@pulumi/dbtcloud 1.8.0-alpha.1775837411 → 1.8.0

package/athenaCredential.d.ts

@@ -2,20 +2,6 @@ import * as pulumi from "@pulumi/pulumi";
 /**
  * Athena credential resource
  *
- * ## Example Usage
- *
- * ```typescript
- * import * as pulumi from "@pulumi/pulumi";
- * import * as dbtcloud from "@pulumi/dbtcloud";
- *
- * const example = new dbtcloud.AthenaCredential("example", {
- *     projectId: exampleDbtcloudProject.id,
- *     awsAccessKeyId: "your-access-key-id",
- *     awsSecretAccessKey: "your-secret-access-key",
- *     schema: "your_schema",
- * });
- * ```
- *
  * ## Import
  *
  * using  import blocks (requires Terraform >= 1.5)
@@ -53,13 +39,31 @@ export declare class AthenaCredential extends pulumi.CustomResource {
      */
     static isInstance(obj: any): obj is AthenaCredential;
     /**
-     * AWS access key ID for Athena user
+     * AWS access key ID for Athena user. Consider using `awsAccessKeyIdWo` instead, which is not stored in state.
+     */
+    readonly awsAccessKeyId: pulumi.Output<string | undefined>;
+    /**
+     * **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+     * Write-only alternative to `awsAccessKeyId`. The value is not stored in state. Requires `awsAccessKeyIdWoVersion` to trigger updates.
+     */
+    readonly awsAccessKeyIdWo: pulumi.Output<string | undefined>;
+    /**
+     * Version number for `awsAccessKeyIdWo`. Increment this value to trigger an update of the AWS access key ID when using `awsAccessKeyIdWo`.
      */
-    readonly awsAccessKeyId: pulumi.Output<string>;
+    readonly awsAccessKeyIdWoVersion: pulumi.Output<number | undefined>;
     /**
-     * AWS secret access key for Athena user
+     * AWS secret access key for Athena user. Consider using `awsSecretAccessKeyWo` instead, which is not stored in state.
      */
-    readonly awsSecretAccessKey: pulumi.Output<string>;
+    readonly awsSecretAccessKey: pulumi.Output<string | undefined>;
+    /**
+     * **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+     * Write-only alternative to `awsSecretAccessKey`. The value is not stored in state. Requires `awsSecretAccessKeyWoVersion` to trigger updates.
+     */
+    readonly awsSecretAccessKeyWo: pulumi.Output<string | undefined>;
+    /**
+     * Version number for `awsSecretAccessKeyWo`. Increment this value to trigger an update of the AWS secret access key when using `awsSecretAccessKeyWo`.
+     */
+    readonly awsSecretAccessKeyWoVersion: pulumi.Output<number | undefined>;
     /**
      * The internal credential ID
      */
@@ -86,13 +90,31 @@ export declare class AthenaCredential extends pulumi.CustomResource {
  */
 export interface AthenaCredentialState {
     /**
-     * AWS access key ID for Athena user
+     * AWS access key ID for Athena user. Consider using `awsAccessKeyIdWo` instead, which is not stored in state.
      */
     awsAccessKeyId?: pulumi.Input<string>;
     /**
-     * AWS secret access key for Athena user
+     * **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+     * Write-only alternative to `awsAccessKeyId`. The value is not stored in state. Requires `awsAccessKeyIdWoVersion` to trigger updates.
+     */
+    awsAccessKeyIdWo?: pulumi.Input<string>;
+    /**
+     * Version number for `awsAccessKeyIdWo`. Increment this value to trigger an update of the AWS access key ID when using `awsAccessKeyIdWo`.
+     */
+    awsAccessKeyIdWoVersion?: pulumi.Input<number>;
+    /**
+     * AWS secret access key for Athena user. Consider using `awsSecretAccessKeyWo` instead, which is not stored in state.
      */
     awsSecretAccessKey?: pulumi.Input<string>;
+    /**
+     * **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+     * Write-only alternative to `awsSecretAccessKey`. The value is not stored in state. Requires `awsSecretAccessKeyWoVersion` to trigger updates.
+     */
+    awsSecretAccessKeyWo?: pulumi.Input<string>;
+    /**
+     * Version number for `awsSecretAccessKeyWo`. Increment this value to trigger an update of the AWS secret access key when using `awsSecretAccessKeyWo`.
+     */
+    awsSecretAccessKeyWoVersion?: pulumi.Input<number>;
     /**
      * The internal credential ID
      */
@@ -111,13 +133,31 @@ export interface AthenaCredentialState {
  */
 export interface AthenaCredentialArgs {
     /**
-     * AWS access key ID for Athena user
+     * AWS access key ID for Athena user. Consider using `awsAccessKeyIdWo` instead, which is not stored in state.
