fix: Fix using lowercased network policies in security integrations (#3867)

Fix setting network policies with lowercase characters in security
integrations
- Modify the SDK to properly quote network policy names in security
integrations
- Added integration tests to verify the fix works
- Remove the warning note from the documentation
- Updated the migration guide with information about the fix
- This fix contains a workaround, as the SDK doesn't support custom
quoting in identifiers nicely. Added a note to the generator readme.
- Adjust the def file with the required `oauth_redirect_uri`. The
generated code was already good, but only the def was updated. Fix the
example docs as well.
- Move some manually added code to an ext file.

## References
-  #3229
- SNOW-1833593
-
https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-oauth-snowflake

Author: sfc-gh-jmichalak

MIGRATION_GUIDE.md

@@ -29,6 +29,15 @@ Previously, this field was read-only. In this version, this field is an optional
 
 Note that this resource is still in preview, and not officially supported. This change was requested and done by the community: [#3659](https://github.com/snowflakedb/terraform-provider-snowflake/pull/3659).
 
+### *(bugfix)* Fix setting network policies with lowercase characters in security integrations
+Previously, when the provider created or set a security integration (in `snowflake_oauth_integration_for_custom_clients` or `snowflake_scim_integration`) with a network policy containing lowercase letters, this could fail due to a different quoting used in Snowflake in these objects. Namely, despite using the `"` quotes, the referenced network name was uppercased in Snowflake. This means that the uppercased network policy was used instead.
+Snowflake could return errors like `Network policy TEST does not exist or not authorized.`.
+In this case, a special quoting needs to be used (see [docs](https://docs.snowflake.com/en/sql-reference/sql/create-security-integration-oauth-snowflake)). Instead of the usual `NETWORK_POLICY = "test"`, it needs to be `NETWORK_POLICY = '"test"'`.
+
+In this version, this behavior is fixed. The provider always uses the mixed `'"name"'` notation, and the casing should match the name in Snowflake.
+
+References: [#3229](https://github.com/snowflakedb/terraform-provider-snowflake/issues/3229)
+
 ## v2.3.0 ➞ v2.4.0
 
 ### *(new feature)* snowflake_current_organization_account resource

docs/resources/oauth_integration_for_custom_clients.md

@@ -7,8 +7,6 @@ description: |-
 
 !> **Sensitive values** This resource's `oauth_redirect_uri` and `describe_output.oauth_redirect_uri` fields are not marked as sensitive in the provider. Ensure that no personal data, sensitive data, export-controlled data, or other regulated data is entered as metadata when using the provider. If you use one of these fields, they may be present in logs, so ensure that the provider logs are properly restricted. For more information, see [Sensitive values limitations](../#sensitive-values-limitations) and [Metadata fields in Snowflake](https://docs.snowflake.com/en/sql-reference/metadata).
 
-!> **Note** Setting a network policy with lowercase letters does not work correctly in Snowflake (see [issue](https://github.com/snowflakedb/terraform-provider-snowflake/issues/3229)). As a workaround, set the network policy with uppercase letters only, or use [execute](./execute) with network policy ID wrapped in `'`.
-
 !> **Note** The provider does not detect external changes on security integration type. In this case, remove the integration of wrong type manually with `terraform destroy` and recreate the resource. It will be addressed in the future.
 
 ~> **Missing fields** The `oauth_client_id` and `oauth_redirect_uri` fields are not present in the `describe_output` on purpose due to Terraform SDK limitations (more on that in the [migration guide](https://github.com/snowflakedb/terraform-provider-snowflake/blob/main/MIGRATION_GUIDE.md#removal-of-sensitive-fields)).

docs/resources/oauth_integration_for_partner_applications.md

@@ -33,6 +33,7 @@ resource "snowflake_oauth_integration_for_partner_applications" "test" {
   enabled                      = "true"
   oauth_issue_refresh_tokens   = "true"
   oauth_refresh_token_validity = 3600
+  oauth_redirect_uri           = "http://example.com"
   oauth_use_secondary_roles    = "IMPLICIT"
   blocked_roles_list           = ["ACCOUNTADMIN", "SECURITYADMIN", snowflake_role.one.fully_qualified_name, snowflake_role.two.fully_qualified_name]
   comment                      = "example oauth integration for partner applications"

examples/resources/snowflake_oauth_integration_for_partner_applications/resource.tf

