add private key to import and validation to read

Author: austinvalle

internal/fwserver/server_applyresourcechange_test.go

@@ -1840,9 +1840,9 @@ func TestServerApplyResourceChange(t *testing.T) {
 				Diagnostics: diag.Diagnostics{
 					diag.NewErrorDiagnostic(
 						"Unexpected Identity Change",
-						"During the apply operation, the Terraform Provider unexpectedly returned a different identity then the previously stored one.\n\n"+
+						"During the update operation, the Terraform Provider unexpectedly returned a different identity then the previously stored one.\n\n"+
 							"This is always a problem with the provider and should be reported to the provider developer.\n\n"+
-							"Planned Identity: tftypes.Object[\"test_id\":tftypes.String]<\"test_id\":tftypes.String<\"id-123\">>\n"+
+							"Planned Identity: tftypes.Object[\"test_id\":tftypes.String]<\"test_id\":tftypes.String<\"id-123\">>\n\n"+
 							"New Identity: tftypes.Object[\"test_id\":tftypes.String]<\"test_id\":tftypes.String<\"new-id-123\">>",
 					),
 				},

internal/fwserver/server_importresourcestate.go

@@ -205,6 +205,12 @@ func (s *Server) ImportResourceState(ctx context.Context, req *ImportResourceSta
 
 	private := &privatestate.Data{}
 
+	// Set an internal private field that will get sent alongside the imported resource. This will be cleared by
+	// the following ReadResource RPC and is primarily used to control validation of resource identities during refresh.
+	private.Framework = map[string][]byte{
+		privatestate.ImportBeforeReadKey: []byte(`true`), // The actual data isn't important, we just use the map key to detect it.
+	}
+
 	if importResp.Private != nil {
 		private.Provider = importResp.Private
 	}

internal/fwserver/server_importresourcestate_test.go

@@ -166,12 +166,18 @@ func TestServerImportResourceState(t *testing.T) {
 	testProviderData := privatestate.MustProviderData(context.Background(), testProviderKeyValue)
 
 	testPrivate := &privatestate.Data{
+		Framework: map[string][]byte{
+			privatestate.ImportBeforeReadKey: []byte(`true`),
+		},
 		Provider: testProviderData,
 	}
 
 	testEmptyProviderData := privatestate.EmptyProviderData(context.Background())
 
 	testEmptyPrivate := &privatestate.Data{
+		Framework: map[string][]byte{
+			privatestate.ImportBeforeReadKey: []byte(`true`),
+		},
 		Provider: testEmptyProviderData,
 	}
 

internal/fwserver/server_planresourcechange.go

@@ -385,7 +385,7 @@ func (s *Server) PlanResourceChange(ctx context.Context, req *PlanResourceChange
 				"Unexpected Identity Change",
 				"During the planning operation, the Terraform Provider unexpectedly returned a different identity then the previously stored one.\n\n"+
 					"This is always a problem with the provider and should be reported to the provider developer.\n\n"+
-					fmt.Sprintf("Prior Identity: %s\n", req.PriorIdentity.Raw.String())+
+					fmt.Sprintf("Prior Identity: %s\n\n", req.PriorIdentity.Raw.String())+
 					fmt.Sprintf("Planned Identity: %s", resp.PlannedIdentity.Raw.String()),
 			)
 

