Added new resource: dbtcloud_azure_ad_application (#658)

* Added azure-ad-application resource

* Address comments in PR

Author: adrianburusdbt

.changes/unreleased/Changes-20260408-093813.yaml

@@ -0,0 +1,3 @@
+kind: Changes
+body: Added resource for azure-ad-application-resource
+time: 2026-04-08T09:38:13.641938+03:00

docs/resources/azure_ad_application.md

@@ -0,0 +1,94 @@
+---
+page_title: "dbtcloud_azure_ad_application Resource - dbtcloud"
+subcategory: ""
+description: |-
+  Manages an Azure Active Directory (Microsoft Entra ID) application registration for a dbt Cloud account. This enables Azure DevOps integration, allowing dbt Cloud to access Azure DevOps repositories for project setup.
+  The client_id, client_secret and tenant_id are encrypted at rest and never returned by the API. They are stored as sensitive values in Terraform state so they can be resent on every update — the API requires all three on both create and update.
+  Destroy behaviour: running terraform destroy calls the dbt Cloud DELETE endpoint, which marks the record as inactive. Due to a known dbt Cloud backend limitation, the underlying database row is retained and re-creating the resource against the same account without a backend cleanup will fail with a unique-constraint error. If you need to recreate the resource after a destroy, contact dbt Cloud support to have the orphaned record removed, or use terraform import to re-adopt the existing record ID.
+  Requires the Azure DevOps integration feature to be enabled on the account (enterprise plans only).
+---
+
+# dbtcloud_azure_ad_application (Resource)
+
+
+Manages an Azure Active Directory (Microsoft Entra ID) application registration for a dbt Cloud account. This enables Azure DevOps integration, allowing dbt Cloud to access Azure DevOps repositories for project setup.
+
+The `client_id`, `client_secret` and `tenant_id` are encrypted at rest and never returned by the API. They are stored as sensitive values in Terraform state so they can be resent on every update — the API requires all three on both create and update.
+
+**Destroy behaviour:** running `terraform destroy` calls the dbt Cloud DELETE endpoint, which marks the record as inactive. Due to a known dbt Cloud backend limitation, the underlying database row is retained and re-creating the resource against the same account without a backend cleanup will fail with a unique-constraint error. If you need to recreate the resource after a destroy, contact dbt Cloud support to have the orphaned record removed, or use `terraform import` to re-adopt the existing record ID.
+
+Requires the Azure DevOps integration feature to be enabled on the account (enterprise plans only).
+
+## Example Usage
+
+```terraform
+resource "dbtcloud_azure_ad_application" "this" {
+  organization_name = "my-azure-devops-org"
+  client_id         = "00000000-0000-0000-0000-000000000000"
+  client_secret     = var.azure_client_secret
+  tenant_id         = "00000000-0000-0000-0000-000000000001"
+
+  # Optional: defaults to "service_user". Set to "service_principal" to use
+  # service principal authentication instead.
+  azure_service_authentication_method = "service_user"
+}
+
+# NOTE: destroying this resource calls the dbt Cloud DELETE endpoint, which
+# marks the record as inactive but does not remove the underlying database row.
+# Re-creating the resource against the same account after a destroy will fail
+# with a unique-constraint error. To recover, ask dbt Cloud support to remove
+# the orphaned record, or use `terraform import` to re-adopt it:
+#
+#   terraform import dbtcloud_azure_ad_application.this <id>
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `client_id` (String, Sensitive) The client ID (application ID) of the Azure AD app registration. Stored as a sensitive value — the API never returns it.
+- `client_secret` (String, Sensitive) The client secret of the Azure AD app registration. Stored as a sensitive value — the API never returns it.
+- `organization_name` (String) The name of the Azure DevOps organization.
+- `tenant_id` (String, Sensitive) The tenant ID of the Azure AD directory. Stored as a sensitive value — the API never returns it.
+
+### Optional
+
+- `azure_service_authentication_method` (String) The method used for service authentication. One of: ~~~service_user~~~, ~~~service_principal~~~. Defaults to ~~~service_user~~~.
+
+### Read-Only
+
+- `account_id` (Number) The ID of the dbt Cloud account.
+- `created_at` (String) Timestamp when the application was created.
+- `id` (Number) The ID of the Azure AD application.
+- `oauth_redirect_uri_domain` (String) The domain used for the OAuth redirect URI. Set automatically by dbt Cloud based on the account's subdomain.
+- `updated_at` (String) Timestamp when the application was last updated.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+# using import blocks (requires Terraform >= 1.5)
+import {
+  to = dbtcloud_azure_ad_application.this
+  id = "azure_ad_application_id"
+}
+
+import {
+  to = dbtcloud_azure_ad_application.this
+  id = "12345"
+}
+
+# using the older import command
+terraform import dbtcloud_azure_ad_application.this azure_ad_application_id
+terraform import dbtcloud_azure_ad_application.this 12345
+
+# NOTE: client_id, client_secret, and tenant_id will be empty after import —
+# the API never returns these values. You must set them in your config to
+# avoid drift on the next apply.
+#
+# Import is also the recovery path if destroy left an orphaned record in dbt
+# Cloud (the DELETE endpoint soft-deletes the row rather than removing it).
+# Find the existing record ID and import it instead of creating a new one.
+```

