Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: Make blocked_roles_field optional in OAuth security integrations #3267

Merged
merged 8 commits into from
Dec 12, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 14 additions & 1 deletion MIGRATION_GUIDE.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,14 +9,27 @@ across different versions.

## v0.99.0 ➞ v0.100.0

### snowflake_oauth_integration_for_partner_applications and snowflake_oauth_integration_for_custom_clients resource changes
#### *(behavior change)* `blocked_roles_list` field is no longer required

Previously, `blocked_roles_list` field was required to handle default account roles like `ACCOUNTADMIN`, `ORGADMIN`, and `SECURITYADMIN`.

Now, it is optional, because of using the value of `OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST` parameter (read more below).

No changes in the configuration are necessary.

#### *(behavior change)* new field `related_parameters`

To handle `blocked_roles_list` field properly in both of the resources, we introduce `related_parameters` field. This field is a list of parameters related to OAuth integrations. It is a computed-only field containing value of `OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST` account parameter (see [docs](https://docs.snowflake.com/en/sql-reference/parameters#oauth-add-privileged-roles-to-blocked-list)).

### snowflake_account resource changes

Changes:
- `admin_user_type` is now supported. No action required during the migration.
- `grace_period_in_days` is now required. The field should be explicitly set in the following versions.
- Account renaming is now supported.
- `is_org_admin` is a settable field (previously it was read-only field). Changing its value is also supported.
- `must_change_password` and `is_org_admin` type was changed from `bool` to bool-string (more on that [here](/~https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/v1-preparations/CHANGES_BEFORE_V1.md#empty-values)). No action required during the migration.
- `must_change_password` and `is_org_admin` type was changed from `bool` to bool-string (more on that [here](/~https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/v1-preparations/CHANGES_BEFORE_V1.md#empty-values)). No action required during the migration.
- The underlying resource identifier was changed from `<account_locator>` to `<organization_name>.<account_name>`. Migration will be done automatically. Notice this introduces changes in how `snowflake_account` resource is imported.
- New `show_output` field was added (see [raw Snowflake output](./v1-preparations/CHANGES_BEFORE_V1.md#raw-snowflake-output)).

Expand Down
2 changes: 1 addition & 1 deletion docs/resources/external_oauth_integration.md
Original file line number Diff line number Diff line change
Expand Up @@ -92,7 +92,7 @@ resource "snowflake_external_oauth_integration" "test" {
- `describe_output` (List of Object) Outputs the result of `DESCRIBE SECURITY INTEGRATIONS` for the given security integration. (see [below for nested schema](#nestedatt--describe_output))
- `fully_qualified_name` (String) Fully qualified name of the resource. For more information, see [object name resolution](https://docs.snowflake.com/en/sql-reference/name-resolution).
- `id` (String) The ID of this resource.
- `related_parameters` (List of Object) Paramteres related to this security integration. (see [below for nested schema](#nestedatt--related_parameters))
- `related_parameters` (List of Object) Parameters related to this security integration. (see [below for nested schema](#nestedatt--related_parameters))
- `show_output` (List of Object) Outputs the result of `SHOW SECURITY INTEGRATIONS` for the given security integration. (see [below for nested schema](#nestedatt--show_output))

<a id="nestedatt--describe_output"></a>
Expand Down
24 changes: 22 additions & 2 deletions docs/resources/oauth_integration_for_custom_clients.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,6 @@ resource "snowflake_oauth_integration_for_custom_clients" "basic" {
name = "integration"
oauth_client_type = "CONFIDENTIAL"
oauth_redirect_uri = "https://example.com"
blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN"]
}

# resource with all fields set
Expand Down Expand Up @@ -53,13 +52,13 @@ resource "snowflake_oauth_integration_for_custom_clients" "complete" {

