Unclear what account_id does, it seems to have no effect

Open gitcos opened this issue 3 years ago • 7 comments

Created a small self-contained terraform configuration for a New Relic synthetic. Put my REST API user key in environment variable NEW_RELIC_API_KEY.

When I run 'terraform apply' the synthetic is successfully created in the NR account associated with that REST API key. However, it does not seem to matter if I put a different account's numeric ID as the account_id in the .tf file. Whatever account ID I put in the .tf file is ignored; the resources are always deployed to the account matching my API key. No warning is given if that does not match the account_id in the .tf file.

I experimented by using two different REST API keys, for two different NR accounts, and running terraform apply and terraform destroy with each key. For each key, I did the above with the correct account_id in the .tf file, and also with the other account's ID in the .tf file. In each case, the account_id did not have any apparent effect, and terraform always acted on the account associated with the API key I had in my environment at the time.

I did not have a NEW_RELIC_ACCOUNT_ID variable set, nor any other environment variables with "RELIC" in their name.

main.tf (with account ID redacted):

terraform {
  required_providers {
    newrelic = {
      source = "newrelic/newrelic"
    }
  }
}

provider "newrelic" {
  region = "us"
  account_id = xxxxxxx  # Numeric ID of New Relic account
}

resource "newrelic_synthetics_monitor" "example" {
  type      = "SCRIPT_API"
  name      = "Example"
  frequency = 10
  status    = "ENABLED"
  locations = ["AWS_US_EAST_1"]
}

resource "newrelic_synthetics_monitor_script" "example" {
  monitor_id = newrelic_synthetics_monitor.example.id
  text       = file("example_api_script.js")
}

% terraform -v
Terraform v1.1.4
on darwin_amd64
+ provider registry.terraform.io/newrelic/newrelic v2.35.1

Actual Behavior

Resources added or destroyed in NR account that does not match the account_id in the .tf file. No warning or error message.

Expected Behavior

Uncertain, because your documentation does not actually explain what effect account_id is supposed to have. My guess is that account_id should set which NR account terraform should act on. In that case, I would expect a clear error telling me that my API key does not give access to the account in question, and a failure. However, it is possible that account_id has some other meaning, and that would not be the right behavior.

One thing I do expect is much better documentation for the newrelic terraform provider. It is very thin and perfunctory and omits more than it covers. Many arguments and behaviors are not adequately documented. Your terraform provider documentation needs serious work; it is barely usable in its current state. While this bug highlights just one example, I have been frustrated repeatedly by omissions and ambiguities throughout this documentation.

https://registry.terraform.io/providers/newrelic/newrelic/latest/docs/guides/provider_configuration just says that account_id is "Your New Relic account ID." and is required, and links to a page on how to find account IDs. It says nothing about what this argument is for, or what effect it should have. (The same can be said about most of the argument documentation on all pages in that reference.)

gitcos, Feb 02 '22 14:02

@gitcos I understand that it's confusing. The synthetics resource uses our legacy REST API which only requires an API key. Other resources use our GraphQL API which requires an account ID in many cases. The account ID you provide in the configuration block is used throughout those resources unless you specify an account ID on the resource. Hope this helps! We have plans to audit and update our documentation soon.

mbazhlekova, Feb 02 '22 17:02

Let me paraphrase what I think you're saying:

  • Some resource types use a REST API key, while other resource types use the GraphQL API and those do NOT use the REST API key at all. This is not under the user's control at all, it is strictly based on which type of resource.
  • For any resources for which terraform uses GraphQL, the account_id argument to the provider is used to determine which NR account to find/create/modify them in. For any resources that use the REST API key, the account_id argument is completely ignored, and the API key determines which account is used.

Before I say any more, can you please confirm for me that I have understood you correctly, and the above two statements are completely accurate? Or, if they are not, please explain better. Thanks.

gitcos, Feb 02 '22 17:02

Our GraphQL API also requires an API Key to make requests and many endpoints also require an account ID argument but not all. An example would be the alert policy resource which has an account ID argument. If you set one in your configuration block we'll use it for all your resources unless you specify a different account ID in the resource block. The entity tags resource however doesn't require an account ID and it's also a GraphQL API. It varies on an API to API basis. Some APIs allow you to create resources under different child accounts of the parent account tied to the API Key which is why you can specify an account ID on the resource.

mbazhlekova, Feb 03 '22 15:02

Okay, that does not really clarify things. It sounds like what I wrote above was wrong, but you still didn't explain what would be right. Let me try again to paraphrase, again just guessing here because neither the documentation nor your explanations attempt to explain what account_id actually does. And you did not even say which of my two statements were true or false, above. Although you did say one piece of the first statement is false. Trying again:

  • Some resource types use a REST API, while other resource types use the GraphQL API. This is not under the user's control at all, it is strictly based on which type of resource.
  • Some queries to the GraphQL API require an account ID to be provided in the query. When terraform makes one of those queries, if the resource definition does not have its own account_id set, terraform will take the account_id from the provider block and send that to the API.
  • For any API calls which do not require an account ID, the account_id argument in a .tf file is completely ignored and has no effect.
  • For any API calls which do require an account ID, the effect of providing that account ID is dependent on the particular API endpoint.

Can you clearly state which, if any, of these statements are incorrect? If none of them are incorrect, can you very clearly state that all four of them are true and accurate?

gitcos, Feb 03 '22 15:02

All of those are true

mbazhlekova, Feb 03 '22 15:02

Great, thanks for confirming!

Based on that, I think two changes are warranted:

  1. Improve the documentation at https://registry.terraform.io/providers/newrelic/newrelic/latest/docs/guides/provider_configuration to explain what account_id is for and what it does, along the lines I just did in my previous comment.

  2. Detect which account is actually being used (based on the API key provided) and a) include that account ID in the plan output in some way; b) issue a clear warning if it differs from the account_id argument in the provider block.

gitcos, Feb 03 '22 15:02
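
The check proposed in point 2 above, sketched as an added example (not code from the provider or from anyone in this thread): it reads `terraform show -json` plan output and reports changes whose declared account_id is not the account the API key will act on. The key's own account and its child accounts are supplied by the caller, and both the list of REST-backed resource types and the "not reachable" rule are assumptions drawn from the maintainer's replies.

```python
import json

# Assumption taken from the thread: at provider v2.35.1 the synthetics resources
# use the legacy REST API, so the API key alone selects the account.
KEY_SCOPED_TYPES = {"newrelic_synthetics_monitor", "newrelic_synthetics_monitor_script"}

def provider_account_id(plan):
    """account_id written in the provider "newrelic" block, if it is a constant."""
    cfg = plan.get("configuration", {}).get("provider_config", {}).get("newrelic", {})
    value = cfg.get("expressions", {}).get("account_id", {}).get("constant_value")
    return int(value) if value is not None else None

def audit_plan(plan, key_account_id, child_account_ids=frozenset()):
    """Return (address, problem, intended, effective) for every mismatched change."""
    declared = provider_account_id(plan)
    reachable = {key_account_id} | set(child_account_ids)
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if change["actions"] == ["no-op"]:
            continue
        # Deletes have no "after" state, so fall back to "before".
        attrs = change.get("after") or change.get("before") or {}
        override = attrs.get("account_id")
        intended = int(override) if override is not None else declared
        if intended is None:
            continue  # nothing declared anywhere, so nothing to compare against
        if rc["type"] in KEY_SCOPED_TYPES:
            if intended != key_account_id:
                findings.append((rc["address"], "account_id ignored", intended, key_account_id))
        elif intended not in reachable:
            findings.append((rc["address"], "account not reachable with this key", intended, None))
    return findings

# Constructed sample in the shape of `terraform show -json <planfile>`; all IDs are made up.
SAMPLE_PLAN = json.loads("""{
  "configuration": {"provider_config": {"newrelic": {"expressions": {
      "account_id": {"constant_value": 1111111}, "region": {"constant_value": "us"}}}}},
  "resource_changes": [
    {"address": "newrelic_synthetics_monitor.example", "type": "newrelic_synthetics_monitor",
     "change": {"actions": ["create"], "after": {"name": "Example"}}},
    {"address": "newrelic_alert_policy.child", "type": "newrelic_alert_policy",
     "change": {"actions": ["create"], "after": {"name": "p", "account_id": 3333333}}},
    {"address": "newrelic_alert_policy.main", "type": "newrelic_alert_policy",
     "change": {"actions": ["create"], "after": {"name": "q"}}}
  ]}""")

if __name__ == "__main__":
    for finding in audit_plan(SAMPLE_PLAN, key_account_id=2222222, child_account_ids={3333333}):
        print(finding)
```

Run as a gate between `terraform plan -out` and `terraform apply`, a non-empty result is the warning the thread asks for.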

Thanks @gitcos. We have a story to improve this in our documentation.

kidk, Feb 10 '22 09:02