Added scim_config and scim_config_token resources

Author: adrianburusdbt

.changes/unreleased/Changes-20260407-084200.yaml

@@ -0,0 +1,3 @@
+kind: Changes
+body: Added scim_config and scim_config_token resources
+time: 2026-04-07T08:42:00.212569+03:00

docs/resources/scim_config.md

@@ -0,0 +1,52 @@
+---
+page_title: "dbtcloud_scim_config Resource - dbtcloud"
+subcategory: ""
+description: |-
+  Manages the SCIM configuration for a dbt Cloud account. SCIM (System for Cross-domain Identity Management) allows identity providers such as Okta and Azure AD to automatically provision and deprovision users and groups.
+  This is a singleton resource — only one SCIM configuration exists per account. Destroying the resource resets the configuration to its defaults (SCIM disabled, manual updates allowed, license type not SCIM-controlled).
+  Requires the SCIM feature to be enabled on the account (enterprise plans only).
+---
+
+# dbtcloud_scim_config (Resource)
+
+
+Manages the SCIM configuration for a dbt Cloud account. SCIM (System for Cross-domain Identity Management) allows identity providers such as Okta and Azure AD to automatically provision and deprovision users and groups.
+
+This is a singleton resource — only one SCIM configuration exists per account. Destroying the resource resets the configuration to its defaults (SCIM disabled, manual updates allowed, license type not SCIM-controlled).
+
+Requires the SCIM feature to be enabled on the account (enterprise plans only).
+
+## Example Usage
+
+```terraform
+# Enable SCIM with strict IdP control — no manual updates, license type managed by SCIM.
+# This is the recommended configuration when using an identity provider such as
+# Okta or Azure AD as the single source of truth for user provisioning.
+resource "dbtcloud_scim_config" "main" {
+  enabled                      = true
+  manual_updates_allowed       = false
+  scim_controlled_license_type = true
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `enabled` (Boolean) Whether SCIM provisioning is enabled for the account.
+- `manual_updates_allowed` (Boolean) Whether administrators can manually update users and groups that are managed by SCIM. When set to ~~~false~~~, SCIM is the sole source of truth for user and group management.
+- `scim_controlled_license_type` (Boolean) Whether the dbt Cloud license type (Developer, Read-Only, IT) is controlled by SCIM attribute mapping. When set to ~~~false~~~, license types are managed manually inside dbt Cloud.
+
+### Read-Only
+
+- `id` (String) The ID of the resource (matches the dbt Cloud account ID).
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# Singleton resource — import using the dbt Cloud account ID.
+terraform import dbtcloud_scim_config.main 12345
+```

docs/resources/scim_config_token.md

@@ -0,0 +1,63 @@
+---
+page_title: "dbtcloud_scim_config_token Resource - dbtcloud"
+subcategory: ""
+description: |-
+  Manages a SCIM API token for a dbt Cloud account. SCIM tokens are used by identity providers (e.g. Okta, Azure AD) to provision and deprovision users and groups automatically.
+  The token value is only available immediately after creation and is stored in Terraform state as a sensitive value. It cannot be retrieved from the API afterwards.
+  Requires the SCIM feature to be enabled on the account (enterprise plans only).
+---
+
+# dbtcloud_scim_config_token (Resource)
+
+
+Manages a SCIM API token for a dbt Cloud account. SCIM tokens are used by identity providers (e.g. Okta, Azure AD) to provision and deprovision users and groups automatically.
+
+The token value is only available immediately after creation and is stored in Terraform state as a sensitive value. It cannot be retrieved from the API afterwards.
+
+Requires the SCIM feature to be enabled on the account (enterprise plans only).
+
+## Example Usage
+
+```terraform
+# Create a SCIM token to allow an identity provider (e.g. Okta, Azure AD) to
+# provision and deprovision users and groups in dbt Cloud.
+#
+# The token value is returned only on creation and stored in Terraform state
+# as a sensitive value. It is never returned by subsequent API reads, so
+# changing the `name` forces a new token to be created.
+resource "dbtcloud_scim_config_token" "okta" {
+  name = "okta-scim"
+}
+
+# The token string can be passed to other resources or outputs.
+# Mark outputs as sensitive when exposing the token value.
+output "scim_token" {
+  value     = dbtcloud_scim_config_token.okta.token_string
+  sensitive = true
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) A human-readable name for the token. Changing this value forces a new token to be created.
+
+### Read-Only
+
+- `created_at` (String) Timestamp when the token was created.
+- `id` (Number) The ID of the SCIM token.
+- `last_used` (String) Timestamp when the token was last used. Null if never used.
+- `token_string` (String, Sensitive) The SCIM token value. Only available immediately after creation — not returned by subsequent API reads. Store this value securely.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# Import a SCIM config token by its numeric ID.
+# Note: token_string will be empty after import — the API never returns the
+# token value after creation. This is expected and documented behaviour.
+terraform import dbtcloud_scim_config_token.okta 12345
+```