### Required

- `blocked_roles_list` (Set of String) A set of Snowflake roles that a user cannot explicitly consent to using after authenticating. For more information about this resource, see [docs](./account_role).
- `name` (String) Specifies the name of the OAuth integration. This name follows the rules for Object Identifiers. The name should be unique among security integrations in your account. Due to technical limitations (read more [here](/~https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/identifiers_rework_design_decisions.md#known-limitations-and-identifier-recommendations)), avoid using the following characters: `|`, `.`, `"`.
- `oauth_client_type` (String) Specifies the type of client being registered. Snowflake supports both confidential and public clients. Valid options are: `PUBLIC` | `CONFIDENTIAL`.
- `oauth_redirect_uri` (String) Specifies the client URI. After a user is authenticated, the web browser is redirected to this URI.

### Optional

- `blocked_roles_list` (Set of String) A set of Snowflake roles that a user cannot explicitly consent to using after authenticating. By default, this list includes the ACCOUNTADMIN, ORGADMIN and SECURITYADMIN roles. To remove these privileged roles from the list, use the ALTER ACCOUNT command to set the OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST account parameter to FALSE. For more information about this resource, see [docs](./account_role).
- `comment` (String) Specifies a comment for the OAuth integration.
- `enabled` (String) Specifies whether this OAuth integration is enabled or disabled. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value.
- `network_policy` (String) Specifies an existing network policy. This network policy controls network traffic that is attempting to exchange an authorization code for an access or refresh token or to use a refresh token to obtain a new access token. For more information about this resource, see [docs](./network_policy).
Expand All @@ -77,6 +76,7 @@ resource "snowflake_oauth_integration_for_custom_clients" "complete" {
- `describe_output` (List of Object) Outputs the result of `DESCRIBE SECURITY INTEGRATION` for the given integration. (see [below for nested schema](#nestedatt--describe_output))
- `fully_qualified_name` (String) Fully qualified name of the resource. For more information, see [object name resolution](https://docs.snowflake.com/en/sql-reference/name-resolution).
- `id` (String) The ID of this resource.
- `related_parameters` (List of Object) Parameters related to this security integration. (see [below for nested schema](#nestedatt--related_parameters))
- `show_output` (List of Object) Outputs the result of `SHOW SECURITY INTEGRATION` for the given integration. (see [below for nested schema](#nestedatt--show_output))

<a id="nestedatt--describe_output"></a>
Expand Down Expand Up @@ -314,6 +314,26 @@ Read-Only:



<a id="nestedatt--related_parameters"></a>
### Nested Schema for `related_parameters`

Read-Only:

- `oauth_add_privileged_roles_to_blocked_list` (List of Object) (see [below for nested schema](#nestedobjatt--related_parameters--oauth_add_privileged_roles_to_blocked_list))

<a id="nestedobjatt--related_parameters--oauth_add_privileged_roles_to_blocked_list"></a>
### Nested Schema for `related_parameters.oauth_add_privileged_roles_to_blocked_list`

Read-Only:

- `default` (String)
- `description` (String)
- `key` (String)
- `level` (String)
- `value` (String)



<a id="nestedatt--show_output"></a>
### Nested Schema for `show_output`

Expand Down
24 changes: 22 additions & 2 deletions docs/resources/oauth_integration_for_partner_applications.md
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,6 @@ resource "snowflake_oauth_integration_for_partner_applications" "test" {
name = "example"
oauth_client = "LOOKER"
oauth_redirect_uri = "http://example.com"
blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN"]
}

# resource with all fields set
Expand All @@ -44,12 +43,12 @@ resource "snowflake_oauth_integration_for_partner_applications" "test" {

### Required

- `blocked_roles_list` (Set of String) A set of Snowflake roles that a user cannot explicitly consent to using after authenticating. For more information about this resource, see [docs](./account_role).
- `name` (String) Specifies the name of the OAuth integration. This name follows the rules for Object Identifiers. The name should be unique among security integrations in your account. Due to technical limitations (read more [here](/~https://github.com/Snowflake-Labs/terraform-provider-snowflake/blob/main/docs/technical-documentation/identifiers_rework_design_decisions.md#known-limitations-and-identifier-recommendations)), avoid using the following characters: `|`, `.`, `"`.
- `oauth_client` (String) Creates an OAuth interface between Snowflake and a partner application. Valid options are: `LOOKER` | `TABLEAU_DESKTOP` | `TABLEAU_SERVER`.

