fix: Make blocked_roles_field optional in OAuth security integrations #3267

Merged 8 commits on Dec 12, 2024
15 changes: 14 additions & 1 deletion MIGRATION_GUIDE.md
Expand Up @@ -9,14 +9,27 @@ across different versions.

## v0.99.0 ➞ v0.100.0

### snowflake_oauth_integration_for_partner_applications and snowflake_oauth_integration_for_custom_clients resource changes
#### *(behavior change)* `blocked_roles_list` field is no longer required

Previously, `blocked_roles_list` field was required to handle default account roles like `ACCOUNTADMIN`, `ORGADMIN`, and `SECURITYADMIN`.

Now, it is optional, because of using the value of `OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST` parameter (read more below).

No changes in the configuration are necessary.

#### *(behavior change)* new field `related_parameters`

To handle `blocked_roles_list` field properly in both of the resources, we introduce `related_parameters` field. This field is a list of parameters related to OAuth integrations. It is a computed-only field containing value of `OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST` account parameter (see [docs](https://docs.snowflake.com/en/sql-reference/parameters#oauth-add-privileged-roles-to-blocked-list)).

### snowflake_account resource changes

Changes:
- `admin_user_type` is now supported. No action required during the migration.
- `grace_period_in_days` is now required. The field should be explicitly set in the following versions.
- Account renaming is now supported.
- `is_org_admin` is a settable field (previously it was read-only field). Changing its value is also supported.
- `must_change_password` and `is_org_admin` type was changed from `bool` to bool-string (more on that [here](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/v1-preparations/CHANGES_BEFORE_V1.md#empty-values)). No action required during the migration.
- `must_change_password` and `is_org_admin` type was changed from `bool` to bool-string (more on that [here](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/v1-preparations/CHANGES_BEFORE_V1.md#empty-values)). No action required during the migration.
- The underlying resource identifier was changed from `<account_locator>` to `<organization_name>.<account_name>`. Migration will be done automatically. Notice this introduces changes in how `snowflake_account` resource is imported.
- New `show_output` field was added (see [raw Snowflake output](./v1-preparations/CHANGES_BEFORE_V1.md#raw-snowflake-output)).
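
Review bot: The `blocked_roles_list` entry closes with "No changes in the configuration are necessary" but does not cover accounts where `OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST` is set to FALSE. The entry says the field became optional because that parameter's value is used, and the field docs in this same change say setting it to FALSE removes ACCOUNTADMIN, ORGADMIN and SECURITYADMIN from the list, so a reader who drops an explicit list on such an account would no longer block those roles. Suggest adding a sentence telling readers to check the parameter value (the new `related_parameters` field exposes it) before removing `blocked_roles_list` from an existing configuration. Two smaller points: the PR title says `blocked_roles_field` while the guide uses `blocked_roles_list`, and "because of using the value of" reads better as "because the provider uses the value of".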

2 changes: 1 addition & 1 deletion docs/resources/external_oauth_integration.md
Expand Up @@ -92,7 +92,7 @@ resource "snowflake_external_oauth_integration" "test" {
- `describe_output` (List of Object) Outputs the result of `DESCRIBE SECURITY INTEGRATIONS` for the given security integration. (see [below for nested schema](#nestedatt--describe_output))
- `fully_qualified_name` (String) Fully qualified name of the resource. For more information, see [object name resolution](https://docs.snowflake.com/en/sql-reference/name-resolution).
- `id` (String) The ID of this resource.
- `related_parameters` (List of Object) Paramteres related to this security integration. (see [below for nested schema](#nestedatt--related_parameters))
- `related_parameters` (List of Object) Parameters related to this security integration. (see [below for nested schema](#nestedatt--related_parameters))
- `show_output` (List of Object) Outputs the result of `SHOW SECURITY INTEGRATIONS` for the given security integration. (see [below for nested schema](#nestedatt--show_output))

<a id="nestedatt--describe_output"></a>
24 changes: 22 additions & 2 deletions docs/resources/oauth_integration_for_custom_clients.md
Expand Up @@ -23,7 +23,6 @@ resource "snowflake_oauth_integration_for_custom_clients" "basic" {
name = "integration"
oauth_client_type = "CONFIDENTIAL"
oauth_redirect_uri = "https://example.com"
blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN"]
}

# resource with all fields set
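
Review bot: With `blocked_roles_list` dropped from the `basic` example, nothing in the example tells the reader that role blocking now depends on an account parameter. A one-line comment above the resource, noting that the privileged roles are blocked through `OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST`, would keep the omission from being read as "no roles are blocked".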
Expand Down Expand Up @@ -53,13 +52,13 @@ resource "snowflake_oauth_integration_for_custom_clients" "complete" {

### Required

- `blocked_roles_list` (Set of String) A set of Snowflake roles that a user cannot explicitly consent to using after authenticating. For more information about this resource, see [docs](./account_role).
- `name` (String) Specifies the name of the OAuth integration. This name follows the rules for Object Identifiers. The name should be unique among security integrations in your account. Due to technical limitations (read more [here](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/identifiers_rework_design_decisions.md#known-limitations-and-identifier-recommendations)), avoid using the following characters: `|`, `.`, `"`.
- `oauth_client_type` (String) Specifies the type of client being registered. Snowflake supports both confidential and public clients. Valid options are: `PUBLIC` | `CONFIDENTIAL`.
- `oauth_redirect_uri` (String) Specifies the client URI. After a user is authenticated, the web browser is redirected to this URI.

### Optional

- `blocked_roles_list` (Set of String) A set of Snowflake roles that a user cannot explicitly consent to using after authenticating. By default, this list includes the ACCOUNTADMIN, ORGADMIN and SECURITYADMIN roles. To remove these privileged roles from the list, use the ALTER ACCOUNT command to set the OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST account parameter to FALSE. For more information about this resource, see [docs](./account_role).
- `comment` (String) Specifies a comment for the OAuth integration.
- `enabled` (String) Specifies whether this OAuth integration is enabled or disabled. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value.
- `network_policy` (String) Specifies an existing network policy. This network policy controls network traffic that is attempting to exchange an authorization code for an access or refresh token or to use a refresh token to obtain a new access token. For more information about this resource, see [docs](./network_policy).
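
Review bot: The new Optional description of `blocked_roles_list` does not say how an explicitly configured set combines with the default privileged roles, that is, whether ACCOUNTADMIN, ORGADMIN and SECURITYADMIN are added on top of the configured roles or replaced by them. That detail decides whether a privileged role can be consented to, so please state it in the description. The role names and OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST are also plain text here, while other values in this list (`PUBLIC` | `CONFIDENTIAL`) are in backticks.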
Expand All @@ -77,6 +76,7 @@ resource "snowflake_oauth_integration_for_custom_clients" "complete" {
- `describe_output` (List of Object) Outputs the result of `DESCRIBE SECURITY INTEGRATION` for the given integration. (see [below for nested schema](#nestedatt--describe_output))
- `fully_qualified_name` (String) Fully qualified name of the resource. For more information, see [object name resolution](https://docs.snowflake.com/en/sql-reference/name-resolution).
- `id` (String) The ID of this resource.
- `related_parameters` (List of Object) Parameters related to this security integration. (see [below for nested schema](#nestedatt--related_parameters))
- `show_output` (List of Object) Outputs the result of `SHOW SECURITY INTEGRATION` for the given integration. (see [below for nested schema](#nestedatt--show_output))

<a id="nestedatt--describe_output"></a>
Expand Down Expand Up @@ -314,6 +314,26 @@ Read-Only:



<a id="nestedatt--related_parameters"></a>
### Nested Schema for `related_parameters`

Read-Only:

- `oauth_add_privileged_roles_to_blocked_list` (List of Object) (see [below for nested schema](#nestedobjatt--related_parameters--oauth_add_privileged_roles_to_blocked_list))

<a id="nestedobjatt--related_parameters--oauth_add_privileged_roles_to_blocked_list"></a>
### Nested Schema for `related_parameters.oauth_add_privileged_roles_to_blocked_list`

Read-Only:

- `default` (String)
- `description` (String)
- `key` (String)
- `level` (String)
- `value` (String)



<a id="nestedatt--show_output"></a>
### Nested Schema for `show_output`
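
Review bot: The five read-only attributes under `related_parameters.oauth_add_privileged_roles_to_blocked_list` (`default`, `description`, `key`, `level`, `value`) are listed without any description. `value` is typed String for a parameter the field docs in this change describe as being set to FALSE, so anyone asserting on it in a check or an output needs to know the exact string form. A short description for at least `value` and `level` would cover that.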

24 changes: 22 additions & 2 deletions docs/resources/oauth_integration_for_partner_applications.md
Expand Up @@ -21,7 +21,6 @@ resource "snowflake_oauth_integration_for_partner_applications" "test" {
name = "example"
oauth_client = "LOOKER"
oauth_redirect_uri = "http://example.com"
blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN"]
}

# resource with all fields set
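
Review bot: The context line `oauth_redirect_uri = "http://example.com"` in this example uses plain HTTP, while the custom clients example in the same change uses `https://example.com`. Since the example is being edited anyway, switch it to HTTPS so the documented redirect URI does not suggest receiving the authorization response over an unencrypted channel.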
Expand All @@ -44,12 +43,12 @@ resource "snowflake_oauth_integration_for_partner_applications" "test" {

### Required

- `blocked_roles_list` (Set of String) A set of Snowflake roles that a user cannot explicitly consent to using after authenticating. For more information about this resource, see [docs](./account_role).
- `name` (String) Specifies the name of the OAuth integration. This name follows the rules for Object Identifiers. The name should be unique among security integrations in your account. Due to technical limitations (read more [here](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/identifiers_rework_design_decisions.md#known-limitations-and-identifier-recommendations)), avoid using the following characters: `|`, `.`, `"`.
- `oauth_client` (String) Creates an OAuth interface between Snowflake and a partner application. Valid options are: `LOOKER` | `TABLEAU_DESKTOP` | `TABLEAU_SERVER`.

### Optional

- `blocked_roles_list` (Set of String) A set of Snowflake roles that a user cannot explicitly consent to using after authenticating. By default, this list includes the ACCOUNTADMIN, ORGADMIN and SECURITYADMIN roles. To remove these privileged roles from the list, use the ALTER ACCOUNT command to set the OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST account parameter to FALSE. For more information about this resource, see [docs](./account_role).
- `comment` (String) Specifies a comment for the OAuth integration.
- `enabled` (String) Specifies whether this OAuth integration is enabled or disabled. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value.
- `oauth_issue_refresh_tokens` (String) Specifies whether to allow the client to exchange a refresh token for an access token when the current access token has expired. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value.
Expand All @@ -62,6 +61,7 @@ resource "snowflake_oauth_integration_for_partner_applications" "test" {
- `describe_output` (List of Object) Outputs the result of `DESCRIBE SECURITY INTEGRATION` for the given integration. (see [below for nested schema](#nestedatt--describe_output))
- `fully_qualified_name` (String) Fully qualified name of the resource. For more information, see [object name resolution](https://docs.snowflake.com/en/sql-reference/name-resolution).
- `id` (String) The ID of this resource.
- `related_parameters` (List of Object) Parameters related to this security integration. (see [below for nested schema](#nestedatt--related_parameters))
- `show_output` (List of Object) Outputs the result of `SHOW SECURITY INTEGRATION` for the given integration. (see [below for nested schema](#nestedatt--show_output))

<a id="nestedatt--describe_output"></a>
Expand Down Expand Up @@ -299,6 +299,26 @@ Read-Only:



<a id="nestedatt--related_parameters"></a>
### Nested Schema for `related_parameters`

Read-Only:

- `oauth_add_privileged_roles_to_blocked_list` (List of Object) (see [below for nested schema](#nestedobjatt--related_parameters--oauth_add_privileged_roles_to_blocked_list))

<a id="nestedobjatt--related_parameters--oauth_add_privileged_roles_to_blocked_list"></a>
### Nested Schema for `related_parameters.oauth_add_privileged_roles_to_blocked_list`

Read-Only:

- `default` (String)
- `description` (String)
- `key` (String)
- `level` (String)
- `value` (String)



<a id="nestedatt--show_output"></a>
### Nested Schema for `show_output`

Expand Up @@ -3,7 +3,6 @@ resource "snowflake_oauth_integration_for_custom_clients" "basic" {
name = "integration"
oauth_client_type = "CONFIDENTIAL"
oauth_redirect_uri = "https://example.com"
blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN"]
}

# resource with all fields set
Expand Up @@ -3,7 +3,6 @@ resource "snowflake_oauth_integration_for_partner_applications" "test" {
name = "example"
oauth_client = "LOOKER"
oauth_redirect_uri = "http://example.com"
blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN"]
}

# resource with all fields set
Expand Up @@ -121,6 +121,14 @@ var allResourceSchemaDefs = []ResourceSchemaDef{
name: "Account",
schema: resources.Account().Schema,
},
{
name: "OauthIntegrationForCustomClients",
schema: resources.OauthIntegrationForCustomClients().Schema,
},
{
name: "OauthIntegrationForPartnerApplications",
schema: resources.OauthIntegrationForPartnerApplications().Schema,
},
{
name: "FunctionJava",
schema: resources.FunctionJava().Schema,