+     */
+    awsAccessKeyId?: pulumi.Input<string>;
+    /**
+     * **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+     * Write-only alternative to `awsAccessKeyId`. The value is not stored in state. Requires `awsAccessKeyIdWoVersion` to trigger updates.
+     */
+    awsAccessKeyIdWo?: pulumi.Input<string>;
+    /**
+     * Version number for `awsAccessKeyIdWo`. Increment this value to trigger an update of the AWS access key ID when using `awsAccessKeyIdWo`.
+     */
+    awsAccessKeyIdWoVersion?: pulumi.Input<number>;
+    /**
+     * AWS secret access key for Athena user. Consider using `awsSecretAccessKeyWo` instead, which is not stored in state.
+     */
+    awsSecretAccessKey?: pulumi.Input<string>;
+    /**
+     * **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+     * Write-only alternative to `awsSecretAccessKey`. The value is not stored in state. Requires `awsSecretAccessKeyWoVersion` to trigger updates.
      */
-    awsAccessKeyId: pulumi.Input<string>;
+    awsSecretAccessKeyWo?: pulumi.Input<string>;
     /**
-     * AWS secret access key for Athena user
+     * Version number for `awsSecretAccessKeyWo`. Increment this value to trigger an update of the AWS secret access key when using `awsSecretAccessKeyWo`.
      */
-    awsSecretAccessKey: pulumi.Input<string>;
+    awsSecretAccessKeyWoVersion?: pulumi.Input<number>;
     /**
      * Project ID to create the Athena credential in
      */

package/athenaCredential.js

@@ -8,20 +8,6 @@ const utilities = require("./utilities");
 /**
  * Athena credential resource
  *
- * ## Example Usage
- *
- * ```typescript
- * import * as pulumi from "@pulumi/pulumi";
- * import * as dbtcloud from "@pulumi/dbtcloud";
- *
- * const example = new dbtcloud.AthenaCredential("example", {
- *     projectId: exampleDbtcloudProject.id,
- *     awsAccessKeyId: "your-access-key-id",
- *     awsSecretAccessKey: "your-secret-access-key",
- *     schema: "your_schema",
- * });
- * ```
- *
  * ## Import
  *
  * using  import blocks (requires Terraform >= 1.5)
@@ -71,19 +57,17 @@ class AthenaCredential extends pulumi.CustomResource {
         if (opts.id) {
             const state = argsOrState;
             resourceInputs["awsAccessKeyId"] = state?.awsAccessKeyId;
+            resourceInputs["awsAccessKeyIdWo"] = state?.awsAccessKeyIdWo;
+            resourceInputs["awsAccessKeyIdWoVersion"] = state?.awsAccessKeyIdWoVersion;
             resourceInputs["awsSecretAccessKey"] = state?.awsSecretAccessKey;
+            resourceInputs["awsSecretAccessKeyWo"] = state?.awsSecretAccessKeyWo;
+            resourceInputs["awsSecretAccessKeyWoVersion"] = state?.awsSecretAccessKeyWoVersion;
             resourceInputs["credentialId"] = state?.credentialId;
             resourceInputs["projectId"] = state?.projectId;
             resourceInputs["schema"] = state?.schema;
         }
         else {
             const args = argsOrState;
-            if (args?.awsAccessKeyId === undefined && !opts.urn) {
-                throw new Error("Missing required property 'awsAccessKeyId'");
-            }
-            if (args?.awsSecretAccessKey === undefined && !opts.urn) {
-                throw new Error("Missing required property 'awsSecretAccessKey'");
-            }
             if (args?.projectId === undefined && !opts.urn) {
                 throw new Error("Missing required property 'projectId'");
             }
@@ -91,13 +75,17 @@ class AthenaCredential extends pulumi.CustomResource {
                 throw new Error("Missing required property 'schema'");
             }
             resourceInputs["awsAccessKeyId"] = args?.awsAccessKeyId ? pulumi.secret(args.awsAccessKeyId) : undefined;
+            resourceInputs["awsAccessKeyIdWo"] = args?.awsAccessKeyIdWo ? pulumi.secret(args.awsAccessKeyIdWo) : undefined;