examples/local-test-azure-ad-application/main.tf

@@ -0,0 +1,64 @@
+terraform {
+  required_providers {
+    dbtcloud = {
+      source  = "dbt-labs/dbtcloud"
+      version = ">= 0.3"
+    }
+  }
+}
+
+provider "dbtcloud" {
+  account_id = 1234       # replace with your account ID
+  token      = "xxxx"     # replace with your API token
+  host_url   = "https://dbt.com/api"  # replace with your dbt Cloud host URL if different
+}
+
+# ── Case 1: Create with service_user auth (default) ──────────────────────────
+# Apply this first. Verify in the dbt Cloud UI under Account Settings > Integrations
+# that the Azure AD application appears with the correct org name.
+resource "dbtcloud_azure_ad_application" "test" {
+  organization_name = "xxxx"
+  client_id         = "xxxx"
+  client_secret     = "xxxx"
+  tenant_id         = "xxxx"
+
+  azure_service_authentication_method = "service_user"
+}
+
+output "azure_ad_application_id" {
+  value = dbtcloud_azure_ad_application.test.id
+}
+
+output "oauth_redirect_uri_domain" {
+  description = "The OAuth redirect URI domain set by the API (computed)"
+  value       = dbtcloud_azure_ad_application.test.oauth_redirect_uri_domain
+}
+
+# ── Case 2: Switch auth method to service_principal ───────────────────────────
+# Comment out Case 1 above and uncomment this block, then re-apply.
+# Verify the auth method changes in the UI without recreating the resource.
+# resource "dbtcloud_azure_ad_application" "test" {
+#   organization_name = "xxxx"
+#   client_id         = "xxxx"
+#   client_secret     = "xxxx"
+#   tenant_id         = "xxxx"
+#
+#   azure_service_authentication_method = "service_principal"
+# }
+
+# ── Case 3: Rotate the client_secret ─────────────────────────────────────────
+# Change client_secret to a new value and re-apply.
+# The API requires all four fields (org, client_id, secret, tenant_id) on every
+# update — they are stored in state as sensitive so they can be resent.
+# resource "dbtcloud_azure_ad_application" "test" {
+#   organization_name = "my-azure-devops-org"
+#   client_id         = "00000000-0000-0000-0000-000000000000"
+#   client_secret     = "my-NEW-client-secret"    # rotated
+#   tenant_id         = "00000000-0000-0000-0000-000000000001"
+#
+#   azure_service_authentication_method = "service_user"
+# }
+
+# ── Case 4: Destroy ────────────────────────────────────────────────────────────
+# Run: terraform destroy
+# Verify the Azure AD application is removed from Account Settings > Integrations.

examples/resources/dbtcloud_azure_ad_application/import.sh

@@ -0,0 +1,22 @@
+# using import blocks (requires Terraform >= 1.5)
+import {
+  to = dbtcloud_azure_ad_application.this
+  id = "azure_ad_application_id"
+}
+
+import {
+  to = dbtcloud_azure_ad_application.this
+  id = "12345"
+}
+
+# using the older import command
+terraform import dbtcloud_azure_ad_application.this azure_ad_application_id
+terraform import dbtcloud_azure_ad_application.this 12345
+
+# NOTE: client_id, client_secret, and tenant_id will be empty after import —
+# the API never returns these values. You must set them in your config to
+# avoid drift on the next apply.
+#
+# Import is also the recovery path if destroy left an orphaned record in dbt
+# Cloud (the DELETE endpoint soft-deletes the row rather than removing it).
+# Find the existing record ID and import it instead of creating a new one.

examples/resources/dbtcloud_azure_ad_application/resource.tf

@@ -0,0 +1,18 @@
+resource "dbtcloud_azure_ad_application" "this" {
+  organization_name = "my-azure-devops-org"
+  client_id         = "00000000-0000-0000-0000-000000000000"
+  client_secret     = var.azure_client_secret
+  tenant_id         = "00000000-0000-0000-0000-000000000001"
+
+  # Optional: defaults to "service_user". Set to "service_principal" to use
+  # service principal authentication instead.
+  azure_service_authentication_method = "service_user"
+}
+
+# NOTE: destroying this resource calls the dbt Cloud DELETE endpoint, which
+# marks the record as inactive but does not remove the underlying database row.
+# Re-creating the resource against the same account after a destroy will fail
+# with a unique-constraint error. To recover, ask dbt Cloud support to remove
+# the orphaned record, or use `terraform import` to re-adopt it:
+#
+#   terraform import dbtcloud_azure_ad_application.this <id>

