feat: Secret resource

MIGRATION_GUIDE.md

@@ -7,6 +7,20 @@ across different versions.
 > [!TIP]
 > We highly recommend upgrading the versions one by one instead of bulk upgrades.
 
+## v0.97.0 ➞ v0.98.0
+
+### *(new feature)* Secret resources
+Added a new secrets resources for managing secrets.
+We decided to split each secret flow into individual resources. 
+This segregation was based on the secret flows in CREATE SECRET. i.e.:
+- `snowflake_secret_with_client_credentials`
+- `snowflake_secret_with_authorization_code_grant`
+- `snowflake_secret_with_basic_authentication`
+- `snowflake_secret_with_generic_string`
+
+
+See reference [docs](https://docs.snowflake.com/en/sql-reference/sql/create-secret).
+
 ## v0.96.0 ➞ v0.97.0
 
 ### *(new feature)* snowflake_stream_on_table, snowflake_stream_on_external_table resource
@@ -50,16 +64,6 @@ resource "snowflake_stream_on_table" "stream" {
 
 Then, follow our [Resource migration guide](/~https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/resource_migration.md).
 
-### *(new feature)* Secret resources
-Added a new secrets resources for managing secrets.
-We decided to split each secret flow into individual resources, i.e.:
-- `snowflake_secret_with_client_credentials`
-- `snowflake_secret_with_authorization_code_grant`
-- `snowflake_secret_with_basic_authentication`
-- `snowflake_secret_with_generic_string`
-
-See reference [docs](https://docs.snowflake.com/en/sql-reference/sql/create-secret). 
-
 ### *(new feature)* new snowflake_service_user and snowflake_legacy_service_user resources
 
 Release v0.95.0 introduced reworked `snowflake_user` resource. As [noted](#note-user-types), the new `SERVICE` and `LEGACY_SERVICE` user types were not supported.

docs/resources/secret_with_authorization_code_grant.md

@@ -5,7 +5,7 @@ description: |-
   Resource used to manage secret objects with OAuth Authorization Code Grant. For more information, check secret documentation https://docs.snowflake.com/en/sql-reference/sql/create-secret.
 ---
 
-!> **V1 release candidate** This resource is a release candidate for the V1. It is on the list of remaining GA objects for V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](/~https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0960--v0970) to use it.
+!> **V1 release candidate** This resource is a release candidate for the V1. It is on the list of remaining GA objects for V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](/~https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0970--v0980) to use it.
 
 # snowflake_secret_with_authorization_code_grant (Resource)
 

docs/resources/secret_with_basic_authentication.md

@@ -5,7 +5,7 @@ description: |-
   Resource used to manage secret objects with Basic Authentication. For more information, check secret documentation https://docs.snowflake.com/en/sql-reference/sql/create-secret.
 ---
 
-!> **V1 release candidate** This resource is a release candidate for the V1. It is on the list of remaining GA objects for V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](/~https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0960--v0970) to use it.
+!> **V1 release candidate** This resource is a release candidate for the V1. It is on the list of remaining GA objects for V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](/~https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0970--v0980) to use it.
 
 # snowflake_secret_with_basic_authentication (Resource)
 
@@ -45,7 +45,7 @@ resource "snowflake_secret_with_basic_authentication" "test" {
 - `name` (String) String that specifies the identifier (i.e. name) for the secret, must be unique in your schema. Due to technical limitations (read more [here](/~https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/identifiers_rework_design_decisions.md#known-limitations-and-identifier-recommendations)), avoid using the following characters: `|`, `.`, `(`, `)`, `"`
 - `password` (String, Sensitive) Specifies the password value to store in the secret. External changes for this field won't be detected. In case you want to apply external changes, you can re-create the resource manually using "terraform taint".
 - `schema` (String) The schema in which to create the secret. Due to technical limitations (read more [here](/~https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/identifiers_rework_design_decisions.md#known-limitations-and-identifier-recommendations)), avoid using the following characters: `|`, `.`, `(`, `)`, `"`
-- `username` (String) Specifies the username value to store in the secret.
+- `username` (String, Sensitive) Specifies the username value to store in the secret.
 