+            resourceInputs["awsAccessKeyIdWoVersion"] = args?.awsAccessKeyIdWoVersion;
             resourceInputs["awsSecretAccessKey"] = args?.awsSecretAccessKey ? pulumi.secret(args.awsSecretAccessKey) : undefined;
+            resourceInputs["awsSecretAccessKeyWo"] = args?.awsSecretAccessKeyWo ? pulumi.secret(args.awsSecretAccessKeyWo) : undefined;
+            resourceInputs["awsSecretAccessKeyWoVersion"] = args?.awsSecretAccessKeyWoVersion;
             resourceInputs["projectId"] = args?.projectId;
             resourceInputs["schema"] = args?.schema;
             resourceInputs["credentialId"] = undefined /*out*/;
         }
         opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
-        const secretOpts = { additionalSecretOutputs: ["awsAccessKeyId", "awsSecretAccessKey"] };
+        const secretOpts = { additionalSecretOutputs: ["awsAccessKeyId", "awsAccessKeyIdWo", "awsSecretAccessKey", "awsSecretAccessKeyWo"] };
         opts = pulumi.mergeOptions(opts, secretOpts);
         super(AthenaCredential.__pulumiType, name, resourceInputs, opts);
     }

package/athenaCredential.js.map

@@ -1 +1 @@
-{"version":3,"file":"athenaCredential.js","sourceRoot":"","sources":["../athenaCredential.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AACzC,yCAAyC;AAEzC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,MAAa,gBAAiB,SAAQ,MAAM,CAAC,cAAc;IACvD;;;;;;;;OAQG;IACI,MAAM,CAAC,GAAG,CAAC,IAAY,EAAE,EAA2B,EAAE,KAA6B,EAAE,IAAmC;QAC3H,OAAO,IAAI,gBAAgB,CAAC,IAAI,EAAO,KAAK,EAAE,EAAE,GAAG,IAAI,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;IACvE,CAAC;IAKD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,gBAAgB,CAAC,YAAY,CAAC;IACjE,CAAC;IA+BD,YAAY,IAAY,EAAE,WAA0D,EAAE,IAAmC;QACrH,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,IAAI,CAAC,EAAE,EAAE;YACT,MAAM,KAAK,GAAG,WAAgD,CAAC;YAC/D,cAAc,CAAC,gBAAgB,CAAC,GAAG,KAAK,EAAE,cAAc,CAAC;YACzD,cAAc,CAAC,oBAAoB,CAAC,GAAG,KAAK,EAAE,kBAAkB,CAAC;YACjE,cAAc,CAAC,cAAc,CAAC,GAAG,KAAK,EAAE,YAAY,CAAC;YACrD,cAAc,CAAC,WAAW,CAAC,GAAG,KAAK,EAAE,SAAS,CAAC;YAC/C,cAAc,CAAC,QAAQ,CAAC,GAAG,KAAK,EAAE,MAAM,CAAC;SAC5C;aAAM;YACH,MAAM,IAAI,GAAG,WAA+C,CAAC;YAC7D,IAAI,IAAI,EAAE,cAAc,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBACjD,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;aACjE;YACD,IAAI,IAAI,EAAE,kBAAkB,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBACrD,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;aACrE;YACD,IAAI,IAAI,EAAE,SAAS,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBAC5C,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;aAC5D;YACD,IAAI,IAAI,EAAE,MAAM,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBACzC,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;aACzD;YACD,cAAc,CAAC,gBAAgB,CAAC,GAAG,IAAI,EAAE,cAAc,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YACzG,cAAc,CAAC,oBAAoB,CAAC,GAAG,IAAI,EAAE,kBAAkB,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YACrH,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC;YAC9C,cAAc,CAAC,QAAQ,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC;YACxC,cAAc,CAAC,cAAc,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACtD;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,MAAM,UAAU,GAAG,EAAE,uBAAuB,EAAE,CAAC,gBAAgB,EAAE,oBAAoB,CAAC,EAAE,CAAC;QACzF,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QAC7C,KAAK,CAAC,gBAAgB,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC;IACrE,CAAC;;AA3FL,4CA4FC;AA9EG,gBAAgB;AACO,6BAAY,GAAG,kDAAkD,CAAC"}
