Add SCIM access token Datasource (Snowflake-Labs#557)

daniepett · Feb 9, 2022 · d385425 · d385425
1 parent 6cf9452
commit d385425
Show file tree

Hide file tree

Showing 9 changed files with 208 additions and 4 deletions.
diff --git a/docs/data-sources/system_generate_scim_access_token.md b/docs/data-sources/system_generate_scim_access_token.md
@@ -0,0 +1,36 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "snowflake_system_generate_scim_access_token Data Source - terraform-provider-snowflake"
+subcategory: ""
+description: |-
+  
+---
+
+# snowflake_system_generate_scim_access_token (Data Source)
+
+
+
+## Example Usage
+
+```terraform
+data "snowflake_system_generate_scim_access_token" "scim" {
+	integration_name = "AAD_PROVISIONING"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- **integration_name** (String) SCIM Integration Name
+
+### Optional
+
+- **id** (String) The ID of this resource.
+
+### Read-Only
+
+- **access_token** (String) SCIM Access Token
+
+
diff --git a/docs/resources/scim_integration.md b/docs/resources/scim_integration.md
@@ -18,7 +18,6 @@ resource "snowflake_scim_integration" "aad" {
   network_policy   = "AAD_NETWORK_POLICY"
   provisioner_role = "AAD_PROVISIONER"
   scim_client      = "AZURE"
-  enabled          = true
 }
 ```
 

diff --git a/examples/data-sources/snowflake_system_generate_scim_access_token/data-source.tf b/examples/data-sources/snowflake_system_generate_scim_access_token/data-source.tf
@@ -0,0 +1,3 @@
+data "snowflake_system_generate_scim_access_token" "scim" {
+	integration_name = "AAD_PROVISIONING"
+}
diff --git a/examples/resources/snowflake_scim_integration/resource.tf b/examples/resources/snowflake_scim_integration/resource.tf
@@ -3,5 +3,4 @@ resource "snowflake_scim_integration" "aad" {
   network_policy   = "AAD_NETWORK_POLICY"
   provisioner_role = "AAD_PROVISIONER"
   scim_client      = "AZURE"
-  enabled          = true
 }
diff --git a/pkg/datasources/system_generate_scim_access_token.go b/pkg/datasources/system_generate_scim_access_token.go
@@ -0,0 +1,54 @@
+package datasources
+
+import (
+	"database/sql"
+	"log"
+
+	"github.com/chanzuckerberg/terraform-provider-snowflake/pkg/snowflake"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+var systemGenerateSCIMAccesstokenSchema = map[string]*schema.Schema{
+	"integration_name": {
+		Type:        schema.TypeString,
+		Required:    true,
+		Description: "SCIM Integration Name",
+	},
+	"access_token": {
+		Type:        schema.TypeString,
+		Computed:    true,
+		Description: "SCIM Access Token",
+	},
+}
+
+func SystemGenerateSCIMAccessToken() *schema.Resource {
+	return &schema.Resource{
+		Read:   ReadSystemGenerateSCIMAccessToken,
+		Schema: systemGenerateSCIMAccesstokenSchema,
+	}
+}
+
+// ReadSystemGetAWSSNSIAMPolicy implements schema.ReadFunc
+func ReadSystemGenerateSCIMAccessToken(d *schema.ResourceData, meta interface{}) error {
+	db := meta.(*sql.DB)
+	integrationName := d.Get("integration_name").(string)
+
+	sel := snowflake.SystemGenerateSCIMAccessToken(integrationName).Select()
+	row := snowflake.QueryRow(db, sel)
+	accessToken, err := snowflake.ScanSCIMAccessToken(row)
+	if err == sql.ErrNoRows {
+		// If not found, mark resource to be removed from statefile during apply or refresh
+		log.Printf("[DEBUG] system_generate_scim_access_token (%s) not found", d.Id())
+		d.SetId("")
+		return nil
+	}
+
+	if err != nil {
+		log.Printf("[DEBUG] system_generate_scim_access_token (%s) failed to generate (%q)", d.Id(), err.Error())
+		d.SetId("")
+		return nil
+	}
+
+	d.SetId(integrationName)
+	return d.Set("access_token", accessToken.Token)
+}
diff --git a/pkg/datasources/system_generate_scim_access_token_acceptance_test.go b/pkg/datasources/system_generate_scim_access_token_acceptance_test.go
@@ -0,0 +1,63 @@
+package datasources_test
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+)
+
+func TestAcc_SystemGenerateSCIMAccessToken(t *testing.T) {
