feat: Add OAUTH integration for custom clients

docs/index.md

@@ -230,6 +230,7 @@ The Snowflake provider will use the following order of precedence when determini
 ## Currently deprecated resources
 
 - [snowflake_database_old](./docs/resources/database_old)
+- [snowflake_oauth_integration](./docs/resources/oauth_integration)
 - [snowflake_unsafe_execute](./docs/resources/unsafe_execute)
 
 ## Currently deprecated datasources

docs/resources/oauth_integration.md

@@ -7,7 +7,7 @@ description: |-
 
 # snowflake_oauth_integration (Resource)
 
-
+~> **Deprecation** This resource is deprecated and will be removed in a future major version release. Please use snowflake_oauth_integration_for_custom_clients or snowflake_oauth_integration_for_partner_applications instead. <deprecation>
 
 ## Example Usage
 

docs/resources/oauth_integration_for_custom_clients.md

@@ -0,0 +1,289 @@
+---
+page_title: "snowflake_oauth_integration_for_custom_clients Resource - terraform-provider-snowflake"
+subcategory: ""
+description: |-
+
+---
+
+# snowflake_oauth_integration_for_custom_clients (Resource)
+
+
+
+
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `blocked_roles_list` (Set of String) Comma-separated list of Snowflake roles that a user cannot explicitly consent to using after authenticating.
+- `name` (String) Specifies the name of the OAuth integration. This name follows the rules for Object Identifiers. The name should be unique among security integrations in your account.
+- `oauth_client_type` (String) Specifies the type of client being registered. Snowflake supports both confidential and public clients. Valid options are: [PUBLIC CONFIDENTIAL]
+- `oauth_redirect_uri` (String) Specifies the client URI. After a user is authenticated, the web browser is redirected to this URI.
+
+### Optional
+
+- `comment` (String) Specifies a comment for the OAuth integration.
+- `enabled` (String) Specifies whether this OAuth integration is enabled or disabled. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value.
+- `network_policy` (String) Specifies an existing network policy. This network policy controls network traffic that is attempting to exchange an authorization code for an access or refresh token or to use a refresh token to obtain a new access token.
+- `oauth_allow_non_tls_redirect_uri` (String) If true, allows setting oauth_redirect_uri to a URI not protected by TLS. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value.
+- `oauth_client_rsa_public_key` (String) Hash of `oauth_client_rsa_public_key` returned from Snowflake.
+- `oauth_client_rsa_public_key_2` (String) Hash of `oauth_client_rsa_public_key` returned from Snowflake.
+- `oauth_enforce_pkce` (String) Boolean that specifies whether Proof Key for Code Exchange (PKCE) should be required for the integration. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value.
+- `oauth_issue_refresh_tokens` (String) Specifies whether to allow the client to exchange a refresh token for an access token when the current access token has expired. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value.
+- `oauth_refresh_token_validity` (Number) Specifies how long refresh tokens should be valid (in seconds). OAUTH_ISSUE_REFRESH_TOKENS must be set to TRUE.
+- `oauth_use_secondary_roles` (String) Specifies whether default secondary roles set in the user properties are activated by default in the session being opened. Valid options are: [IMPLICIT NONE]
+- `pre_authorized_roles_list` (Set of String) Comma-separated list of Snowflake roles that a user does not need to explicitly consent to using after authenticating.
+
+### Read-Only
+
+- `describe_output` (List of Object) Outputs the result of `DESCRIBE SECURITY INTEGRATION` for the given integration. (see [below for nested schema](#nestedatt--describe_output))
+- `id` (String) The ID of this resource.
+- `show_output` (List of Object) Outputs the result of `SHOW SECURITY INTEGRATION` for the given integration. (see [below for nested schema](#nestedatt--show_output))
+
+<a id="nestedatt--describe_output"></a>
+### Nested Schema for `describe_output`
+
+Read-Only:
+
+- `blocked_roles_list` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--blocked_roles_list))
+- `comment` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--comment))
+- `enabled` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--enabled))
+- `network_policy` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--network_policy))
+- `oauth_allow_non_tls_redirect_uri` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_allow_non_tls_redirect_uri))
+- `oauth_allowed_authorization_endpoints` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_allowed_authorization_endpoints))
+- `oauth_allowed_token_endpoints` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_allowed_token_endpoints))
+- `oauth_authorization_endpoint` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_authorization_endpoint))
+- `oauth_client_id` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_client_id))
+- `oauth_client_rsa_public_key_2_fp` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_client_rsa_public_key_2_fp))
+- `oauth_client_rsa_public_key_fp` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_client_rsa_public_key_fp))
+- `oauth_client_type` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_client_type))
+- `oauth_enforce_pkce` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_enforce_pkce))
+- `oauth_issue_refresh_tokens` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_issue_refresh_tokens))
+- `oauth_redirect_uri` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_redirect_uri))
+- `oauth_refresh_token_validity` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_refresh_token_validity))
+- `oauth_token_endpoint` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_token_endpoint))
+- `oauth_use_secondary_roles` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_use_secondary_roles))
+- `pre_authorized_roles_list` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--pre_authorized_roles_list))
+
+<a id="nestedobjatt--describe_output--blocked_roles_list"></a>
+### Nested Schema for `describe_output.blocked_roles_list`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--comment"></a>
+### Nested Schema for `describe_output.comment`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--enabled"></a>
+### Nested Schema for `describe_output.enabled`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--network_policy"></a>
+### Nested Schema for `describe_output.network_policy`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--oauth_allow_non_tls_redirect_uri"></a>
+### Nested Schema for `describe_output.oauth_allow_non_tls_redirect_uri`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--oauth_allowed_authorization_endpoints"></a>
+### Nested Schema for `describe_output.oauth_allowed_authorization_endpoints`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--oauth_allowed_token_endpoints"></a>
+### Nested Schema for `describe_output.oauth_allowed_token_endpoints`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--oauth_authorization_endpoint"></a>
+### Nested Schema for `describe_output.oauth_authorization_endpoint`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--oauth_client_id"></a>
+### Nested Schema for `describe_output.oauth_client_id`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--oauth_client_rsa_public_key_2_fp"></a>
+### Nested Schema for `describe_output.oauth_client_rsa_public_key_2_fp`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--oauth_client_rsa_public_key_fp"></a>
+### Nested Schema for `describe_output.oauth_client_rsa_public_key_fp`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--oauth_client_type"></a>
+### Nested Schema for `describe_output.oauth_client_type`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--oauth_enforce_pkce"></a>
+### Nested Schema for `describe_output.oauth_enforce_pkce`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--oauth_issue_refresh_tokens"></a>
+### Nested Schema for `describe_output.oauth_issue_refresh_tokens`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--oauth_redirect_uri"></a>
+### Nested Schema for `describe_output.oauth_redirect_uri`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--oauth_refresh_token_validity"></a>
+### Nested Schema for `describe_output.oauth_refresh_token_validity`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--oauth_token_endpoint"></a>
+### Nested Schema for `describe_output.oauth_token_endpoint`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--oauth_use_secondary_roles"></a>
+### Nested Schema for `describe_output.oauth_use_secondary_roles`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--pre_authorized_roles_list"></a>
+### Nested Schema for `describe_output.pre_authorized_roles_list`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+
+<a id="nestedatt--show_output"></a>
+### Nested Schema for `show_output`
+
+Read-Only:
+
+- `category` (String)
+- `comment` (String)
+- `created_on` (String)
+- `enabled` (Boolean)
+- `integration_type` (String)
+- `name` (String)