+{"version":3,"file":"athenaCredential.js","sourceRoot":"","sources":["../athenaCredential.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AACzC,yCAAyC;AAEzC;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAa,gBAAiB,SAAQ,MAAM,CAAC,cAAc;IACvD;;;;;;;;OAQG;IACI,MAAM,CAAC,GAAG,CAAC,IAAY,EAAE,EAA2B,EAAE,KAA6B,EAAE,IAAmC;QAC3H,OAAO,IAAI,gBAAgB,CAAC,IAAI,EAAO,KAAK,EAAE,EAAE,GAAG,IAAI,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;IACvE,CAAC;IAKD;;;OAGG;IACI,MAAM,CAAC,UAAU,CAAC,GAAQ;QAC7B,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE;YACnC,OAAO,KAAK,CAAC;SAChB;QACD,OAAO,GAAG,CAAC,cAAc,CAAC,KAAK,gBAAgB,CAAC,YAAY,CAAC;IACjE,CAAC;IAiDD,YAAY,IAAY,EAAE,WAA0D,EAAE,IAAmC;QACrH,IAAI,cAAc,GAAkB,EAAE,CAAC;QACvC,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;QAClB,IAAI,IAAI,CAAC,EAAE,EAAE;YACT,MAAM,KAAK,GAAG,WAAgD,CAAC;YAC/D,cAAc,CAAC,gBAAgB,CAAC,GAAG,KAAK,EAAE,cAAc,CAAC;YACzD,cAAc,CAAC,kBAAkB,CAAC,GAAG,KAAK,EAAE,gBAAgB,CAAC;YAC7D,cAAc,CAAC,yBAAyB,CAAC,GAAG,KAAK,EAAE,uBAAuB,CAAC;YAC3E,cAAc,CAAC,oBAAoB,CAAC,GAAG,KAAK,EAAE,kBAAkB,CAAC;YACjE,cAAc,CAAC,sBAAsB,CAAC,GAAG,KAAK,EAAE,oBAAoB,CAAC;YACrE,cAAc,CAAC,6BAA6B,CAAC,GAAG,KAAK,EAAE,2BAA2B,CAAC;YACnF,cAAc,CAAC,cAAc,CAAC,GAAG,KAAK,EAAE,YAAY,CAAC;YACrD,cAAc,CAAC,WAAW,CAAC,GAAG,KAAK,EAAE,SAAS,CAAC;YAC/C,cAAc,CAAC,QAAQ,CAAC,GAAG,KAAK,EAAE,MAAM,CAAC;SAC5C;aAAM;YACH,MAAM,IAAI,GAAG,WAA+C,CAAC;YAC7D,IAAI,IAAI,EAAE,SAAS,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBAC5C,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;aAC5D;YACD,IAAI,IAAI,EAAE,MAAM,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE;gBACzC,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;aACzD;YACD,cAAc,CAAC,gBAAgB,CAAC,GAAG,IAAI,EAAE,cAAc,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YACzG,cAAc,CAAC,kBAAkB,CAAC,GAAG,IAAI,EAAE,gBAAgB,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YAC/G,cAAc,CAAC,yBAAyB,CAAC,GAAG,IAAI,EAAE,uBAAuB,CAAC;YAC1E,cAAc,CAAC,oBAAoB,CAAC,GAAG,IAAI,EAAE,kBAAkB,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YACrH,cAAc,CAAC,sBAAsB,CAAC,GAAG,IAAI,EAAE,oBAAoB,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YAC3H,cAAc,CAAC,6BAA6B,CAAC,GAAG,IAAI,EAAE,2BAA2B,CAAC;YAClF,cAAc,CAAC,WAAW,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC;YAC9C,cAAc,CAAC,QAAQ,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC;YACxC,cAAc,CAAC,cAAc,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;SACtD;QACD,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,CAAC,CAAC;QACnE,MAAM,UAAU,GAAG,EAAE,uBAAuB,EAAE,CAAC,gBAAgB,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,sBAAsB,CAAC,EAAE,CAAC;QACrI,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QAC7C,KAAK,CAAC,gBAAgB,CAAC,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC;IACrE,CAAC;;AA/GL,4CAgHC;AAlGG,gBAAgB;AACO,6BAAY,GAAG,kDAAkD,CAAC"}

package/authProvider.d.ts

@@ -0,0 +1,339 @@
+import * as pulumi from "@pulumi/pulumi";
+/**
+ * Manages an SSO auth provider for a dbt Cloud account. Supports SAML/Okta, Azure Active Directory (single-tenant, multi-tenant), and Google Workspace.
+ *
+ * Only one auth provider may exist per account. Requires the SSO feature enabled on the account (enterprise plans only).
+ *
+ * See the [documentation](https://docs.getdbt.com/docs/cloud/manage-access/sso-overview) for more information.
+ *
+ * ## Import
+ *
+ * Import an existing auth provider by its numeric ID.
+ * The ID can be found via the dbt Cloud API:
+ * GET /api/v3/accounts/{account_id}/auth-provider/
+ *
+ * ```sh
+ * $ pulumi import dbtcloud:index/authProvider:AuthProvider example 12345
+ * ```
+ */
+export declare class AuthProvider extends pulumi.CustomResource {
+    /**
+     * Get an existing AuthProvider resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param state Any extra arguments used during the lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AuthProviderState, opts?: pulumi.CustomResourceOptions): AuthProvider;
+    /**
+     * Returns true if the given object is an instance of AuthProvider.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj: any): obj is AuthProvider;
+    /**
+     * Google Workspace admin OAuth refresh token used to fetch group memberships.
