Skip to content

Commit

Permalink
feat: Add OAUTH integration for custom clients (#2908)
Browse files Browse the repository at this point in the history 
Changes:
- Added a new resource
- `oauth_client_rsa_public_key` and `oauth_client_rsa_public_key_2` are
strange fields because they don't have any value returned by the SHOW or
DESC, so the only diff is applied by the TF (because those fields are
not set in the read operation). Currently, tests show they work, so I
left them this way.
- Added a deprecation message in the old one
- Added acceptance tests for the new resource
- Added one commented section where I thought the plan would be
different than the actual outcome (no update planned, but it was run)

---------

Co-authored-by: Jakub Michalak <[email protected]>
  • Loading branch information
@sfc-gh-jcieslak @sfc-gh-jmichalak
sfc-gh-jcieslak and sfc-gh-jmichalak authored Jul 9, 2024
1 parent 91788e5 commit d9b557f
Show file tree
Hide file tree
Showing 25 changed files with 2,017 additions and 6 deletions.
8 changes: 8 additions & 0 deletions MIGRATION_GUIDE.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,14 @@ Added new api authentication resources, i.e.:

See reference [doc](https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-api-auth).

### *(new feature)* snowflake_oauth_integration_for_custom_clients and snowflake_oauth_integration_for_partner_applications resources

To enhance clarity and functionality, the new resources `snowflake_oauth_integration_for_custom_clients` and `snowflake_oauth_integration_for_partner_applications` have been introduced
to replace the previous `snowflake_oauth_integration`. Recognizing that the old resource carried multiple responsibilities within a single entity, we opted to divide it into two more specialized resources.
The newly introduced resources are aligned with the latest Snowflake documentation at the time of implementation, and adhere to our [new conventions](#general-changes).
This segregation was based on the `oauth_client` attribute, where `CUSTOM` corresponds to `snowflake_oauth_integration_for_custom_clients`,
while other attributes align with `snowflake_oauth_integration_for_partner_applications`.

### *(new feature)* snowflake_security_integrations datasource
Added a new datasource enabling querying and filtering all types of security integrations. Notes:
- all results are stored in `security_integrations` field.
Expand Down
1 change: 1 addition & 0 deletions docs/index.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -230,6 +230,7 @@ The Snowflake provider will use the following order of precedence when determini
## Currently deprecated resources

- [snowflake_database_old](./docs/resources/database_old)
- [snowflake_oauth_integration](./docs/resources/oauth_integration)
- [snowflake_saml_integration](./docs/resources/saml_integration) - use [snowflake_saml2_integration](./docs/resources/saml2_integration) instead
- [snowflake_unsafe_execute](./docs/resources/unsafe_execute)

Expand Down
2 changes: 1 addition & 1 deletion docs/resources/oauth_integration.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ description: |-

# snowflake_oauth_integration (Resource)


~> **Deprecation** This resource is deprecated and will be removed in a future major version release. Please use snowflake_oauth_integration_for_custom_clients or snowflake_oauth_integration_for_partner_applications instead. <deprecation>

## Example Usage

Expand Down
328 changes: 328 additions & 0 deletions docs/resources/oauth_integration_for_custom_clients.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,328 @@
---
page_title: "snowflake_oauth_integration_for_custom_clients Resource - terraform-provider-snowflake"
subcategory: ""
description: |-
---

!> **V1 release candidate** This resource was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0920--v0930) to use it.

# snowflake_oauth_integration_for_custom_clients (Resource)



## Example Usage

```terraform
# basic resource
resource "snowflake_oauth_integration_for_custom_clients" "basic" {
name = "saml_integration"
oauth_client_type = "CONFIDENTIAL"
oauth_redirect_uri = "https://example.com"
blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN"]
}
# resource with all fields set
resource "snowflake_oauth_integration_for_custom_clients" "complete" {
name = "saml_integration"
oauth_client_type = "CONFIDENTIAL"
oauth_redirect_uri = "https://example.com"
enabled = "true"
oauth_allow_non_tls_redirect_uri = "true"
oauth_enforce_pkce = "true"
oauth_use_secondary_roles = "NONE"
pre_authorized_roles_list = ["role_id1", "role_id2"]
blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN", "role_id1", "role_id2"]
oauth_issue_refresh_tokens = "true"
oauth_refresh_token_validity = 87600
network_policy = "network_policy_id"
oauth_client_rsa_public_key = file("rsa.pub")
oauth_client_rsa_public_key_2 = file("rsa2.pub")
comment = "my oauth integration"
}
```

