ResourceIdentity: Validate that identities do not change after Terraform stores it (#1137)

* add immutability validation to plan and apply

* add private key to import and validation to read

* add `MutableIdentity` resource behavior

* fix immutability

Author: austinvalle

internal/fromproto5/applyresourcechange.go

@@ -17,7 +17,7 @@ import (
 
 // ApplyResourceChangeRequest returns the *fwserver.ApplyResourceChangeRequest
 // equivalent of a *tfprotov5.ApplyResourceChangeRequest.
-func ApplyResourceChangeRequest(ctx context.Context, proto5 *tfprotov5.ApplyResourceChangeRequest, resource resource.Resource, resourceSchema fwschema.Schema, providerMetaSchema fwschema.Schema, identitySchema fwschema.Schema) (*fwserver.ApplyResourceChangeRequest, diag.Diagnostics) {
+func ApplyResourceChangeRequest(ctx context.Context, proto5 *tfprotov5.ApplyResourceChangeRequest, resource resource.Resource, resourceSchema fwschema.Schema, providerMetaSchema fwschema.Schema, resourceBehavior resource.ResourceBehavior, identitySchema fwschema.Schema) (*fwserver.ApplyResourceChangeRequest, diag.Diagnostics) {
 	if proto5 == nil {
 		return nil, nil
 	}
@@ -39,9 +39,10 @@ func ApplyResourceChangeRequest(ctx context.Context, proto5 *tfprotov5.ApplyReso
 	}
 
 	fw := &fwserver.ApplyResourceChangeRequest{
-		ResourceSchema: resourceSchema,
-		IdentitySchema: identitySchema,
-		Resource:       resource,
+		ResourceSchema:   resourceSchema,
+		ResourceBehavior: resourceBehavior,
+		IdentitySchema:   identitySchema,
+		Resource:         resource,
 	}
 
 	config, configDiags := Config(ctx, proto5.Config, resourceSchema)

internal/fromproto5/applyresourcechange_test.go

@@ -83,6 +83,7 @@ func TestApplyResourceChangeRequest(t *testing.T) {
 
 	testCases := map[string]struct {
 		input               *tfprotov5.ApplyResourceChangeRequest
+		resourceBehavior    resource.ResourceBehavior
 		resourceSchema      fwschema.Schema
 		resource            resource.Resource
 		providerMetaSchema  fwschema.Schema
@@ -309,13 +310,26 @@ func TestApplyResourceChangeRequest(t *testing.T) {
 				ResourceSchema: testFwSchema,
 			},
 		},
+		"resource-behavior": {
+			input:          &tfprotov5.ApplyResourceChangeRequest{},
+			resourceSchema: testFwSchema,
+			resourceBehavior: resource.ResourceBehavior{
+				MutableIdentity: true,
+			},
+			expected: &fwserver.ApplyResourceChangeRequest{
+				ResourceBehavior: resource.ResourceBehavior{
+					MutableIdentity: true,
+				},
+				ResourceSchema: testFwSchema,
+			},
+		},
 	}
 
 	for name, testCase := range testCases {
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
 
-			got, diags := fromproto5.ApplyResourceChangeRequest(context.Background(), testCase.input, testCase.resource, testCase.resourceSchema, testCase.providerMetaSchema, testCase.identitySchema)
+			got, diags := fromproto5.ApplyResourceChangeRequest(context.Background(), testCase.input, testCase.resource, testCase.resourceSchema, testCase.providerMetaSchema, testCase.resourceBehavior, testCase.identitySchema)
 
 			if diff := cmp.Diff(got, testCase.expected, cmp.AllowUnexported(privatestate.ProviderData{})); diff != "" {
 				t.Errorf("unexpected difference: %s", diff)