@@ -12,6 +12,7 @@ resource "snowflake_oauth_integration_for_partner_applications" "test" {
   enabled                      = "true"
   oauth_issue_refresh_tokens   = "true"
   oauth_refresh_token_validity = 3600
+  oauth_redirect_uri           = "http://example.com"
   oauth_use_secondary_roles    = "IMPLICIT"
   blocked_roles_list           = ["ACCOUNTADMIN", "SECURITYADMIN", snowflake_role.one.fully_qualified_name, snowflake_role.two.fully_qualified_name]
   comment                      = "example oauth integration for partner applications"

pkg/acceptance/helpers/network_rule_client.go

@@ -39,6 +39,16 @@ func (c *NetworkRuleClient) CreateIngress(t *testing.T) (*sdk.NetworkRule, func(
 	))
 }
 
+func (c *NetworkRuleClient) CreateIP(t *testing.T) (*sdk.NetworkRule, func()) {
+	t.Helper()
+	return c.CreateWithRequest(t, sdk.NewCreateNetworkRuleRequest(
+		c.ids.RandomSchemaObjectIdentifier(),
+		sdk.NetworkRuleTypeIpv4,
+		[]sdk.NetworkRuleValue{{Value: "1.2.3.4"}},
+		sdk.NetworkRuleModeIngress,
+	))
+}
+
 func (c *NetworkRuleClient) CreateEgressWithIdentifier(t *testing.T, id sdk.SchemaObjectIdentifier) (*sdk.NetworkRule, func()) {
 	t.Helper()
 	return c.CreateWithRequest(t, sdk.NewCreateNetworkRuleRequest(

pkg/sdk/poc/README.md

@@ -142,6 +142,7 @@ find a better solution to solve the issue (add more logic to the templates ?)
   - Add a possibility to generate a non-sql method with a custom implementation. Currently, it is done only in `ShowById...` functions with `newNoSqlOperation`.
 - improve handling operations that return one row
 - add more context to validated identifiers, so that error contains the affected field
+- add custom identifier wrapping, like it's used in security integrations' network policies
 
 ##### Known issues
 - generating two converts when Show and Desc use the same data structure

pkg/sdk/security_integrations_def.go

@@ -512,7 +512,7 @@ var oauthForCustomClientsIntegrationSetDef = g.NewQueryStruct("OauthForCustomCli
 		g.KindOfT[OauthSecurityIntegrationUseSecondaryRolesOption](),
 		g.ParameterOptions(),
 	).
-	OptionalIdentifier("NetworkPolicy", g.KindOfT[AccountObjectIdentifier](), g.IdentifierOptions().Equals().SQL("NETWORK_POLICY")).
+	OptionalTextAssignment("NETWORK_POLICY", g.ParameterOptions().NoQuotes()).
 	OptionalTextAssignment("OAUTH_CLIENT_RSA_PUBLIC_KEY", g.ParameterOptions().SingleQuotes()).
 	OptionalTextAssignment("OAUTH_CLIENT_RSA_PUBLIC_KEY_2", g.ParameterOptions().SingleQuotes()).
 	OptionalComment().
@@ -567,7 +567,7 @@ var saml2IntegrationUnsetDef = g.NewQueryStruct("Saml2IntegrationUnset").
 
