "testing" + + "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/acceptance/bettertestspoc/assert" +) + +type OauthIntegrationForCustomClientsResourceAssert struct { + *assert.ResourceAssert +} + +func OauthIntegrationForCustomClientsResource(t *testing.T, name string) *OauthIntegrationForCustomClientsResourceAssert { + t.Helper() + + return &OauthIntegrationForCustomClientsResourceAssert{ + ResourceAssert: assert.NewResourceAssert(name, "resource"), + } +} + +func ImportedOauthIntegrationForCustomClientsResource(t *testing.T, id string) *OauthIntegrationForCustomClientsResourceAssert { + t.Helper() + + return &OauthIntegrationForCustomClientsResourceAssert{ + ResourceAssert: assert.NewImportedResourceAssert(id, "imported resource"), + } +} + +/////////////////////////////////// +// Attribute value string checks // +/////////////////////////////////// + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasBlockedRolesListString(expected string) *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueSet("blocked_roles_list", expected)) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasCommentString(expected string) *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueSet("comment", expected)) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasEnabledString(expected string) *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueSet("enabled", expected)) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasFullyQualifiedNameString(expected string) *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueSet("fully_qualified_name", expected)) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasNameString(expected string) 
*OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueSet("name", expected)) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasNetworkPolicyString(expected string) *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueSet("network_policy", expected)) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasOauthAllowNonTlsRedirectUriString(expected string) *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueSet("oauth_allow_non_tls_redirect_uri", expected)) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasOauthClientRsaPublicKeyString(expected string) *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueSet("oauth_client_rsa_public_key", expected)) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasOauthClientRsaPublicKey2String(expected string) *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueSet("oauth_client_rsa_public_key_2", expected)) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasOauthClientTypeString(expected string) *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueSet("oauth_client_type", expected)) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasOauthEnforcePkceString(expected string) *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueSet("oauth_enforce_pkce", expected)) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasOauthIssueRefreshTokensString(expected string) *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueSet("oauth_issue_refresh_tokens", expected)) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasOauthRedirectUriString(expected string) *OauthIntegrationForCustomClientsResourceAssert { + 
o.AddAssertion(assert.ValueSet("oauth_redirect_uri", expected)) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasOauthRefreshTokenValidityString(expected string) *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueSet("oauth_refresh_token_validity", expected)) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasOauthUseSecondaryRolesString(expected string) *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueSet("oauth_use_secondary_roles", expected)) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasPreAuthorizedRolesListString(expected string) *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueSet("pre_authorized_roles_list", expected)) + return o +} + +//////////////////////////// +// Attribute empty checks // +//////////////////////////// + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasNoBlockedRolesList() *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueNotSet("blocked_roles_list")) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasNoComment() *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueNotSet("comment")) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasNoEnabled() *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueNotSet("enabled")) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasNoFullyQualifiedName() *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueNotSet("fully_qualified_name")) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasNoName() *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueNotSet("name")) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasNoNetworkPolicy() 
*OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueNotSet("network_policy")) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasNoOauthAllowNonTlsRedirectUri() *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueNotSet("oauth_allow_non_tls_redirect_uri")) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasNoOauthClientRsaPublicKey() *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueNotSet("oauth_client_rsa_public_key")) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasNoOauthClientRsaPublicKey2() *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueNotSet("oauth_client_rsa_public_key_2")) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasNoOauthClientType() *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueNotSet("oauth_client_type")) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasNoOauthEnforcePkce() *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueNotSet("oauth_enforce_pkce")) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasNoOauthIssueRefreshTokens() *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueNotSet("oauth_issue_refresh_tokens")) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasNoOauthRedirectUri() *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueNotSet("oauth_redirect_uri")) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasNoOauthRefreshTokenValidity() *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueNotSet("oauth_refresh_token_validity")) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasNoOauthUseSecondaryRoles() 
*OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueNotSet("oauth_use_secondary_roles")) + return o +} + +func (o *OauthIntegrationForCustomClientsResourceAssert) HasNoPreAuthorizedRolesList() *OauthIntegrationForCustomClientsResourceAssert { + o.AddAssertion(assert.ValueNotSet("pre_authorized_roles_list")) + return o +} diff --git a/pkg/acceptance/bettertestspoc/assert/resourceassert/oauth_integration_for_partner_applications_resource_gen.go b/pkg/acceptance/bettertestspoc/assert/resourceassert/oauth_integration_for_partner_applications_resource_gen.go new file mode 100644 index 0000000000..3d1be060d2 --- /dev/null +++ b/pkg/acceptance/bettertestspoc/assert/resourceassert/oauth_integration_for_partner_applications_resource_gen.go 
@@ -0,0 +1,147 @@ +// Code generated by assertions generator; DO NOT EDIT. + +package resourceassert + +import ( + "testing" + + "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/acceptance/bettertestspoc/assert" +) + +type OauthIntegrationForPartnerApplicationsResourceAssert struct { + *assert.ResourceAssert +} + +func OauthIntegrationForPartnerApplicationsResource(t *testing.T, name string) *OauthIntegrationForPartnerApplicationsResourceAssert { + t.Helper() + + return &OauthIntegrationForPartnerApplicationsResourceAssert{ + ResourceAssert: assert.NewResourceAssert(name, "resource"), + } +} + +func ImportedOauthIntegrationForPartnerApplicationsResource(t *testing.T, id string) *OauthIntegrationForPartnerApplicationsResourceAssert { + t.Helper() + + return &OauthIntegrationForPartnerApplicationsResourceAssert{ + ResourceAssert: assert.NewImportedResourceAssert(id, "imported resource"), + } +} + +/////////////////////////////////// +// Attribute value string checks // +/////////////////////////////////// + +func (o *OauthIntegrationForPartnerApplicationsResourceAssert) HasBlockedRolesListString(expected string) *OauthIntegrationForPartnerApplicationsResourceAssert { + o.AddAssertion(assert.ValueSet("blocked_roles_list", expected)) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsResourceAssert) HasCommentString(expected string) *OauthIntegrationForPartnerApplicationsResourceAssert { + o.AddAssertion(assert.ValueSet("comment", expected)) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsResourceAssert) HasEnabledString(expected string) *OauthIntegrationForPartnerApplicationsResourceAssert { + o.AddAssertion(assert.ValueSet("enabled", expected)) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsResourceAssert) HasFullyQualifiedNameString(expected string) *OauthIntegrationForPartnerApplicationsResourceAssert { + o.AddAssertion(assert.ValueSet("fully_qualified_name", expected)) + return o +} + +func (o 
*OauthIntegrationForPartnerApplicationsResourceAssert) HasNameString(expected string) *OauthIntegrationForPartnerApplicationsResourceAssert { + o.AddAssertion(assert.ValueSet("name", expected)) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsResourceAssert) HasOauthClientString(expected string) *OauthIntegrationForPartnerApplicationsResourceAssert { + o.AddAssertion(assert.ValueSet("oauth_client", expected)) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsResourceAssert) HasOauthIssueRefreshTokensString(expected string) *OauthIntegrationForPartnerApplicationsResourceAssert { + o.AddAssertion(assert.ValueSet("oauth_issue_refresh_tokens", expected)) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsResourceAssert) HasOauthRedirectUriString(expected string) *OauthIntegrationForPartnerApplicationsResourceAssert { + o.AddAssertion(assert.ValueSet("oauth_redirect_uri", expected)) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsResourceAssert) HasOauthRefreshTokenValidityString(expected string) *OauthIntegrationForPartnerApplicationsResourceAssert { + o.AddAssertion(assert.ValueSet("oauth_refresh_token_validity", expected)) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsResourceAssert) HasOauthUseSecondaryRolesString(expected string) *OauthIntegrationForPartnerApplicationsResourceAssert { + o.AddAssertion(assert.ValueSet("oauth_use_secondary_roles", expected)) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsResourceAssert) HasRelatedParametersString(expected string) *OauthIntegrationForPartnerApplicationsResourceAssert { + o.AddAssertion(assert.ValueSet("related_parameters", expected)) + return o +} + +//////////////////////////// +// Attribute empty checks // +//////////////////////////// + +func (o *OauthIntegrationForPartnerApplicationsResourceAssert) HasNoBlockedRolesList() *OauthIntegrationForPartnerApplicationsResourceAssert { + 
o.AddAssertion(assert.ValueNotSet("blocked_roles_list")) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsResourceAssert) HasNoComment() *OauthIntegrationForPartnerApplicationsResourceAssert { + o.AddAssertion(assert.ValueNotSet("comment")) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsResourceAssert) HasNoEnabled() *OauthIntegrationForPartnerApplicationsResourceAssert { + o.AddAssertion(assert.ValueNotSet("enabled")) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsResourceAssert) HasNoFullyQualifiedName() *OauthIntegrationForPartnerApplicationsResourceAssert { + o.AddAssertion(assert.ValueNotSet("fully_qualified_name")) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsResourceAssert) HasNoName() *OauthIntegrationForPartnerApplicationsResourceAssert { + o.AddAssertion(assert.ValueNotSet("name")) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsResourceAssert) HasNoOauthClient() *OauthIntegrationForPartnerApplicationsResourceAssert { + o.AddAssertion(assert.ValueNotSet("oauth_client")) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsResourceAssert) HasNoOauthIssueRefreshTokens() *OauthIntegrationForPartnerApplicationsResourceAssert { + o.AddAssertion(assert.ValueNotSet("oauth_issue_refresh_tokens")) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsResourceAssert) HasNoOauthRedirectUri() *OauthIntegrationForPartnerApplicationsResourceAssert { + o.AddAssertion(assert.ValueNotSet("oauth_redirect_uri")) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsResourceAssert) HasNoOauthRefreshTokenValidity() *OauthIntegrationForPartnerApplicationsResourceAssert { + o.AddAssertion(assert.ValueNotSet("oauth_refresh_token_validity")) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsResourceAssert) HasNoOauthUseSecondaryRoles() *OauthIntegrationForPartnerApplicationsResourceAssert { + 
o.AddAssertion(assert.ValueNotSet("oauth_use_secondary_roles")) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsResourceAssert) HasNoRelatedParameters() *OauthIntegrationForPartnerApplicationsResourceAssert { + o.AddAssertion(assert.ValueNotSet("related_parameters")) + return o +} diff --git a/pkg/acceptance/bettertestspoc/config/model/oauth_integration_for_custom_clients_model_ext.go b/pkg/acceptance/bettertestspoc/config/model/oauth_integration_for_custom_clients_model_ext.go new file mode 100644 index 0000000000..3d3605ca78 --- /dev/null +++ b/pkg/acceptance/bettertestspoc/config/model/oauth_integration_for_custom_clients_model_ext.go @@ -0,0 +1,15 @@ +package model + +import ( + tfconfig "github.com/hashicorp/terraform-plugin-testing/config" +) + +func (t *OauthIntegrationForCustomClientsModel) WithBlockedRolesList(blockedRoles ...string) *OauthIntegrationForCustomClientsModel { + blockedRolesListStringVariables := make([]tfconfig.Variable, len(blockedRoles)) + for i, v := range blockedRoles { + blockedRolesListStringVariables[i] = tfconfig.StringVariable(v) + } + + t.BlockedRolesList = tfconfig.SetVariable(blockedRolesListStringVariables...) + return t +} diff --git a/pkg/acceptance/bettertestspoc/config/model/oauth_integration_for_custom_clients_model_gen.go b/pkg/acceptance/bettertestspoc/config/model/oauth_integration_for_custom_clients_model_gen.go new file mode 100644 index 0000000000..db5cf93efc --- /dev/null +++ b/pkg/acceptance/bettertestspoc/config/model/oauth_integration_for_custom_clients_model_gen.go 
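Review bot: `WithBlockedRolesList` in oauth_integration_for_custom_clients_model_ext.go names its receiver `t`, while every generated method on `OauthIntegrationForCustomClientsModel` (for example `WithComment`) uses `o`; Go convention is one receiver name per type, so the signature should read `func (o *OauthIntegrationForCustomClientsModel) WithBlockedRolesList(blockedRoles ...string) *OauthIntegrationForCustomClientsModel {` with the two `t.` uses renamed to match. The exported method also has no doc comment; since the generated builder explicitly says `blocked_roles_list` cannot be generated, a comment such as `// WithBlockedRolesList sets blocked_roles_list as a set of string variables; hand-written because the generator does not yet support this attribute type.` would explain why it lives in the ext file. Calling it with no arguments produces an empty set rather than leaving the field unset, which is useful for exercising the now-optional field but is worth stating in that comment. The partner applications ext file listed in the diffstat is outside this view and presumably has the same shape.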
@@ -0,0 +1,222 @@ +// Code generated by config model builder generator; DO NOT EDIT. + +package model + +import ( + tfconfig "github.com/hashicorp/terraform-plugin-testing/config" + + "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/acceptance/bettertestspoc/config" + "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/provider/resources" +) + +type OauthIntegrationForCustomClientsModel struct { + BlockedRolesList tfconfig.Variable `json:"blocked_roles_list,omitempty"` + Comment tfconfig.Variable `json:"comment,omitempty"` + Enabled tfconfig.Variable `json:"enabled,omitempty"` + FullyQualifiedName tfconfig.Variable `json:"fully_qualified_name,omitempty"` + Name tfconfig.Variable `json:"name,omitempty"` + NetworkPolicy tfconfig.Variable `json:"network_policy,omitempty"` + OauthAllowNonTlsRedirectUri tfconfig.Variable `json:"oauth_allow_non_tls_redirect_uri,omitempty"` + OauthClientRsaPublicKey tfconfig.Variable `json:"oauth_client_rsa_public_key,omitempty"` + OauthClientRsaPublicKey2 tfconfig.Variable `json:"oauth_client_rsa_public_key_2,omitempty"` + OauthClientType tfconfig.Variable `json:"oauth_client_type,omitempty"` + OauthEnforcePkce tfconfig.Variable `json:"oauth_enforce_pkce,omitempty"` + OauthIssueRefreshTokens tfconfig.Variable `json:"oauth_issue_refresh_tokens,omitempty"` + OauthRedirectUri tfconfig.Variable `json:"oauth_redirect_uri,omitempty"` + OauthRefreshTokenValidity tfconfig.Variable `json:"oauth_refresh_token_validity,omitempty"` + OauthUseSecondaryRoles tfconfig.Variable `json:"oauth_use_secondary_roles,omitempty"` + PreAuthorizedRolesList tfconfig.Variable `json:"pre_authorized_roles_list,omitempty"` + + *config.ResourceModelMeta +} + +///////////////////////////////////////////////// +// Basic builders (resource name and required) // +///////////////////////////////////////////////// + +func OauthIntegrationForCustomClients( + resourceName string, + name string, + oauthClientType string, + oauthRedirectUri string, +) 
*OauthIntegrationForCustomClientsModel { + o := &OauthIntegrationForCustomClientsModel{ResourceModelMeta: config.Meta(resourceName, resources.OauthIntegrationForCustomClients)} + o.WithName(name) + o.WithOauthClientType(oauthClientType) + o.WithOauthRedirectUri(oauthRedirectUri) + return o +} + +func OauthIntegrationForCustomClientsWithDefaultMeta( + name string, + oauthClientType string, + oauthRedirectUri string, +) *OauthIntegrationForCustomClientsModel { + o := &OauthIntegrationForCustomClientsModel{ResourceModelMeta: config.DefaultMeta(resources.OauthIntegrationForCustomClients)} + o.WithName(name) + o.WithOauthClientType(oauthClientType) + o.WithOauthRedirectUri(oauthRedirectUri) + return o +} + +///////////////////////////////// +// below all the proper values // +///////////////////////////////// + +// blocked_roles_list attribute type is not yet supported, so WithBlockedRolesList can't be generated + +func (o *OauthIntegrationForCustomClientsModel) WithComment(comment string) *OauthIntegrationForCustomClientsModel { + o.Comment = tfconfig.StringVariable(comment) + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithEnabled(enabled string) *OauthIntegrationForCustomClientsModel { + o.Enabled = tfconfig.StringVariable(enabled) + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithFullyQualifiedName(fullyQualifiedName string) *OauthIntegrationForCustomClientsModel { + o.FullyQualifiedName = tfconfig.StringVariable(fullyQualifiedName) + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithName(name string) *OauthIntegrationForCustomClientsModel { + o.Name = tfconfig.StringVariable(name) + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithNetworkPolicy(networkPolicy string) *OauthIntegrationForCustomClientsModel { + o.NetworkPolicy = tfconfig.StringVariable(networkPolicy) + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithOauthAllowNonTlsRedirectUri(oauthAllowNonTlsRedirectUri 
string) *OauthIntegrationForCustomClientsModel { + o.OauthAllowNonTlsRedirectUri = tfconfig.StringVariable(oauthAllowNonTlsRedirectUri) + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithOauthClientRsaPublicKey(oauthClientRsaPublicKey string) *OauthIntegrationForCustomClientsModel { + o.OauthClientRsaPublicKey = tfconfig.StringVariable(oauthClientRsaPublicKey) + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithOauthClientRsaPublicKey2(oauthClientRsaPublicKey2 string) *OauthIntegrationForCustomClientsModel { + o.OauthClientRsaPublicKey2 = tfconfig.StringVariable(oauthClientRsaPublicKey2) + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithOauthClientType(oauthClientType string) *OauthIntegrationForCustomClientsModel { + o.OauthClientType = tfconfig.StringVariable(oauthClientType) + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithOauthEnforcePkce(oauthEnforcePkce string) *OauthIntegrationForCustomClientsModel { + o.OauthEnforcePkce = tfconfig.StringVariable(oauthEnforcePkce) + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithOauthIssueRefreshTokens(oauthIssueRefreshTokens string) *OauthIntegrationForCustomClientsModel { + o.OauthIssueRefreshTokens = tfconfig.StringVariable(oauthIssueRefreshTokens) + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithOauthRedirectUri(oauthRedirectUri string) *OauthIntegrationForCustomClientsModel { + o.OauthRedirectUri = tfconfig.StringVariable(oauthRedirectUri) + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithOauthRefreshTokenValidity(oauthRefreshTokenValidity int) *OauthIntegrationForCustomClientsModel { + o.OauthRefreshTokenValidity = tfconfig.IntegerVariable(oauthRefreshTokenValidity) + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithOauthUseSecondaryRoles(oauthUseSecondaryRoles string) *OauthIntegrationForCustomClientsModel { + o.OauthUseSecondaryRoles = 
tfconfig.StringVariable(oauthUseSecondaryRoles) + return o +} + +// pre_authorized_roles_list attribute type is not yet supported, so WithPreAuthorizedRolesList can't be generated + +////////////////////////////////////////// +// below it's possible to set any value // +////////////////////////////////////////// + +func (o *OauthIntegrationForCustomClientsModel) WithBlockedRolesListValue(value tfconfig.Variable) *OauthIntegrationForCustomClientsModel { + o.BlockedRolesList = value + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithCommentValue(value tfconfig.Variable) *OauthIntegrationForCustomClientsModel { + o.Comment = value + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithEnabledValue(value tfconfig.Variable) *OauthIntegrationForCustomClientsModel { + o.Enabled = value + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithFullyQualifiedNameValue(value tfconfig.Variable) *OauthIntegrationForCustomClientsModel { + o.FullyQualifiedName = value + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithNameValue(value tfconfig.Variable) *OauthIntegrationForCustomClientsModel { + o.Name = value + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithNetworkPolicyValue(value tfconfig.Variable) *OauthIntegrationForCustomClientsModel { + o.NetworkPolicy = value + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithOauthAllowNonTlsRedirectUriValue(value tfconfig.Variable) *OauthIntegrationForCustomClientsModel { + o.OauthAllowNonTlsRedirectUri = value + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithOauthClientRsaPublicKeyValue(value tfconfig.Variable) *OauthIntegrationForCustomClientsModel { + o.OauthClientRsaPublicKey = value + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithOauthClientRsaPublicKey2Value(value tfconfig.Variable) *OauthIntegrationForCustomClientsModel { + o.OauthClientRsaPublicKey2 = value + return o +} + +func (o 
*OauthIntegrationForCustomClientsModel) WithOauthClientTypeValue(value tfconfig.Variable) *OauthIntegrationForCustomClientsModel { + o.OauthClientType = value + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithOauthEnforcePkceValue(value tfconfig.Variable) *OauthIntegrationForCustomClientsModel { + o.OauthEnforcePkce = value + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithOauthIssueRefreshTokensValue(value tfconfig.Variable) *OauthIntegrationForCustomClientsModel { + o.OauthIssueRefreshTokens = value + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithOauthRedirectUriValue(value tfconfig.Variable) *OauthIntegrationForCustomClientsModel { + o.OauthRedirectUri = value + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithOauthRefreshTokenValidityValue(value tfconfig.Variable) *OauthIntegrationForCustomClientsModel { + o.OauthRefreshTokenValidity = value + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithOauthUseSecondaryRolesValue(value tfconfig.Variable) *OauthIntegrationForCustomClientsModel { + o.OauthUseSecondaryRoles = value + return o +} + +func (o *OauthIntegrationForCustomClientsModel) WithPreAuthorizedRolesListValue(value tfconfig.Variable) *OauthIntegrationForCustomClientsModel { + o.PreAuthorizedRolesList = value + return o +} diff --git a/pkg/acceptance/bettertestspoc/config/model/oauth_integration_for_partner_applications_model_ext.go b/pkg/acceptance/bettertestspoc/config/model/oauth_integration_for_partner_applications_model_ext.go new file mode 100644 index 0000000000..a19b31b0ad --- /dev/null +++ b/pkg/acceptance/bettertestspoc/config/model/oauth_integration_for_partner_applications_model_ext.go 
@@ -0,0 +1,15 @@ +package model + +import ( + tfconfig "github.com/hashicorp/terraform-plugin-testing/config" +) + +func (t *OauthIntegrationForPartnerApplicationsModel) WithBlockedRolesList(blockedRoles ...string) *OauthIntegrationForPartnerApplicationsModel { + blockedRolesListStringVariables := make([]tfconfig.Variable, len(blockedRoles)) + for i, v := range blockedRoles { + blockedRolesListStringVariables[i] = tfconfig.StringVariable(v) + } + + t.BlockedRolesList = tfconfig.SetVariable(blockedRolesListStringVariables...) + return t +} diff --git a/pkg/acceptance/bettertestspoc/config/model/oauth_integration_for_partner_applications_model_gen.go b/pkg/acceptance/bettertestspoc/config/model/oauth_integration_for_partner_applications_model_gen.go new file mode 100644 index 0000000000..b433aaee4c --- /dev/null +++ b/pkg/acceptance/bettertestspoc/config/model/oauth_integration_for_partner_applications_model_gen.go 
@@ -0,0 +1,163 @@ +// Code generated by config model builder generator; DO NOT EDIT. + +package model + +import ( + tfconfig "github.com/hashicorp/terraform-plugin-testing/config" + + "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/acceptance/bettertestspoc/config" + "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/provider/resources" +) + +type OauthIntegrationForPartnerApplicationsModel struct { + BlockedRolesList tfconfig.Variable `json:"blocked_roles_list,omitempty"` + Comment tfconfig.Variable `json:"comment,omitempty"` + Enabled tfconfig.Variable `json:"enabled,omitempty"` + FullyQualifiedName tfconfig.Variable `json:"fully_qualified_name,omitempty"` + Name tfconfig.Variable `json:"name,omitempty"` + OauthClient tfconfig.Variable `json:"oauth_client,omitempty"` + OauthIssueRefreshTokens tfconfig.Variable `json:"oauth_issue_refresh_tokens,omitempty"` + OauthRedirectUri tfconfig.Variable `json:"oauth_redirect_uri,omitempty"` + OauthRefreshTokenValidity tfconfig.Variable `json:"oauth_refresh_token_validity,omitempty"` + OauthUseSecondaryRoles tfconfig.Variable `json:"oauth_use_secondary_roles,omitempty"` + RelatedParameters tfconfig.Variable `json:"related_parameters,omitempty"` + + *config.ResourceModelMeta +} + +///////////////////////////////////////////////// +// Basic builders (resource name and required) // +///////////////////////////////////////////////// + +func OauthIntegrationForPartnerApplications( + resourceName string, + name string, + oauthClient string, +) *OauthIntegrationForPartnerApplicationsModel { + o := &OauthIntegrationForPartnerApplicationsModel{ResourceModelMeta: config.Meta(resourceName, resources.OauthIntegrationForPartnerApplications)} + o.WithName(name) + o.WithOauthClient(oauthClient) + return o +} + +func OauthIntegrationForPartnerApplicationsWithDefaultMeta( + name string, + oauthClient string, +) *OauthIntegrationForPartnerApplicationsModel { + o := 
&OauthIntegrationForPartnerApplicationsModel{ResourceModelMeta: config.DefaultMeta(resources.OauthIntegrationForPartnerApplications)} + o.WithName(name) + o.WithOauthClient(oauthClient) + return o +} + +///////////////////////////////// +// below all the proper values // +///////////////////////////////// + +// blocked_roles_list attribute type is not yet supported, so WithBlockedRolesList can't be generated + +func (o *OauthIntegrationForPartnerApplicationsModel) WithComment(comment string) *OauthIntegrationForPartnerApplicationsModel { + o.Comment = tfconfig.StringVariable(comment) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsModel) WithEnabled(enabled string) *OauthIntegrationForPartnerApplicationsModel { + o.Enabled = tfconfig.StringVariable(enabled) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsModel) WithFullyQualifiedName(fullyQualifiedName string) *OauthIntegrationForPartnerApplicationsModel { + o.FullyQualifiedName = tfconfig.StringVariable(fullyQualifiedName) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsModel) WithName(name string) *OauthIntegrationForPartnerApplicationsModel { + o.Name = tfconfig.StringVariable(name) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsModel) WithOauthClient(oauthClient string) *OauthIntegrationForPartnerApplicationsModel { + o.OauthClient = tfconfig.StringVariable(oauthClient) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsModel) WithOauthIssueRefreshTokens(oauthIssueRefreshTokens string) *OauthIntegrationForPartnerApplicationsModel { + o.OauthIssueRefreshTokens = tfconfig.StringVariable(oauthIssueRefreshTokens) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsModel) WithOauthRedirectUri(oauthRedirectUri string) *OauthIntegrationForPartnerApplicationsModel { + o.OauthRedirectUri = tfconfig.StringVariable(oauthRedirectUri) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsModel) 
WithOauthRefreshTokenValidity(oauthRefreshTokenValidity int) *OauthIntegrationForPartnerApplicationsModel { + o.OauthRefreshTokenValidity = tfconfig.IntegerVariable(oauthRefreshTokenValidity) + return o +} + +func (o *OauthIntegrationForPartnerApplicationsModel) WithOauthUseSecondaryRoles(oauthUseSecondaryRoles string) *OauthIntegrationForPartnerApplicationsModel { + o.OauthUseSecondaryRoles = tfconfig.StringVariable(oauthUseSecondaryRoles) + return o +} + +// related_parameters attribute type is not yet supported, so WithRelatedParameters can't be generated + +////////////////////////////////////////// +// below it's possible to set any value // +////////////////////////////////////////// + +func (o *OauthIntegrationForPartnerApplicationsModel) WithBlockedRolesListValue(value tfconfig.Variable) *OauthIntegrationForPartnerApplicationsModel { + o.BlockedRolesList = value + return o +} + +func (o *OauthIntegrationForPartnerApplicationsModel) WithCommentValue(value tfconfig.Variable) *OauthIntegrationForPartnerApplicationsModel { + o.Comment = value + return o +} + +func (o *OauthIntegrationForPartnerApplicationsModel) WithEnabledValue(value tfconfig.Variable) *OauthIntegrationForPartnerApplicationsModel { + o.Enabled = value + return o +} + +func (o *OauthIntegrationForPartnerApplicationsModel) WithFullyQualifiedNameValue(value tfconfig.Variable) *OauthIntegrationForPartnerApplicationsModel { + o.FullyQualifiedName = value + return o +} + +func (o *OauthIntegrationForPartnerApplicationsModel) WithNameValue(value tfconfig.Variable) *OauthIntegrationForPartnerApplicationsModel { + o.Name = value + return o +} + +func (o *OauthIntegrationForPartnerApplicationsModel) WithOauthClientValue(value tfconfig.Variable) *OauthIntegrationForPartnerApplicationsModel { + o.OauthClient = value + return o +} + +func (o *OauthIntegrationForPartnerApplicationsModel) WithOauthIssueRefreshTokensValue(value tfconfig.Variable) *OauthIntegrationForPartnerApplicationsModel { + 
o.OauthIssueRefreshTokens = value + return o +} + +func (o *OauthIntegrationForPartnerApplicationsModel) WithOauthRedirectUriValue(value tfconfig.Variable) *OauthIntegrationForPartnerApplicationsModel { + o.OauthRedirectUri = value + return o +} + +func (o *OauthIntegrationForPartnerApplicationsModel) WithOauthRefreshTokenValidityValue(value tfconfig.Variable) *OauthIntegrationForPartnerApplicationsModel { + o.OauthRefreshTokenValidity = value + return o +} + +func (o *OauthIntegrationForPartnerApplicationsModel) WithOauthUseSecondaryRolesValue(value tfconfig.Variable) *OauthIntegrationForPartnerApplicationsModel { + o.OauthUseSecondaryRoles = value + return o +} + +func (o *OauthIntegrationForPartnerApplicationsModel) WithRelatedParametersValue(value tfconfig.Variable) *OauthIntegrationForPartnerApplicationsModel { + o.RelatedParameters = value + return o +} diff --git a/pkg/resources/external_oauth_integration.go b/pkg/resources/external_oauth_integration.go index 785efca961..5f1caccd13 100644 --- a/pkg/resources/external_oauth_integration.go +++ b/pkg/resources/external_oauth_integration.go 
@@ -93,10 +93,14 @@ var externalOauthIntegrationSchema = map[string]*schema.Schema{
 ConflictsWith: []string{"external_oauth_allowed_roles_list"},
 },
 "external_oauth_allowed_roles_list": {
- Type: schema.TypeSet,
- Elem: &schema.Schema{Type: schema.TypeString},
- Optional: true,
- Description: relatedResourceDescription("Specifies the list of roles that the client can set as the primary role.", resources.AccountRole),
+ Type: schema.TypeSet,
+ Elem: &schema.Schema{Type: schema.TypeString},
+ Optional: true,
+ Description: relatedResourceDescription("Specifies the list of roles that the client can set as the primary role.", resources.AccountRole),
+ DiffSuppressFunc: SuppressIfAny(
+ // TODO(SNOW-1517937): uncomment
+ // NormalizeAndCompareIdentifiersInSet("external_oauth_allowed_roles_list"),
+ ),
 ConflictsWith: []string{"external_oauth_blocked_roles_list"},
 },
 "external_oauth_audience_list": {
@@ -146,7 +150,7 @@ var externalOauthIntegrationSchema = map[string]*schema.Schema{
 RelatedParametersAttributeName: {
 Type: schema.TypeList,
 Computed: true,
- Description: "Paramteres related to this security integration.",
+ Description: "Parameters related to this security integration.",
 Elem: &schema.Resource{
 Schema: schemas.ShowExternalOauthParametersSchema,
 },
diff --git a/pkg/resources/oauth_integration_for_custom_clients.go b/pkg/resources/oauth_integration_for_custom_clients.go
index 0d3b6e6040..1c9a1d8d07 100644
--- a/pkg/resources/oauth_integration_for_custom_clients.go
+++ b/pkg/resources/oauth_integration_for_custom_clients.go
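Review bot: `DiffSuppressFunc: SuppressIfAny(...)` on `external_oauth_allowed_roles_list` is wired with nothing but a commented-out entry, so it installs an empty suppressor that does no work while reading as if identifier normalization were already in place. Until SNOW-1517937 is resolved it would be clearer to keep only the TODO comment and leave the `DiffSuppressFunc` key out, or to state the placeholder explicitly, e.g. `// TODO(SNOW-1517937): intentionally a no-op until NormalizeAndCompareIdentifiersInSet can be enabled`. Whether `SuppressIfAny` accepts zero functions is not visible in this hunk.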
@@ -89,9 +89,14 @@ var oauthIntegrationForCustomClientsSchema = map[string]*schema.Schema{
 Type: schema.TypeString,
 ValidateDiagFunc: IsValidIdentifier[sdk.AccountObjectIdentifier](),
 },
- // TODO(SNOW-1517937): Check if can make optional
- Required: true,
- Description: relatedResourceDescription("A set of Snowflake roles that a user cannot explicitly consent to using after authenticating.", resources.AccountRole),
+ Optional: true,
+ Description: relatedResourceDescription(withPrivilegedRolesDescription("A set of Snowflake roles that a user cannot explicitly consent to using after authenticating.", string(sdk.AccountParameterOAuthAddPrivilegedRolesToBlockedList)), resources.AccountRole),
+ DiffSuppressFunc: SuppressIfAny(
+ IgnoreChangeToCurrentSnowflakeListValueInDescribe("blocked_roles_list"),
+ IgnoreValuesFromSetIfParamSet("blocked_roles_list", string(sdk.AccountParameterOAuthAddPrivilegedRolesToBlockedList), privilegedRoles),
+ // TODO(SNOW-1517937): uncomment
+ // NormalizeAndCompareIdentifiersInSet("blocked_roles_list"),
+ ),
 },
 "oauth_issue_refresh_tokens": {
 Type: schema.TypeString,
@@ -148,6 +153,14 @@ var oauthIntegrationForCustomClientsSchema = map[string]*schema.Schema{
 Schema: schemas.DescribeOauthIntegrationForCustomClients,
 },
 },
+ RelatedParametersAttributeName: {
+ Type: schema.TypeList,
+ Computed: true,
+ Description: "Parameters related to this security integration.",
+ Elem: &schema.Resource{
+ Schema: schemas.ShowOauthForCustomClientsParametersSchema,
+ },
+ },
 FullyQualifiedNameAttributeName: schemas.FullyQualifiedNameSchema,
 }
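Review bot: Switching `blocked_roles_list` from `Required` to `Optional` changes the security default of the resource: a configuration that omits the attribute now leaves the integration's blocked list empty unless the account parameter behind `sdk.AccountParameterOAuthAddPrivilegedRolesToBlockedList` is enabled, which the last step of the new acceptance test confirms (`describe_output.0.blocked_roles_list.0.value` is `""`). The attribute description should state that explicitly, so users upgrading from the required field do not silently drop the ACCOUNTADMIN/SECURITYADMIN entries they previously had to list; whether `withPrivilegedRolesDescription` already says this is not visible here. A MIGRATION_GUIDE.md entry is in the diffstat, so a short pointer to it from the description would suffice. The same change appears in the partner-applications schema further down.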
@@ -256,6 +269,15 @@ func ImportOauthForCustomClientsIntegration(ctx context.Context, d *schema.Resou
 }
 }
+ if prop, err := collections.FindFirst(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool {
+ return property.Name == "BLOCKED_ROLES_LIST"
+ }); err == nil {
+ roles := sdk.ParseCommaSeparatedStringArray(prop.Value, false)
+ if err = d.Set("blocked_roles_list", roles); err != nil {
+ return nil, err
+ }
+ }
+
 return []*schema.ResourceData{d}, nil
 }
@@ -432,20 +454,6 @@ func ReadContextOauthIntegrationForCustomClients(withExternalChangesMarking bool
 return diag.FromErr(err)
 }
- blockedRolesList, err := collections.FindFirst(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool {
- return property.Name == "BLOCKED_ROLES_LIST"
- })
- if err != nil {
- return diag.FromErr(fmt.Errorf("failed to find pre authorized roles list, err = %w", err))
- }
- var blockedRoles []string
- if len(blockedRolesList.Value) > 0 {
- blockedRoles = strings.Split(blockedRolesList.Value, ",")
- }
- if err := d.Set("blocked_roles_list", blockedRoles); err != nil {
- return diag.FromErr(err)
- }
-
 networkPolicy, err := collections.FindFirst(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool {
 return property.Name == "NETWORK_POLICY"
 })
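Review bot: In the import path the `collections.FindFirst` lookup for `BLOCKED_ROLES_LIST` is guarded with `err == nil`, so a missing property leaves `blocked_roles_list` silently unset, whereas the read path in the next hunk returns `diag.FromErr(err)` for the very same lookup. Whether Snowflake can omit this property from describe output is not visible here, but the two paths should agree: either import returns the error too, or a comment explains why it is tolerated, e.g. `// BLOCKED_ROLES_LIST may be absent in describe output; leave the attribute unset rather than failing import.` The same pattern is in `ImportOauthForPartnerApplicationIntegration` further down. Both import functions start outside their hunks.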
@@ -498,12 +506,20 @@ func ReadContextOauthIntegrationForCustomClients(withExternalChangesMarking bool
 return diag.FromErr(err)
 }
+ blockedRolesList, err := collections.FindFirst(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool {
+ return property.Name == "BLOCKED_ROLES_LIST"
+ })
+ if err != nil {
+ return diag.FromErr(err)
+ }
+
 if err = handleExternalChangesToObjectInDescribe(d,
 describeMapping{"oauth_allow_non_tls_redirect_uri", "oauth_allow_non_tls_redirect_uri", oauthAllowNonTlsRedirectUri.Value, oauthAllowNonTlsRedirectUri.Value, nil},
 describeMapping{"oauth_enforce_pkce", "oauth_enforce_pkce", oauthEnforcePkce.Value, oauthEnforcePkce.Value, nil},
 describeMapping{"oauth_use_secondary_roles", "oauth_use_secondary_roles", oauthUseSecondaryRoles.Value, oauthUseSecondaryRoles.Value, nil},
 describeMapping{"oauth_issue_refresh_tokens", "oauth_issue_refresh_tokens", oauthIssueRefreshTokens.Value, oauthIssueRefreshTokens.Value, nil},
 describeMapping{"oauth_refresh_token_validity", "oauth_refresh_token_validity", oauthRefreshTokenValidity.Value, oauthRefreshTokenValidity.Value, nil},
+ describeMapping{"blocked_roles_list", "blocked_roles_list", blockedRolesList.Value, sdk.ParseCommaSeparatedStringArray(blockedRolesList.Value, false), nil},
 ); err != nil {
 return diag.FromErr(err)
 }
@@ -516,6 +532,7 @@ func ReadContextOauthIntegrationForCustomClients(withExternalChangesMarking bool
 "oauth_use_secondary_roles",
 "oauth_issue_refresh_tokens",
 "oauth_refresh_token_validity",
+ "blocked_roles_list",
 }); err != nil {
 return diag.FromErr(err)
 }
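Review bot: The new `FindFirst` failure for `BLOCKED_ROLES_LIST` is returned as a bare `diag.FromErr(err)`, which drops the property name from what the user sees; the removed code at least wrapped it, even if with a copy-pasted "pre authorized roles list" message. Suggest `return diag.FromErr(fmt.Errorf("finding BLOCKED_ROLES_LIST in describe output: %w", err))`, assuming `fmt` is still imported in this file after the old block was removed. The same applies to the partner-applications read further down, where `fmt` is visibly still imported. `ReadContextOauthIntegrationForCustomClients` starts and ends outside the hunk.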
@@ -527,6 +544,13 @@ func ReadContextOauthIntegrationForCustomClients(withExternalChangesMarking bool
 if err = d.Set(DescribeOutputAttributeName, []map[string]any{schemas.DescribeOauthIntegrationForCustomClientsToSchema(integrationProperties)}); err != nil {
 return diag.FromErr(err)
 }
+ param, err := client.Parameters.ShowAccountParameter(ctx, sdk.AccountParameterOAuthAddPrivilegedRolesToBlockedList)
+ if err != nil {
+ return diag.FromErr(err)
+ }
+ if err = d.Set(RelatedParametersAttributeName, []map[string]any{schemas.OauthForCustomClientsParametersToSchema([]*sdk.Parameter{param})}); err != nil {
+ return diag.FromErr(err)
+ }
 return nil
 }
diff --git a/pkg/resources/oauth_integration_for_custom_clients_acceptance_test.go b/pkg/resources/oauth_integration_for_custom_clients_acceptance_test.go
index be88ceab7c..a6ffa8205b 100644
--- a/pkg/resources/oauth_integration_for_custom_clients_acceptance_test.go
+++ b/pkg/resources/oauth_integration_for_custom_clients_acceptance_test.go
@@ -3,12 +3,16 @@ package resources_test
 import (
 "fmt"
 "regexp"
+ "strings"
 "testing"
 resourcehelpers "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/helpers"
+ "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/internal/snowflakeroles"
 tfjson "github.com/hashicorp/terraform-json"
+ accconfig "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/acceptance/bettertestspoc/config"
+ "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/acceptance/bettertestspoc/config/model"
 "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/acceptance/importchecks"
 "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/acceptance/planchecks"
 resourcenames "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/provider/resources"
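Review bot: The read now fails outright when `client.Parameters.ShowAccountParameter` errors, even though the integration itself has already been read and `describe_output` was set on the lines just above; if that call can fail independently of the describe (a transient error, or a role allowed to describe the integration but not to show account parameters), refresh of an existing resource breaks on an attribute that is purely informational. Consider whether this lookup should be best-effort, or at least wrap the error so the cause is obvious, e.g. `return diag.FromErr(fmt.Errorf("showing account parameter %s: %w", sdk.AccountParameterOAuthAddPrivilegedRolesToBlockedList, err))`. Whether such a privilege split occurs in practice is not visible here. The same block is added to the partner-applications read further down. The enclosing function starts outside the hunk.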
@@ -43,7 +47,6 @@ func TestAcc_OauthIntegrationForCustomClients_Basic(t *testing.T) {
 "name": config.StringVariable(id.Name()),
 "oauth_client_type": config.StringVariable(string(sdk.OauthSecurityIntegrationClientTypeConfidential)),
 "oauth_redirect_uri": config.StringVariable(validUrl),
- "blocked_roles_list": config.SetVariable(config.StringVariable("ACCOUNTADMIN"), config.StringVariable("SECURITYADMIN")),
 }
 if complete {
 c["blocked_roles_list"] = config.SetVariable(config.StringVariable("ACCOUNTADMIN"), config.StringVariable("SECURITYADMIN"), config.StringVariable(blockedRole.ID().Name()))
@@ -85,7 +88,6 @@ func TestAcc_OauthIntegrationForCustomClients_Basic(t *testing.T) {
 resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_enforce_pkce", resources.BooleanDefault),
 resource.TestCheckNoResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_use_secondary_roles"),
 resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "pre_authorized_roles_list.#", "0"),
- resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "blocked_roles_list.#", "2"),
 resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_issue_refresh_tokens", resources.BooleanDefault),
 resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "oauth_refresh_token_validity", "-1"),
 resource.TestCheckResourceAttr("snowflake_oauth_integration_for_custom_clients.test", "network_policy", ""),
@@ -763,3 +765,73 @@ resource "snowflake_oauth_integration_for_custom_clients" "test" {
 }
 `, name)
 }
+
+func TestAcc_OauthIntegrationForCustomClients_WithPrivilegedRolesBlockedList(t *testing.T) {
+ id := acc.TestClient().Ids.RandomAccountObjectIdentifier()
+ // Use an identifier with this prefix to have this role in the end.
+ roleId := acc.TestClient().Ids.RandomAccountObjectIdentifierWithPrefix("Z")
+ role, roleCleanup := acc.TestClient().Role.CreateRoleWithIdentifier(t, roleId)
+ t.Cleanup(roleCleanup)
+ allRoles := []string{snowflakeroles.Accountadmin.Name(), snowflakeroles.SecurityAdmin.Name(), role.ID().Name()}
+ onlyPrivilegedRoles := []string{snowflakeroles.Accountadmin.Name(), snowflakeroles.SecurityAdmin.Name()}
+ customRoles := []string{role.ID().Name()}
+
+ paramCleanup := acc.TestClient().Parameter.UpdateAccountParameterTemporarily(t, sdk.AccountParameterOAuthAddPrivilegedRolesToBlockedList, "true")
+ t.Cleanup(paramCleanup)
+
+ modelWithoutBlockedRole := model.OauthIntegrationForCustomClients("test", id.Name(), string(sdk.OauthSecurityIntegrationClientTypePublic), "https://example.com")
+ modelWithBlockedRole := model.OauthIntegrationForCustomClients("test", id.Name(), string(sdk.OauthSecurityIntegrationClientTypePublic), "https://example.com").
+ WithBlockedRolesList(role.ID().Name())
+
+ resource.Test(t, resource.TestCase{
+ ProtoV6ProviderFactories: acc.TestAccProtoV6ProviderFactories,
+ PreCheck: func() { acc.TestAccPreCheck(t) },
+ TerraformVersionChecks: []tfversion.TerraformVersionCheck{
+ tfversion.RequireAbove(tfversion.Version1_5_0),
+ },
+ Steps: []resource.TestStep{
+ {
+ Config: accconfig.FromModel(t, modelWithBlockedRole),
+ Check: resource.ComposeAggregateTestCheckFunc(
+ resource.TestCheckResourceAttr(modelWithBlockedRole.ResourceReference(), "blocked_roles_list.#", "1"),
+ resource.TestCheckTypeSetElemAttr(modelWithBlockedRole.ResourceReference(), "blocked_roles_list.*", role.ID().Name()),
+ resource.TestCheckResourceAttr(modelWithBlockedRole.ResourceReference(), "name", id.Name()),
+
+ resource.TestCheckResourceAttr(modelWithBlockedRole.ResourceReference(), "describe_output.0.blocked_roles_list.0.value", strings.Join(allRoles, ",")),
+ ),
+ },
+ {
+ Config: accconfig.FromModel(t, modelWithoutBlockedRole),
+ Check: resource.ComposeAggregateTestCheckFunc(
+ resource.TestCheckResourceAttr(modelWithoutBlockedRole.ResourceReference(), "blocked_roles_list.#", "0"),
+ resource.TestCheckResourceAttr(modelWithoutBlockedRole.ResourceReference(), "name", id.Name()),
+
+ resource.TestCheckResourceAttr(modelWithoutBlockedRole.ResourceReference(), "describe_output.0.blocked_roles_list.0.value", strings.Join(onlyPrivilegedRoles, ",")),
+ ),
+ },
+ {
+ PreConfig: func() {
+ // Do not revert, because the revert is setup above.
+ acc.TestClient().Parameter.UpdateAccountParameterTemporarily(t, sdk.AccountParameterOAuthAddPrivilegedRolesToBlockedList, "false")
+ },
+ Config: accconfig.FromModel(t, modelWithBlockedRole),
+ Check: resource.ComposeAggregateTestCheckFunc(
+ resource.TestCheckResourceAttr(modelWithBlockedRole.ResourceReference(), "blocked_roles_list.#", "1"),
+ resource.TestCheckTypeSetElemAttr(modelWithBlockedRole.ResourceReference(), "blocked_roles_list.*", role.ID().Name()),
+ resource.TestCheckResourceAttr(modelWithBlockedRole.ResourceReference(), "name", id.Name()),
+
+ resource.TestCheckResourceAttr(modelWithBlockedRole.ResourceReference(), "describe_output.0.blocked_roles_list.0.value", strings.Join(customRoles, ",")),
+ ),
+ },
+ {
+ Config: accconfig.FromModel(t, modelWithoutBlockedRole),
+ Check: resource.ComposeAggregateTestCheckFunc(
+ resource.TestCheckResourceAttr(modelWithoutBlockedRole.ResourceReference(), "blocked_roles_list.#", "0"),
+ resource.TestCheckResourceAttr(modelWithoutBlockedRole.ResourceReference(), "name", id.Name()),
+
+ resource.TestCheckResourceAttr(modelWithoutBlockedRole.ResourceReference(), "describe_output.0.blocked_roles_list.0.value", ""),
+ ),
+ },
+ },
+ })
+}
diff --git a/pkg/resources/oauth_integration_for_partner_applications.go b/pkg/resources/oauth_integration_for_partner_applications.go
index 7781c1973f..0074b3a3f5 100644
--- a/pkg/resources/oauth_integration_for_partner_applications.go
+++ b/pkg/resources/oauth_integration_for_partner_applications.go
@@ -6,7 +6,6 @@ import (
 "fmt"
 "reflect"
 "strconv"
- "strings"
 "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/provider/resources"
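Review bot: In the third step's `PreConfig` the cleanup function returned by `UpdateAccountParameterTemporarily` is discarded; the comment explains the intent, but an explicit blank assignment makes it clear to both readers and linters that dropping it is deliberate: `_ = acc.TestClient().Parameter.UpdateAccountParameterTemporarily(t, sdk.AccountParameterOAuthAddPrivilegedRolesToBlockedList, "false")`. The `describe_output.0.blocked_roles_list.0.value` assertions compare a comma-joined string, so they depend on Snowflake returning the list in the order the `"Z"` prefix comment anticipates; a one-line note next to `allRoles` saying the order is asserted verbatim would save the next person a failed run, e.g. `// Order matters: describe output is compared as a joined string below.` The test also hard-codes `"https://example.com"` where the sibling test uses `validUrl`, which is fine but worth aligning.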
@@ -81,10 +80,14 @@ var oauthIntegrationForPartnerApplicationsSchema = map[string]*schema.Schema{
 Type: schema.TypeString,
 ValidateDiagFunc: IsValidIdentifier[sdk.AccountObjectIdentifier](),
 },
- // TODO(SNOW-1517937): Check if can make optional
- Required: true,
- Description: relatedResourceDescription("A set of Snowflake roles that a user cannot explicitly consent to using after authenticating.", resources.AccountRole),
- DiffSuppressFunc: IgnoreChangeToCurrentSnowflakeListValueInDescribe("blocked_roles_list"),
+ Optional: true,
+ Description: relatedResourceDescription(withPrivilegedRolesDescription("A set of Snowflake roles that a user cannot explicitly consent to using after authenticating.", string(sdk.AccountParameterOAuthAddPrivilegedRolesToBlockedList)), resources.AccountRole),
+ DiffSuppressFunc: SuppressIfAny(
+ IgnoreChangeToCurrentSnowflakeListValueInDescribe("blocked_roles_list"),
+ IgnoreValuesFromSetIfParamSet("blocked_roles_list", string(sdk.AccountParameterOAuthAddPrivilegedRolesToBlockedList), privilegedRoles),
+ // TODO(SNOW-1517937): uncomment
+ // NormalizeAndCompareIdentifiersInSet("blocked_roles_list"),
+ ),
 },
 "comment": {
 Type: schema.TypeString,
@@ -108,6 +111,14 @@ var oauthIntegrationForPartnerApplicationsSchema = map[string]*schema.Schema{
 Schema: schemas.DescribeOauthIntegrationForPartnerApplications,
 },
 },
+ RelatedParametersAttributeName: {
+ Type: schema.TypeList,
+ Computed: true,
+ Description: "Parameters related to this security integration.",
+ Elem: &schema.Resource{
+ Schema: schemas.ShowOauthForPartnerApplicationsParametersSchema,
+ },
+ },
 FullyQualifiedNameAttributeName: schemas.FullyQualifiedNameSchema,
 }
@@ -205,6 +216,15 @@ func ImportOauthForPartnerApplicationIntegration(ctx context.Context, d *schema. } } + if prop, err := collections.FindFirst(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool { + return property.Name == "BLOCKED_ROLES_LIST" + }); err == nil { + roles := sdk.ParseCommaSeparatedStringArray(prop.Value, false) + if err = d.Set("blocked_roles_list", roles); err != nil { + return nil, err + } + } + return []*schema.ResourceData{d}, nil } @@ -322,20 +342,6 @@ func ReadContextOauthIntegrationForPartnerApplications(withExternalChangesMarkin return diag.FromErr(err) } - blockedRolesList, err := collections.FindFirst(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool { - return property.Name == "BLOCKED_ROLES_LIST" - }) - if err != nil { - return diag.FromErr(fmt.Errorf("failed to find pre authorized roles list, err = %w", err)) - } - var blockedRoles []string - if len(blockedRolesList.Value) > 0 { - blockedRoles = strings.Split(blockedRolesList.Value, ",") - } - if err := d.Set("blocked_roles_list", blockedRoles); err != nil { - return diag.FromErr(err) - } - if withExternalChangesMarking { if err = handleExternalChangesToObjectInShow(d, outputMapping{"enabled", "enabled", integration.Enabled, booleanStringFromBool(integration.Enabled), nil}, 
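Review bot: The new import block silently skips `blocked_roles_list` when `collections.FindFirst` does not find `BLOCKED_ROLES_LIST`, because the `err == nil` guard swallows the not-found error, whereas the read path in this same commit returns that error as a diagnostic; after an import the attribute would then be missing from state and, if the configuration sets it, the first plan would likely show a spurious addition. Treat absence the same way in both places, `if err != nil { return nil, fmt.Errorf("finding BLOCKED_ROLES_LIST in describe output: %w", err) }`, or leave a comment saying why a missing property is acceptable on import only. Reusing the `err` declared in the `if` initializer for the `d.Set` call is correct but easy to misread as updating an outer `err`; a separate `if err := d.Set(...); err != nil` would be clearer. ImportOauthForPartnerApplicationIntegration starts outside the hunk.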
@@ -368,10 +374,18 @@ func ReadContextOauthIntegrationForPartnerApplications(withExternalChangesMarkin return diag.FromErr(err) } + blockedRolesList, err := collections.FindFirst(integrationProperties, func(property sdk.SecurityIntegrationProperty) bool { + return property.Name == "BLOCKED_ROLES_LIST" + }) + if err != nil { + return diag.FromErr(err) + } + if err = handleExternalChangesToObjectInDescribe(d, describeMapping{"oauth_issue_refresh_tokens", "oauth_issue_refresh_tokens", oauthIssueRefreshTokens.Value, oauthIssueRefreshTokens.Value, nil}, describeMapping{"oauth_refresh_token_validity", "oauth_refresh_token_validity", oauthRefreshTokenValidity.Value, oauthRefreshTokenValidityValue, nil}, describeMapping{"oauth_use_secondary_roles", "oauth_use_secondary_roles", oauthUseSecondaryRoles.Value, oauthUseSecondaryRoles.Value, nil}, + describeMapping{"blocked_roles_list", "blocked_roles_list", blockedRolesList.Value, sdk.ParseCommaSeparatedStringArray(blockedRolesList.Value, false), nil}, ); err != nil { return diag.FromErr(err) } @@ -382,6 +396,7 @@ func ReadContextOauthIntegrationForPartnerApplications(withExternalChangesMarkin "oauth_issue_refresh_tokens", "oauth_refresh_token_validity", "oauth_use_secondary_roles", + "blocked_roles_list", }); err != nil { return diag.FromErr(err) } @@ -393,7 +408,13 @@ func ReadContextOauthIntegrationForPartnerApplications(withExternalChangesMarkin if err = d.Set(DescribeOutputAttributeName, []map[string]any{schemas.DescribeOauthIntegrationForPartnerApplicationsToSchema(integrationProperties)}); err != nil { return diag.FromErr(err) } - + param, err := client.Parameters.ShowAccountParameter(ctx, sdk.AccountParameterOAuthAddPrivilegedRolesToBlockedList) + if err != nil { + return diag.FromErr(err) + } + if err = d.Set(RelatedParametersAttributeName, []map[string]any{schemas.OauthForPartnerApplicationsParametersToSchema([]*sdk.Parameter{param})}); err != nil { + return diag.FromErr(err) + } return nil } } 
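Review bot: The `blockedRolesList` lookup added ahead of `handleExternalChangesToObjectInDescribe` returns the bare not-found error via `diag.FromErr(err)`, which drops the property name from the diagnostic; the code removed in the previous hunk wrapped it (with a wrong message), so this is the place to restore accurate context: `return diag.FromErr(fmt.Errorf("finding BLOCKED_ROLES_LIST in describe output: %w", err))`. The `describeMapping` passes `sdk.ParseCommaSeparatedStringArray(blockedRolesList.Value, false)` as the normalized value, and the meaning of the `false` argument is not visible here; a short comment naming it (presumably whether quotes are trimmed — confirm) would help, since identifier normalization is exactly what the schema TODO defers. In the last hunk the blank line between the `DescribeOutputAttributeName` block and the new `ShowAccountParameter` call was removed, which reads as an accidental edit. ReadContextOauthIntegrationForPartnerApplications starts outside the hunk.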
diff --git a/pkg/resources/oauth_integration_for_partner_applications_acceptance_test.go b/pkg/resources/oauth_integration_for_partner_applications_acceptance_test.go index 0eccde347c..975b47b7b7 100644 --- a/pkg/resources/oauth_integration_for_partner_applications_acceptance_test.go +++ b/pkg/resources/oauth_integration_for_partner_applications_acceptance_test.go @@ -3,10 +3,14 @@ package resources_test import ( "fmt" "regexp" + "strings" "testing" resourcehelpers "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/helpers" + "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/internal/snowflakeroles" + accconfig "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/acceptance/bettertestspoc/config" + "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/acceptance/bettertestspoc/config/model" "github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/acceptance/planchecks" tfjson "github.com/hashicorp/terraform-json" @@ -32,11 +36,11 @@ func TestAcc_OauthIntegrationForPartnerApplications_Basic(t *testing.T) { values := config.Variables{ "name": config.StringVariable(id.Name()), "oauth_client": config.StringVariable(string(sdk.OauthSecurityIntegrationClientLooker)), - "blocked_roles_list": config.SetVariable(config.StringVariable("ACCOUNTADMIN"), config.StringVariable("SECURITYADMIN")), "oauth_redirect_uri": config.StringVariable(validUrl), } if complete { values["enabled"] = config.BoolVariable(true) + values["blocked_roles_list"] = config.SetVariable(config.StringVariable("ACCOUNTADMIN"), config.StringVariable("SECURITYADMIN")) values["oauth_issue_refresh_tokens"] = config.BoolVariable(false) values["oauth_refresh_token_validity"] = config.IntegerVariable(86400) values["oauth_use_secondary_roles"] = config.StringVariable(string(sdk.OauthSecurityIntegrationUseSecondaryRolesImplicit)) 
@@ -65,7 +69,7 @@ func TestAcc_OauthIntegrationForPartnerApplications_Basic(t *testing.T) { resource.TestCheckResourceAttr("snowflake_oauth_integration_for_partner_applications.test", "oauth_issue_refresh_tokens", "default"), resource.TestCheckResourceAttr("snowflake_oauth_integration_for_partner_applications.test", "oauth_refresh_token_validity", "-1"), resource.TestCheckNoResourceAttr("snowflake_oauth_integration_for_partner_applications.test", "oauth_use_secondary_roles"), - resource.TestCheckResourceAttr("snowflake_oauth_integration_for_partner_applications.test", "blocked_roles_list.#", "2"), + resource.TestCheckNoResourceAttr("snowflake_oauth_integration_for_partner_applications.test", "blocked_roles_list"), resource.TestCheckResourceAttr("snowflake_oauth_integration_for_partner_applications.test", "comment", ""), resource.TestCheckResourceAttr("snowflake_oauth_integration_for_partner_applications.test", "show_output.#", "1"), 
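Review bot: The basic test now asserts the empty blocked list with `resource.TestCheckNoResourceAttr(..., "blocked_roles_list")` while the new `_WithPrivilegedRolesBlockedList` test asserts the same state with `blocked_roles_list.#` equal to `"0"`; the two should use one form so a change in how the empty set is stored fails both or neither. `TestCheckNoResourceAttr` appears to accept an empty container as absent, so this probably passes, but `resource.TestCheckResourceAttr("snowflake_oauth_integration_for_partner_applications.test", "blocked_roles_list.#", "0"),` states the intent directly and matches the other test. The enclosing test function starts outside the hunk.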
@@ -768,3 +772,73 @@ resource "snowflake_oauth_integration_for_partner_applications" "test" { } `, name) } + +func TestAcc_OauthIntegrationForPartnerApplications_WithPrivilegedRolesBlockedList(t *testing.T) { + id := acc.TestClient().Ids.RandomAccountObjectIdentifier() + // Use an identifier with this prefix to have this role in the end. + roleId := acc.TestClient().Ids.RandomAccountObjectIdentifierWithPrefix("Z") + role, roleCleanup := acc.TestClient().Role.CreateRoleWithIdentifier(t, roleId) + t.Cleanup(roleCleanup) + allRoles := []string{snowflakeroles.Accountadmin.Name(), snowflakeroles.SecurityAdmin.Name(), role.ID().Name()} + onlyPrivilegedRoles := []string{snowflakeroles.Accountadmin.Name(), snowflakeroles.SecurityAdmin.Name()} + customRoles := []string{role.ID().Name()} + + paramCleanup := acc.TestClient().Parameter.UpdateAccountParameterTemporarily(t, sdk.AccountParameterOAuthAddPrivilegedRolesToBlockedList, "true") + t.Cleanup(paramCleanup) + + modelWithoutBlockedRole := model.OauthIntegrationForPartnerApplications("test", id.Name(), string(sdk.OauthSecurityIntegrationClientTableauDesktop)) + modelWithBlockedRole := model.OauthIntegrationForPartnerApplications("test", id.Name(), string(sdk.OauthSecurityIntegrationClientTableauDesktop)). 
+ WithBlockedRolesList(role.ID().Name()) + + resource.Test(t, resource.TestCase{ + ProtoV6ProviderFactories: acc.TestAccProtoV6ProviderFactories, + PreCheck: func() { acc.TestAccPreCheck(t) }, + TerraformVersionChecks: []tfversion.TerraformVersionCheck{ + tfversion.RequireAbove(tfversion.Version1_5_0), + }, + Steps: []resource.TestStep{ + { + Config: accconfig.FromModel(t, modelWithBlockedRole), + Check: resource.ComposeAggregateTestCheckFunc( + resource.TestCheckResourceAttr(modelWithBlockedRole.ResourceReference(), "blocked_roles_list.#", "1"), + resource.TestCheckTypeSetElemAttr(modelWithBlockedRole.ResourceReference(), "blocked_roles_list.*", role.ID().Name()), + resource.TestCheckResourceAttr(modelWithBlockedRole.ResourceReference(), "name", id.Name()), + + resource.TestCheckResourceAttr(modelWithBlockedRole.ResourceReference(), "describe_output.0.blocked_roles_list.0.value", strings.Join(allRoles, ",")), + ), + }, + { + Config: accconfig.FromModel(t, modelWithoutBlockedRole), + Check: resource.ComposeAggregateTestCheckFunc( + resource.TestCheckResourceAttr(modelWithoutBlockedRole.ResourceReference(), "blocked_roles_list.#", "0"), + resource.TestCheckResourceAttr(modelWithoutBlockedRole.ResourceReference(), "name", id.Name()), + + resource.TestCheckResourceAttr(modelWithoutBlockedRole.ResourceReference(), "describe_output.0.blocked_roles_list.0.value", strings.Join(onlyPrivilegedRoles, ",")), + ), + }, + { + PreConfig: func() { + // Do not revert, because the revert is setup above. 
+ acc.TestClient().Parameter.UpdateAccountParameterTemporarily(t, sdk.AccountParameterOAuthAddPrivilegedRolesToBlockedList, "false") + }, + Config: accconfig.FromModel(t, modelWithBlockedRole), + Check: resource.ComposeAggregateTestCheckFunc( + resource.TestCheckResourceAttr(modelWithBlockedRole.ResourceReference(), "blocked_roles_list.#", "1"), + resource.TestCheckTypeSetElemAttr(modelWithBlockedRole.ResourceReference(), "blocked_roles_list.*", role.ID().Name()), + resource.TestCheckResourceAttr(modelWithBlockedRole.ResourceReference(), "name", id.Name()), + + resource.TestCheckResourceAttr(modelWithBlockedRole.ResourceReference(), "describe_output.0.blocked_roles_list.0.value", strings.Join(customRoles, ",")), + ), + }, + { + Config: accconfig.FromModel(t, modelWithoutBlockedRole), + Check: resource.ComposeAggregateTestCheckFunc( + resource.TestCheckResourceAttr(modelWithoutBlockedRole.ResourceReference(), "blocked_roles_list.#", "0"), + resource.TestCheckResourceAttr(modelWithoutBlockedRole.ResourceReference(), "name", id.Name()), + + resource.TestCheckResourceAttr(modelWithoutBlockedRole.ResourceReference(), "describe_output.0.blocked_roles_list.0.value", ""), + ), + }, + }, + }) +} diff --git a/pkg/resources/show_and_describe_handlers.go b/pkg/resources/show_and_describe_handlers.go index fbbf8e49ca..0fe72372b6 100644 --- a/pkg/resources/show_and_describe_handlers.go +++ b/pkg/resources/show_and_describe_handlers.go @@ -54,7 +54,7 @@ type outputMapping struct { normalizeFunc func(any) any } -// handleExternalChangesToObjectInDescribe assumes that show output is kept in DescribeOutputAttributeName attribute +// handleExternalChangesToObjectInDescribe assumes that describe output is kept in DescribeOutputAttributeName attribute func handleExternalChangesToObjectInDescribe(d *schema.ResourceData, mappings ...describeMapping) error { if describeOutput, ok := d.GetOk(DescribeOutputAttributeName); ok { describeOutputList := describeOutput.([]any) 
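Review bot: The test toggles the account parameter across four steps but never asserts on the resource's new related-parameters attribute, so a regression in the `ShowAccountParameter` wiring added to Read would go unnoticed here; a check of the shape `resource.TestCheckResourceAttr(modelWithBlockedRole.ResourceReference(), "<related parameters attribute>.0.oauth_add_privileged_roles_to_blocked_list.0.value", "true")` in the first step would pin it (the attribute name is a placeholder for what `RelatedParametersAttributeName` resolves to, the nested key follows from the `strings.ToLower` in the schema assuming the parameter's string value is OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST, and the `value` key is assumed from `ParameterToSchema` — confirm all three). The third step's `PreConfig` discards whatever `UpdateAccountParameterTemporarily` returns; the comment explains that the earlier cleanup reverts the parameter, but an explicit `_ =` makes that intent visible to readers and linters. The `strings.Join(allRoles, ",")` assertions presume Snowflake returns the list in an order that puts the `Z`-prefixed role last, which the prefix comment acknowledges but which is worth stating at the assertion as well.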
diff --git a/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/basic/test.tf b/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/basic/test.tf
index 83e0ae30b7..9f6b0f3d0d 100644
--- a/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/basic/test.tf
+++ b/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/basic/test.tf
@@ -2,5 +2,4 @@ resource "snowflake_oauth_integration_for_custom_clients" "test" {
 name = var.name
 oauth_client_type = var.oauth_client_type
 oauth_redirect_uri = var.oauth_redirect_uri
- blocked_roles_list = var.blocked_roles_list
 }
diff --git a/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/basic/variables.tf b/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/basic/variables.tf
index eacd431fd3..202efb149e 100644
--- a/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/basic/variables.tf
+++ b/pkg/resources/testdata/TestAcc_OauthIntegrationForCustomClients/basic/variables.tf
@@ -7,6 +7,3 @@ variable "oauth_client_type" {
 variable "oauth_redirect_uri" {
 type = string
 }
-variable "blocked_roles_list" {
- type = set(string)
-}
diff --git a/pkg/resources/testdata/TestAcc_OauthIntegrationForPartnerApplications/basic/test.tf b/pkg/resources/testdata/TestAcc_OauthIntegrationForPartnerApplications/basic/test.tf
index 5bef8bad73..15fe8b9e9b 100644
--- a/pkg/resources/testdata/TestAcc_OauthIntegrationForPartnerApplications/basic/test.tf
+++ b/pkg/resources/testdata/TestAcc_OauthIntegrationForPartnerApplications/basic/test.tf
@@ -2,5 +2,4 @@ resource "snowflake_oauth_integration_for_partner_applications" "test" {
 name = var.name
 oauth_client = var.oauth_client
 oauth_redirect_uri = var.oauth_redirect_uri
- blocked_roles_list = var.blocked_roles_list
 }
diff --git a/pkg/resources/testdata/TestAcc_OauthIntegrationForPartnerApplications/basic/variables.tf b/pkg/resources/testdata/TestAcc_OauthIntegrationForPartnerApplications/basic/variables.tf
index e475d52432..7da5c54ce2 100644
--- a/pkg/resources/testdata/TestAcc_OauthIntegrationForPartnerApplications/basic/variables.tf
+++ b/pkg/resources/testdata/TestAcc_OauthIntegrationForPartnerApplications/basic/variables.tf
@@ -7,6 +7,3 @@ variable "oauth_client" {
 variable "oauth_redirect_uri" {
 type = string
 }
-variable "blocked_roles_list" {
- type = set(string)
-}
diff --git a/pkg/schemas/oauth_integration_for_custom_clients.go b/pkg/schemas/oauth_integration_for_custom_clients.go
index c517f9b03b..890ad6104a 100644
--- a/pkg/schemas/oauth_integration_for_custom_clients.go
+++ b/pkg/schemas/oauth_integration_for_custom_clients.go
@@ -65,3 +65,17 @@ func DescribeOauthIntegrationForCustomClientsToSchema(integrationProperties []sd
 }
 return propsSchema
 }
+
+var ShowOauthForCustomClientsParametersSchema = map[string]*schema.Schema{
+ strings.ToLower(string(sdk.AccountParameterOAuthAddPrivilegedRolesToBlockedList)): ParameterListSchema,
+}
+
+func OauthForCustomClientsParametersToSchema(parameters []*sdk.Parameter) map[string]any {
+ schemaMap := make(map[string]any)
+ for _, param := range parameters {
+ if slices.Contains([]sdk.AccountParameter{sdk.AccountParameterOAuthAddPrivilegedRolesToBlockedList}, sdk.AccountParameter(param.Key)) {
+ schemaMap[strings.ToLower(param.Key)] = []map[string]any{ParameterToSchema(param)}
+ }
+ }
+ return schemaMap
+}
diff --git a/pkg/schemas/oauth_security_integration_for_partner_applications.go b/pkg/schemas/oauth_security_integration_for_partner_applications.go
index 61bb3d2efc..7721e24ec0 100644
--- a/pkg/schemas/oauth_security_integration_for_partner_applications.go
+++ b/pkg/schemas/oauth_security_integration_for_partner_applications.go
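Review bot: `slices.Contains([]sdk.AccountParameter{sdk.AccountParameterOAuthAddPrivilegedRolesToBlockedList}, sdk.AccountParameter(param.Key))` builds a one-element slice on every iteration to express an equality test; `if sdk.AccountParameter(param.Key) == sdk.AccountParameterOAuthAddPrivilegedRolesToBlockedList {` says the same thing directly, and the slice form can return when more parameters are exposed. The same variable and function are duplicated verbatim in the `pkg/schemas/oauth_security_integration_for_partner_applications.go` hunk that follows; one shared helper taking the allowed parameter list as an argument would keep the two integrations from drifting. Both exported names lack doc comments, e.g. `// OauthForCustomClientsParametersToSchema maps the account parameters relevant to this integration (currently only the privileged-roles blocked-list parameter) to their schema form; unrelated parameters are dropped.` The hunk adds no imports, so `strings` and `slices` are presumably already imported in this file; the diffstat's 14 added lines agree with that.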
@@ -65,3 +65,17 @@ func DescribeOauthIntegrationForPartnerApplicationsToSchema(integrationPropertie
 }
 return securityIntegrationProperties
 }
+
+var ShowOauthForPartnerApplicationsParametersSchema = map[string]*schema.Schema{
+ strings.ToLower(string(sdk.AccountParameterOAuthAddPrivilegedRolesToBlockedList)): ParameterListSchema,
+}
+
+func OauthForPartnerApplicationsParametersToSchema(parameters []*sdk.Parameter) map[string]any {
+ schemaMap := make(map[string]any)
+ for _, param := range parameters {
+ if slices.Contains([]sdk.AccountParameter{sdk.AccountParameterOAuthAddPrivilegedRolesToBlockedList}, sdk.AccountParameter(param.Key)) {
+ schemaMap[strings.ToLower(param.Key)] = []map[string]any{ParameterToSchema(param)}
+ }
+ }
+ return schemaMap
+}