azurerm_datadog_monitor_sso_configuration deprecate single_sign_on_enabled property (#28520)

* resolving 4.0 TODOs

* missed docs

* attempt at adding tests for the other two SSO states

* changes moved to PR #28529

* moved to PRs 28530 28531

* sort imports

* feedback

* rename property

* wip

* fix tflint

* Apply suggestions from code review

Co-authored-by: Matthew Frahry <[email protected]>

* wip

* feedback

* organize imports

* docs update for datadog monitor sso conf

* remove 4.0 properties

* WIP add 2024-10-01-preview sdk

* Revert "WIP add 2024-10-01-preview sdk"

This reverts commit 6e898f2.

* add other possible values

---------

Co-authored-by: Matthew Frahry <[email protected]>

Author: wyattfry

internal/services/datadog/azurerm_datadog_monitor_sso_configuration.go

@@ -14,6 +14,7 @@ import (
 	"github.com/hashicorp/go-azure-sdk/resource-manager/datadog/2021-03-01/singlesignon"
 	"github.com/hashicorp/terraform-provider-azurerm/helpers/tf"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/clients"
+	"github.com/hashicorp/terraform-provider-azurerm/internal/features"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/services/datadog/validate"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/tf/pluginsdk"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/tf/validation"
@@ -25,7 +26,7 @@ import (
 // since this appears to be a 1:1 with it (given the name defaults to `default`)
 
 func resourceDatadogSingleSignOnConfigurations() *pluginsdk.Resource {
-	return &pluginsdk.Resource{
+	resource := &pluginsdk.Resource{
 		Create: resourceDatadogSingleSignOnConfigurationsCreate,
 		Read:   resourceDatadogSingleSignOnConfigurationsRead,
 		Update: resourceDatadogSingleSignOnConfigurationsUpdate,
@@ -63,15 +64,10 @@ func resourceDatadogSingleSignOnConfigurations() *pluginsdk.Resource {
 				ValidateFunc: validate.DatadogEnterpriseApplicationID,
 			},
 
-			"single_sign_on_enabled": {
-				Type:     pluginsdk.TypeString,
-				Required: true,
-				ValidateFunc: validation.StringInSlice([]string{
-					// @tombuildsstuff: other options are available, but the Create handles this as a boolean for now
-					// should the field be a boolean? one to consider for 4.0 when this resource is inlined
-					string(singlesignon.SingleSignOnStatesEnable),
-					string(singlesignon.SingleSignOnStatesDisable),
-				}, false),
+			"single_sign_on": {
+				Type:         pluginsdk.TypeString,
+				Required:     true,
+				ValidateFunc: validation.StringInSlice(singlesignon.PossibleValuesForSingleSignOnStates(), false),
 			},
 
 			"login_url": {
@@ -80,6 +76,29 @@ func resourceDatadogSingleSignOnConfigurations() *pluginsdk.Resource {
 			},
 		},
 	}
+
+	if !features.FivePointOh() {
+		resource.Schema["single_sign_on"] = &pluginsdk.Schema{
+			Type:         pluginsdk.TypeString,
+			Optional:     true,
+			Computed:     true,
+			ValidateFunc: validation.StringInSlice(singlesignon.PossibleValuesForSingleSignOnStates(), false),
+		}
+
+		resource.Schema["single_sign_on_enabled"] = &pluginsdk.Schema{
+			Type:     pluginsdk.TypeString,
+			Optional: true,
+			Computed: true,
+			ValidateFunc: validation.StringInSlice([]string{
+				string(singlesignon.SingleSignOnStatesEnable),
+				string(singlesignon.SingleSignOnStatesDisable),
+			}, false),
+			ExactlyOneOf: []string{"single_sign_on", "single_sign_on_enabled"},
+			Deprecated:   "`single_sign_on_enabled` has been deprecated in favour of the `single_sign_on` property and will be removed in v5.0 of the AzureRM Provider.",
+		}
+	}
+
+	return resource
 }
 
 func resourceDatadogSingleSignOnConfigurationsCreate(d *pluginsdk.ResourceData, meta interface{}) error {
@@ -105,11 +124,16 @@ func resourceDatadogSingleSignOnConfigurationsCreate(d *pluginsdk.ResourceData,
 
 	payload := singlesignon.DatadogSingleSignOnResource{
 		Properties: &singlesignon.DatadogSingleSignOnProperties{
-			SingleSignOnState: pointer.To(singlesignon.SingleSignOnStates(d.Get("single_sign_on_enabled").(string))),
-			EnterpriseAppId:   utils.String(d.Get("enterprise_application_id").(string)),
+			EnterpriseAppId: pointer.To(d.Get("enterprise_application_id").(string)),
 		},
 	}
 