internal/fwserver/server_planresourcechange_test.go

@@ -4077,7 +4077,7 @@ func TestServerPlanResourceChange(t *testing.T) {
 						"Unexpected Identity Change",
 						"During the planning operation, the Terraform Provider unexpectedly returned a different identity then the previously stored one.\n\n"+
 							"This is always a problem with the provider and should be reported to the provider developer.\n\n"+
-							"Prior Identity: tftypes.Object[\"test_id\":tftypes.String]<\"test_id\":tftypes.String<\"id-123\">>\n"+
+							"Prior Identity: tftypes.Object[\"test_id\":tftypes.String]<\"test_id\":tftypes.String<\"id-123\">>\n\n"+
 							"Planned Identity: tftypes.Object[\"test_id\":tftypes.String]<\"test_id\":tftypes.String<\"new-id-123\">>",
 					),
 				},
@@ -6728,7 +6728,7 @@ func TestServerPlanResourceChange(t *testing.T) {
 						"Unexpected Identity Change",
 						"During the planning operation, the Terraform Provider unexpectedly returned a different identity then the previously stored one.\n\n"+
 							"This is always a problem with the provider and should be reported to the provider developer.\n\n"+
-							"Prior Identity: tftypes.Object[\"test_id\":tftypes.String]<\"test_id\":tftypes.String<\"id-123\">>\n"+
+							"Prior Identity: tftypes.Object[\"test_id\":tftypes.String]<\"test_id\":tftypes.String<\"id-123\">>\n\n"+
 							"Planned Identity: tftypes.Object[\"test_id\":tftypes.String]<\"test_id\":tftypes.String<\"new-id-123\">>",
 					),
 				},

internal/fwserver/server_readresource.go

@@ -5,6 +5,7 @@ package fwserver
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/hashicorp/terraform-plugin-go/tftypes"
 
@@ -110,12 +111,21 @@ func (s *Server) ReadResource(ctx context.Context, req *ReadResourceRequest, res
 	readReq.Private = privateProviderData
 	readResp.Private = privateProviderData
 
+	readFollowingImport := false
 	if req.Private != nil {
 		if req.Private.Provider != nil {
 			readReq.Private = req.Private.Provider
 			readResp.Private = req.Private.Provider
 		}
 
+		// This internal private field is set on a resource during ImportResourceState to help framework determine if
+		// the resource has been recently imported. We only need to read this once, so we immediately clear it after.
+		_, ok := req.Private.Framework[privatestate.ImportBeforeReadKey]
+		if ok {
+			readFollowingImport = true
+			delete(req.Private.Framework, privatestate.ImportBeforeReadKey)
+		}
+
 		resp.Private = req.Private
 	}
 
@@ -162,14 +172,29 @@ func (s *Server) ReadResource(ctx context.Context, req *ReadResourceRequest, res
 		return
 	}
 
-	if resp.NewIdentity != nil && req.IdentitySchema == nil {
-		resp.Diagnostics.AddError(
-			"Unexpected Read Response",
-			"An unexpected error was encountered when creating the read response. New identity data was returned by the provider read operation, but the resource does not indicate identity support.\n\n"+
-				"This is always a problem with the provider and should be reported to the provider developer.",
-		)
+	if resp.NewIdentity != nil {
+		if req.IdentitySchema == nil {
+			resp.Diagnostics.AddError(
+				"Unexpected Read Response",
+				"An unexpected error was encountered when creating the read response. New identity data was returned by the provider read operation, but the resource does not indicate identity support.\n\n"+
+					"This is always a problem with the provider and should be reported to the provider developer.",
+			)
 
-		return
+			return
+		}
+
+		// If we're refreshing the resource state (excluding a recently imported resource), validate that the new identity isn't changing
+		if !readFollowingImport && !req.CurrentIdentity.Raw.IsNull() && !req.CurrentIdentity.Raw.Equal(resp.NewIdentity.Raw) {
+			resp.Diagnostics.AddError(
+				"Unexpected Identity Change",
+				"During the read operation, the Terraform Provider unexpectedly returned a different identity then the previously stored one.\n\n"+
+					"This is always a problem with the provider and should be reported to the provider developer.\n\n"+
+					fmt.Sprintf("Current Identity: %s\n\n", req.CurrentIdentity.Raw.String())+
+					fmt.Sprintf("New Identity: %s", resp.NewIdentity.Raw.String()),
+			)
+
+			return
+		}
 	}
 
 	semanticEqualityReq := SchemaSemanticEqualityRequest{

internal/fwserver/server_readresource_test.go

@@ -198,6 +198,13 @@ func TestServerReadResource(t *testing.T) {
 		Provider: testEmptyProviderData,
 	}
 