 var scimIntegrationSetDef = g.NewQueryStruct("ScimIntegrationSet").
 	OptionalBooleanAssignment("ENABLED", g.ParameterOptions()).
-	OptionalIdentifier("NetworkPolicy", g.KindOfT[AccountObjectIdentifier](), g.IdentifierOptions().Equals().SQL("NETWORK_POLICY")).
+	OptionalTextAssignment("NETWORK_POLICY", g.ParameterOptions().NoQuotes()).
 	OptionalBooleanAssignment("SYNC_PASSWORD", g.ParameterOptions()).
 	// TODO(SNOW-1461780): use COMMENT in unset and here use OptionalComment
 	OptionalAssignment("COMMENT", "StringAllowEmpty", g.ParameterOptions()).
@@ -733,7 +733,7 @@ var SecurityIntegrationsDef = g.NewInterface(
 					g.KindOfT[OauthSecurityIntegrationClientTypeOption](),
 					g.ParameterOptions().Required().SingleQuotes(),
 				).
-				OptionalTextAssignment("OAUTH_REDIRECT_URI", g.ParameterOptions().SingleQuotes()).
+				TextAssignment("OAUTH_REDIRECT_URI", g.ParameterOptions().Required().SingleQuotes()).
 				OptionalBooleanAssignment("ENABLED", g.ParameterOptions()).
 				OptionalBooleanAssignment("OAUTH_ALLOW_NON_TLS_REDIRECT_URI", g.ParameterOptions()).
 				OptionalBooleanAssignment("OAUTH_ENFORCE_PKCE", g.ParameterOptions()).
@@ -746,7 +746,7 @@ var SecurityIntegrationsDef = g.NewInterface(
 				OptionalQueryStructField("BlockedRolesList", blockedRolesListDef, g.ParameterOptions().SQL("BLOCKED_ROLES_LIST").Parentheses()).
 				OptionalBooleanAssignment("OAUTH_ISSUE_REFRESH_TOKENS", g.ParameterOptions()).
 				OptionalNumberAssignment("OAUTH_REFRESH_TOKEN_VALIDITY", g.ParameterOptions()).
-				OptionalIdentifier("NetworkPolicy", g.KindOfT[AccountObjectIdentifier](), g.IdentifierOptions().Equals().SQL("NETWORK_POLICY")).
+				OptionalTextAssignment("NETWORK_POLICY", g.ParameterOptions().NoQuotes()).
 				OptionalTextAssignment("OAUTH_CLIENT_RSA_PUBLIC_KEY", g.ParameterOptions().SingleQuotes()).
 				OptionalTextAssignment("OAUTH_CLIENT_RSA_PUBLIC_KEY_2", g.ParameterOptions().SingleQuotes())
 		}),
@@ -802,7 +802,7 @@ var SecurityIntegrationsDef = g.NewInterface(
 					g.KindOfT[ScimSecurityIntegrationRunAsRoleOption](),
 					g.ParameterOptions().SingleQuotes().Required(),
 				).
-				OptionalIdentifier("NetworkPolicy", g.KindOfT[AccountObjectIdentifier](), g.IdentifierOptions().Equals().SQL("NETWORK_POLICY")).
+				OptionalTextAssignment("NETWORK_POLICY", g.ParameterOptions().NoQuotes()).
 				OptionalBooleanAssignment("SYNC_PASSWORD", g.ParameterOptions())
 		}),
 	).

pkg/sdk/security_integrations_dto_gen.go

@@ -40,10 +40,6 @@ type CreateApiAuthenticationWithClientCredentialsFlowSecurityIntegrationRequest
 	Comment                     *string
 }
 
-func (r *CreateApiAuthenticationWithClientCredentialsFlowSecurityIntegrationRequest) GetName() AccountObjectIdentifier {
-	return r.name
-}
-
 type CreateApiAuthenticationWithAuthorizationCodeGrantFlowSecurityIntegrationRequest struct {
 	OrReplace                   *bool
 	IfNotExists                 *bool
@@ -61,10 +57,6 @@ type CreateApiAuthenticationWithAuthorizationCodeGrantFlowSecurityIntegrationReq
 	Comment                     *string
 }
 
-func (r *CreateApiAuthenticationWithAuthorizationCodeGrantFlowSecurityIntegrationRequest) GetName() AccountObjectIdentifier {
-	return r.name
-}
-
 type CreateApiAuthenticationWithJwtBearerFlowSecurityIntegrationRequest struct {
 	OrReplace                  *bool
 	IfNotExists                *bool
@@ -82,10 +74,6 @@ type CreateApiAuthenticationWithJwtBearerFlowSecurityIntegrationRequest struct {
 	Comment                    *string
 }
 
-func (r *CreateApiAuthenticationWithJwtBearerFlowSecurityIntegrationRequest) GetName() AccountObjectIdentifier {
-	return r.name
-}
-
 type CreateExternalOauthSecurityIntegrationRequest struct {
 	OrReplace                                  *bool
 	IfNotExists                                *bool
@@ -107,10 +95,6 @@ type CreateExternalOauthSecurityIntegrationRequest struct {
 	Comment                                    *string
 }
 
