-
Notifications
You must be signed in to change notification settings - Fork 99
Description
Module version
terraform-plugin-framework@v1.15.0 (yet to be released)
Context
Resource identity will soon be released in terraform-plugin-framework@v1.15.0
, which will allow a managed resource to be imported via an import
config block with an identity
object attribute (defined by a resource identity schema) in-place of the existing id
string attribute:
import {
to = examplecloud_thing.example
identity = {
region = "us-east-1"
id = "abc-123"
}
}
As with any provider-defined schema data that is input by a practitioner, providers will likely want to determine that this configuration is valid, which in framework can be done with:
- Schema-based attribute validators
- Resource-level config validators
- Resource-level validate config method
- Custom type validations
Import itself is unique in Terraform in that it currently does not have an "offline" validate RPC like other configuration does (ValidateResourceConfig
, ValidateDatasourceConfig
, etc.), so the only place that providers can determine the configuration is invalid, is during the ImportResourceState
RPC. This import RPC call is not run during the "offline" terraform validate
command; it's only run during terraform plan
and terraform apply
. Providers today can read configuration, then return an error diagnostic during import for validation, but since import has historically only been receiving a "string id" as input, it's been typically easier to just return a 404 during refresh when an ID is invalid.
Proposal
At the very least, we should probably run "Custom type validations" during import, since there is no connection to "offline" validate RPCs like there is with the other schema/resource-based approaches. Custom type validation runs every time a framework type is created/read from, regardless of the RPC executing.
Unfortunately, we don't currently get this validation for free, since all framework data objects (tfsdk
packages) are represented in terraform-plugin-go
, rather than the framework types, see #590.
To run the custom type validation, we would just need to traverse the identity object during ImportResourceState
and check each type for xattr.ValidateableAttribute
, then run the validation.
If we decide to introduce schema/resource validation, it would need to be carefully documented to ensure provider developers know that the validations will not run during terraform validate
.
Activity