feat: Support setting storage_aws_external_id in storage integration resource (#3659)

## Summary

This PR adds support for specifying the `storage_aws_external_id` field
when creating and updating a Snowflake storage integration resource.

Previously, the field was treated as `Computed` and could not be
explicitly set via Terraform, which caused issues in scenarios involving
AWS IAM role trust relationships requiring a fixed external ID.

## What was changed

- Updated the Create and Alter function in sdk to pass the value to the
Snowflake API if specified.
- Changed `storage_aws_external_id` attribute to be `Optional`.
- Added acceptance test to verify the behavior.
- Updated doc of storage integration.
- Add clarification of missing support for Git API integrations.

## Test Plan
* [x] integration tests for storage integration
* [ ] acceptance tests for storage integration


## References

-
#2624

---------

Co-authored-by: Jakub Michalak <[email protected]>

Author: yoiki

MIGRATION_GUIDE.md

@@ -21,6 +21,14 @@ for changes required after enabling given [Snowflake BCR Bundle](https://docs.sn
 > [!TIP]
 > If you're still using the `Snowflake-Labs/snowflake` source, see [Upgrading from Snowflake-Labs Provider](./SNOWFLAKEDB_MIGRATION.md) to upgrade to the snowflakedb namespace.
 
+## v2.4.x ➞ v2.5.0
+
+### *(new feature)* Added `storage_aws_external_id` field in the `storage_integration` resource
+
+Previously, this field was read-only. In this version, this field is an optional configurable attribute. Additionally, we added a new `describe_output` field to handle this field properly (read more in our [design considerations](v1-preparations/CHANGES_BEFORE_V1.md#default-values)). Note that fields other than `storage_aws_external_id` do not leverage this field. This will be addressed during the resource rework.
+
+Note that this resource is still in preview, and not officially supported. This change was requested and done by the community: [#3659](https://github.com/snowflakedb/terraform-provider-snowflake/pull/3659).
+
 ## v2.3.0 ➞ v2.4.0
 
 ### *(new feature)* snowflake_current_organization_account resource

docs/resources/api_integration.md

@@ -7,6 +7,8 @@ description: |-
 
 !> **Caution: Preview Feature** This feature is considered a preview feature in the provider, regardless of the state of the resource in Snowflake. We do not guarantee its stability. It will be reworked and marked as a stable feature in future releases. Breaking changes are expected, even without bumping the major version. To use this feature, add the relevant feature name to `preview_features_enabled` field in the [provider configuration](https://registry.terraform.io/providers/snowflakedb/snowflake/latest/docs#schema). Please always refer to the [Getting Help](https://github.com/snowflakedb/terraform-provider-snowflake?tab=readme-ov-file#getting-help) section in our Github repo to best determine how to get help for your questions.
 
+-> **Note** Currently, API integrations for `git_https_api` API provider are not supported. It will be added in the future.
+
 # snowflake_api_integration (Resource)
 
 

docs/resources/storage_integration.md

@@ -7,6 +7,8 @@ description: |-
 
 !> **Caution: Preview Feature** This feature is considered a preview feature in the provider, regardless of the state of the resource in Snowflake. We do not guarantee its stability. It will be reworked and marked as a stable feature in future releases. Breaking changes are expected, even without bumping the major version. To use this feature, add the relevant feature name to `preview_features_enabled` field in the [provider configuration](https://registry.terraform.io/providers/snowflakedb/snowflake/latest/docs#schema). Please always refer to the [Getting Help](https://github.com/snowflakedb/terraform-provider-snowflake?tab=readme-ov-file#getting-help) section in our Github repo to best determine how to get help for your questions.
 
+-> **Note** Currently, `describe_output` field is not used in all the relevant fields (only `storage_aws_external_id` is supported). This will be addressed during the resource rework.
+
 # snowflake_storage_integration (Resource)
 
 
@@ -29,7 +31,7 @@ resource "snowflake_storage_integration" "integration" {
   #   storage_aws_object_acl    = "bucket-owner-full-control"
 
   storage_provider         = "S3"
-  storage_aws_external_id  = "..."
+  storage_aws_external_id  = "ABC12345_DEFRole=2_123ABC459AWQmtAdRqwe/A=="
   storage_aws_iam_user_arn = "..."
   storage_aws_role_arn     = "..."
 