+     */
+    readonly adminRefreshToken: pulumi.Output<string | undefined>;
+    /**
+     * When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
+     */
+    readonly allowPasswordBackdoor: pulumi.Output<boolean>;
+    /**
+     * JSON map of SAML attribute names to dbt Cloud user fields.
+     */
+    readonly attributeMap: pulumi.Output<string>;
+    /**
+     * OAuth authorization URL for Google Workspace. May be auto-populated server-side.
+     */
+    readonly authorizationUrl: pulumi.Output<string>;
+    /**
+     * SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using `certWo` instead. Conflicts with `certWo`.
+     */
+    readonly cert: pulumi.Output<string | undefined>;
+    /**
+     * Expiry date of the SAML X.509 certificate (SAML/Okta only).
+     */
+    readonly certExpiryDate: pulumi.Output<string>;
+    /**
+     * **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+     * Write-only alternative to `cert`. Not stored in state. Use `certWoVersion` to trigger updates. Conflicts with `cert`.
+     */
+    readonly certWo: pulumi.Output<string | undefined>;
+    /**
+     * Increment to rotate `certWo` without changing the value.
+     */
+    readonly certWoVersion: pulumi.Output<number | undefined>;
+    /**
+     * OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
+     */
+    readonly clientId: pulumi.Output<string>;
+    /**
+     * OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using `clientSecretWo` instead. Conflicts with `clientSecretWo`.
+     */
+    readonly clientSecret: pulumi.Output<string | undefined>;
+    /**
+     * **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+     * Write-only alternative to `clientSecret`. Not stored in state. Use `clientSecretWoVersion` to trigger updates. Conflicts with `clientSecret`.
+     */
+    readonly clientSecretWo: pulumi.Output<string | undefined>;
+    /**
+     * Increment to rotate `clientSecretWo` without changing the value.
+     */
+    readonly clientSecretWoVersion: pulumi.Output<number | undefined>;
+    readonly createdAt: pulumi.Output<string>;
+    /**
+     * Primary domain for the Azure AD or Google Workspace tenant.
+     */
+    readonly domain: pulumi.Output<string | undefined>;
+    /**
+     * SAML entity ID (Issuer) from your identity provider. Required for `saml` and `okta`.
+     */
+    readonly entityId: pulumi.Output<string | undefined>;
+    /**
+     * Google Workspace admin email used to fetch group memberships.
+     */
+    readonly gsuiteAdminId: pulumi.Output<string | undefined>;
+    /**
+     * Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
+     */
+    readonly includeIndirectGroups: pulumi.Output<boolean>;
+    /**
+     * The SSO login URL for the account, auto-generated from the slug.
+     */
+    readonly loginUrl: pulumi.Output<string>;
+    /**
+     * Maximum number of Azure AD groups to fetch per user. Defaults to 250.
+     */
+    readonly maxGroupsToRetrieve: pulumi.Output<number>;
+    /**
+     * Whether to sign SAML authentication requests. Defaults to false.
+     */
+    readonly signRequest: pulumi.Output<boolean>;
+    /**
+     * URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
+     */
+    readonly slug: pulumi.Output<string>;
+    /**
+     * SAML Single Sign-On URL from your identity provider. Required for `saml` and `okta`.
+     */
+    readonly ssoUrl: pulumi.Output<string | undefined>;
+    /**
+     * The state of the auth provider (1 = active).
+     */
+    readonly state: pulumi.Output<number>;
+    /**
+     * Azure AD tenant ID. Required for `azureSingleTenant`.
+     */
+    readonly tenantId: pulumi.Output<string | undefined>;
+    /**
+     * The SSO provider type. One of: `saml`, `okta`, `gsuite`, `azureSingleTenant`, `azureMultiTenant`, `azureActiveDirectory`. Changing this value forces a new resource.
+     */
+    readonly type: pulumi.Output<string>;
+    readonly updatedAt: pulumi.Output<string>;
+    /**
+     * Create a AuthProvider resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args: AuthProviderArgs, opts?: pulumi.CustomResourceOptions);
+}
+/**
+ * Input properties used for looking up and filtering AuthProvider resources.
+ */
+export interface AuthProviderState {
+    /**
+     * Google Workspace admin OAuth refresh token used to fetch group memberships.