-func (r *CreateExternalOauthSecurityIntegrationRequest) GetName() AccountObjectIdentifier {
-	return r.name
-}
-
 type BlockedRolesListRequest struct {
 	BlockedRolesList []AccountObjectIdentifier // required
 }
@@ -137,10 +121,6 @@ type CreateOauthForPartnerApplicationsSecurityIntegrationRequest struct {
 	Comment                   *string
 }
 
-func (r *CreateOauthForPartnerApplicationsSecurityIntegrationRequest) GetName() AccountObjectIdentifier {
-	return r.name
-}
-
 type CreateOauthForCustomClientsSecurityIntegrationRequest struct {
 	OrReplace                   *bool
 	IfNotExists                 *bool
@@ -161,10 +141,6 @@ type CreateOauthForCustomClientsSecurityIntegrationRequest struct {
 	Comment                     *string
 }
 
-func (r *CreateOauthForCustomClientsSecurityIntegrationRequest) GetName() AccountObjectIdentifier {
-	return r.name
-}
-
 type PreAuthorizedRolesListRequest struct {
 	PreAuthorizedRolesList []AccountObjectIdentifier
 }
@@ -192,10 +168,6 @@ type CreateSaml2SecurityIntegrationRequest struct {
 	Comment                        *string
 }
 
-func (r *CreateSaml2SecurityIntegrationRequest) GetName() AccountObjectIdentifier {
-	return r.name
-}
-
 type CreateScimSecurityIntegrationRequest struct {
 	OrReplace     *bool
 	IfNotExists   *bool
@@ -208,10 +180,6 @@ type CreateScimSecurityIntegrationRequest struct {
 	Comment       *string
 }
 
-func (r *CreateScimSecurityIntegrationRequest) GetName() AccountObjectIdentifier {
-	return r.name
-}
-
 type AlterApiAuthenticationWithClientCredentialsFlowSecurityIntegrationRequest struct {
 	IfExists  *bool
 	name      AccountObjectIdentifier // required

pkg/sdk/security_integrations_ext.go

@@ -0,0 +1,63 @@
+package sdk
+
+import (
+	"fmt"
+	"strings"
+)
+
+func (r *CreateApiAuthenticationWithClientCredentialsFlowSecurityIntegrationRequest) GetName() AccountObjectIdentifier {
+	return r.name
+}
+
+func (r *CreateApiAuthenticationWithAuthorizationCodeGrantFlowSecurityIntegrationRequest) GetName() AccountObjectIdentifier {
+	return r.name
+}
+
+func (r *CreateApiAuthenticationWithJwtBearerFlowSecurityIntegrationRequest) GetName() AccountObjectIdentifier {
+	return r.name
+}
+
+func (r *CreateExternalOauthSecurityIntegrationRequest) GetName() AccountObjectIdentifier {
+	return r.name
+}
+
+func (r *CreateOauthForPartnerApplicationsSecurityIntegrationRequest) GetName() AccountObjectIdentifier {
+	return r.name
+}
+
+func (r *CreateOauthForCustomClientsSecurityIntegrationRequest) GetName() AccountObjectIdentifier {
+	return r.name
+}
+
+func (r *CreateSaml2SecurityIntegrationRequest) GetName() AccountObjectIdentifier {
+	return r.name
+}
+
+func (r *CreateScimSecurityIntegrationRequest) GetName() AccountObjectIdentifier {
+	return r.name
+}
+
+func (s SecurityIntegrationProperty) GetName() string {
+	return s.Name
+}
+
+func (s SecurityIntegrationProperty) GetDefault() string {
+	return s.Default
+}
+
+func (s *SecurityIntegration) SubType() (string, error) {
+	typeParts := strings.Split(s.IntegrationType, "-")
+	if len(typeParts) < 2 {
+		return "", fmt.Errorf("expected \"<type> - <subtype>\", got: %s", s.IntegrationType)
+	}
+	return strings.TrimSpace(typeParts[1]), nil
+}
+
+func securityIntegrationNetworkPolicyQuoted(id *AccountObjectIdentifier) *string {
+	if id == nil {
+		return nil
+	}
+	// TODO(SNOW-2236323): Use a proper generation option instead.
+	// We need to use a custom parsing here, see SNOW-1833593 for more details.
+	return Pointer(fmt.Sprintf("'%s'", id.FullyQualifiedName()))
+}