Add a new openai_integration resource (#657)

* Add a new openai_integration resource

* Fix comments in PR

Author: adrianburusdbt

.changes/unreleased/Changes-20260407-094322.yaml

@@ -0,0 +1,3 @@
+kind: Changes
+body: Added openai_integration resource
+time: 2026-04-07T09:43:22.103746+03:00

docs/resources/openai_integration.md

@@ -0,0 +1,90 @@
+---
+page_title: "dbtcloud_openai_integration Resource - dbtcloud"
+subcategory: ""
+description: |-
+  Manages a bring-your-own-key OpenAI integration for a dbt Cloud account, enabling AI-powered features such as dbt Copilot.
+  Two key types are supported:
+  openai — your own OpenAI API keyazure_openai — your own Azure OpenAI deployment
+  Lifecycle note: dbt Cloud defaults to a dbt Labs-managed OpenAI key when no integration record exists. Creating this resource switches the account to a customer-managed key. Destroying it (or removing it from the Terraform config) deletes the record and automatically reverts the account to the dbt Labs-managed key — no additional steps are required.
+  Secret handling: the API key is write-only and never returned after creation. Use key_value_wo with key_value_wo_version (Terraform 1.11+) to keep the secret out of state entirely. Use key_value for older Terraform versions — it is stored as a sensitive value in state.
+---
+
+# dbtcloud_openai_integration (Resource)
+
+
+Manages a bring-your-own-key OpenAI integration for a dbt Cloud account, enabling AI-powered features such as dbt Copilot.
+
+Two key types are supported:
+- `openai` — your own OpenAI API key
+- `azure_openai` — your own Azure OpenAI deployment
+
+**Lifecycle note:** dbt Cloud defaults to a dbt Labs-managed OpenAI key when no integration record exists. Creating this resource switches the account to a customer-managed key. Destroying it (or removing it from the Terraform config) deletes the record and automatically reverts the account to the dbt Labs-managed key — no additional steps are required.
+
+**Secret handling:** the API key is write-only and never returned after creation. Use `key_value_wo` with `key_value_wo_version` (Terraform 1.11+) to keep the secret out of state entirely. Use `key_value` for older Terraform versions — it is stored as a sensitive value in state.
+
+## Example Usage
+
+```terraform
+# Use a native OpenAI API key.
+# Recommended: write-only (Terraform 1.11+) — the key is never stored in state.
+resource "dbtcloud_openai_integration" "openai" {
+  key_type             = "openai"
+  key_value_wo         = var.openai_api_key
+  key_value_wo_version = 1
+}
+
+# For older Terraform versions, use key_value instead — stored as a sensitive value in state.
+# resource "dbtcloud_openai_integration" "openai" {
+#   key_type  = "openai"
+#   key_value = var.openai_api_key
+# }
+
+# Use an Azure OpenAI deployment.
+resource "dbtcloud_openai_integration" "azure" {
+  key_type              = "azure_openai"
+  key_value_wo          = var.azure_openai_api_key
+  key_value_wo_version  = 1
+  azure_endpoint        = "https://my-deployment.openai.azure.com/"
+  azure_deployment_name = "gpt-4o"
+  azure_api_version     = "2024-02-01"
+}
+
+# To revert to the dbt Labs-managed key, remove this resource from your config
+# and run `terraform apply`, or run `terraform destroy`. Deleting the record is
+# all that is needed — dbt Cloud automatically falls back to the managed key
+# when no integration exists.
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `key_type` (String) The type of OpenAI key. One of: ~~~openai~~~, ~~~azure_openai~~~. To revert to the dbt Labs-managed key, destroy this resource.
+
+### Optional
+
+- `azure_api_version` (String) The Azure OpenAI API version (e.g. ~~~2024-02-01~~~). Required when ~~~key_type~~~ is ~~~azure_openai~~~.
+- `azure_deployment_name` (String) The Azure OpenAI deployment name. Required when ~~~key_type~~~ is ~~~azure_openai~~~.
+- `azure_endpoint` (String) The Azure OpenAI endpoint URL. Required when ~~~key_type~~~ is ~~~azure_openai~~~.
+- `key_value` (String, Sensitive) The OpenAI or Azure OpenAI API key. Stored as a sensitive value in Terraform state. Conflicts with ~~~key_value_wo~~~. For Terraform 1.11+, prefer ~~~key_value_wo~~~ to avoid storing secrets in state.
+- `key_value_wo` (String) Write-only variant of the API key (Terraform 1.11+). Never stored in state. Increment ~~~key_value_wo_version~~~ to rotate the key. Conflicts with ~~~key_value~~~.
+- `key_value_wo_version` (Number) Increment this value to rotate the key when using ~~~key_value_wo~~~.
+
+### Read-Only
+
+- `account_id` (Number) The ID of the dbt Cloud account.
+- `created_at` (String) Timestamp when the integration was created.
+- `id` (Number) The ID of the OpenAI integration.
+- `updated_at` (String) Timestamp when the integration was last updated.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# Import an existing OpenAI integration by its numeric ID.
+# Note: key_value will be absent after import — the API never returns it.
+# Use key_value_wo or key_value_wo_version to manage the key going forward.
+terraform import dbtcloud_openai_integration.openai 12345
+```

