fix: handle external change of secret type

docs/resources/secret_with_authorization_code_grant.md

@@ -59,7 +59,7 @@ resource "snowflake_secret_with_authorization_code_grant" "test" {
 - `describe_output` (List of Object) Outputs the result of `DESCRIBE SECRET` for the given secret. (see [below for nested schema](#nestedatt--describe_output))
 - `fully_qualified_name` (String) Fully qualified name of the resource. For more information, see [object name resolution](https://docs.snowflake.com/en/sql-reference/name-resolution).
 - `id` (String) The ID of this resource.
-- `secret_type` (String) Specifies a type for the secret.
+- `secret_type` (String) Specifies a type for the secret. This field is used for checking external changes and recreating the resources if needed.
 - `show_output` (List of Object) Outputs the result of `SHOW SECRETS` for the given secret. (see [below for nested schema](#nestedatt--show_output))
 
 <a id="nestedatt--describe_output"></a>

docs/resources/secret_with_basic_authentication.md

@@ -56,7 +56,7 @@ resource "snowflake_secret_with_basic_authentication" "test" {
 - `describe_output` (List of Object) Outputs the result of `DESCRIBE SECRET` for the given secret. (see [below for nested schema](#nestedatt--describe_output))
 - `fully_qualified_name` (String) Fully qualified name of the resource. For more information, see [object name resolution](https://docs.snowflake.com/en/sql-reference/name-resolution).
 - `id` (String) The ID of this resource.
-- `secret_type` (String) Specifies a type for the secret.
+- `secret_type` (String) Specifies a type for the secret. This field is used for checking external changes and recreating the resources if needed.
 - `show_output` (List of Object) Outputs the result of `SHOW SECRETS` for the given secret. (see [below for nested schema](#nestedatt--show_output))
 
 <a id="nestedatt--describe_output"></a>

docs/resources/secret_with_client_credentials.md

@@ -56,7 +56,7 @@ resource "snowflake_secret_with_client_credentials" "test" {
 - `describe_output` (List of Object) Outputs the result of `DESCRIBE SECRET` for the given secret. (see [below for nested schema](#nestedatt--describe_output))
 - `fully_qualified_name` (String) Fully qualified name of the resource. For more information, see [object name resolution](https://docs.snowflake.com/en/sql-reference/name-resolution).
 - `id` (String) The ID of this resource.
-- `secret_type` (String) Specifies a type for the secret.
+- `secret_type` (String) Specifies a type for the secret. This field is used for checking external changes and recreating the resources if needed.
 - `show_output` (List of Object) Outputs the result of `SHOW SECRETS` for the given secret. (see [below for nested schema](#nestedatt--show_output))
 
 <a id="nestedatt--describe_output"></a>

docs/resources/secret_with_generic_string.md

@@ -53,7 +53,7 @@ resource "snowflake_secret_with_generic_string" "test" {
 - `describe_output` (List of Object) Outputs the result of `DESCRIBE SECRET` for the given secret. (see [below for nested schema](#nestedatt--describe_output))
 - `fully_qualified_name` (String) Fully qualified name of the resource. For more information, see [object name resolution](https://docs.snowflake.com/en/sql-reference/name-resolution).
 - `id` (String) The ID of this resource.
-- `secret_type` (String) Specifies a type for the secret.
+- `secret_type` (String) Specifies a type for the secret. This field is used for checking external changes and recreating the resources if needed.
 - `show_output` (List of Object) Outputs the result of `SHOW SECRETS` for the given secret. (see [below for nested schema](#nestedatt--show_output))
 
 <a id="nestedatt--describe_output"></a>

pkg/datasources/secrets_acceptance_test.go

@@ -62,15 +62,15 @@ func TestAcc_Secrets_WithClientCredentials(t *testing.T) {
 						HasDatabaseName(id.DatabaseName()).
 						HasSchemaName(id.SchemaName()).
 						HasComment("").
-						HasSecretType(sdk.SecretTypeOAuth2),
+						HasSecretType(string(sdk.SecretTypeOAuth2)),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.show_output.0.oauth_scopes.#", "2")),
 					assert.Check(resource.TestCheckTypeSetElemAttr(dsName, "secrets.0.show_output.0.oauth_scopes.*", "username")),
 					assert.Check(resource.TestCheckTypeSetElemAttr(dsName, "secrets.0.show_output.0.oauth_scopes.*", "test_scope")),
 
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.name", id.Name())),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.database_name", id.DatabaseName())),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.schema_name", id.SchemaName())),
-					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.secret_type", sdk.SecretTypeOAuth2)),
+					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.secret_type", string(sdk.SecretTypeOAuth2))),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.username", "")),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.comment", "")),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.oauth_scopes.#", "2")),
@@ -117,13 +117,13 @@ func TestAcc_Secrets_WithAuthorizationCodeGrant(t *testing.T) {
 						HasDatabaseName(id.DatabaseName()).
 						HasSchemaName(id.SchemaName()).
 						HasComment("test_comment").
-						HasSecretType(sdk.SecretTypeOAuth2),
+						HasSecretType(string(sdk.SecretTypeOAuth2)),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.show_output.0.oauth_scopes.#", "0")),
 