+     */
+    adminRefreshToken?: pulumi.Input<string>;
+    /**
+     * When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
+     */
+    allowPasswordBackdoor?: pulumi.Input<boolean>;
+    /**
+     * JSON map of SAML attribute names to dbt Cloud user fields.
+     */
+    attributeMap?: pulumi.Input<string>;
+    /**
+     * OAuth authorization URL for Google Workspace. May be auto-populated server-side.
+     */
+    authorizationUrl?: pulumi.Input<string>;
+    /**
+     * SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using `certWo` instead. Conflicts with `certWo`.
+     */
+    cert?: pulumi.Input<string>;
+    /**
+     * Expiry date of the SAML X.509 certificate (SAML/Okta only).
+     */
+    certExpiryDate?: pulumi.Input<string>;
+    /**
+     * **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+     * Write-only alternative to `cert`. Not stored in state. Use `certWoVersion` to trigger updates. Conflicts with `cert`.
+     */
+    certWo?: pulumi.Input<string>;
+    /**
+     * Increment to rotate `certWo` without changing the value.
+     */
+    certWoVersion?: pulumi.Input<number>;
+    /**
+     * OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
+     */
+    clientId?: pulumi.Input<string>;
+    /**
+     * OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using `clientSecretWo` instead. Conflicts with `clientSecretWo`.
+     */
+    clientSecret?: pulumi.Input<string>;
+    /**
+     * **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+     * Write-only alternative to `clientSecret`. Not stored in state. Use `clientSecretWoVersion` to trigger updates. Conflicts with `clientSecret`.
+     */
+    clientSecretWo?: pulumi.Input<string>;
+    /**
+     * Increment to rotate `clientSecretWo` without changing the value.
+     */
+    clientSecretWoVersion?: pulumi.Input<number>;
+    createdAt?: pulumi.Input<string>;
+    /**
+     * Primary domain for the Azure AD or Google Workspace tenant.
+     */
+    domain?: pulumi.Input<string>;
+    /**
+     * SAML entity ID (Issuer) from your identity provider. Required for `saml` and `okta`.
+     */
+    entityId?: pulumi.Input<string>;
+    /**
+     * Google Workspace admin email used to fetch group memberships.
+     */
+    gsuiteAdminId?: pulumi.Input<string>;
+    /**
+     * Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
+     */
+    includeIndirectGroups?: pulumi.Input<boolean>;
+    /**
+     * The SSO login URL for the account, auto-generated from the slug.
+     */
+    loginUrl?: pulumi.Input<string>;
+    /**
+     * Maximum number of Azure AD groups to fetch per user. Defaults to 250.
+     */
+    maxGroupsToRetrieve?: pulumi.Input<number>;
+    /**
+     * Whether to sign SAML authentication requests. Defaults to false.
+     */
+    signRequest?: pulumi.Input<boolean>;
+    /**
+     * URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
+     */
+    slug?: pulumi.Input<string>;
+    /**
+     * SAML Single Sign-On URL from your identity provider. Required for `saml` and `okta`.
+     */
+    ssoUrl?: pulumi.Input<string>;
+    /**
+     * The state of the auth provider (1 = active).
+     */
+    state?: pulumi.Input<number>;
+    /**
+     * Azure AD tenant ID. Required for `azureSingleTenant`.
+     */
+    tenantId?: pulumi.Input<string>;
+    /**
+     * The SSO provider type. One of: `saml`, `okta`, `gsuite`, `azureSingleTenant`, `azureMultiTenant`, `azureActiveDirectory`. Changing this value forces a new resource.
+     */
+    type?: pulumi.Input<string>;
+    updatedAt?: pulumi.Input<string>;
+}
+/**
+ * The set of arguments for constructing a AuthProvider resource.
+ */
+export interface AuthProviderArgs {
+    /**
+     * Google Workspace admin OAuth refresh token used to fetch group memberships.
+     */
+    adminRefreshToken?: pulumi.Input<string>;
+    /**
+     * When true (default), users can still log in with email and password as a fallback. Set to false to enforce SSO-only access.
+     */
+    allowPasswordBackdoor?: pulumi.Input<boolean>;
+    /**
+     * JSON map of SAML attribute names to dbt Cloud user fields.
+     */
+    attributeMap?: pulumi.Input<string>;
+    /**
+     * OAuth authorization URL for Google Workspace. May be auto-populated server-side.
+     */
+    authorizationUrl?: pulumi.Input<string>;
+    /**
+     * SAML X.509 certificate (PEM format). Sensitive — stored in state. Consider using `certWo` instead. Conflicts with `certWo`.
+     */
+    cert?: pulumi.Input<string>;
+    /**
+     * **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+     * Write-only alternative to `cert`. Not stored in state. Use `certWoVersion` to trigger updates. Conflicts with `cert`.
