terraform-provider-newrelic
After importing newrelic_notification_destination of type SLACK it tries to delete auth_token
Terraform Version
Terraform v1.3.0
on linux_arm64
Affected Resource(s)
Please list the resources as a list, for example:
- newrelic_notification_destination
Terraform Configuration
Please include your provider configuration (sensitive details redacted) as well as the configuration of the resources and/or data sources related to the bug report.
terraform {
  required_providers {
    newrelic = {
      source = "newrelic/newrelic"
      version = "~> 3.3"
    }
  }
}

provider "newrelic" {
  account_id = **********
  api_key = **********
  region = "US"
}

resource "newrelic_notification_destination" "slack" {
  name = "*********"
  type = "SLACK"

  auth_token {
    prefix = "Bearer"
  }

  property {
    key = "scope"
    label = "Permissions"
    value = "app_mentions:read,channels:join,channels:read,chat:write,chat:write.public,commands,groups:read,links:read,links:write,team:read,users:read"
  }

  property {
    key = "teamName"
    label = "Team Name"
    value = "******"
  }
}
Actual Behavior
I've imported the slack newrelic_notification_destination as described in the documentation. Then I did a terraform state show newrelic_notification_destination.slack and I've made the required changes in my main.tf. The final resource is like the one mentioned before (including the auth_token block).
After this, I did a plan and it shows me an error saying:
Error: Missing required argument
│
│ on main.tf line 10, in resource "newrelic_notification_destination" "slack":
│ 10: auth_token {
│
│ The argument "token" is required, but no definition was found.
If I remove the auth_token block, then it tells me it will be removed (which I think it shouldn't be).
Expected Behavior
The auth_token.token should be optional in the resource when the type is slack or shouldn't be imported.
Hi @alisson276, thanks for raising the issue. We will prioritise it.
@NSSPKrishna Has this issue already been resolved?
Hi @alisson276, thank you for your feedback and we'll address this issue. In the meantime, you can add the following code to your imported Slack destination resource:
lifecycle {
  ignore_changes = [auth_token]
}

For example:

resource "newrelic_notification_destination" "slack" {
  lifecycle {
    ignore_changes = [auth_token]
  }

  name = "*********"
  type = "SLACK"

  auth_token {
    prefix = "Bearer"
  }

  property {
    key = "scope"
    label = "Permissions"
    value = "app_mentions:read,channels:join,channels:read,chat:write,chat:write.public,commands,groups:read,links:read,links:write,team:read,users:read"
  }

  property {
    key = "teamName"
    label = "Team Name"
    value = "******"
  }
}
Instructions suggest not to copy state (as OP did)?
Instead, leave the resource empty - but the validation fails on required attributes...?
For now, here's my workaround:
resource "newrelic_notification_destination" "slack" {
  lifecycle {
    # attributes are only being set to pass validation (not actually used)
    # https://github.com/newrelic/terraform-provider-newrelic/issues/2025
    ignore_changes = all
    # destination requires manual import & therefore should not be destroyed
    prevent_destroy = true
  }

  type = "SLACK"
  name = ""

  property {
    key = ""
    value = ""
  }
}
Docs: lifecycle
Hi everyone,
The token in the auth_token attribute doesn't return from our API, because it's sensitive data. After deeper investigation, ignore_changes is the only way to avoid this issue (as mentioned below). We'll add this information to the docs.
lifecycle {
  ignore_changes = [auth_token]
}

For example:

resource "newrelic_notification_destination" "slack" {
  lifecycle {
    ignore_changes = [auth_token]
  }

  name = "*********"
  type = "SLACK"

  auth_token {
    prefix = "Bearer"
  }

  property {
    key = "scope"
    label = "Permissions"
    value = "app_mentions:read,channels:join,channels:read,chat:write,chat:write.public,commands,groups:read,links:read,links:write,team:read,users:read"
  }

  property {
    key = "teamName"
    label = "Team Name"
    value = "******"
  }
}
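A pre-apply guard for the behaviour discussed in this thread, as an added example that is not part of the original thread or the provider's code: it reads the JSON form of a plan (`terraform show -json <planfile>`) and reports any newrelic_notification_destination the plan would destroy or strip of its auth_token block. The sample plan is constructed, and the function name and the list-of-blocks shape assumed for auth_token are illustrative assumptions.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output.
# Only the fields this check reads are present; all values are made up.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {   # auth_token block deleted from main.tf after import
            "address": "newrelic_notification_destination.slack",
            "type": "newrelic_notification_destination",
            "change": {
                "actions": ["update"],
                "before": {"type": "SLACK", "auth_token": [{"prefix": "Bearer"}]},
                "after": {"type": "SLACK", "auth_token": []},
            },
        },
        {   # lifecycle ignore_changes in place: nothing planned
            "address": "newrelic_notification_destination.kept",
            "type": "newrelic_notification_destination",
            "change": {
                "actions": ["no-op"],
                "before": {"type": "SLACK", "auth_token": [{"prefix": "Bearer"}]},
                "after": {"type": "SLACK", "auth_token": [{"prefix": "Bearer"}]},
            },
        },
    ]
})


def risky_destination_changes(plan_json):
    """Return (address, reason) for each destination the plan would damage."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "newrelic_notification_destination":
            continue
        change = rc.get("change", {})
        before = change.get("before") or {}  # null when the resource is created
        after = change.get("after") or {}    # null when the resource is deleted
        if "delete" in change.get("actions", []):
            # covers plain destroy and both replace orderings
            findings.append((rc["address"], "destroyed or replaced"))
        elif before.get("auth_token") and not after.get("auth_token"):
            findings.append((rc["address"], "auth_token block removed"))
    return findings


if __name__ == "__main__":
    for address, reason in risky_destination_changes(SAMPLE_PLAN):
        print(f"BLOCK: {address}: {reason}")
```

Run it in CI between `terraform plan -out` and `terraform apply`, and fail the job when the returned list is not empty.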
> After deeper investigation, ignore_changes is the only way to avoid this issue (as mentioned below).

Disagree. The provider can be taught to automatically ignore changes for the relevant fields when the type is SLACK so that users do not have to add a lifecycle block.
Agree with @zeffron that this is just an edge case in your validation not taking slack destinations into account - meaning that the validation itself needs to be fixed, not the resource configuration.
I like @zeffron's idea of allowing empty when type === "SLACK" and updating docs to recommend this:

resource "newrelic_notification_destination" "slack" {
  type = "SLACK"
}
Extra credit: If there was a way to automatically prevent destroy, that may be useful? Although I guess this would already be the case if it was in use by a workflow...?
> Extra credit: If there was a way to automatically prevent destroy, that may be useful? Although I guess this would already be the case if it was in use by a workflow...?
I think this is doable, but I don't know if it really fits well with the Terraform paradigm. Terraform can't distinguish between a resource that was made manually and then imported explicitly for this configuration (in which case destroy might be correct behavior) and one where it's being imported for reuse, or where it will be needed again post destroy.
Having the user explicitly set the lifecycle to prevent destruction does seem appropriate to me because knowing if destruction is desired or not does require extra information from the user.
Might be possible to default to not destroying and require setting prevent_destroy to false (if that's even possible?), but that seems very esoteric.
Right it wouldn't be explicit, which is confusing. Maybe a note in the docs is enough.
Throwing 2c in here, would being able to reference the destination as data instead of resource be better? Seems like it would fit better with the ethos of referencing something created outside of the module's control.
Tried data:
│ Error: Invalid data source
│
│ on main.tf line 1, in data "newrelic_notification_destination" "slack":
│ 1: data "newrelic_notification_destination" "slack" {
│
│ The provider newrelic/newrelic does not support data source
│ "newrelic_notification_destination".
│
│ Did you intend to use the managed resource type
│ "newrelic_notification_destination"? If so, declare this using a "resource"
│ block instead of a "data" block.
Hi everyone, We are working on creating destinations as data sources as well.
@lzaga-newrelic - do we have a date when destinations as data source will go live? Thanks!
Hi @MAN98, we are working on that right now. Hopefully, next week you'll see it in the next version of the provider. I'll update here as well.
Thanks for the prompt response @lzaga-newrelic ^_^