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.name", id.Name())),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.database_name", id.DatabaseName())),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.schema_name", id.SchemaName())),
-					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.secret_type", sdk.SecretTypeOAuth2)),
+					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.secret_type", string(sdk.SecretTypeOAuth2))),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.username", "")),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.comment", "test_comment")),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.oauth_scopes.#", "0")),
@@ -158,13 +158,13 @@ func TestAcc_Secrets_WithBasicAuthentication(t *testing.T) {
 						HasDatabaseName(id.DatabaseName()).
 						HasSchemaName(id.SchemaName()).
 						HasComment("").
-						HasSecretType(sdk.SecretTypePassword),
+						HasSecretType(string(sdk.SecretTypePassword)),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.show_output.0.oauth_scopes.#", "0")),
 
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.name", id.Name())),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.database_name", id.DatabaseName())),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.schema_name", id.SchemaName())),
-					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.secret_type", sdk.SecretTypePassword)),
+					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.secret_type", string(sdk.SecretTypePassword))),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.username", "test_username")),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.comment", "")),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.oauth_scopes.#", "0")),
@@ -199,14 +199,14 @@ func TestAcc_Secrets_WithGenericString(t *testing.T) {
 						HasDatabaseName(id.DatabaseName()).
 						HasSchemaName(id.SchemaName()).
 						HasComment("").
-						HasSecretType(sdk.SecretTypeGenericString),
+						HasSecretType(string(sdk.SecretTypeGenericString)),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.show_output.0.oauth_scopes.#", "0")),
 
 					assert.Check(resource.TestCheckResourceAttrSet(dsName, "secrets.0.describe_output.0.created_on")),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.name", id.Name())),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.database_name", id.DatabaseName())),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.schema_name", id.SchemaName())),
-					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.secret_type", sdk.SecretTypeGenericString)),
+					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.secret_type", string(sdk.SecretTypeGenericString))),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.username", "")),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.comment", "")),
 					assert.Check(resource.TestCheckResourceAttr(dsName, "secrets.0.describe_output.0.oauth_scopes.#", "0")),

pkg/resources/custom_diffs.go

@@ -196,27 +196,30 @@ func RecreateWhenUserTypeChangedExternally(userType sdk.UserType) schema.Customi
 	}
 }
 
-func RecreateWhenSecretTypeChangedExternally(secretType string, oauthType *sdk.OauthSecretType) schema.CustomizeDiffFunc {
+func RecreateWhenSecretTypeChangedExternally(secretType sdk.SecretType) schema.CustomizeDiffFunc {
 	return func(_ context.Context, diff *schema.ResourceDiff, _ interface{}) error {
 		if n := diff.Get("secret_type"); n != nil {
 			logging.DebugLogger.Printf("[DEBUG] new external value for secret type %s\n", n.(string))
-			if secretType != strings.ToUpper(n.(string)) {
+
+			diffSecretType, _ := sdk.ToSecretType(n.(string))
+			if acceptableSecretTypes, ok := sdk.AcceptableSecretTypes[secretType]; ok && !slices.Contains(acceptableSecretTypes, diffSecretType) {
 				return errors.Join(diff.SetNew("secret_type", "<changed externally>"), diff.ForceNew("secret_type"))
 			}
 			// both client_credentials and authorization_code_grant secrets have the same type: "OAUTH2"
 			// to detect the external type change we need to check fields that are required in one, but should be absent in the other
 			// we will check if the 'oauth_refresh_token_expiry_time' is present in the describe_output
 			// since it is required in authorization_code_grant flow and should be empty in client_credentials flow
-			if strings.ToUpper(n.(string)) == string(sdk.SecretTypeOAuth2) && oauthType != nil {
-				var forceNew bool
+			if diffSecretType == sdk.SecretTypeOAuth2 {
+				var isRefreshTokenExpiryTimeEmpty bool
 				rt := diff.Get("describe_output.0.oauth_refresh_token_expiry_time").(string)
-				switch *oauthType {
-				case sdk.OAuth2AuthorizationCodeGrantFlow:
-					forceNew = rt == ""
-				case sdk.OAuth2ClientCredentialsFlow:
-					forceNew = rt != ""
+
+				switch secretType {
+				case sdk.SecretTypeOAuth2AuthorizationCodeGrant:
+					isRefreshTokenExpiryTimeEmpty = rt == ""
+				case sdk.SecretTypeOAuth2ClientCredentials:
+					isRefreshTokenExpiryTimeEmpty = rt != ""
 				}
-				if forceNew {
+				if isRefreshTokenExpiryTimeEmpty {
 					return errors.Join(diff.SetNew("secret_type", "<changed externally>"), diff.ForceNew("secret_type"))
 				}
 			}