Skip to content

ResourceIdentity: Validate that identities do not change after Terraform stores it #1478

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
May 15, 2025
Merged

ResourceIdentity: Validate that identities do not change after Terraform stores it #1478

merged 4 commits into from
May 15, 2025

Conversation

ansgarm
Copy link
Member

@ansgarm ansgarm commented May 12, 2025
edited
Loading

PR description shamelessly stolen from hashicorp/terraform-plugin-framework#1137

This PR re-introduces the validation that previously lived in Terraform core (removed in hashicorp/terraform#36989), which ensures that resource identities do not change after Terraform core stores them in state.

The one tricky part of this PR is ReadResource, which the protocol currently does not have sufficient information for us to determine if the state we are refreshing has already been stored (typical use-case) or if we are importing the resource. Rather than loosening how strict the validation is, I added a temporary key to a framework reserved private field, which Terraform passes between ImportResourceState -> ReadResource. Once we've read that field, we can skip validation of the identity, clear the private field, then following refreshes will validate as normal.

@ansgarm ansgarm force-pushed the add-immutable-validation branch 2 times, most recently from e9587a1 to e170b2a Compare May 14, 2025 10:20
@ansgarm ansgarm marked this pull request as ready for review May 14, 2025 10:51
@ansgarm ansgarm requested a review from a team as a code owner May 14, 2025 10:51
@ansgarm ansgarm force-pushed the add-immutable-validation branch from fce3e26 to 6b8733e Compare May 14, 2025 10:51
@ansgarm ansgarm force-pushed the add-immutable-validation branch from 6b8733e to 929b999 Compare May 14, 2025 10:53
@austinvalle austinvalle added this to the v2.37.0 milestone May 14, 2025
@austinvalle austinvalle added the enhancement New feature or request label May 14, 2025
austinvalle
austinvalle previously approved these changes May 14, 2025
View reviewed changes
Copy link
Member

@austinvalle austinvalle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, I left some nits and suggestions for potential tests. If you want to push any changes just re-request and i'll re-approve 👍🏻

@ansgarm ansgarm requested review from austinvalle May 14, 2025 15:17
austinvalle
austinvalle approved these changes May 14, 2025
View reviewed changes
Copy link
Member

@austinvalle austinvalle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀

@ansgarm ansgarm merged commit 104e551 into main May 15, 2025
22 checks passed
@ansgarm ansgarm deleted the add-immutable-validation branch May 15, 2025 10:22
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 14, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@austinvalle austinvalle Awaiting requested review from austinvalle

Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
v2.37.0
Development

Successfully merging this pull request may close these issues.
2 participants
@ansgarm @austinvalle