 ### Optional
 

docs/resources/secret_with_client_credentials.md

@@ -5,7 +5,7 @@ description: |-
   Resource used to manage secret objects with OAuth Client Credentials. For more information, check secret documentation https://docs.snowflake.com/en/sql-reference/sql/create-secret.
 ---
 
-!> **V1 release candidate** This resource is a release candidate for the V1. It is on the list of remaining GA objects for V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](/~https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0960--v0970) to use it.
+!> **V1 release candidate** This resource is a release candidate for the V1. It is on the list of remaining GA objects for V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](/~https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0970--v0980) to use it.
 
 # snowflake_secret_with_client_credentials (Resource)
 

docs/resources/secret_with_generic_string.md

@@ -5,7 +5,7 @@ description: |-
   Resource used to manage secret objects with Generic String. For more information, check secret documentation https://docs.snowflake.com/en/sql-reference/sql/create-secret.
 ---
 
-!> **V1 release candidate** This resource is a release candidate for the V1. It is on the list of remaining GA objects for V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](/~https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0960--v0970) to use it.
+!> **V1 release candidate** This resource is a release candidate for the V1. It is on the list of remaining GA objects for V1. We do not expect significant changes in it before the V1. We will welcome any feedback and adjust the resource if needed. Any errors reported will be resolved with a higher priority. We encourage checking this resource out before the V1 release. Please follow the [migration guide](/~https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#v0970--v0980) to use it.
 