+	if v, ok := d.GetOk("single_sign_on"); ok {
+		payload.Properties.SingleSignOnState = pointer.To(singlesignon.SingleSignOnStates(v.(string)))
+	} else if !features.FivePointOh() {
+		payload.Properties.SingleSignOnState = pointer.To(singlesignon.SingleSignOnStates(d.Get("single_sign_on_enabled").(string)))
+	}
+
 	if err := client.ConfigurationsCreateOrUpdateThenPoll(ctx, id, payload); err != nil {
 		return fmt.Errorf("creating %s: %+v", id, err)
 	}
@@ -143,10 +167,13 @@ func resourceDatadogSingleSignOnConfigurationsRead(d *pluginsdk.ResourceData, me
 	if model := resp.Model; model != nil {
 		if props := model.Properties; props != nil {
 			// per the create func
-			singleSignOnEnabled := props.SingleSignOnState != nil && *props.SingleSignOnState == singlesignon.SingleSignOnStatesEnable
-			d.Set("single_sign_on_enabled", singleSignOnEnabled)
+			d.Set("single_sign_on", string(pointer.From(props.SingleSignOnState)))
 			d.Set("login_url", props.SingleSignOnURL)
 			d.Set("enterprise_application_id", props.EnterpriseAppId)
+
+			if !features.FivePointOh() {
+				d.Set("single_sign_on_enabled", string(pointer.From(props.SingleSignOnState)))
+			}
 		}
 	}
 
@@ -165,11 +192,16 @@ func resourceDatadogSingleSignOnConfigurationsUpdate(d *pluginsdk.ResourceData,
 
 	payload := singlesignon.DatadogSingleSignOnResource{
 		Properties: &singlesignon.DatadogSingleSignOnProperties{
-			SingleSignOnState: pointer.To(singlesignon.SingleSignOnStates(d.Get("single_sign_on_enabled").(string))),
-			EnterpriseAppId:   utils.String(d.Get("enterprise_application_id").(string)),
+			EnterpriseAppId: pointer.To(d.Get("enterprise_application_id").(string)),
 		},
 	}
 
+	if v, ok := d.GetOk("single_sign_on"); ok && d.HasChange("single_sign_on") {
+		payload.Properties.SingleSignOnState = pointer.To(singlesignon.SingleSignOnStates(v.(string)))
+	} else if !features.FivePointOh() {
+		payload.Properties.SingleSignOnState = pointer.To(singlesignon.SingleSignOnStates(d.Get("single_sign_on_enabled").(string)))
+	}
+
 	if err := client.ConfigurationsCreateOrUpdateThenPoll(ctx, *id, payload); err != nil {
 		return fmt.Errorf("updating %s: %+v", id, err)
 	}

internal/services/datadog/azurerm_datadog_monitor_sso_configuration_test.go

@@ -13,6 +13,7 @@ import (
 	"github.com/hashicorp/terraform-provider-azurerm/internal/acceptance"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/acceptance/check"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/clients"
+	"github.com/hashicorp/terraform-provider-azurerm/internal/features"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/tf/pluginsdk"
 	"github.com/hashicorp/terraform-provider-azurerm/utils"
 )
@@ -48,7 +49,24 @@ func TestAccDatadogMonitorSSO_basic(t *testing.T) {
 			Config: r.basic(data),
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
-				check.That(data.ResourceName).Key("single_sign_on_enabled").HasValue("Enable"),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
+func TestAccDatadogMonitorSSO_singleSignOnEnabled(t *testing.T) {
+	if features.FivePointOh() {
+		t.Skip("Skipping as single_sign_on_enabled is not supported in 5.0")
+	}
+	data := acceptance.BuildTestData(t, "azurerm_datadog_monitor_sso_configuration", "test")
+	r := SSODatadogMonitorResource{}
+	r.populateValuesFromEnvironment(t)
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.singleSignOnEnabled(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
 			),
 		},
 		data.ImportStep(),
@@ -64,7 +82,6 @@ func TestAccDatadogMonitorSSO_requiresImport(t *testing.T) {
 			Config: r.basic(data),
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
-				check.That(data.ResourceName).Key("single_sign_on_enabled").HasValue("Enable"),
 			),
 		},
 		data.RequiresImportErrorStep(r.requiresImport),
@@ -80,23 +97,20 @@ func TestAccDatadogMonitorSSO_update(t *testing.T) {
 			Config: r.basic(data),
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
-				check.That(data.ResourceName).Key("single_sign_on_enabled").HasValue("Enable"),
 			),
 		},
 		data.ImportStep(),
 		{
 			Config: r.update(data),
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
-				check.That(data.ResourceName).Key("single_sign_on_enabled").HasValue("Disable"),
 			),
 		},
 		data.ImportStep(),
 		{
 			Config: r.basic(data),
 			Check: acceptance.ComposeTestCheckFunc(
 				check.That(data.ResourceName).ExistsInAzure(r),
-				check.That(data.ResourceName).Key("single_sign_on_enabled").HasValue("Enable"),
 			),
 		},
 		data.ImportStep(),
@@ -152,6 +166,22 @@ provider "azurerm" {
 
