Resource Identity: Add identity data to existing RPCs and add two new identity related RPCs"

[ansgarm]

This PR adds initial support for Resource Identity to the SDKv2. It's in an early stage, meaning it's only lightly tested and mostly covering the happy path.

• update plugin go
• initial generate of RPC + small shim test
• wip - resource identity schema
• Added initial testing for getresourceidentityschemas
• Added initial attempt for GetResourceIdentitySchemas and UpgradeResourceIdentity.
• start implementing identity in ReadResource – test doesn't work yet, but getting close
• Added more for GetResourceIdentitySchemas and UpgradeResourceIdentity.
• Copied CoreIdentitySchema to CoreResourceIdentitySchema and started ConfigIdentitySchemaToProto and coreConfigIdentitySchema to use in GetResourceIdentitySchemas
• Continuing addition of functions for Resource Identity
• Added TODO for internal validation later
• Tests for GetResourceIdentity passing
• Initial test written for UpgradeResourceIdentity passing
• make ReadResource test pass
• use the right identity upgraders
• support get, set for identity data
• support get, set for identity data in diffs in PlanResourceChange customize diff functions
• Added to the internal validation in schema and corresponding tests, need to check if the expected behavior is correct
• Added TestUpgradeResourceIdentity_removedAttr and TestUpgradeResourceIdentity_jsonStateBigInt however BigInt doesn't work just yet
• safeguard empty identity sent by Terraform
• implement identity in ApplyResourceChange
• allow using Identity() when there wasn't one yet
• fix check for previous state
• Added scaffolding for internalIdentityValidate in resource.go to validate resource identities
• update terraform-plugin-go to latest main
• fix diff possibly being empty
• update RawIdentity to RawState as the former was retired
• update code comments and remove obsolete todos

[austinvalle]

Took a first look, good stuff so far!

[austinvalle]

It would be nice to validate the identity schema separate from the other schemas, it would make logic like this a little cleaner.

Would this allow you to create invalid resource schemas that use OptionalForImport or RequiredForImport, and therefore have Required, Optional, and Computed as false?

[SBGoods]

Technically, this internalValidate() should be schema type agnostic. I don't think it's even possible to pass information about the schema type to this method without some major refactoring. If we have resource identity schema-specific validation that might need to be a separate method that's called in (*provider).InternalValidate(). This is where the validation that blocks write-only attributes in non-managed resource schemas is:

terraform-plugin-sdk/helper/schema/provider.go

Lines 235 to 238 in 19e5b30

	dataSourceSchema := schemaMap(r.SchemaMap())
	if dataSourceSchema.hasWriteOnly() {
	validationErrors = append(validationErrors, fmt.Errorf("data source %s cannot contain write-only attributes", k))
	}

[ansgarm]

We'll implement validation in a follow-up PR – I'll leave this discussion open for reference.

[SBGoods]

Looks pretty good so far! Left a couple of comments

[SBGoods]

Technically, this internalValidate() should be schema type agnostic. I don't think it's even possible to pass information about the schema type to this method without some major refactoring. If we have resource identity schema-specific validation that might need to be a separate method that's called in (*provider).InternalValidate(). This is where the validation that blocks write-only attributes in non-managed resource schemas is:

terraform-plugin-sdk/helper/schema/provider.go

Lines 235 to 238 in 19e5b30

	dataSourceSchema := schemaMap(r.SchemaMap())
	if dataSourceSchema.hasWriteOnly() {
	validationErrors = append(validationErrors, fmt.Errorf("data source %s cannot contain write-only attributes", k))
	}

[ansgarm]

I think we can keep this small improvement

[austinvalle]

LGTM 🚀

We should follow up this PR with a bump to the terraform-plugin-go@v0.27.0-alpha.1 and maybe a pre-release changelog similar to the framework one -> https://github.com/hashicorp/terraform-plugin-framework/blob/main/.changes/1.15.0-alpha.1.md

[austinvalle]

I'm not 100% sure what you mean by this comment, but in general we'll always need the identity schema to decode identity data from the protocol (any DynamicValue in the protocol needs a schema to decode to avoid losing any type/value information)

Perhaps all of this logic can eventually be extracted to a function that transforms a *tfprotov5.ResourceIdentityData into a flatmap, but not sure we can avoid the usage of the schema.

[ansgarm]

Oh, that comment is mostly there to indicate that this code is repeated multiple times – so extracting it into a function might make sense, but yeah, schema would need to be passed into it to work.

[austinvalle]

I agree, we should generally trying to return some nice error if we encounter identity data unexpectedly

[austinvalle]

Weird, I didn't know that planned state was also kind of side-car'd with prior state 😅

[ansgarm]

This might be copy-pasted in error – I don't recall if it was needed

[austinvalle]

Nothing I think needs immediate action before we merge this PR, just some thoughts

I'm actually not sure where the logic to "delete" the resource (send back a null value) happens in SDKv2, but I think we'll want to make sure we send a null identity object back if we're destroying.

For example, here it is in framework: https://github.com/hashicorp/terraform-plugin-framework/blob/f01eb331c102f536ee3b93c7a6066edbabb815fb/internal/fwserver/server_deleteresource.go#L116-L134

I also don't know if core cares about what we send back, but this might be something we run into if they do. Perhaps a follow-up! (Once we start using terraform-plugin-testing to test identity, we'll find out quick if this is a problem 😆 )

[austinvalle]

These are great tests to have here! ❤️

I'd say once we start getting more complex then this, we can start implementing terraform-provider-corner tests, since they'll hit the plan/apply combo

[austinvalle]

➕ to eventually returning errors in situations like this. This would indicate that either Terraform has a bug or the SDK has a bug, so we want to explicitly call that out.

[ansgarm]