+	testPrivateAfterImport := &privatestate.Data{
+		Framework: map[string][]byte{
+			privatestate.ImportBeforeReadKey: []byte(`true`),
+		},
+		Provider: testEmptyProviderData,
+	}
+
 	testDeferralAllowed := resource.ReadClientCapabilities{
 		DeferralAllowed: true,
 	}
@@ -629,13 +636,41 @@ func TestServerReadResource(t *testing.T) {
 				Private:     testEmptyPrivate,
 			},
 		},
-		"response-identity-update": {
+		"response-identity-valid-update-null-currentidentity": {
+			server: &fwserver.Server{
+				Provider: &testprovider.Provider{},
+			},
+			request: &fwserver.ReadResourceRequest{
+				CurrentState:   testCurrentState,
+				IdentitySchema: testIdentitySchema,
+				Resource: &testprovider.ResourceWithIdentity{
+					Resource: &testprovider.Resource{
+						ReadMethod: func(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
+							identityData := struct {
+								TestID types.String `tfsdk:"test_id"`
+							}{
+								TestID: types.StringValue("new-id-123"),
+							}
+
+							resp.Diagnostics.Append(resp.Identity.Set(ctx, &identityData)...)
+						},
+					},
+				},
+			},
+			expectedResponse: &fwserver.ReadResourceResponse{
+				NewState:    testCurrentState,
+				NewIdentity: testNewIdentity,
+				Private:     testEmptyPrivate,
+			},
+		},
+		"response-identity-valid-update-after-import": {
 			server: &fwserver.Server{
 				Provider: &testprovider.Provider{},
 			},
 			request: &fwserver.ReadResourceRequest{
 				CurrentState:    testCurrentState,
 				CurrentIdentity: testCurrentIdentity,
+				Private:         testPrivateAfterImport,
 				IdentitySchema:  testIdentitySchema,
 				Resource: &testprovider.ResourceWithIdentity{
 					Resource: &testprovider.Resource{
@@ -654,6 +689,48 @@ func TestServerReadResource(t *testing.T) {
 				},
 			},
 			expectedResponse: &fwserver.ReadResourceResponse{
+				NewState:    testCurrentState,
+				NewIdentity: testNewIdentity,
+				Private: &privatestate.Data{
+					Framework: make(map[string][]byte, 0), // Private import key should be cleared
+					Provider:  testEmptyProviderData,
+				},
+			},
+		},
+		"response-identity-invalid-update": {
+			server: &fwserver.Server{
+				Provider: &testprovider.Provider{},
+			},
+			request: &fwserver.ReadResourceRequest{
+				CurrentState:    testCurrentState,
+				CurrentIdentity: testCurrentIdentity,
+				IdentitySchema:  testIdentitySchema,
+				Resource: &testprovider.ResourceWithIdentity{
+					Resource: &testprovider.Resource{
+						ReadMethod: func(ctx context.Context, req resource.ReadRequest, resp *resource.ReadResponse) {
+							var identityData struct {
+								TestID types.String `tfsdk:"test_id"`
+							}
+
+							resp.Diagnostics.Append(req.Identity.Get(ctx, &identityData)...)
+
+							identityData.TestID = types.StringValue("new-id-123")
+
+							resp.Diagnostics.Append(resp.Identity.Set(ctx, &identityData)...)
+						},
+					},
+				},
+			},
+			expectedResponse: &fwserver.ReadResourceResponse{
+				Diagnostics: diag.Diagnostics{
+					diag.NewErrorDiagnostic(
+						"Unexpected Identity Change",
+						"During the read operation, the Terraform Provider unexpectedly returned a different identity then the previously stored one.\n\n"+
+							"This is always a problem with the provider and should be reported to the provider developer.\n\n"+
+							"Current Identity: tftypes.Object[\"test_id\":tftypes.String]<\"test_id\":tftypes.String<\"id-123\">>\n\n"+
+							"New Identity: tftypes.Object[\"test_id\":tftypes.String]<\"test_id\":tftypes.String<\"new-id-123\">>",
+					),
+				},
 				NewState:    testCurrentState,
 				NewIdentity: testNewIdentity,
 				Private:     testEmptyPrivate,

