Add dbtcloud_auth_provider resource (#655)

* Added auth provider resource

* Address pr comments

Author: adrianburusdbt

.changes/unreleased/Changes-20260406-182129.yaml

@@ -0,0 +1,3 @@
+kind: Changes
+body: Added auth provider resource
+time: 2026-04-06T18:21:29.016021+03:00

.gitignore

@@ -1,4 +1,7 @@
 .terraform
+*.tfstate
+*.tfstate.backup
+*.tfvars
 vendor/
 terraform-provider*
 .idea

docs/resources/auth_provider.md

@@ -0,0 +1,193 @@
+---
+page_title: "dbtcloud_auth_provider Resource - dbtcloud"
+subcategory: ""
+description: |-
+  Manages an SSO auth provider for a dbt Cloud account. Supports SAML/Okta, Azure Active Directory (single-tenant, multi-tenant), and Google Workspace.
+  Only one auth provider may exist per account. Requires the SSO feature enabled on the account (enterprise plans only).
+  See the documentation https://docs.getdbt.com/docs/cloud/manage-access/sso-overview for more information.
+---
+
+# dbtcloud_auth_provider (Resource)
+
+
+Manages an SSO auth provider for a dbt Cloud account. Supports SAML/Okta, Azure Active Directory (single-tenant, multi-tenant), and Google Workspace.
+
+Only one auth provider may exist per account. Requires the SSO feature enabled on the account (enterprise plans only).
+
+See the [documentation](https://docs.getdbt.com/docs/cloud/manage-access/sso-overview) for more information.
+
+## Example Usage
+
+```terraform
+// SAML — write-only cert (recommended, not stored in state)
+//
+// Requires Terraform >= 1.11 for write-only attribute support.
+// Bump cert_wo_version to rotate the cert without recreating the resource.
+
+variable "saml_cert" {
+  type      = string
+  ephemeral = true
+}
+
+resource "dbtcloud_auth_provider" "saml" {
+  type      = "saml"
+  entity_id = "https://your-idp.example.com/metadata"
+  sso_url   = "https://your-idp.example.com/sso/saml"
+
+  cert_wo         = var.saml_cert
+  cert_wo_version = 1
+}
+
+output "login_url" {
+  description = "SSO login URL to share with users."
+  value       = dbtcloud_auth_provider.saml.login_url
+}
+
+
+// SAML — all optional fields
+
+resource "dbtcloud_auth_provider" "saml_full" {
+  type      = "saml"
+  entity_id = "https://your-idp.example.com/metadata"
+  sso_url   = "https://your-idp.example.com/sso/saml"
+  cert      = file("idp-cert.pem")
+
+  sign_request  = true
+  attribute_map = jsonencode({
+    email      = "nameID"
+    first_name = "firstName"
+    last_name  = "lastName"
+  })
+
+  allow_password_backdoor = false
+}
+
+
+// Okta (identical to SAML, different type value)
+
+resource "dbtcloud_auth_provider" "okta" {
+  type      = "okta"
+  entity_id = "http://www.okta.com/<okta_app_id>"
+  sso_url   = "https://<your-org>.okta.com/app/<app_path>/sso/saml"
+
+  cert_wo         = var.saml_cert
+  cert_wo_version = 1
+}
+
+
+// Azure AD — single tenant
+
+variable "azure_client_secret" {
+  type      = string
+  ephemeral = true
+}
+
+resource "dbtcloud_auth_provider" "azure_single_tenant" {
+  type      = "azure_single_tenant"
+  client_id = "00000000-0000-0000-0000-000000000000"
+  tenant_id = "11111111-1111-1111-1111-111111111111"
+
+  client_secret_wo         = var.azure_client_secret
+  client_secret_wo_version = 1
+
+  domain                  = "acme.com"
+  include_indirect_groups = true
+  max_groups_to_retrieve  = 500
+}
+
+
+// Azure AD — multi tenant (no tenant_id required)
+
+resource "dbtcloud_auth_provider" "azure_multi_tenant" {
+  type      = "azure_multi_tenant"
+  client_id = "00000000-0000-0000-0000-000000000000"
+
+  client_secret_wo         = var.azure_client_secret
+  client_secret_wo_version = 1
+}
+
+
+// Azure Active Directory
+
+resource "dbtcloud_auth_provider" "azure_active_directory" {
+  type      = "azure_active_directory"
+  client_id = "00000000-0000-0000-0000-000000000000"
+  tenant_id = "11111111-1111-1111-1111-111111111111"
+
+  client_secret_wo         = var.azure_client_secret
+  client_secret_wo_version = 1
+
+  domain = "acme.com"
+}
+
+
+// Google Workspace
+
+variable "gsuite_client_secret" {
+  type      = string
+  ephemeral = true
+}
+
+resource "dbtcloud_auth_provider" "gsuite" {
+  type      = "gsuite"
+  client_id = "000000000000-xxxx.apps.googleusercontent.com"
+
+  client_secret_wo         = var.gsuite_client_secret
+  client_secret_wo_version = 1
+
+  admin_refresh_token = "<oauth-refresh-token>"
+  domain              = "acme.com"
+  gsuite_admin_id     = "admin@acme.com"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `type` (String) The SSO provider type. One of: `saml`, `okta`, `gsuite`, `azure_single_tenant`, `azure_multi_tenant`, `azure_active_directory`. Changing this value forces a new resource.
+
+### Optional
+
+- `admin_refresh_token` (String, Sensitive) Google Workspace admin OAuth refresh token used to fetch group memberships.
+- `allow_password_backdoor` (Boolean) When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
+- `attribute_map` (String) JSON map of SAML attribute names to dbt Cloud user fields.
+- `authorization_url` (String) OAuth authorization URL for Google Workspace. May be auto-populated server-side.
+- `cert` (String, Sensitive) SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using `cert_wo` instead. Conflicts with `cert_wo`.
+- `cert_wo` (String) Write-only alternative to `cert`. Not stored in state. Use `cert_wo_version` to trigger updates. Conflicts with `cert`.
+- `cert_wo_version` (Number) Increment to rotate `cert_wo` without changing the value.
+- `client_id` (String) OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
+- `client_secret` (String, Sensitive) OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using `client_secret_wo` instead. Conflicts with `client_secret_wo`.
+- `client_secret_wo` (String) Write-only alternative to `client_secret`. Not stored in state. Use `client_secret_wo_version` to trigger updates. Conflicts with `client_secret`.
+- `client_secret_wo_version` (Number) Increment to rotate `client_secret_wo` without changing the value.
+- `domain` (String) Primary domain for the Azure AD or Google Workspace tenant.
+- `entity_id` (String) SAML entity ID (Issuer) from your identity provider. Required for `saml` and `okta`.
+- `gsuite_admin_id` (String) Google Workspace admin email used to fetch group memberships.
+- `include_indirect_groups` (Boolean) Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
+- `max_groups_to_retrieve` (Number) Maximum number of Azure AD groups to fetch per user. Defaults to 250.
+- `sign_request` (Boolean) Whether to sign SAML authentication requests. Defaults to false.
+- `slug` (String) URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
+- `sso_url` (String) SAML Single Sign-On URL from your identity provider. Required for `saml` and `okta`.
+- `tenant_id` (String, Sensitive) Azure AD tenant ID. Required for `azure_single_tenant`.
+
+### Read-Only
+
+- `cert_expiry_date` (String) Expiry date of the SAML X.509 certificate (SAML/Okta only).
+- `created_at` (String)
+- `id` (Number) The ID of the auth provider.
+- `login_url` (String) The SSO login URL for the account, auto-generated from the slug.
+- `state` (Number) The state of the auth provider (1 = active).
+- `updated_at` (String)
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# Import an existing auth provider by its numeric ID.
+# The ID can be found via the dbt Cloud API:
+#   GET /api/v3/accounts/{account_id}/auth-provider/
+
+terraform import dbtcloud_auth_provider.example 12345
+```