### Optional

- `blocked_roles_list` (Set of String) A set of Snowflake roles that a user cannot explicitly consent to using after authenticating. By default, this list includes the ACCOUNTADMIN, ORGADMIN and SECURITYADMIN roles. To remove these privileged roles from the list, use the ALTER ACCOUNT command to set the OAUTH_ADD_PRIVILEGED_ROLES_TO_BLOCKED_LIST account parameter to FALSE. For more information about this resource, see [docs](./account_role).
- `comment` (String) Specifies a comment for the OAuth integration.
- `enabled` (String) Specifies whether this OAuth integration is enabled or disabled. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value.
- `oauth_issue_refresh_tokens` (String) Specifies whether to allow the client to exchange a refresh token for an access token when the current access token has expired. Available options are: "true" or "false". When the value is not set in the configuration the provider will put "default" there which means to use the Snowflake default for this value.
Expand All @@ -62,6 +61,7 @@ resource "snowflake_oauth_integration_for_partner_applications" "test" {
- `describe_output` (List of Object) Outputs the result of `DESCRIBE SECURITY INTEGRATION` for the given integration. (see [below for nested schema](#nestedatt--describe_output))
- `fully_qualified_name` (String) Fully qualified name of the resource. For more information, see [object name resolution](https://docs.snowflake.com/en/sql-reference/name-resolution).
- `id` (String) The ID of this resource.
- `related_parameters` (List of Object) Parameters related to this security integration. (see [below for nested schema](#nestedatt--related_parameters))
- `show_output` (List of Object) Outputs the result of `SHOW SECURITY INTEGRATION` for the given integration. (see [below for nested schema](#nestedatt--show_output))

<a id="nestedatt--describe_output"></a>
Expand Down Expand Up @@ -299,6 +299,26 @@ Read-Only:



<a id="nestedatt--related_parameters"></a>
### Nested Schema for `related_parameters`

Read-Only:

- `oauth_add_privileged_roles_to_blocked_list` (List of Object) (see [below for nested schema](#nestedobjatt--related_parameters--oauth_add_privileged_roles_to_blocked_list))

<a id="nestedobjatt--related_parameters--oauth_add_privileged_roles_to_blocked_list"></a>
### Nested Schema for `related_parameters.oauth_add_privileged_roles_to_blocked_list`

Read-Only:

- `default` (String)
- `description` (String)
- `key` (String)
- `level` (String)
- `value` (String)



<a id="nestedatt--show_output"></a>
### Nested Schema for `show_output`

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,6 @@ resource "snowflake_oauth_integration_for_custom_clients" "basic" {
name = "integration"
oauth_client_type = "CONFIDENTIAL"
oauth_redirect_uri = "https://example.com"
blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN"]
}

# resource with all fields set
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,6 @@ resource "snowflake_oauth_integration_for_partner_applications" "test" {
name = "example"
oauth_client = "LOOKER"
oauth_redirect_uri = "http://example.com"
blocked_roles_list = ["ACCOUNTADMIN", "SECURITYADMIN"]
}

# resource with all fields set
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,14 @@ var allResourceSchemaDefs = []ResourceSchemaDef{
name: "Account",
schema: resources.Account().Schema,
},
{
name: "OauthIntegrationForCustomClients",
schema: resources.OauthIntegrationForCustomClients().Schema,
},
{
name: "OauthIntegrationForPartnerApplications",
schema: resources.OauthIntegrationForPartnerApplications().Schema,
},
{
name: "FunctionJava",
schema: resources.FunctionJava().Schema,
Expand Down
Loading
Loading