examples/additional/deprecated_resources.MD

@@ -1,4 +1,5 @@
 ## Currently deprecated resources
 
 - [snowflake_database_old](./docs/resources/database_old)
+- [snowflake_oauth_integration](./docs/resources/oauth_integration)
 - [snowflake_unsafe_execute](./docs/resources/unsafe_execute)

pkg/acceptance/helpers/random/certs.go

@@ -4,8 +4,10 @@ import (
 	"bytes"
 	"crypto/rand"
 	"crypto/rsa"
+	"crypto/sha256"
 	"crypto/x509"
 	"crypto/x509/pkix"
+	"encoding/base64"
 	"encoding/pem"
 	"fmt"
 	"math/big"
@@ -39,15 +41,21 @@ func GenerateX509(t *testing.T) string {
 }
 
 // GenerateRSA returns an RSA public key without BEGIN and END markers.
-func GenerateRSAPublicKey(t *testing.T) string {
+func GenerateRSAPublicKey(t *testing.T) (string, string) {
 	t.Helper()
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
 	require.NoError(t, err)
 
 	pub := key.Public()
 	b, err := x509.MarshalPKIXPublicKey(pub.(*rsa.PublicKey))
 	require.NoError(t, err)
-	return encode(t, "RSA PUBLIC KEY", b)
+	return encode(t, "RSA PUBLIC KEY", b), fmt.Sprintf("SHA256:%s", hash(t, b))
+}
+
+func hash(t *testing.T, b []byte) string {
+	t.Helper()
+	hash := sha256.Sum256(b)
+	return base64.StdEncoding.EncodeToString(hash[:])
 }
 
 func encode(t *testing.T, pemType string, b []byte) string {

pkg/acceptance/helpers/security_integration_client.go

@@ -61,6 +61,14 @@ func (c *SecurityIntegrationClient) CreateScimWithRequest(t *testing.T, request
 	return si, c.DropSecurityIntegrationFunc(t, request.GetName())
 }
 
+func (c *SecurityIntegrationClient) UpdateOauthForClients(t *testing.T, request *sdk.AlterOauthForCustomClientsSecurityIntegrationRequest) {
+	t.Helper()
+	ctx := context.Background()
+
+	err := c.client().AlterOauthForCustomClients(ctx, request)
+	require.NoError(t, err)
+}
+
 func (c *SecurityIntegrationClient) DropSecurityIntegrationFunc(t *testing.T, id sdk.AccountObjectIdentifier) func() {
 	t.Helper()
 	ctx := context.Background()

pkg/acceptance/importchecks/import_checks.go

@@ -1,12 +1,29 @@
 package importchecks
 
 import (
+	"errors"
 	"fmt"
 
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
 )
 
+// ComposeAggregateImportStateCheck does the same as ComposeImportStateCheck, but it aggregates all the occurred errors,
+// instead of returning the first encountered one.
+func ComposeAggregateImportStateCheck(fs ...resource.ImportStateCheckFunc) resource.ImportStateCheckFunc {
+	return func(s []*terraform.InstanceState) error {
+		var result []error
+
+		for i, f := range fs {
+			if err := f(s); err != nil {
+				result = append(result, fmt.Errorf("check %d/%d error: %w", i+1, len(fs), err))
+			}
+		}
+
+		return errors.Join(result...)
+	}
+}
+
 // ComposeImportStateCheck is based on unexported composeImportStateCheck from teststep_providers_test.go
 func ComposeImportStateCheck(fs ...resource.ImportStateCheckFunc) resource.ImportStateCheckFunc {
 	return func(s []*terraform.InstanceState) error {