 # snowflake_secret_with_generic_string (Resource)
 

pkg/acceptance/bettertestspoc/README.md

@@ -325,6 +325,7 @@ it will result in:
 - Add support for datasource tests (assertions and config builders).
 - Consider overriding the assertions when invoking same check multiple times with different params (e.g. `Warehouse(...).HasType(X).HasType(Y)`; it could use the last-check-wins approach, to more easily reuse complex checks between the test steps).
 - Consider not adding the check for `show_output` presence on creation (same with `parameters`). The majority of the use cases need it to be present but there are a few others (like conditional presence in the datasources). Currently, it seems that they should be always present in the resources, so no change is made. Later, with adding the support for the datasource tests, consider simple destructive implementation like:
+- Add support for `set` so that assertions like e.g. `oauth_scopes.*` could be done.
 ```go
 func (w *WarehouseDatasourceShowOutputAssert) IsEmpty() {
     w.assertions = make([]resourceAssertion, 0)

pkg/resources/secret_common.go

@@ -4,8 +4,10 @@ import (
 	"context"
 	"errors"
 
+	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/internal/provider"
 	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/schemas"
 	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
 
@@ -62,21 +64,13 @@ func handleSecretImport(d *schema.ResourceData) error {
 	return nil
 }
 
-func handleSecretCreate(d *schema.ResourceData) (database, schema, name string) {
-	return d.Get("database").(string), d.Get("schema").(string), d.Get("name").(string)
-}
-
 func handleSecretRead(d *schema.ResourceData, id sdk.SchemaObjectIdentifier, secret *sdk.Secret, secretDescription *sdk.SecretDetails) error {
-	err := errors.Join(
+	return errors.Join(
 		d.Set(FullyQualifiedNameAttributeName, id.FullyQualifiedName()),
 		d.Set("comment", secret.Comment),
 		d.Set(ShowOutputAttributeName, []map[string]any{schemas.SecretToSchema(secret)}),
 		d.Set(DescribeOutputAttributeName, []map[string]any{schemas.SecretDescriptionToSchema(*secretDescription)}),
 	)
-	if err != nil {
-		return err
-	}
-	return nil
 }
 
 func handleSecretUpdate(d *schema.ResourceData, set *sdk.SecretSetRequest, unset *sdk.SecretUnsetRequest) {
@@ -88,3 +82,18 @@ func handleSecretUpdate(d *schema.ResourceData, set *sdk.SecretSetRequest, unset
 		}
 	}
 }
+
+func DeleteContextSecret(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
+	client := meta.(*provider.Context).Client
+	id, err := sdk.ParseSchemaObjectIdentifier(d.Id())
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	if err := client.Secrets.Drop(ctx, sdk.NewDropSecretRequest(id).WithIfExists(true)); err != nil {
+		return diag.FromErr(err)
+	}
+
+	d.SetId("")
+	return nil
+}

pkg/resources/secret_with_basic_authentication.go

@@ -11,6 +11,7 @@ import (
 	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/internal/provider"
 	"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/sdk"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/customdiff"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
 
@@ -19,6 +20,7 @@ var secretBasicAuthenticationSchema = func() map[string]*schema.Schema {
 		"username": {
 			Type:        schema.TypeString,
 			Required:    true,
+			Sensitive:   true,
 			Description: "Specifies the username value to store in the secret.",
 		},
 		"password": {
@@ -36,9 +38,15 @@ func SecretWithBasicAuthentication() *schema.Resource {
 		CreateContext: CreateContextSecretWithBasicAuthentication,
 		ReadContext:   ReadContextSecretWithBasicAuthentication,
 		UpdateContext: UpdateContextSecretWithBasicAuthentication,
-		DeleteContext: DeleteContextSecretWithBasicAuthentication,
+		DeleteContext: DeleteContextSecret,
 		Description:   "Resource used to manage secret objects with Basic Authentication. For more information, check [secret documentation](https://docs.snowflake.com/en/sql-reference/sql/create-secret).",
 
+		CustomizeDiff: customdiff.All(
+			ComputedIfAnyAttributeChanged(secretBasicAuthenticationSchema, ShowOutputAttributeName, "name", "comment"),
+			ComputedIfAnyAttributeChanged(secretBasicAuthenticationSchema, DescribeOutputAttributeName, "name", "username"),
+			ComputedIfAnyAttributeChanged(secretBasicAuthenticationSchema, FullyQualifiedNameAttributeName, "name"),
+		),
+
 		Schema: secretBasicAuthenticationSchema,
 		Importer: &schema.ResourceImporter{
 			StateContext: ImportSecretWithBasicAuthentication,
@@ -72,7 +80,7 @@ func ImportSecretWithBasicAuthentication(ctx context.Context, d *schema.Resource
 
 func CreateContextSecretWithBasicAuthentication(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
 	client := meta.(*provider.Context).Client
-	databaseName, schemaName, name := handleSecretCreate(d)
+	databaseName, schemaName, name := d.Get("database").(string), d.Get("schema").(string), d.Get("name").(string)
 	id := sdk.NewSchemaObjectIdentifier(databaseName, schemaName, name)
 
 	usernameString := d.Get("username").(string)
@@ -143,20 +151,20 @@ func UpdateContextSecretWithBasicAuthentication(ctx context.Context, d *schema.R
 	set := &sdk.SecretSetRequest{}
 	unset := &sdk.SecretUnsetRequest{}
 	handleSecretUpdate(d, set, unset)
-	setForFlow := &sdk.SetForFlowRequest{
-		SetForBasicAuthentication: &sdk.SetForBasicAuthenticationRequest{},
-	}
