[Bug]: oauth_scopes Parameter Incorrectly Marked as Required for snowflake_secret_with_client_credentials Resource

[TrsNium]

Terraform CLI Version

1.7.0

Terraform Provider Version

0.99.0

Company Name

No response

Terraform Configuration

resource "snowflake_secret_with_client_credentials" "example" {
  provider           = snowflake.accountadmin
  name               = "example"
  database           = "workspace"
  schema             = "example"
  api_authentication = snowflake_api_authentication_integration_with_jwt_bearer.snowflake_connector_for_gard.name
  // oauth_scopes    = ["something scope"]
  comment            = "Secret for Snowflake Connector for Google Analytics Raw Data"
}

Category

category:resource

Object type(s)

resource:api_integration

Expected Behavior

According to the Snowflake SQL documentation, the oauth_scopes parameter is optional when creating secrets with client credentials. Therefore, when using the Terraform provider to manage such secrets, specifying oauth_scopes should also be optional. Users should be able to omit oauth_scopes entirely if it’s not needed.

Actual Behavior

In the current Terraform provider implementation for snowflake_secret_with_client_credentials, oauth_scopes is treated as a required parameter. Even if the underlying Snowflake configuration considers it optional, the Terraform provider forces the user to provide a value. As a result, users cannot create a secret resource without explicitly specifying oauth_scopes, which contradicts the optional nature described in the Snowflake SQL reference.

Steps to Reproduce

Create api_authentication_integration and snowflake_secret_with_client_credentials as follows: snowflake_secret_with_client_credentials auth_ scopes of snowflake_secret_with_client_credentials can be reproduced by setting it to empty.

# client secret is dummy value generated by openssl
# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 | ruby -e 'puts STDIN.read.lines.reject{|l|l.include?("-----")}.join.gsub("\n","")'
resource "snowflake_api_authentication_integration_with_jwt_bearer" "snowflake_connector_for_gard" {
  provider               = snowflake.accountadmin
  enabled                = true
  name                   = var.security_integration_name
  comment                = "Security integration for Snowflake Connector for Google Analytics Raw Data"
  oauth_client_id        = "dummy"
  oauth_client_secret    = "MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC/J7hwtsysaaph2C3b/R3XBskOZ95g1KUsfZKDC45Q/2gp5p+LSr+1SKzf3wwpPsbmHw5g2quvPrNf4gw6Pc6Oy3iPgl0LiOPQtME5Dil7WS8/iYN3wNqa8cuWfNtuw3E1kOEloqO5TajYDbFzss2Xs7knhWoDvurby9iMnnCrakvz8aXlaa0Rc0iKrZZv6JMz4+bX4A0R9NFxlC6/NErFtxO3Y2ht+IJ8oSASTKmiS06pMTkEJQVXyFXgghPo91qrzrPu8dIn10HrzZ+YkwSg0huQUS4mi8Fw82prny1chTtb4XL8+xoSN/LARC2I29QgSWBehSbHiF7rnklMwHARAgMBAAECggEAbNsozH889R5DWe7qxrFQ8ee6TUrXN5tA6KIl8hx9kiCwZ9QenQsXOxxE3kQ9v6sxR1D+Niewx15UddDbl7skyuqSIF9jrzLoUSzuMBihhM3X+z3LMUIQ+1Wg03UM3PnNmWyE2pLQ27Ce61J48GMtcyt00E3IfpOVWU+vZPzBOsuUL1qhD2lZTB/8MUr4uqMwNMk3RWfiQXCy8SXi8ck+IYVKqjjSktyqMLbbqgBc/kZdHaQJG59BgW9tNcBEsCOpg4mmOdmpmxwZpQKz3PscoDHmSVZ5qyGh0MPVwG2gcFVWFVkup98UFDyuW38B0i2NMd2TO1tEYTqc7d1kkYIORQKBgQDsTHGCjAWG0GfrbOZv1FvvjX5MZA7LcQOK3Y+nLnnrij32zGd/x0uCEsHHRRKFnqM3R+CujLv/Z1a66vBjF2Td5jfL6VjfzDF2MZkJWRCxdKhM0UrAD0LKvRdwuHOvYkEL7kNdyAG8gmm9mF44zXCky75ML/CmDP5JgT261zGUTwKBgQDPF7xHTlE7sX7fvrgYIU0ymam1wyb7EE/pjw16/on8fiTGdxrMUShsL5168SEKybEw6u1SPgIaj4xYgQuIB6D6Ej/F28wGjbyv9bAVpmoCz/uj9mHWptDq41CoQZ3cJNLbrU4oL8GCeFWRL/SgRx1nSxXyaB0HCFF6jeLZFVm9nwKBgBTPtr+UrXfuKvjlInZ+8YnroFACD/uC/JjiYqCKy1ofVs3BuuvaFaBjHoX6Y2M5UY6w2e0FoBkidNUJlBpmGRAiEo/3AUjUpxaNz7ivC3VVnO0HEdpQfcV1Wfcnh6jOsoPmfDBqSRzdL4rvPH0sOtuIxj3Xiw5U3qCCrXkjMs6pAoGAet1YJO4AH+xEm7ZpPlezl0u3dlEb9WROJQFsPAZ8E0M7ykurqICV/OmbAu/AbMgQyjb3Kg4D7YIw/+k/0CrGhNcC4v5uY4z/311iZNXgm16Nq09n6JP76v+GQOz9HTjzqMV/UzRSGHgQPB05g0Xt2fSgRrsiTaPPw2geqDCUl30CgYA3P8RQM0uOpsP+N8QmxOWOeDS/G2GrqarzmrJy7yvvFP1vpirSyTZ3ChInGRawQBp3pWiBUrvd+ktqaQFB/WEMOQDmYqCv32wRtmE4r90+uROg336z6/HtEyEPOa/8DWsnXRQkHwJZYwHjMgrFZetcXRj56DSasSv8kTZW9C1EkQ=="
  oauth_assertion_issuer = "dummy"
  oauth_token_endpoint   = "https://oauth2.googleapis.com/token"
}
resource "snowflake_secret_with_client_credentials" "example" {
  provider           = snowflake.accountadmin
  name               = "example"
  database           = "workspace"
  schema             = "example"
  api_authentication = snowflake_api_authentication_integration_with_jwt_bearer.snowflake_connector_for_gard.name
  // oauth_scopes    = ["something scope"]
  comment            = "Secret for Snowflake Connector for Google Analytics Raw Data"
}

How much impact is this issue causing?

Medium

Logs

No response

Additional Information

No response

Would you like to implement a fix?

• Yeah, I'll take it 😎

[sfc-gh-sghosh]

Hello @TrsNium ,

Thanks for raising the issue.
As you have shown interest in providing a fix, please read our contributing guidelines, and in case of any issues (or questions about the implementation), use this thread for communication.

[sfc-gh-jcieslak]

Hey @TrsNium 👋
Snowflake SQL documentation states that the parameter ouath_scopes for secret with client credentials is required. However, you are right about the behavior of the object itself. On Snowlight, it is possible to create the secret with client credentials without specifying the oauth_scopes parameter.

We make the resources according to the documentation, not to the undocumented behavior, and that's why this parameter is marked as required.

Thanks for reporting the issue, it will help us push this issue further internally.

[PedroMartinSteenstrup]

Lost a fair bit of time trying to figure this one.
I was starting to wonder if this was a secret of type CLOUD_PROVIDER_TOKEN which is not yet available in Terraform but that I could find on the documentation. Looking forward to hear what's the retained final behavior then.