Commit
Apply resource conventions
sfc-gh-jcieslak committed Jul 2, 2024
1 parent b9209c6 commit d93db50
Showing 4 changed files with 29 additions and 27 deletions.
8 changes: 4 additions & 4 deletions docs/resources/saml2_integration.md
@@ -64,11 +64,11 @@ resource "snowflake_saml2_integration" "test" {
- `saml2_enable_sp_initiated` (String) The Boolean indicating if the Log In With button will be shown on the login page. TRUE: displays the Log in With button on the login page. FALSE: does not display the Log in With button on the login page. Available options are: `true` or `false`. When the value is not set in the configuration the provider will put `unknown` there which means to use the Snowflake default for this value.
- `saml2_force_authn` (String) The Boolean indicating whether users, during the initial authentication flow, are forced to authenticate again to access Snowflake. When set to TRUE, Snowflake sets the ForceAuthn SAML parameter to TRUE in the outgoing request from Snowflake to the identity provider. TRUE: forces users to authenticate again to access Snowflake, even if a valid session with the identity provider exists. FALSE: does not force users to authenticate again to access Snowflake. Available options are: `true` or `false`. When the value is not set in the configuration the provider will put `unknown` there which means to use the Snowflake default for this value.
- `saml2_post_logout_redirect_url` (String) The endpoint to which Snowflake redirects users after clicking the Log Out button in the classic Snowflake web interface. Snowflake terminates the Snowflake session upon redirecting to the specified endpoint.
- `saml2_requested_nameid_format` (String) The SAML NameID format allows Snowflake to set an expectation of the identifying attribute of the user (i.e. SAML Subject) in the SAML assertion from the IdP to ensure a valid authentication to Snowflake. Valid options are: [urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos urn:oasis:names:tc:SAML:2.0:nameid-format:persistent urn:oasis:names:tc:SAML:2.0:nameid-format:transient]
- `saml2_requested_nameid_format` (String) The SAML NameID format allows Snowflake to set an expectation of the identifying attribute of the user (i.e. SAML Subject) in the SAML assertion from the IdP to ensure a valid authentication to Snowflake. Valid options are: [urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos urn:oasis:names:tc:SAML:2.0:nameid-format:persistent urn:oasis:names:tc:SAML:2.0:nameid-format:transient] When the value is not set in the configuration the provider will put `Snowflake default value` in the state which is a placeholder that means to use the Snowflake default for this value.
- `saml2_sign_request` (String) The Boolean indicating whether SAML requests are signed. TRUE: allows SAML requests to be signed. FALSE: does not allow SAML requests to be signed. Available options are: `true` or `false`. When the value is not set in the configuration the provider will put `unknown` there which means to use the Snowflake default for this value.
- `saml2_snowflake_acs_url` (String) The string containing the Snowflake Assertion Consumer Service URL to which the IdP will send its SAML authentication response back to Snowflake. This property will be set in the SAML authentication request generated by Snowflake when initiating a SAML SSO operation with the IdP. If an incorrect value is specified, Snowflake returns an error message indicating the acceptable values to use.
- `saml2_snowflake_issuer_url` (String) The string containing the EntityID / Issuer for the Snowflake service provider. If an incorrect value is specified, Snowflake returns an error message indicating the acceptable values to use.
- `saml2_snowflake_x509_cert` (String) The Base64 encoded self-signed certificate generated by Snowflake for use with Encrypting SAML Assertions and Signed SAML Requests. You must have at least one of these features (encrypted SAML assertions or signed SAML responses) enabled in your Snowflake account to access the certificate value.
- `saml2_snowflake_acs_url` (String) The string containing the Snowflake Assertion Consumer Service URL to which the IdP will send its SAML authentication response back to Snowflake. This property will be set in the SAML authentication request generated by Snowflake when initiating a SAML SSO operation with the IdP. If an incorrect value is specified, Snowflake returns an error message indicating the acceptable values to use. When the value is not set in the configuration the provider will put `Snowflake default value` in the state which is a placeholder that means to use the Snowflake default for this value.
- `saml2_snowflake_issuer_url` (String) The string containing the EntityID / Issuer for the Snowflake service provider. If an incorrect value is specified, Snowflake returns an error message indicating the acceptable values to use. When the value is not set in the configuration the provider will put `Snowflake default value` in the state which is a placeholder that means to use the Snowflake default for this value.
- `saml2_snowflake_x509_cert` (String) The Base64 encoded self-signed certificate generated by Snowflake for use with Encrypting SAML Assertions and Signed SAML Requests. You must have at least one of these features (encrypted SAML assertions or signed SAML responses) enabled in your Snowflake account to access the certificate value. When the value is not set in the configuration the provider will put `Snowflake default value` in the state which is a placeholder that means to use the Snowflake default for this value.
- `saml2_sp_initiated_login_page_label` (String) The string containing the label to display after the Log In With button on the login page. If this field changes value from non-empty to empty, the whole resource is recreated because of Snowflake limitations.

### Read-Only
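Review bot: the new descriptions for `saml2_snowflake_issuer_url`, `saml2_snowflake_acs_url` and `saml2_snowflake_x509_cert` document the `Snowflake default value` placeholder but not that changing the value from non-empty to empty recreates the resource, which is exactly what the `ForceNewIfChangeToEmptyString(...)` entries added in pkg/resources/saml2_integration.go do for these three attributes. `saml2_sp_initiated_login_page_label` already carries that sentence ("If this field changes value from non-empty to empty, the whole resource is recreated because of Snowflake limitations."); please append it to the three new ones too, since recreating a SAML2 security integration is a disruptive operation for SSO users and should be visible before someone applies. Separately, the `saml2_snowflake_x509_cert` text says the certificate is for "Signed SAML Requests" and then "signed SAML responses" in the next sentence; pick one term.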
8 changes: 8 additions & 0 deletions pkg/resources/common.go
@@ -1,12 +1,20 @@
package resources

import (
"fmt"
"strings"

"github.com/Snowflake-Labs/terraform-provider-snowflake/pkg/helpers"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
)

// TODO: move to special values
const SnowflakeDefaultStringValuePlaceholder = "Snowflake default value"

func SnowflakeDefaultStringValueDescription(description string) string {
return fmt.Sprintf("%s When the value is not set in the configuration the provider will put `%s` in the state which is a placeholder that means to use the Snowflake default for this value.", description, SnowflakeDefaultStringValuePlaceholder)
}

// DiffSuppressStatement will suppress diffs between statements if they differ in only case or in
// runs of whitespace (\s+ = \s). This is needed because the snowflake api does not faithfully
// round-trip queries, so we cannot do a simple character-wise comparison to detect changes.
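Review bot: the `// TODO: move to special values` comment above `SnowflakeDefaultStringValuePlaceholder` leaves the constant in a temporary home in a commit whose stated purpose is to apply the conventions; either move it now or reference the tracking issue in the comment. More importantly, the placeholder is an ordinary string that now becomes the schema `Default` for several attributes, and nothing here prevents it from being treated as a real value: every Create/Update path that reads one of those attributes has to compare against `SnowflakeDefaultStringValuePlaceholder` before passing the value to Snowflake. A doc comment on the constant stating that contract would help the next resource that adopts it.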
2 changes: 1 addition & 1 deletion pkg/resources/helpers.go
@@ -145,7 +145,7 @@ func GetPropertyAsPointer[T any](d *schema.ResourceData, property string) *T {
// the assumptions are that:
// 1. The list is enclosed by [] brackets, and they shouldn't be a part of any item's value
// 2. Items are separated by commas, and they shouldn't be a part of any item's value
// 3. items can have as many spaces in between, but after separation they will be trimmed and shouldn't be a part of any item's value
// 3. Items can have as many spaces in between, but after separation they will be trimmed and shouldn't be a part of any item's value
func ParseCommaSeparatedStringArray(value string) []string {
if strings.HasPrefix(value, "[") && strings.HasSuffix(value, "]") {
if value == "[]" {
38 changes: 16 additions & 22 deletions pkg/resources/saml2_integration.go
@@ -21,11 +21,6 @@ import (
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
)

// TODO Scim add suppress for bools (ignore-case)
// TODO: Scim upgrader (can skip diffs when x fields are set after the upgrade)
// TODO: Move and change
const SnowflakeDefaultStringValuePlaceholder = "Snowflake default value"

var saml2IntegrationSchema = map[string]*schema.Schema{
"name": {
Type: schema.TypeString,
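Review bot: the two SCIM TODOs (`// TODO Scim add suppress for bools (ignore-case)` and `// TODO: Scim upgrader (can skip diffs when x fields are set after the upgrade)`) disappear together with the relocated constant; if they are still open they belong in the SCIM resource file or in an issue rather than being dropped silently in a commit titled "Apply resource conventions".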
@@ -85,7 +80,7 @@ var saml2IntegrationSchema = map[string]*schema.Schema{
Type: schema.TypeString,
Optional: true,
Default: SnowflakeDefaultStringValuePlaceholder,
Description: "The Base64 encoded self-signed certificate generated by Snowflake for use with Encrypting SAML Assertions and Signed SAML Requests. You must have at least one of these features (encrypted SAML assertions or signed SAML responses) enabled in your Snowflake account to access the certificate value.",
Description: SnowflakeDefaultStringValueDescription("The Base64 encoded self-signed certificate generated by Snowflake for use with Encrypting SAML Assertions and Signed SAML Requests. You must have at least one of these features (encrypted SAML assertions or signed SAML responses) enabled in your Snowflake account to access the certificate value."),
DiffSuppressFunc: IgnoreChangeToCurrentSnowflakeValueInDescribe("saml2_snowflake_x509_cert"),
},
"saml2_sign_request": {
@@ -99,8 +94,8 @@ var saml2IntegrationSchema = map[string]*schema.Schema{
"saml2_requested_nameid_format": {
Type: schema.TypeString,
Optional: true,
Default: SnowflakeDefaultStringValuePlaceholder, // TODO: Document in describe
Description: fmt.Sprintf("The SAML NameID format allows Snowflake to set an expectation of the identifying attribute of the user (i.e. SAML Subject) in the SAML assertion from the IdP to ensure a valid authentication to Snowflake. Valid options are: %v", sdk.AllSaml2SecurityIntegrationSaml2RequestedNameidFormats),
Default: SnowflakeDefaultStringValuePlaceholder,
Description: SnowflakeDefaultStringValueDescription(fmt.Sprintf("The SAML NameID format allows Snowflake to set an expectation of the identifying attribute of the user (i.e. SAML Subject) in the SAML assertion from the IdP to ensure a valid authentication to Snowflake. Valid options are: %v", sdk.AllSaml2SecurityIntegrationSaml2RequestedNameidFormats)),
ValidateDiagFunc: sdkValidation(sdk.ToSaml2SecurityIntegrationSaml2RequestedNameidFormatOption),
DiffSuppressFunc: SuppressIfAny(ignoreCaseSuppressFunc, IgnoreChangeToCurrentSnowflakeValueInDescribe("saml2_requested_nameid_format")),
},
@@ -120,14 +115,14 @@ var saml2IntegrationSchema = map[string]*schema.Schema{
Type: schema.TypeString,
Optional: true,
Default: SnowflakeDefaultStringValuePlaceholder,
Description: "The string containing the EntityID / Issuer for the Snowflake service provider. If an incorrect value is specified, Snowflake returns an error message indicating the acceptable values to use.",
Description: SnowflakeDefaultStringValueDescription("The string containing the EntityID / Issuer for the Snowflake service provider. If an incorrect value is specified, Snowflake returns an error message indicating the acceptable values to use."),
DiffSuppressFunc: IgnoreChangeToCurrentSnowflakeValueInDescribe("saml2_snowflake_issuer_url"),
},
"saml2_snowflake_acs_url": {
Type: schema.TypeString,
Optional: true,
Default: SnowflakeDefaultStringValuePlaceholder,
Description: "The string containing the Snowflake Assertion Consumer Service URL to which the IdP will send its SAML authentication response back to Snowflake. This property will be set in the SAML authentication request generated by Snowflake when initiating a SAML SSO operation with the IdP. If an incorrect value is specified, Snowflake returns an error message indicating the acceptable values to use.",
Description: SnowflakeDefaultStringValueDescription("The string containing the Snowflake Assertion Consumer Service URL to which the IdP will send its SAML authentication response back to Snowflake. This property will be set in the SAML authentication request generated by Snowflake when initiating a SAML SSO operation with the IdP. If an incorrect value is specified, Snowflake returns an error message indicating the acceptable values to use."),
DiffSuppressFunc: IgnoreChangeToCurrentSnowflakeValueInDescribe("saml2_snowflake_acs_url"),
},
"allowed_user_domains": {
@@ -184,6 +179,9 @@ func SAML2Integration() *schema.Resource {
CustomizeDiff: customdiff.All(
ForceNewIfChangeToEmptySet("allowed_user_domains"),
ForceNewIfChangeToEmptySet("allowed_email_patterns"),
ForceNewIfChangeToEmptyString("saml2_snowflake_issuer_url"),
ForceNewIfChangeToEmptyString("saml2_snowflake_acs_url"),
ForceNewIfChangeToEmptyString("saml2_snowflake_x509_cert"),
ForceNewIfChangeToEmptyString("saml2_sp_initiated_login_page_label"),
ComputedIfAnyAttributeChanged(showOutputAttributeName, "name", "enabled", "comment"),
ComputedIfAnyAttributeChanged(describeOutputAttributeName, "saml2_issuer", "saml2_sso_url", "saml2_provider", "saml2_x509_cert",
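Review bot: `ForceNewIfChangeToEmptyString` on `saml2_snowflake_issuer_url`, `saml2_snowflake_acs_url` and `saml2_snowflake_x509_cert` turns clearing any of them into a destroy-and-create of the security integration, i.e. an SSO outage for every user of it; that is a defensible choice given UNSET is not available, but it must be stated in the attribute descriptions (the `saml2_sp_initiated_login_page_label` description already does this). Also check the interaction with `Default: SnowflakeDefaultStringValuePlaceholder` on the same attributes: removing one from the configuration yields the placeholder, not `""`, so the ForceNew only fires for an explicit empty string and the removal case falls through to Update with the placeholder as the new value.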
@@ -497,16 +495,6 @@ func ReadContextSAML2Integration(withExternalChangesMarking bool) schema.ReadCon

integrationProperties, err := client.SecurityIntegrations.Describe(ctx, id)
if err != nil {
if errors.Is(err, sdk.ErrObjectNotFound) {
d.SetId("")
return diag.Diagnostics{
diag.Diagnostic{
Severity: diag.Warning,
Summary: "Failed to query security integration properties. Marking the resource as removed.",
Detail: fmt.Sprintf("Security integration name: %s, Err: %s", id.FullyQualifiedName(), err),
},
}
}
return diag.FromErr(err)
}

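Review bot: dropping the `sdk.ErrObjectNotFound` branch around `client.SecurityIntegrations.Describe` means an integration deleted outside Terraform now makes `ReadContextSAML2Integration` fail with a hard error instead of clearing the ID and emitting the warning, so the resource no longer self-heals on the next plan. If the not-found handling moved to an earlier `Show` call in the same function (not visible in this hunk), say so in the commit message; otherwise keep the branch. Also confirm the `errors` import in this file is still used after this removal, or the build will fail.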
@@ -734,7 +722,7 @@ func UpdateContextSAML2Integration(ctx context.Context, d *schema.ResourceData,
}
set.WithEnabled(parsed)
} else {
// TODO: UNSET of type is not implemented
// UNSET is not implemented
set.WithEnabled(true)
}
}
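Review bot: in the `else` branch `set.WithEnabled(true)` means that removing `enabled` from the configuration switches the integration on; the reworded comment `// UNSET is not implemented` explains why some value is sent but not why `true` was chosen. Enabling an authentication integration is the security-sensitive direction, so state the assumed Snowflake default in the `enabled` attribute description so users removing the attribute know what they are getting, and ideally add a log line or test pinning that behaviour.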
@@ -761,6 +749,7 @@ func UpdateContextSAML2Integration(ctx context.Context, d *schema.ResourceData,
}

if d.HasChange("saml2_sp_initiated_login_page_label") {
// UNSET is not implemented (conditional ForceNew on unset)
set.WithSaml2SpInitiatedLoginPageLabel(d.Get("saml2_sp_initiated_login_page_label").(string))
}

@@ -772,12 +761,13 @@ func UpdateContextSAML2Integration(ctx context.Context, d *schema.ResourceData,
}
set.WithSaml2EnableSpInitiated(parsed)
} else {
// UNSET is not implemented
set.WithSaml2EnableSpInitiated(false)
}
}

if d.HasChange("saml2_snowflake_x509_cert") {
// TODO: ForceNew on empty set
// UNSET is not implemented (conditional ForceNew on unset)
set.WithSaml2SnowflakeX509Cert(d.Get("saml2_snowflake_x509_cert").(string))
}

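Review bot: `set.WithSaml2SnowflakeX509Cert(d.Get("saml2_snowflake_x509_cert").(string))` runs whenever `d.HasChange` is true, and because the attribute now defaults to `SnowflakeDefaultStringValuePlaceholder`, removing it from the configuration changes the value from the previous certificate to the literal string `Snowflake default value`. Unless `IgnoreChangeToCurrentSnowflakeValueInDescribe` suppresses that exact diff, the placeholder is sent to Snowflake as the certificate. Add an explicit guard here (skip the SET when the new value equals the placeholder) and cover it with a test; the replaced `// TODO: ForceNew on empty set` comment was pointing at the same gap.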
@@ -789,6 +779,7 @@ func UpdateContextSAML2Integration(ctx context.Context, d *schema.ResourceData,
}
set.WithSaml2SignRequest(parsed)
} else {
// UNSET is not implemented
set.WithSaml2SignRequest(false)
}
}
@@ -821,15 +812,18 @@ func UpdateContextSAML2Integration(ctx context.Context, d *schema.ResourceData,
}
set.WithSaml2ForceAuthn(parsed)
} else {
// UNSET is not implemented
set.WithSaml2SignRequest(false)
}
}

if d.HasChange("saml2_snowflake_issuer_url") {
// UNSET is not implemented (conditional ForceNew on unset)
set.WithSaml2SnowflakeIssuerUrl(d.Get("saml2_snowflake_issuer_url").(string))
}

if d.HasChange("saml2_snowflake_acs_url") {
// UNSET is not implemented (conditional ForceNew on unset)
set.WithSaml2SnowflakeAcsUrl(d.Get("saml2_snowflake_acs_url").(string))
}

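Review bot: in the `saml2_force_authn` block the `else` branch calls `set.WithSaml2SignRequest(false)` while the `if` branch calls `set.WithSaml2ForceAuthn(parsed)`; this is a copy-paste from the `saml2_sign_request` block and this commit touches the branch (it adds the `// UNSET is not implemented` comment) without fixing it. As written, removing `saml2_force_authn` from the configuration leaves ForceAuthn untouched and instead disables signing of outgoing SAML requests, which silently weakens the integration. It should be `set.WithSaml2ForceAuthn(false)`, and a unit test asserting that unsetting `saml2_force_authn` does not change `saml2_sign_request` would catch this class of mistake. The same placeholder caveat as for the x509 certificate applies to the `saml2_snowflake_issuer_url` and `saml2_snowflake_acs_url` branches at the end of this hunk: guard against sending `Snowflake default value` as the URL.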