+	scimIntName := strings.ToUpper(acctest.RandStringFromCharSet(10, acctest.CharSetAlpha))
+	resource.ParallelTest(t, resource.TestCase{
+		Providers: providers(),
+		Steps: []resource.TestStep{
+			{
+				Config: generateAccessTokenConfig(scimIntName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("data.snowflake_system_generate_scim_access_token.p", "integration_name", scimIntName),
+					resource.TestCheckResourceAttrSet("data.snowflake_system_generate_scim_access_token.p", "access_token"),
+				),
+			},
+		},
+	})
+}
+
+func generateAccessTokenConfig(name string) string {
+	return fmt.Sprintf(`
+	resource "snowflake_role" "azured" {
+		name = "AAD_PROVISIONER"
+		comment = "test comment"
+	}
+
+	resource "snowflake_account_grant" "azurecud" {
+		roles     = [snowflake_role.azured.name]
+		privilege = "CREATE USER"
+	}
+	resource "snowflake_account_grant" "azurecrd" {
+		roles     = [snowflake_role.azured.name]
+		privilege = "CREATE ROLE"
+	}
+	resource "snowflake_role_grants" "azured" {
+		role_name = snowflake_role.azured.name
+		roles = ["ACCOUNTADMIN"]
+	}
+
+	resource "snowflake_scim_integration" "azured" {
+		name = "%s"
+		scim_client = "AZURE"
+		provisioner_role = snowflake_role.azured.name
+		depends_on = [
+			snowflake_account_grant.azurecud,
+			snowflake_account_grant.azurecrd,
+			snowflake_role_grants.azured
+		]
+	}
+
+	data snowflake_system_generate_scim_access_token p {
+		integration_name = snowflake_scim_integration.azured.name
+	}
+	`, name)
+}
diff --git a/pkg/provider/provider.go b/pkg/provider/provider.go
@@ -190,8 +190,9 @@ func getResources() map[string]*schema.Resource {
 
 func getDataSources() map[string]*schema.Resource {
 	dataSources := map[string]*schema.Resource{
-		"snowflake_system_get_aws_sns_iam_policy": datasources.SystemGetAWSSNSIAMPolicy(),
-		"snowflake_system_get_privatelink_config": datasources.SystemGetPrivateLinkConfig(),
+		"snowflake_system_generate_scim_access_token": datasources.SystemGenerateSCIMAccessToken(),
+		"snowflake_system_get_aws_sns_iam_policy":     datasources.SystemGetAWSSNSIAMPolicy(),
+		"snowflake_system_get_privatelink_config":     datasources.SystemGetPrivateLinkConfig(),
 	}
 
 	return dataSources

diff --git a/pkg/snowflake/system_generate_scim_access_token.go b/pkg/snowflake/system_generate_scim_access_token.go
@@ -0,0 +1,35 @@
+package snowflake
+
+import (
+	"fmt"
+
+	"github.com/jmoiron/sqlx"
+)
+
+// SystemGenerateSCIMAccessTokenBuilder abstracts calling the SYSTEM$GENERATE_SCIM_ACCESS_TOKEN system function
+type SystemGenerateSCIMAccessTokenBuilder struct {
+	integrationName string
+}
+
+// SystemGenerateSCIMAccessToken returns a pointer to a builder that abstracts calling the the SYSTEM$GENERATE_SCIM_ACCESS_TOKEN system function
+func SystemGenerateSCIMAccessToken(integrationName string) *SystemGenerateSCIMAccessTokenBuilder {
+	return &SystemGenerateSCIMAccessTokenBuilder{
+		integrationName: integrationName,
+	}
+}
+
+// Select generates the select statement for obtaining the scim access token
+func (pb *SystemGenerateSCIMAccessTokenBuilder) Select() string {
+	return fmt.Sprintf(`SELECT SYSTEM$GENERATE_SCIM_ACCESS_TOKEN('%v') AS "token"`, pb.integrationName)
+}
+
+type scimAccessToken struct {
+	Token string `db:"token"`
+}
+
+// ScanSCIMAccessToken convert a result into a
+func ScanSCIMAccessToken(row *sqlx.Row) (*scimAccessToken, error) {
+	p := &scimAccessToken{}
+	e := row.StructScan(p)
+	return p, e
+}
diff --git a/pkg/snowflake/system_generate_scim_access_token_test.go b/pkg/snowflake/system_generate_scim_access_token_test.go
@@ -0,0 +1,14 @@
+package snowflake
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestSystemGenerateSCIMAccessToken(t *testing.T) {
+	r := require.New(t)
+	sb := SystemGenerateSCIMAccessToken("AAD_PROVISIONING")
+
+	r.Equal(sb.Select(), `SELECT SYSTEM$GENERATE_SCIM_ACCESS_TOKEN('AAD_PROVISIONING') AS "token"`)
+}