examples/local-test-saml-auth-provider/README.md

@@ -0,0 +1,67 @@
+# Manual test — SAML auth provider (cases 1 & 2)
+
+## Prerequisites
+
+- dbt Cloud account on an **Enterprise plan** with SSO enabled
+- User API token from an **Account Admin** or **Security Admin**
+- A SAML 2.0 IdP app (Okta developer account recommended — free at developer.okta.com)
+- Terraform >= 1.11 (required for `cert_wo` write-only attribute)
+
+## Setup
+
+```bash
+cp terraform.tfvars.example terraform.tfvars
+# Edit terraform.tfvars with real values
+```
+
+## Running the tests
+
+Only one auth provider may exist per account. Run cases separately.
+
+### Case 1 — SAML with write-only cert
+
+```bash
+TF_VAR_run_case=1 terraform init
+TF_VAR_run_case=1 terraform apply
+
+# Verify:
+# - login_url output is non-empty
+# - slug output is auto-generated (not empty)
+# - cert_expiry output is populated
+# - terraform.tfstate does NOT contain the cert value
+
+# Re-apply should show no changes:
+TF_VAR_run_case=1 terraform plan  # expect: No changes
+
+# Rotate cert: bump saml_cert_version in tfvars, then:
+TF_VAR_run_case=1 terraform apply  # expect: in-place update, no destroy
+
+# Clean up before running case 2:
+TF_VAR_run_case=1 terraform destroy
+```
+
+### Case 2 — SAML with custom slug and all optional fields
+
+```bash
+TF_VAR_run_case=2 terraform apply
+
+# Verify:
+# - login_url contains the custom slug (var.saml_slug)
+# - slug output matches var.saml_slug exactly
+# - cert value appears as (sensitive) in plan, not plaintext
+# - allow_password_backdoor=false is accepted without error
+# - Re-apply shows no changes
+
+TF_VAR_run_case=2 terraform plan  # expect: No changes
+TF_VAR_run_case=2 terraform destroy
+```
+
+## Checking state
+
+```bash
+# Confirm cert_wo is absent from state (case 1):
+cat terraform.tfstate | grep -i cert  # should show cert_expiry_date only, no cert value
+
+# Confirm cert is marked sensitive in state (case 2):
+cat terraform.tfstate | grep -i cert  # value will be present but Terraform marks it sensitive
+```