<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `blocked_roles_list` (Set of String) A set of Snowflake roles that a user cannot explicitly consent to using after authenticating.
- `name` (String) Specifies the name of the OAuth integration. This name follows the rules for Object Identifiers. The name should be unique among security integrations in your account.
- `oauth_client_type` (String) Specifies the type of client being registered. Snowflake supports both confidential and public clients. Valid options are: [PUBLIC CONFIDENTIAL]
- `oauth_redirect_uri` (String) Specifies the client URI. After a user is authenticated, the web browser is redirected to this URI.

### Optional

- `comment` (String) Specifies a comment for the OAuth integration.
- `enabled` (String) Specifies whether this OAuth integration is enabled or disabled. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value.
- `network_policy` (String) Specifies an existing network policy. This network policy controls network traffic that is attempting to exchange an authorization code for an access or refresh token or to use a refresh token to obtain a new access token.
- `oauth_allow_non_tls_redirect_uri` (String) If true, allows setting oauth_redirect_uri to a URI not protected by TLS. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value.
- `oauth_client_rsa_public_key` (String) Specifies a Base64-encoded RSA public key, without the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- headers. External changes for this field won't be detected. In case you want to apply external changes, you can re-create the resource using `terraform taint`.
- `oauth_client_rsa_public_key_2` (String) Specifies a Base64-encoded RSA public key, without the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- headers. External changes for this field won't be detected. In case you want to apply external changes, you can re-create the resource using `terraform taint`.
- `oauth_enforce_pkce` (String) Boolean that specifies whether Proof Key for Code Exchange (PKCE) should be required for the integration. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value.
- `oauth_issue_refresh_tokens` (String) Specifies whether to allow the client to exchange a refresh token for an access token when the current access token has expired. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value.
- `oauth_refresh_token_validity` (Number) Specifies how long refresh tokens should be valid (in seconds). OAUTH_ISSUE_REFRESH_TOKENS must be set to TRUE.
- `oauth_use_secondary_roles` (String) Specifies whether default secondary roles set in the user properties are activated by default in the session being opened. Valid options are: [IMPLICIT NONE]
- `pre_authorized_roles_list` (Set of String) A set of Snowflake roles that a user does not need to explicitly consent to using after authenticating.

### Read-Only

- `describe_output` (List of Object) Outputs the result of `DESCRIBE SECURITY INTEGRATION` for the given integration. (see [below for nested schema](#nestedatt--describe_output))
- `id` (String) The ID of this resource.
- `show_output` (List of Object) Outputs the result of `SHOW SECURITY INTEGRATION` for the given integration. (see [below for nested schema](#nestedatt--show_output))

<a id="nestedatt--describe_output"></a>
### Nested Schema for `describe_output`

Read-Only:

- `blocked_roles_list` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--blocked_roles_list))
- `comment` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--comment))
- `enabled` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--enabled))
- `network_policy` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--network_policy))
- `oauth_allow_non_tls_redirect_uri` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_allow_non_tls_redirect_uri))
- `oauth_allowed_authorization_endpoints` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_allowed_authorization_endpoints))
- `oauth_allowed_token_endpoints` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_allowed_token_endpoints))
- `oauth_authorization_endpoint` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_authorization_endpoint))
- `oauth_client_id` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_client_id))
- `oauth_client_rsa_public_key_2_fp` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_client_rsa_public_key_2_fp))
- `oauth_client_rsa_public_key_fp` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_client_rsa_public_key_fp))
- `oauth_client_type` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_client_type))
- `oauth_enforce_pkce` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_enforce_pkce))
- `oauth_issue_refresh_tokens` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_issue_refresh_tokens))
- `oauth_redirect_uri` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_redirect_uri))
- `oauth_refresh_token_validity` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_refresh_token_validity))
- `oauth_token_endpoint` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_token_endpoint))
- `oauth_use_secondary_roles` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--oauth_use_secondary_roles))
- `pre_authorized_roles_list` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--pre_authorized_roles_list))

