
[Bug]: oauth_scopes Parameter Incorrectly Marked as Required for snowflake_secret_with_client_credentials Resource #3272

Open
TrsNium opened this issue Dec 12, 2024 · 3 comments
Assignees
Labels
bug (Used to mark issues with provider's incorrect behavior), resource:secret_with_client_credentials

Comments

@TrsNium

TrsNium commented Dec 12, 2024

Terraform CLI Version

1.7.0

Terraform Provider Version

0.99.0

Company Name

No response

Terraform Configuration

resource "snowflake_secret_with_client_credentials" "example" {
  provider           = snowflake.accountadmin
  name               = "example"
  database           = "workspace"
  schema             = "example"
  api_authentication = snowflake_api_authentication_integration_with_jwt_bearer.snowflake_connector_for_gard.name
  // oauth_scopes    = ["something scope"]
  comment            = "Secret for Snowflake Connector for Google Analytics Raw Data"
}

Category

category:resource

Object type(s)

resource:api_integration

Expected Behavior

According to the Snowflake SQL documentation, the oauth_scopes parameter is optional when creating secrets with client credentials. Therefore, when using the Terraform provider to manage such secrets, specifying oauth_scopes should also be optional. Users should be able to omit oauth_scopes entirely if it’s not needed.

Actual Behavior

In the current Terraform provider implementation for snowflake_secret_with_client_credentials, oauth_scopes is treated as a required parameter. Even if the underlying Snowflake configuration considers it optional, the Terraform provider forces the user to provide a value. As a result, users cannot create a secret resource without explicitly specifying oauth_scopes, which contradicts the optional nature described in the Snowflake SQL reference.

Steps to Reproduce

Create api_authentication_integration and snowflake_secret_with_client_credentials as follows. The issue can be reproduced by leaving oauth_scopes of snowflake_secret_with_client_credentials empty.

# client secret is dummy value generated by openssl
# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 | ruby -e 'puts STDIN.read.lines.reject{|l|l.include?("-----")}.join.gsub("\n","")'
resource "snowflake_api_authentication_integration_with_jwt_bearer" "snowflake_connector_for_gard" {
  provider               = snowflake.accountadmin
  enabled                = true
  name                   = var.security_integration_name
  comment                = "Security integration for Snowflake Connector for Google Analytics Raw Data"
  oauth_client_id        = "dummy"
  oauth_client_secret    = "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"
  oauth_assertion_issuer = "dummy"
  oauth_token_endpoint   = "https://oauth2.googleapis.com/token"
}
resource "snowflake_secret_with_client_credentials" "example" {
  provider           = snowflake.accountadmin
  name               = "example"
  database           = "workspace"
  schema             = "example"
  api_authentication = snowflake_api_authentication_integration_with_jwt_bearer.snowflake_connector_for_gard.name
  // oauth_scopes    = ["something scope"]
  comment            = "Secret for Snowflake Connector for Google Analytics Raw Data"
}

How much impact is this issue causing?

Medium

Logs

No response

Additional Information

No response

Would you like to implement a fix?

  • Yeah, I'll take it 😎
@TrsNium TrsNium added the bug Used to mark issues with provider's incorrect behavior label Dec 12, 2024
@sfc-gh-sghosh

sfc-gh-sghosh commented Dec 13, 2024

Hello @TrsNium ,

Thanks for raising the issue.
As you have shown interest in providing a fix, please read our contributing guidelines, and in case of any issues (or questions about the implementation), use this thread for communication.

@sfc-gh-jcieslak
Collaborator

Hey @TrsNium 👋
Snowflake SQL documentation states that the parameter oauth_scopes for secret with client credentials is required. However, you are right about the behavior of the object itself. On Snowsight, it is possible to create the secret with client credentials without specifying the oauth_scopes parameter.

We make the resources according to the documentation, not to the undocumented behavior, and that's why this parameter is marked as required.

Thanks for reporting the issue, it will help us push this issue further internally.

@sfc-gh-jcieslak sfc-gh-jcieslak self-assigned this Dec 13, 2024
@PedroMartinSteenstrup

Lost a fair bit of time trying to figure this one out.
I was starting to wonder if this was a secret of type CLOUD_PROVIDER_TOKEN, which is not yet available in Terraform but which I could find in the documentation. Looking forward to hearing what the retained final behavior is, then.

Development

No branches or pull requests

5 participants