examples/local-test-scim-config-token/main.tf

@@ -0,0 +1,68 @@
+terraform {
+  required_providers {
+    dbtcloud = {
+      source  = "dbt-labs/dbtcloud"
+      version = ">= 0.3"
+    }
+  }
+}
+
+provider "dbtcloud" {
+  account_id = 1234
+  token      = "xxxx"
+  host_url   = "https://dbt.com/api"
+}
+
+# ── Case 1: SCIM global config ────────────────────────────────────────────────
+# Start: enabled=true, manual_updates_allowed=false, scim_controlled_license_type=false
+# Then toggle to test updates:
+#   Step 2 — manual_updates_allowed=true
+#   Step 3 — scim_controlled_license_type=true
+#   Step 4 — enabled=false (disables SCIM entirely)
+resource "dbtcloud_scim_config" "main" {
+  enabled                      = true
+  manual_updates_allowed       = true
+  scim_controlled_license_type = true
+}
+
+# ── Case 2: create a SCIM token ───────────────────────────────────────────────
+resource "dbtcloud_scim_config_token" "test" {
+  name = "tf-test-scim"
+}
+
+output "scim_token" {
+  value     = dbtcloud_scim_config_token.test.token_string
+  sensitive = true
+}
+
+# ── Case 3: read back current config (no-op plan) ─────────────────────────────
+# After applying Case 1, comment it out and uncomment this to verify no drift.
+# resource "dbtcloud_scim_config" "main" {
+#   enabled                      = true
+#   manual_updates_allowed       = false
+#   scim_controlled_license_type = false
+# }
+
+# ── Case 4: enable manual updates ─────────────────────────────────────────────
+# Uncomment and re-apply to test updating manual_updates_allowed=true.
+# resource "dbtcloud_scim_config" "main" {
+#   enabled                      = true
+#   manual_updates_allowed       = true
+#   scim_controlled_license_type = false
+# }
+
+# ── Case 5: enable scim_controlled_license_type ───────────────────────────────
+# Uncomment and re-apply to test enabling license type control via SCIM.
+# resource "dbtcloud_scim_config" "main" {
+#   enabled                      = true
+#   manual_updates_allowed       = true
+#   scim_controlled_license_type = true
+# }
+
+# ── Case 6: disable SCIM entirely ─────────────────────────────────────────────
+# Uncomment and re-apply to verify enabled=false is accepted and reflected.
+# resource "dbtcloud_scim_config" "main" {
+#   enabled                      = false
+#   manual_updates_allowed       = false
+#   scim_controlled_license_type = false
+# }

examples/resources/dbtcloud_scim_config/import.sh

@@ -0,0 +1,2 @@
+# Singleton resource — import using the dbt Cloud account ID.
+terraform import dbtcloud_scim_config.main 12345

examples/resources/dbtcloud_scim_config/resource.tf

@@ -0,0 +1,8 @@
+# Enable SCIM with strict IdP control — no manual updates, license type managed by SCIM.
+# This is the recommended configuration when using an identity provider such as
+# Okta or Azure AD as the single source of truth for user provisioning.
+resource "dbtcloud_scim_config" "main" {
+  enabled                      = true
+  manual_updates_allowed       = false
+  scim_controlled_license_type = true
+}

examples/resources/dbtcloud_scim_config_token/import.sh

@@ -0,0 +1,4 @@
+# Import a SCIM config token by its numeric ID.
+# Note: token_string will be empty after import — the API never returns the
+# token value after creation. This is expected and documented behaviour.
+terraform import dbtcloud_scim_config_token.okta 12345

examples/resources/dbtcloud_scim_config_token/resource.tf

@@ -0,0 +1,16 @@
+# Create a SCIM token to allow an identity provider (e.g. Okta, Azure AD) to
+# provision and deprovision users and groups in dbt Cloud.
+#
+# The token value is returned only on creation and stored in Terraform state
+# as a sensitive value. It is never returned by subsequent API reads, so
+# changing the `name` forces a new token to be created.
+resource "dbtcloud_scim_config_token" "okta" {
+  name = "okta-scim"
+}
+
+# The token string can be passed to other resources or outputs.
+# Mark outputs as sensitive when exposing the token value.
+output "scim_token" {
+  value     = dbtcloud_scim_config_token.okta.token_string
+  sensitive = true
+}

pkg/dbt_cloud/scim_config.go

@@ -0,0 +1,79 @@
+package dbt_cloud
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strconv"
+	"strings"
+)
+
+type SCIMConfig struct {
+	Enabled                   bool `json:"enabled"`
+	ManualUpdatesAllowed      bool `json:"manual_updates_allowed"`
+	SCIMControlledLicenseType bool `json:"scim_controlled_license_type"`
+}
+
+type SCIMConfigResponse struct {
+	Data   SCIMConfig     `json:"data"`
+	Status ResponseStatus `json:"status"`
+}
+
+func (c *Client) GetSCIMConfig() (*SCIMConfig, error) {
+	req, err := http.NewRequest(
+		"GET",
+		fmt.Sprintf(
+			"%s/v3/accounts/%s/scim-config/",
+			c.HostURL,
+			strconv.FormatInt(c.AccountID, 10),
+		),
+		nil,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	body, err := c.doRequestWithRetry(req)
+	if err != nil {
+		return nil, err
+	}
+
+	resp := SCIMConfigResponse{}
+	if err = json.Unmarshal(body, &resp); err != nil {
+		return nil, err
+	}
+
+	return &resp.Data, nil
+}
+
+func (c *Client) UpdateSCIMConfig(cfg SCIMConfig) (*SCIMConfig, error) {
+	payload, err := json.Marshal(cfg)
+	if err != nil {
+		return nil, err
+	}
+
+	req, err := http.NewRequest(
+		"POST",
+		fmt.Sprintf(
+			"%s/v3/accounts/%s/scim-config/",
+			c.HostURL,
+			strconv.FormatInt(c.AccountID, 10),
+		),
+		strings.NewReader(string(payload)),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	body, err := c.doRequestWithRetry(req)
+	if err != nil {
+		return nil, err
+	}
+
+	resp := SCIMConfigResponse{}
+	if err = json.Unmarshal(body, &resp); err != nil {
+		return nil, err
+	}
+
+	return &resp.Data, nil
+}