pkg/dbt_cloud/azure_ad_application.go

@@ -0,0 +1,179 @@
+package dbt_cloud
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strconv"
+	"strings"
+)
+
+type AzureADApplication struct {
+	ID                               *int64  `json:"id,omitempty"`
+	AccountID                        int64   `json:"account_id,omitempty"`
+	OrganizationName                 string  `json:"organization_name"`
+	ClientID                         *string `json:"client_id,omitempty"`
+	ClientSecret                     *string `json:"client_secret,omitempty"`
+	TenantID                         *string `json:"tenant_id,omitempty"`
+	AzureServiceAuthenticationMethod string  `json:"azure_service_authentication_method,omitempty"`
+	OAuthRedirectURIDomain           *string `json:"oauth_redirect_uri_domain,omitempty"`
+	CreatedAt                        *string `json:"created_at,omitempty"`
+	UpdatedAt                        *string `json:"updated_at,omitempty"`
+}
+
+type AzureADApplicationResponse struct {
+	Data   AzureADApplication `json:"data"`
+	Status ResponseStatus     `json:"status"`
+}
+
+type AzureADApplicationListResponse struct {
+	Data   []AzureADApplication `json:"data"`
+	Status ResponseStatus       `json:"status"`
+}
+
+// GetAzureADApplicationForAccount fetches the single Azure AD application for
+// this account via the list endpoint. Returns nil if none exists yet.
+func (c *Client) GetAzureADApplicationForAccount() (*AzureADApplication, error) {
+	req, err := http.NewRequest(
+		"GET",
+		fmt.Sprintf(
+			"%s/v3/accounts/%s/azure-ad-applications/",
+			c.HostURL,
+			strconv.FormatInt(c.AccountID, 10),
+		),
+		nil,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	body, err := c.doRequestWithRetry(req)
+	if err != nil {
+		return nil, err
+	}
+
+	listResp := AzureADApplicationListResponse{}
+	if err = json.Unmarshal(body, &listResp); err != nil {
+		return nil, err
+	}
+
+	if len(listResp.Data) == 0 {
+		return nil, nil
+	}
+	return &listResp.Data[0], nil
+}
+
+func (c *Client) GetAzureADApplication(applicationID int64) (*AzureADApplication, error) {
+	req, err := http.NewRequest(
+		"GET",
+		fmt.Sprintf(
+			"%s/v3/accounts/%s/azure-ad-applications/%d/",
+			c.HostURL,
+			strconv.FormatInt(c.AccountID, 10),
+			applicationID,
+		),
+		nil,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	body, err := c.doRequestWithRetry(req)
+	if err != nil {
+		return nil, err
+	}
+
+	resp := AzureADApplicationResponse{}
+	if err = json.Unmarshal(body, &resp); err != nil {
+		return nil, err
+	}
+
+	return &resp.Data, nil
+}
+
+func (c *Client) CreateAzureADApplication(app AzureADApplication) (*AzureADApplication, error) {
+	payload, err := json.Marshal(app)
+	if err != nil {
+		return nil, err
+	}
+
+	req, err := http.NewRequest(
+		"POST",
+		fmt.Sprintf(
+			"%s/v3/accounts/%s/azure-ad-applications/",
+			c.HostURL,
+			strconv.FormatInt(c.AccountID, 10),
+		),
+		strings.NewReader(string(payload)),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	body, err := c.doRequestWithRetry(req)
+	if err != nil {
+		return nil, err
+	}
+
+	resp := AzureADApplicationResponse{}
+	if err = json.Unmarshal(body, &resp); err != nil {
+		return nil, err
+	}
+
+	return &resp.Data, nil
+}
+
+func (c *Client) UpdateAzureADApplication(applicationID int64, app AzureADApplication) (*AzureADApplication, error) {
+	// account_id is passed via the URL path; zero it out to avoid API rejection.
+	app.AccountID = 0
+
+	payload, err := json.Marshal(app)
+	if err != nil {
+		return nil, err
+	}
+
+	req, err := http.NewRequest(
+		"POST",
+		fmt.Sprintf(
+			"%s/v3/accounts/%s/azure-ad-applications/%d/",
+			c.HostURL,
+			strconv.FormatInt(c.AccountID, 10),
+			applicationID,
+		),
+		strings.NewReader(string(payload)),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	body, err := c.doRequestWithRetry(req)
+	if err != nil {
+		return nil, err
+	}
+
+	resp := AzureADApplicationResponse{}
+	if err = json.Unmarshal(body, &resp); err != nil {
+		return nil, err
+	}
+
+	return &resp.Data, nil
+}
+
+func (c *Client) DeleteAzureADApplication(applicationID int64) error {
+	req, err := http.NewRequest(
+		"DELETE",
+		fmt.Sprintf(
+			"%s/v3/accounts/%s/azure-ad-applications/%d/",
+			c.HostURL,
+			strconv.FormatInt(c.AccountID, 10),
+			applicationID,
+		),
+		nil,
+	)
+	if err != nil {
+		return err
+	}
+
+	_, err = c.doRequestWithRetry(req)
+	return err
+}