+	setForBasicAuthentication := &sdk.SetForBasicAuthenticationRequest{}
 
 	if d.HasChange("username") {
 		username := d.Get("username").(string)
-		setForFlow.SetForBasicAuthentication.WithUsername(username)
-		set.WithSetForFlow(*setForFlow)
+		setForBasicAuthentication.WithUsername(username)
 	}
 
 	if d.HasChange("password") {
 		password := d.Get("password").(string)
-		setForFlow.SetForBasicAuthentication.WithPassword(password)
-		set.WithSetForFlow(*setForFlow)
+		setForBasicAuthentication.WithPassword(password)
+	}
+
+	if !reflect.DeepEqual(*setForBasicAuthentication, sdk.SetForBasicAuthenticationRequest{}) {
+		set.WithSetForFlow(sdk.SetForFlowRequest{SetForBasicAuthentication: setForBasicAuthentication})
 	}
 
 	if !reflect.DeepEqual(*set, sdk.SecretSetRequest{}) {
@@ -173,18 +181,3 @@ func UpdateContextSecretWithBasicAuthentication(ctx context.Context, d *schema.R
 
 	return ReadContextSecretWithBasicAuthentication(ctx, d, meta)
 }
-
-func DeleteContextSecretWithBasicAuthentication(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
-	client := meta.(*provider.Context).Client
-	id, err := sdk.ParseSchemaObjectIdentifier(d.Id())
-	if err != nil {
-		return diag.FromErr(err)
-	}
-
-	if err := client.Secrets.Drop(ctx, sdk.NewDropSecretRequest(id).WithIfExists(true)); err != nil {
-		return diag.FromErr(err)
-	}
-
-	d.SetId("")
-	return nil
-}

pkg/resources/secret_with_basic_authentication_acceptance_test.go

@@ -57,7 +57,7 @@ func TestAcc_SecretWithBasicAuthentication_BasicFlow(t *testing.T) {
 						resourceshowoutputassert.SecretShowOutput(t, secretName).
 							HasName(name).
 							HasDatabaseName(id.DatabaseName()).
-							HasSecretType("PASSWORD").
+							HasSecretType(sdk.SecretTypePassword).
 							HasSchemaName(id.SchemaName()).
 							HasComment(""),
 					),
@@ -67,8 +67,9 @@ func TestAcc_SecretWithBasicAuthentication_BasicFlow(t *testing.T) {
 					resource.TestCheckResourceAttr(secretName, "describe_output.0.name", name),
 					resource.TestCheckResourceAttr(secretName, "describe_output.0.database_name", id.DatabaseName()),
 					resource.TestCheckResourceAttr(secretName, "describe_output.0.schema_name", id.SchemaName()),
-					resource.TestCheckResourceAttr(secretName, "describe_output.0.secret_type", "PASSWORD"),
+					resource.TestCheckResourceAttr(secretName, "describe_output.0.secret_type", sdk.SecretTypePassword),
 					resource.TestCheckResourceAttr(secretName, "describe_output.0.username", "foo"),
+					resource.TestCheckResourceAttr(secretName, "describe_output.0.comment", ""),
 					resource.TestCheckResourceAttr(secretName, "describe_output.0.oauth_access_token_expiry_time", ""),
 					resource.TestCheckResourceAttr(secretName, "describe_output.0.oauth_refresh_token_expiry_time", ""),
 					resource.TestCheckResourceAttr(secretName, "describe_output.0.integration_name", ""),
@@ -78,23 +79,39 @@ func TestAcc_SecretWithBasicAuthentication_BasicFlow(t *testing.T) {
 			// set username, password and comment
 			{
 				Config: config.FromModel(t, secretModelDifferentCredentialsWithComment),
-				Check: assert.AssertThat(t,
-					resourceassert.SecretWithBasicAuthenticationResource(t, secretName).
-						HasNameString(name).
-						HasDatabaseString(id.DatabaseName()).
-						HasSchemaString(id.SchemaName()).
-						HasUsernameString("bar").
-						HasPasswordString("bar").
-						HasCommentString(comment),
+				Check: resource.ComposeTestCheckFunc(
+					assert.AssertThat(t,
+
+						resourceassert.SecretWithBasicAuthenticationResource(t, secretName).
+							HasNameString(name).
+							HasDatabaseString(id.DatabaseName()).
+							HasSchemaString(id.SchemaName()).
+							HasUsernameString("bar").
+							HasPasswordString("bar").
+							HasCommentString(comment),
+
+						resourceshowoutputassert.SecretShowOutput(t, secretName).
+							HasSecretType(sdk.SecretTypePassword).
+							HasComment(comment),
+					),
+
+					resource.TestCheckResourceAttr(secretName, "describe_output.0.username", "bar"),
+					resource.TestCheckResourceAttr(secretName, "describe_output.0.comment", comment),
 				),
 			},
 			// set username and comment externally
 			{
 				PreConfig: func() {
-					acc.TestClient().Secret.Alter(t, sdk.NewAlterSecretRequest(id).WithSet(*sdk.NewSecretSetRequest().
-						WithComment("test_comment").
-						WithSetForFlow(*sdk.NewSetForFlowRequest().WithSetForBasicAuthentication(*sdk.NewSetForBasicAuthenticationRequest().WithUsername("test_username"))),
-					))
+					acc.TestClient().Secret.Alter(t, sdk.NewAlterSecretRequest(id).
+						WithSet(*sdk.NewSecretSetRequest().
+							WithComment("test_comment").
+							WithSetForFlow(*sdk.NewSetForFlowRequest().
+								WithSetForBasicAuthentication(*sdk.NewSetForBasicAuthenticationRequest().
+									WithUsername("test_username"),
+								),
+							),
+						),
+					)
 				},
 				ConfigPlanChecks: resource.ConfigPlanChecks{
 					PreApply: []plancheck.PlanCheck{
@@ -159,7 +176,7 @@ func TestAcc_SecretWithBasicAuthentication_BasicFlow(t *testing.T) {
 					importchecks.TestCheckResourceAttrInstanceState(helpers.EncodeResourceIdentifier(id), "comment", ""),
 				),
 			},
-			// create with empty username and password
+			// set empty username and password
 			{
 				Config: config.FromModel(t, secretModelEmptyCredentials),
 				Check: resource.ComposeTestCheckFunc(