+     */
+    certWo?: pulumi.Input<string>;
+    /**
+     * Increment to rotate `certWo` without changing the value.
+     */
+    certWoVersion?: pulumi.Input<number>;
+    /**
+     * OAuth client ID. Required for Azure AD and Google Workspace providers. Not returned by the API after save (encrypted at rest).
+     */
+    clientId?: pulumi.Input<string>;
+    /**
+     * OAuth client secret. Required for Azure AD and Google Workspace providers. Sensitive — stored in state. Consider using `clientSecretWo` instead. Conflicts with `clientSecretWo`.
+     */
+    clientSecret?: pulumi.Input<string>;
+    /**
+     * **NOTE:** This field is write-only and its value will not be updated in state as part of read operations.
+     * Write-only alternative to `clientSecret`. Not stored in state. Use `clientSecretWoVersion` to trigger updates. Conflicts with `clientSecret`.
+     */
+    clientSecretWo?: pulumi.Input<string>;
+    /**
+     * Increment to rotate `clientSecretWo` without changing the value.
+     */
+    clientSecretWoVersion?: pulumi.Input<number>;
+    /**
+     * Primary domain for the Azure AD or Google Workspace tenant.
+     */
+    domain?: pulumi.Input<string>;
+    /**
+     * SAML entity ID (Issuer) from your identity provider. Required for `saml` and `okta`.
+     */
+    entityId?: pulumi.Input<string>;
+    /**
+     * Google Workspace admin email used to fetch group memberships.
+     */
+    gsuiteAdminId?: pulumi.Input<string>;
+    /**
+     * Whether to include transitive (indirect) group memberships from Azure AD. Defaults to true.
+     */
+    includeIndirectGroups?: pulumi.Input<boolean>;
+    /**
+     * Maximum number of Azure AD groups to fetch per user. Defaults to 250.
+     */
+    maxGroupsToRetrieve?: pulumi.Input<number>;
+    /**
+     * Whether to sign SAML authentication requests. Defaults to false.
+     */
+    signRequest?: pulumi.Input<boolean>;
+    /**
+     * URL-safe identifier used in the SSO login URL. Auto-generated if omitted. Immutable on accounts where auto-slug enforcement is enabled.
+     */
+    slug?: pulumi.Input<string>;
+    /**
+     * SAML Single Sign-On URL from your identity provider. Required for `saml` and `okta`.
+     */
+    ssoUrl?: pulumi.Input<string>;
+    /**
+     * Azure AD tenant ID. Required for `azureSingleTenant`.
+     */
+    tenantId?: pulumi.Input<string>;
+    /**
+     * The SSO provider type. One of: `saml`, `okta`, `gsuite`, `azureSingleTenant`, `azureMultiTenant`, `azureActiveDirectory`. Changing this value forces a new resource.
+     */
+    type: pulumi.Input<string>;
+}

package/authProvider.js

@@ -0,0 +1,121 @@
+"use strict";
+// *** WARNING: this file was generated by pulumi-language-nodejs. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthProvider = void 0;
+const pulumi = require("@pulumi/pulumi");
+const utilities = require("./utilities");
+/**
+ * Manages an SSO auth provider for a dbt Cloud account. Supports SAML/Okta, Azure Active Directory (single-tenant, multi-tenant), and Google Workspace.
+ *
+ * Only one auth provider may exist per account. Requires the SSO feature enabled on the account (enterprise plans only).
+ *
+ * See the [documentation](https://docs.getdbt.com/docs/cloud/manage-access/sso-overview) for more information.
+ *
+ * ## Import
+ *
+ * Import an existing auth provider by its numeric ID.