@@ -53,6 +55,7 @@ resource "snowflake_storage_integration" "integration" {
 - `azure_tenant_id` (String) (Default: ``)
 - `comment` (String) (Default: ``)
 - `enabled` (Boolean) (Default: `true`)
+- `storage_aws_external_id` (String) The external ID that Snowflake will use when assuming the AWS role.
 - `storage_aws_object_acl` (String) "bucket-owner-full-control" Enables support for AWS access control lists (ACLs) to grant the bucket owner full control.
 - `storage_aws_role_arn` (String) (Default: ``)
 - `storage_blocked_locations` (List of String) Explicitly prohibits external stages that use the integration from referencing one or more storage locations.
@@ -64,9 +67,9 @@ resource "snowflake_storage_integration" "integration" {
 - `azure_consent_url` (String, Sensitive) The consent URL that is used to create an Azure Snowflake service principle inside your tenant.
 - `azure_multi_tenant_app_name` (String) This is the name of the Snowflake client application created for your account.
 - `created_on` (String) Date and time when the storage integration was created.
+- `describe_output` (List of Object) Outputs the result of `DESCRIBE STORAGE INTEGRATION` for the given storage integration. (see [below for nested schema](#nestedatt--describe_output))
 - `fully_qualified_name` (String) Fully qualified name of the resource. For more information, see [object name resolution](https://docs.snowflake.com/en/sql-reference/name-resolution).
 - `id` (String) The ID of this resource.
-- `storage_aws_external_id` (String) The external ID that Snowflake will use when assuming the AWS role.
 - `storage_aws_iam_user_arn` (String) The Snowflake user that will attempt to assume the AWS role.
 - `storage_gcp_service_account` (String) This is the name of the Snowflake Google Service Account created for your account.
 
@@ -80,6 +83,168 @@ Optional:
 - `read` (String)
 - `update` (String)
 
+
+<a id="nestedatt--describe_output"></a>
+### Nested Schema for `describe_output`
+
+Read-Only:
+
+- `azure_consent_url` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--azure_consent_url))
+- `azure_multi_tenant_app_name` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--azure_multi_tenant_app_name))
+- `comment` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--comment))
+- `enabled` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--enabled))
+- `storage_allowed_locations` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--storage_allowed_locations))
+- `storage_aws_external_id` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--storage_aws_external_id))
+- `storage_aws_iam_user_arn` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--storage_aws_iam_user_arn))
+- `storage_aws_object_acl` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--storage_aws_object_acl))
+- `storage_aws_role_arn` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--storage_aws_role_arn))
+- `storage_blocked_locations` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--storage_blocked_locations))
+- `storage_gcp_service_account` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--storage_gcp_service_account))
+- `storage_provider` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--storage_provider))
+- `use_privatelink_endpoint` (List of Object) (see [below for nested schema](#nestedobjatt--describe_output--use_privatelink_endpoint))
+
+<a id="nestedobjatt--describe_output--azure_consent_url"></a>
+### Nested Schema for `describe_output.azure_consent_url`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--azure_multi_tenant_app_name"></a>
+### Nested Schema for `describe_output.azure_multi_tenant_app_name`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--comment"></a>
+### Nested Schema for `describe_output.comment`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--enabled"></a>
+### Nested Schema for `describe_output.enabled`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--storage_allowed_locations"></a>
+### Nested Schema for `describe_output.storage_allowed_locations`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--storage_aws_external_id"></a>
+### Nested Schema for `describe_output.storage_aws_external_id`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--storage_aws_iam_user_arn"></a>
+### Nested Schema for `describe_output.storage_aws_iam_user_arn`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--storage_aws_object_acl"></a>
+### Nested Schema for `describe_output.storage_aws_object_acl`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--storage_aws_role_arn"></a>
+### Nested Schema for `describe_output.storage_aws_role_arn`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--storage_blocked_locations"></a>
+### Nested Schema for `describe_output.storage_blocked_locations`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--storage_gcp_service_account"></a>
+### Nested Schema for `describe_output.storage_gcp_service_account`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--storage_provider"></a>
+### Nested Schema for `describe_output.storage_provider`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
+
+<a id="nestedobjatt--describe_output--use_privatelink_endpoint"></a>
+### Nested Schema for `describe_output.use_privatelink_endpoint`
+
+Read-Only:
+
+- `default` (String)
+- `name` (String)
+- `type` (String)
+- `value` (String)
+
 ## Import
 
 Import is supported using the following syntax:

examples/resources/snowflake_storage_integration/resource.tf

@@ -10,7 +10,7 @@ resource "snowflake_storage_integration" "integration" {
   #   storage_aws_object_acl    = "bucket-owner-full-control"
 
   storage_provider         = "S3"
-  storage_aws_external_id  = "..."
+  storage_aws_external_id  = "ABC12345_DEFRole=2_123ABC459AWQmtAdRqwe/A=="
   storage_aws_iam_user_arn = "..."
   storage_aws_role_arn     = "..."
 

pkg/acceptance/helpers/storage_integration_client.go

@@ -77,3 +77,11 @@ func (c *StorageIntegrationClient) DropFunc(t *testing.T, id sdk.AccountObjectId
 		require.NoError(t, err)
 	}
 }
+
+func (c *StorageIntegrationClient) Alter(t *testing.T, request *sdk.AlterStorageIntegrationRequest) {
+	t.Helper()
+	ctx := context.Background()
+
+	err := c.client().Alter(ctx, request)
+	require.NoError(t, err)
+}