 %s
 
+resource "azurerm_datadog_monitor_sso_configuration" "test" {
+  datadog_monitor_id        = azurerm_datadog_monitor.test.id
+  single_sign_on            = "Enable"
+  enterprise_application_id = %q
+}
+`, r.template(data), r.enterpriseAppId)
+}
+
+func (r SSODatadogMonitorResource) singleSignOnEnabled(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+%s
+
 resource "azurerm_datadog_monitor_sso_configuration" "test" {
   datadog_monitor_id        = azurerm_datadog_monitor.test.id
   single_sign_on_enabled    = "Enable"
@@ -166,7 +196,7 @@ func (r SSODatadogMonitorResource) requiresImport(data acceptance.TestData) stri
 
 resource "azurerm_datadog_monitor_sso_configuration" "import" {
   datadog_monitor_id        = azurerm_datadog_monitor_sso_configuration.test.datadog_monitor_id
-  single_sign_on_enabled    = azurerm_datadog_monitor_sso_configuration.test.single_sign_on_enabled
+  single_sign_on            = azurerm_datadog_monitor_sso_configuration.test.single_sign_on
   enterprise_application_id = azurerm_datadog_monitor_sso_configuration.test.enterprise_application_id
 }
 `, r.basic(data))
@@ -182,7 +212,7 @@ provider "azurerm" {
 
 resource "azurerm_datadog_monitor_sso_configuration" "test" {
   datadog_monitor_id        = azurerm_datadog_monitor.test.id
-  single_sign_on_enabled    = "Disable"
+  single_sign_on            = "Disable"
   enterprise_application_id = %q
 }
 `, r.template(data), r.enterpriseAppId)

website/docs/5.0-upgrade-guide.html.markdown

@@ -128,6 +128,10 @@ Please follow the format in the example below for listing breaking changes in re
 
 * The `logs_destination` property is no longer Computed and now must be set to `log-analytics` to be able to specify a value for `log_analytics_workspace_id`. It will now default to empty, meaning Streaming Only in the Azure Portal.
 
+### `azurerm_datadog_monitor_sso_configuration`
+
+* The deprecated `single_sign_on_enabled` property has been removed in favour of the `single_sign_on` property.
+
 ### `azurerm_eventhub`
 
 * The deprecated `namespace_name` property has been removed in favour of the `namespace_id` property.

website/docs/r/datadog_monitor_sso_configuration.html.markdown

@@ -39,8 +39,8 @@ resource "azurerm_datadog_monitor" "example" {
 
 resource "azurerm_datadog_monitor_sso_configuration" "example" {
   datadog_monitor_id        = azurerm_datadog_monitor.example.id
-  single_sign_on_enabled    = "Enable"
-  enterprise_application_id = "XXXX"
+  single_sign_on            = "Enable"
+  enterprise_application_id = "00000000-0000-0000-0000-000000000000"
 }
 ```
 
@@ -50,7 +50,7 @@ The following arguments are supported:
 
 * `datadog_monitor_id` - (Required) The Datadog Monitor Id which should be used for this Datadog Monitor SSO Configuration. Changing this forces a new Datadog Monitor SSO Configuration to be created.
 
-* `single_sign_on_enabled` - (Required) The state of SingleSignOn configuration. Possible values are `Enable` and `Disable`.
+* `single_sign_on` - (Required) The state of SingleSignOn configuration. Possible values are `Enable`, `Disable`, `Initial` and `Existing`.
 
 * `enterprise_application_id` - (Required) The application Id to perform SSO operation.