+ * The ID can be found via the dbt Cloud API:
+ * GET /api/v3/accounts/{account_id}/auth-provider/
+ *
+ * ```sh
+ * $ pulumi import dbtcloud:index/authProvider:AuthProvider example 12345
+ * ```
+ */
+class AuthProvider extends pulumi.CustomResource {
+    /**
+     * Get an existing AuthProvider resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param state Any extra arguments used during the lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    static get(name, id, state, opts) {
+        return new AuthProvider(name, state, { ...opts, id: id });
+    }
+    /**
+     * Returns true if the given object is an instance of AuthProvider.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    static isInstance(obj) {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === AuthProvider.__pulumiType;
+    }
+    constructor(name, argsOrState, opts) {
+        let resourceInputs = {};
+        opts = opts || {};
+        if (opts.id) {
+            const state = argsOrState;
+            resourceInputs["adminRefreshToken"] = state?.adminRefreshToken;
+            resourceInputs["allowPasswordBackdoor"] = state?.allowPasswordBackdoor;
+            resourceInputs["attributeMap"] = state?.attributeMap;
+            resourceInputs["authorizationUrl"] = state?.authorizationUrl;
+            resourceInputs["cert"] = state?.cert;
+            resourceInputs["certExpiryDate"] = state?.certExpiryDate;
+            resourceInputs["certWo"] = state?.certWo;
+            resourceInputs["certWoVersion"] = state?.certWoVersion;
+            resourceInputs["clientId"] = state?.clientId;
+            resourceInputs["clientSecret"] = state?.clientSecret;
+            resourceInputs["clientSecretWo"] = state?.clientSecretWo;
+            resourceInputs["clientSecretWoVersion"] = state?.clientSecretWoVersion;
+            resourceInputs["createdAt"] = state?.createdAt;
+            resourceInputs["domain"] = state?.domain;
+            resourceInputs["entityId"] = state?.entityId;
+            resourceInputs["gsuiteAdminId"] = state?.gsuiteAdminId;
+            resourceInputs["includeIndirectGroups"] = state?.includeIndirectGroups;
+            resourceInputs["loginUrl"] = state?.loginUrl;
+            resourceInputs["maxGroupsToRetrieve"] = state?.maxGroupsToRetrieve;
+            resourceInputs["signRequest"] = state?.signRequest;
+            resourceInputs["slug"] = state?.slug;
+            resourceInputs["ssoUrl"] = state?.ssoUrl;
+            resourceInputs["state"] = state?.state;
+            resourceInputs["tenantId"] = state?.tenantId;
+            resourceInputs["type"] = state?.type;
+            resourceInputs["updatedAt"] = state?.updatedAt;
+        }
+        else {
+            const args = argsOrState;
+            if (args?.type === undefined && !opts.urn) {
+                throw new Error("Missing required property 'type'");
+            }
+            resourceInputs["adminRefreshToken"] = args?.adminRefreshToken ? pulumi.secret(args.adminRefreshToken) : undefined;
+            resourceInputs["allowPasswordBackdoor"] = args?.allowPasswordBackdoor;
+            resourceInputs["attributeMap"] = args?.attributeMap;
+            resourceInputs["authorizationUrl"] = args?.authorizationUrl;
+            resourceInputs["cert"] = args?.cert ? pulumi.secret(args.cert) : undefined;
+            resourceInputs["certWo"] = args?.certWo ? pulumi.secret(args.certWo) : undefined;
+            resourceInputs["certWoVersion"] = args?.certWoVersion;
+            resourceInputs["clientId"] = args?.clientId;
+            resourceInputs["clientSecret"] = args?.clientSecret ? pulumi.secret(args.clientSecret) : undefined;
+            resourceInputs["clientSecretWo"] = args?.clientSecretWo ? pulumi.secret(args.clientSecretWo) : undefined;
+            resourceInputs["clientSecretWoVersion"] = args?.clientSecretWoVersion;
+            resourceInputs["domain"] = args?.domain;
+            resourceInputs["entityId"] = args?.entityId;
+            resourceInputs["gsuiteAdminId"] = args?.gsuiteAdminId;
+            resourceInputs["includeIndirectGroups"] = args?.includeIndirectGroups;
+            resourceInputs["maxGroupsToRetrieve"] = args?.maxGroupsToRetrieve;
+            resourceInputs["signRequest"] = args?.signRequest;
+            resourceInputs["slug"] = args?.slug;
+            resourceInputs["ssoUrl"] = args?.ssoUrl;
+            resourceInputs["tenantId"] = args?.tenantId ? pulumi.secret(args.tenantId) : undefined;
+            resourceInputs["type"] = args?.type;
+            resourceInputs["certExpiryDate"] = undefined /*out*/;
+            resourceInputs["createdAt"] = undefined /*out*/;
+            resourceInputs["loginUrl"] = undefined /*out*/;
+            resourceInputs["state"] = undefined /*out*/;
+            resourceInputs["updatedAt"] = undefined /*out*/;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        const secretOpts = { additionalSecretOutputs: ["adminRefreshToken", "cert", "certWo", "clientSecret", "clientSecretWo", "tenantId"] };
+        opts = pulumi.mergeOptions(opts, secretOpts);
+        super(AuthProvider.__pulumiType, name, resourceInputs, opts);
+    }
+}
+exports.AuthProvider = AuthProvider;
+/** @internal */
+AuthProvider.__pulumiType = 'dbtcloud:index/authProvider:AuthProvider';
+//# sourceMappingURL=authProvider.js.map