examples/local-test-openai-integration/main.tf

@@ -0,0 +1,45 @@
+terraform {
+  required_providers {
+    dbtcloud = {
+      source  = "dbt-labs/dbtcloud"
+      version = ">= 0.3"
+    }
+  }
+}
+
+provider "dbtcloud" {
+  account_id = 1234
+  token      = "xxx"
+  host_url   = "https://dbt.com/api"
+}
+
+# ── Case 1: native OpenAI key (key_value, stored in state) ────────────────────
+# resource "dbtcloud_openai_integration" "test" {
+#   key_type  = "openai"
+#   key_value = "sk-test-placeholder"
+# }
+
+# ── Case 2: rotate the key ────────────────────────────────────────────────────
+# Uncomment and re-apply to test PATCH updating key_value.
+# resource "dbtcloud_openai_integration" "test" {
+#   key_type  = "openai"
+#   key_value = "sk-test-rotated"
+# }
+
+# ── Case 4: azure_openai ──────────────────────────────────────────────────────
+# Uncomment and re-apply to test Azure OpenAI integration.
+# resource "dbtcloud_openai_integration" "test" {
+#   key_type              = "azure_openai"
+#   key_value             = "az-test-placeholder"
+#   azure_endpoint        = "https://my-deployment.openai.azure.com/"
+#   azure_deployment_name = "gpt-4o"
+#   azure_api_version     = "2024-02-01"
+# }
+
+# ── Case 5: write-only key (Terraform 1.11+) ──────────────────────────────────
+# Uncomment and re-apply to test key_value_wo (not stored in state).
+# resource "dbtcloud_openai_integration" "test" {
+#   key_type             = "openai"
+#   key_value_wo         = "sk-wo-placeholder"
+#   key_value_wo_version = 1
+# }

examples/resources/dbtcloud_openai_integration/import.sh

@@ -0,0 +1,4 @@
+# Import an existing OpenAI integration by its numeric ID.
+# Note: key_value will be absent after import — the API never returns it.
+# Use key_value_wo or key_value_wo_version to manage the key going forward.
+terraform import dbtcloud_openai_integration.openai 12345

examples/resources/dbtcloud_openai_integration/resource.tf

@@ -0,0 +1,28 @@
+# Use a native OpenAI API key.
+# Recommended: write-only (Terraform 1.11+) — the key is never stored in state.
+resource "dbtcloud_openai_integration" "openai" {
+  key_type             = "openai"
+  key_value_wo         = var.openai_api_key
+  key_value_wo_version = 1
+}
+
+# For older Terraform versions, use key_value instead — stored as a sensitive value in state.
+# resource "dbtcloud_openai_integration" "openai" {
+#   key_type  = "openai"
+#   key_value = var.openai_api_key
+# }
+
+# Use an Azure OpenAI deployment.
+resource "dbtcloud_openai_integration" "azure" {
+  key_type              = "azure_openai"
+  key_value_wo          = var.azure_openai_api_key
+  key_value_wo_version  = 1
+  azure_endpoint        = "https://my-deployment.openai.azure.com/"
+  azure_deployment_name = "gpt-4o"
+  azure_api_version     = "2024-02-01"
+}
+
+# To revert to the dbt Labs-managed key, remove this resource from your config
+# and run `terraform apply`, or run `terraform destroy`. Deleting the record is
+# all that is needed — dbt Cloud automatically falls back to the managed key
+# when no integration exists.