<a id="nestedobjatt--describe_output--blocked_roles_list"></a>
### Nested Schema for `describe_output.blocked_roles_list`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--comment"></a>
### Nested Schema for `describe_output.comment`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--enabled"></a>
### Nested Schema for `describe_output.enabled`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--network_policy"></a>
### Nested Schema for `describe_output.network_policy`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--oauth_allow_non_tls_redirect_uri"></a>
### Nested Schema for `describe_output.oauth_allow_non_tls_redirect_uri`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--oauth_allowed_authorization_endpoints"></a>
### Nested Schema for `describe_output.oauth_allowed_authorization_endpoints`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--oauth_allowed_token_endpoints"></a>
### Nested Schema for `describe_output.oauth_allowed_token_endpoints`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--oauth_authorization_endpoint"></a>
### Nested Schema for `describe_output.oauth_authorization_endpoint`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--oauth_client_id"></a>
### Nested Schema for `describe_output.oauth_client_id`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--oauth_client_rsa_public_key_2_fp"></a>
### Nested Schema for `describe_output.oauth_client_rsa_public_key_2_fp`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--oauth_client_rsa_public_key_fp"></a>
### Nested Schema for `describe_output.oauth_client_rsa_public_key_fp`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--oauth_client_type"></a>
### Nested Schema for `describe_output.oauth_client_type`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--oauth_enforce_pkce"></a>
### Nested Schema for `describe_output.oauth_enforce_pkce`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--oauth_issue_refresh_tokens"></a>
### Nested Schema for `describe_output.oauth_issue_refresh_tokens`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--oauth_redirect_uri"></a>
### Nested Schema for `describe_output.oauth_redirect_uri`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--oauth_refresh_token_validity"></a>
### Nested Schema for `describe_output.oauth_refresh_token_validity`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--oauth_token_endpoint"></a>
### Nested Schema for `describe_output.oauth_token_endpoint`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--oauth_use_secondary_roles"></a>
### Nested Schema for `describe_output.oauth_use_secondary_roles`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)


<a id="nestedobjatt--describe_output--pre_authorized_roles_list"></a>
### Nested Schema for `describe_output.pre_authorized_roles_list`

Read-Only:

- `default` (String)
- `name` (String)
- `type` (String)
- `value` (String)



<a id="nestedatt--show_output"></a>
### Nested Schema for `show_output`

Read-Only:

- `category` (String)
- `comment` (String)
- `created_on` (String)
- `enabled` (Boolean)
- `integration_type` (String)
- `name` (String)

## Import

Import is supported using the following syntax:

```shell
terraform import snowflake_oauth_integration_for_custom_clients.example "name"
```
2 changes: 2 additions & 0 deletions docs/resources/saml2_integration.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,8 @@ description: |-
---

!> **V1 release candidate** This resource was reworked and is a release candidate for the V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0920--v0930) to use it.

# snowflake_saml2_integration (Resource)


Expand Down
1 change: 1 addition & 0 deletions examples/additional/deprecated_resources.MD
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
## Currently deprecated resources

- [snowflake_database_old](./docs/resources/database_old)
- [snowflake_oauth_integration](./docs/resources/oauth_integration)
- [snowflake_saml_integration](./docs/resources/saml_integration) - use [snowflake_saml2_integration](./docs/resources/saml2_integration) instead
- [snowflake_unsafe_execute](./docs/resources/unsafe_execute)
1 change: 1 addition & 0 deletions examples/resources/snowflake_oauth_integration_for_custom_clients/import.sh
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
terraform import snowflake_oauth_integration_for_custom_clients.example "name"
Loading

0 comments on commit d9b557f

Please sign in to comment.