internal/fromproto5/readresource.go

@@ -17,7 +17,7 @@ import (
 
 // ReadResourceRequest returns the *fwserver.ReadResourceRequest
 // equivalent of a *tfprotov5.ReadResourceRequest.
-func ReadResourceRequest(ctx context.Context, proto5 *tfprotov5.ReadResourceRequest, reqResource resource.Resource, resourceSchema fwschema.Schema, providerMetaSchema fwschema.Schema, identitySchema fwschema.Schema) (*fwserver.ReadResourceRequest, diag.Diagnostics) {
+func ReadResourceRequest(ctx context.Context, proto5 *tfprotov5.ReadResourceRequest, reqResource resource.Resource, resourceSchema fwschema.Schema, providerMetaSchema fwschema.Schema, resourceBehavior resource.ResourceBehavior, identitySchema fwschema.Schema) (*fwserver.ReadResourceRequest, diag.Diagnostics) {
 	if proto5 == nil {
 		return nil, nil
 	}
@@ -26,6 +26,7 @@ func ReadResourceRequest(ctx context.Context, proto5 *tfprotov5.ReadResourceRequ
 
 	fw := &fwserver.ReadResourceRequest{
 		Resource:           reqResource,
+		ResourceBehavior:   resourceBehavior,
 		IdentitySchema:     identitySchema,
 		ClientCapabilities: ReadResourceClientCapabilities(proto5.ClientCapabilities),
 	}

internal/fromproto5/readresource_test.go

@@ -83,6 +83,7 @@ func TestReadResourceRequest(t *testing.T) {
 
 	testCases := map[string]struct {
 		input               *tfprotov5.ReadResourceRequest
+		resourceBehavior    resource.ResourceBehavior
 		resourceSchema      fwschema.Schema
 		identitySchema      fwschema.Schema
 		resource            resource.Resource
@@ -251,13 +252,25 @@ func TestReadResourceRequest(t *testing.T) {
 				},
 			},
 		},
+		"resource-behavior": {
+			input:          &tfprotov5.ReadResourceRequest{},
+			resourceSchema: testFwSchema,
+			resourceBehavior: resource.ResourceBehavior{
+				MutableIdentity: true,
+			},
+			expected: &fwserver.ReadResourceRequest{
+				ResourceBehavior: resource.ResourceBehavior{
+					MutableIdentity: true,
+				},
+			},
+		},
 	}
 
 	for name, testCase := range testCases {
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
 
-			got, diags := fromproto5.ReadResourceRequest(context.Background(), testCase.input, testCase.resource, testCase.resourceSchema, testCase.providerMetaSchema, testCase.identitySchema)
+			got, diags := fromproto5.ReadResourceRequest(context.Background(), testCase.input, testCase.resource, testCase.resourceSchema, testCase.providerMetaSchema, testCase.resourceBehavior, testCase.identitySchema)
 
 			if diff := cmp.Diff(got, testCase.expected, cmp.AllowUnexported(privatestate.ProviderData{})); diff != "" {
 				t.Errorf("unexpected difference: %s", diff)

internal/fromproto6/applyresourcechange.go

@@ -17,7 +17,7 @@ import (
 
 // ApplyResourceChangeRequest returns the *fwserver.ApplyResourceChangeRequest
 // equivalent of a *tfprotov6.ApplyResourceChangeRequest.
-func ApplyResourceChangeRequest(ctx context.Context, proto6 *tfprotov6.ApplyResourceChangeRequest, resource resource.Resource, resourceSchema fwschema.Schema, providerMetaSchema fwschema.Schema, identitySchema fwschema.Schema) (*fwserver.ApplyResourceChangeRequest, diag.Diagnostics) {
+func ApplyResourceChangeRequest(ctx context.Context, proto6 *tfprotov6.ApplyResourceChangeRequest, resource resource.Resource, resourceSchema fwschema.Schema, providerMetaSchema fwschema.Schema, resourceBehavior resource.ResourceBehavior, identitySchema fwschema.Schema) (*fwserver.ApplyResourceChangeRequest, diag.Diagnostics) {
 	if proto6 == nil {
 		return nil, nil
 	}
@@ -39,9 +39,10 @@ func ApplyResourceChangeRequest(ctx context.Context, proto6 *tfprotov6.ApplyReso
 	}
 
