Skip to content

Resource Identity: Run custom type validation during import #1136

@austinvalle

Description

@austinvalle
Member

Module version

terraform-plugin-framework@v1.15.0 (yet to be released)

Context

Resource identity will soon be released in terraform-plugin-framework@v1.15.0, which will allow a managed resource to be imported via an import config block with an identity object attribute (defined by a resource identity schema) in-place of the existing id string attribute:

import {
  to = examplecloud_thing.example
  identity = {
    region = "us-east-1"
    id = "abc-123"
  }
}

As with any provider-defined schema data that is input by a practitioner, providers will likely want to determine that this configuration is valid, which in framework can be done with:

  • Schema-based attribute validators
  • Resource-level config validators
  • Resource-level validate config method
  • Custom type validations

Import itself is unique in Terraform in that it currently does not have an "offline" validate RPC like other configuration does (ValidateResourceConfig, ValidateDatasourceConfig, etc.), so the only place that providers can determine the configuration is invalid, is during the ImportResourceState RPC. This import RPC call is not run during the "offline" terraform validate command; it's only run during terraform plan and terraform apply. Providers today can read configuration, then return an error diagnostic during import for validation, but since import has historically only been receiving a "string id" as input, it's been typically easier to just return a 404 during refresh when an ID is invalid.

Proposal

At the very least, we should probably run "Custom type validations" during import, since there is no connection to "offline" validate RPCs like there is with the other schema/resource-based approaches. Custom type validation runs every time a framework type is created/read from, regardless of the RPC executing.

Unfortunately, we don't currently get this validation for free, since all framework data objects (tfsdk packages) are represented in terraform-plugin-go, rather than the framework types, see #590.

To run the custom type validation, we would just need to traverse the identity object during ImportResourceState and check each type for xattr.ValidateableAttribute, then run the validation.


If we decide to introduce schema/resource validation, it would need to be carefully documented to ensure provider developers know that the validations will not run during terraform validate.

References

Activity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @austinvalle

        Issue actions

          Resource Identity: Run custom type validation during import · Issue #1136 · hashicorp/terraform-plugin-framework