pkg/dbt_cloud/openai_integration.go

@@ -0,0 +1,149 @@
+package dbt_cloud
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strconv"
+	"strings"
+)
+
+type OpenAIIntegration struct {
+	ID                  *int64  `json:"id,omitempty"`
+	AccountID           int64   `json:"account_id,omitempty"`
+	KeyType             string  `json:"key_type"`
+	KeyValue            *string `json:"key_value,omitempty"`
+	AzureEndpoint       *string `json:"azure_endpoint,omitempty"`
+	AzureDeploymentName *string `json:"azure_deployment_name,omitempty"`
+	AzureAPIVersion     *string `json:"azure_api_version,omitempty"`
+	CreatedAt           *string `json:"created_at,omitempty"`
+	UpdatedAt           *string `json:"updated_at,omitempty"`
+}
+
+type OpenAIIntegrationResponse struct {
+	Data   OpenAIIntegration `json:"data"`
+	Status ResponseStatus    `json:"status"`
+}
+
+type OpenAIIntegrationListResponse struct {
+	Data   []OpenAIIntegration `json:"data"`
+	Status ResponseStatus      `json:"status"`
+}
+
+func (c *Client) GetOpenAIIntegration(integrationID int64) (*OpenAIIntegration, error) {
+	req, err := http.NewRequest(
+		"GET",
+		fmt.Sprintf(
+			"%s/v3/accounts/%s/integrations/open-ai/%d/",
+			c.HostURL,
+			strconv.FormatInt(c.AccountID, 10),
+			integrationID,
+		),
+		nil,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	body, err := c.doRequestWithRetry(req)
+	if err != nil {
+		return nil, err
+	}
+
+	resp := OpenAIIntegrationResponse{}
+	if err = json.Unmarshal(body, &resp); err != nil {
+		return nil, err
+	}
+
+	return &resp.Data, nil
+}
+
+func (c *Client) CreateOpenAIIntegration(integration OpenAIIntegration) (*OpenAIIntegration, error) {
+	// account_id is passed via the URL path — the API rejects it in the body.
+	integration.AccountID = 0
+
+	payload, err := json.Marshal(integration)
+	if err != nil {
+		return nil, err
+	}
+
+	req, err := http.NewRequest(
+		"POST",
+		fmt.Sprintf(
+			"%s/v3/accounts/%s/integrations/open-ai/",
+			c.HostURL,
+			strconv.FormatInt(c.AccountID, 10),
+		),
+		strings.NewReader(string(payload)),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	body, err := c.doRequestWithRetry(req)
+	if err != nil {
+		return nil, err
+	}
+
+	resp := OpenAIIntegrationResponse{}
+	if err = json.Unmarshal(body, &resp); err != nil {
+		return nil, err
+	}
+
+	return &resp.Data, nil
+}
+
+func (c *Client) UpdateOpenAIIntegration(integrationID int64, integration OpenAIIntegration) (*OpenAIIntegration, error) {
+	// account_id is passed via the URL path; zero it out to avoid API rejection.
+	integration.AccountID = 0
+
+	payload, err := json.Marshal(integration)
+	if err != nil {
+		return nil, err
+	}
+
+	req, err := http.NewRequest(
+		"PATCH",
+		fmt.Sprintf(
+			"%s/v3/accounts/%s/integrations/open-ai/%d/",
+			c.HostURL,
+			strconv.FormatInt(c.AccountID, 10),
+			integrationID,
+		),
+		strings.NewReader(string(payload)),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	body, err := c.doRequestWithRetry(req)
+	if err != nil {
+		return nil, err
+	}
+
+	resp := OpenAIIntegrationResponse{}
+	if err = json.Unmarshal(body, &resp); err != nil {
+		return nil, err
+	}
+
+	return &resp.Data, nil
+}
+
+func (c *Client) DeleteOpenAIIntegration(integrationID int64) error {
+	req, err := http.NewRequest(
+		"DELETE",
+		fmt.Sprintf(
+			"%s/v3/accounts/%s/integrations/open-ai/%d/",
+			c.HostURL,
+			strconv.FormatInt(c.AccountID, 10),
+			integrationID,
+		),
+		nil,
+	)
+	if err != nil {
+		return err
+	}
+
+	_, err = c.doRequestWithRetry(req)
+	return err
+}

pkg/framework/objects/openai_integration/model.go

@@ -0,0 +1,19 @@
+package openai_integration
+
+import (
+	"github.com/hashicorp/terraform-plugin-framework/types"
+)
+
+type OpenAIIntegrationResourceModel struct {
+	ID                  types.Int64  `tfsdk:"id"`
+	AccountID           types.Int64  `tfsdk:"account_id"`
+	KeyType             types.String `tfsdk:"key_type"`
+	KeyValue            types.String `tfsdk:"key_value"`
+	KeyValueWO          types.String `tfsdk:"key_value_wo"`
+	KeyValueWOVersion   types.Int64  `tfsdk:"key_value_wo_version"`
+	AzureEndpoint       types.String `tfsdk:"azure_endpoint"`
+	AzureDeploymentName types.String `tfsdk:"azure_deployment_name"`
+	AzureAPIVersion     types.String `tfsdk:"azure_api_version"`
+	CreatedAt           types.String `tfsdk:"created_at"`
+	UpdatedAt           types.String `tfsdk:"updated_at"`
+}