 	fw := &fwserver.ApplyResourceChangeRequest{
-		ResourceSchema: resourceSchema,
-		IdentitySchema: identitySchema,
-		Resource:       resource,
+		ResourceSchema:   resourceSchema,
+		ResourceBehavior: resourceBehavior,
+		IdentitySchema:   identitySchema,
+		Resource:         resource,
 	}
 
 	config, configDiags := Config(ctx, proto6.Config, resourceSchema)

internal/fromproto6/applyresourcechange_test.go

@@ -83,6 +83,7 @@ func TestApplyResourceChangeRequest(t *testing.T) {
 
 	testCases := map[string]struct {
 		input               *tfprotov6.ApplyResourceChangeRequest
+		resourceBehavior    resource.ResourceBehavior
 		resourceSchema      fwschema.Schema
 		resource            resource.Resource
 		providerMetaSchema  fwschema.Schema
@@ -309,13 +310,26 @@ func TestApplyResourceChangeRequest(t *testing.T) {
 				ResourceSchema: testFwSchema,
 			},
 		},
+		"resource-behavior": {
+			input:          &tfprotov6.ApplyResourceChangeRequest{},
+			resourceSchema: testFwSchema,
+			resourceBehavior: resource.ResourceBehavior{
+				MutableIdentity: true,
+			},
+			expected: &fwserver.ApplyResourceChangeRequest{
+				ResourceBehavior: resource.ResourceBehavior{
+					MutableIdentity: true,
+				},
+				ResourceSchema: testFwSchema,
+			},
+		},
 	}
 
 	for name, testCase := range testCases {
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
 
-			got, diags := fromproto6.ApplyResourceChangeRequest(context.Background(), testCase.input, testCase.resource, testCase.resourceSchema, testCase.providerMetaSchema, testCase.identitySchema)
+			got, diags := fromproto6.ApplyResourceChangeRequest(context.Background(), testCase.input, testCase.resource, testCase.resourceSchema, testCase.providerMetaSchema, testCase.resourceBehavior, testCase.identitySchema)
 
 			if diff := cmp.Diff(got, testCase.expected, cmp.AllowUnexported(privatestate.ProviderData{})); diff != "" {
 				t.Errorf("unexpected difference: %s", diff)

internal/fromproto6/readresource.go

@@ -17,7 +17,7 @@ import (
 
 // ReadResourceRequest returns the *fwserver.ReadResourceRequest
 // equivalent of a *tfprotov6.ReadResourceRequest.
-func ReadResourceRequest(ctx context.Context, proto6 *tfprotov6.ReadResourceRequest, reqResource resource.Resource, resourceSchema fwschema.Schema, providerMetaSchema fwschema.Schema, identitySchema fwschema.Schema) (*fwserver.ReadResourceRequest, diag.Diagnostics) {
+func ReadResourceRequest(ctx context.Context, proto6 *tfprotov6.ReadResourceRequest, reqResource resource.Resource, resourceSchema fwschema.Schema, providerMetaSchema fwschema.Schema, resourceBehavior resource.ResourceBehavior, identitySchema fwschema.Schema) (*fwserver.ReadResourceRequest, diag.Diagnostics) {
 	if proto6 == nil {
 		return nil, nil
 	}
@@ -26,6 +26,7 @@ func ReadResourceRequest(ctx context.Context, proto6 *tfprotov6.ReadResourceRequ
 
 	fw := &fwserver.ReadResourceRequest{
 		Resource:           reqResource,
+		ResourceBehavior:   resourceBehavior,
 		IdentitySchema:     identitySchema,
 		ClientCapabilities: ReadResourceClientCapabilities(proto6.ClientCapabilities),
 	}