internal/fwserver/server_updateresource.go

@@ -190,7 +190,7 @@ func (s *Server) UpdateResource(ctx context.Context, req *UpdateResourceRequest,
 				"Unexpected Identity Change",
 				"During the update operation, the Terraform Provider unexpectedly returned a different identity then the previously stored one.\n\n"+
 					"This is always a problem with the provider and should be reported to the provider developer.\n\n"+
-					fmt.Sprintf("Planned Identity: %s\n", req.PlannedIdentity.Raw.String())+
+					fmt.Sprintf("Planned Identity: %s\n\n", req.PlannedIdentity.Raw.String())+
 					fmt.Sprintf("New Identity: %s", resp.NewIdentity.Raw.String()),
 			)
 

internal/privatestate/data.go

@@ -17,6 +17,13 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/internal/logging"
 )
 
+// ImportBeforeReadKey is an internal private field used to indicate that the current resource state and identity
+// were provided most recently by the ImportResourceState RPC. This indicates that the state is an import stub and identity
+// has not been stored in state yet.
+//
+// When detected, this key should be cleared before returning from the ReadResource RPC.
+var ImportBeforeReadKey = ".import_before_read"
+
 // Data contains private state data for the framework and providers.
 type Data struct {
 	// Potential future usage:

internal/proto5server/server_importresourcestate_test.go

@@ -60,6 +60,10 @@ func TestServerImportResourceState(t *testing.T) {
 		t.Fatalf("unexpected error calling tfprotov5.NewDynamicValue(): %s", err)
 	}
 
+	testEmptyPrivateBytes := privatestate.MustMarshalToJson(map[string][]byte{
+		privatestate.ImportBeforeReadKey: []byte(`true`),
+	})
+
 	testSchema := schema.Schema{
 		Attributes: map[string]schema.Attribute{
 			"id": schema.StringAttribute{
@@ -130,6 +134,7 @@ func TestServerImportResourceState(t *testing.T) {
 					{
 						State:    testStateDynamicValue,
 						TypeName: "test_resource",
+						Private:  testEmptyPrivateBytes,
 					},
 				},
 			},
@@ -183,7 +188,8 @@ func TestServerImportResourceState(t *testing.T) {
 			expectedResponse: &tfprotov5.ImportResourceStateResponse{
 				ImportedResources: []*tfprotov5.ImportedResource{
 					{
-						State: &testEmptyStateDynamicValue,
+						State:   &testEmptyStateDynamicValue,
+						Private: testEmptyPrivateBytes,
 						Identity: &tfprotov5.ResourceIdentityData{
 							IdentityData: testRequestIdentityValue,
 						},
@@ -271,6 +277,7 @@ func TestServerImportResourceState(t *testing.T) {
 			expectedResponse: &tfprotov5.ImportResourceStateResponse{
 				ImportedResources: []*tfprotov5.ImportedResource{
 					{
+						Private:  testEmptyPrivateBytes,
 						State:    testStateDynamicValue,
 						TypeName: "test_resource",
 					},
@@ -317,7 +324,8 @@ func TestServerImportResourceState(t *testing.T) {
 			expectedResponse: &tfprotov5.ImportResourceStateResponse{
 				ImportedResources: []*tfprotov5.ImportedResource{
 					{
-						State: &testEmptyStateDynamicValue,
+						State:   &testEmptyStateDynamicValue,
+						Private: testEmptyPrivateBytes,
 						Identity: &tfprotov5.ResourceIdentityData{
 							IdentityData: testImportedResourceIdentityDynamicValue,
 						},
@@ -366,7 +374,8 @@ func TestServerImportResourceState(t *testing.T) {
 						State:    testStateDynamicValue,
 						TypeName: "test_resource",
 						Private: privatestate.MustMarshalToJson(map[string][]byte{
-							"providerKey": []byte(`{"key": "value"}`),
+							privatestate.ImportBeforeReadKey: []byte(`true`),
+							"providerKey":                    []byte(`{"key": "value"}`),
 						}),
 					},
 				},