internal/fromproto6/readresource_test.go

@@ -83,6 +83,7 @@ func TestReadResourceRequest(t *testing.T) {
 
 	testCases := map[string]struct {
 		input               *tfprotov6.ReadResourceRequest
+		resourceBehavior    resource.ResourceBehavior
 		resourceSchema      fwschema.Schema
 		identitySchema      fwschema.Schema
 		resource            resource.Resource
@@ -251,13 +252,25 @@ func TestReadResourceRequest(t *testing.T) {
 				},
 			},
 		},
+		"resource-behavior": {
+			input:          &tfprotov6.ReadResourceRequest{},
+			resourceSchema: testFwSchema,
+			resourceBehavior: resource.ResourceBehavior{
+				MutableIdentity: true,
+			},
+			expected: &fwserver.ReadResourceRequest{
+				ResourceBehavior: resource.ResourceBehavior{
+					MutableIdentity: true,
+				},
+			},
+		},
 	}
 
 	for name, testCase := range testCases {
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
 
-			got, diags := fromproto6.ReadResourceRequest(context.Background(), testCase.input, testCase.resource, testCase.resourceSchema, testCase.providerMetaSchema, testCase.identitySchema)
+			got, diags := fromproto6.ReadResourceRequest(context.Background(), testCase.input, testCase.resource, testCase.resourceSchema, testCase.providerMetaSchema, testCase.resourceBehavior, testCase.identitySchema)
 
 			if diff := cmp.Diff(got, testCase.expected, cmp.AllowUnexported(privatestate.ProviderData{})); diff != "" {
 				t.Errorf("unexpected difference: %s", diff)

internal/fwserver/server_applyresourcechange.go

@@ -17,15 +17,16 @@ import (
 // ApplyResourceChangeRequest is the framework server request for the
 // ApplyResourceChange RPC.
 type ApplyResourceChangeRequest struct {
-	Config          *tfsdk.Config
-	PlannedPrivate  *privatestate.Data
-	PlannedState    *tfsdk.Plan
-	PlannedIdentity *tfsdk.ResourceIdentity
-	PriorState      *tfsdk.State
-	ProviderMeta    *tfsdk.Config
-	ResourceSchema  fwschema.Schema
-	IdentitySchema  fwschema.Schema
-	Resource        resource.Resource
+	Config           *tfsdk.Config
+	PlannedPrivate   *privatestate.Data
+	PlannedState     *tfsdk.Plan
+	PlannedIdentity  *tfsdk.ResourceIdentity
+	PriorState       *tfsdk.State
+	ProviderMeta     *tfsdk.Config
+	ResourceSchema   fwschema.Schema
+	IdentitySchema   fwschema.Schema
+	Resource         resource.Resource
+	ResourceBehavior resource.ResourceBehavior
 }
 
 // ApplyResourceChangeResponse is the framework server response for the
@@ -101,15 +102,16 @@ func (s *Server) ApplyResourceChange(ctx context.Context, req *ApplyResourceChan
 	logging.FrameworkTrace(ctx, "ApplyResourceChange running UpdateResource")
 
 	updateReq := &UpdateResourceRequest{
-		Config:          req.Config,
-		PlannedPrivate:  req.PlannedPrivate,
-		PlannedState:    req.PlannedState,
-		PlannedIdentity: req.PlannedIdentity,
-		PriorState:      req.PriorState,
-		ProviderMeta:    req.ProviderMeta,
-		ResourceSchema:  req.ResourceSchema,
-		IdentitySchema:  req.IdentitySchema,
-		Resource:        req.Resource,
+		Config:           req.Config,
+		PlannedPrivate:   req.PlannedPrivate,
+		PlannedState:     req.PlannedState,
+		PlannedIdentity:  req.PlannedIdentity,
+		PriorState:       req.PriorState,
+		ProviderMeta:     req.ProviderMeta,
+		ResourceSchema:   req.ResourceSchema,
+		IdentitySchema:   req.IdentitySchema,
+		Resource:         req.Resource,
+		ResourceBehavior: req.ResourceBehavior,
 	}
 	updateResp := &UpdateResourceResponse{}