@aditmeno

Summary

This PR addresses issues where Terraform/OpenTofu runs refresh before create for new resources, causing API errors when trying to read non-existent resources.

Problem

When using tofu apply (or terraform apply) with the -refresh=true flag (which is the default), Terraform attempts to refresh the state of all resources before making changes. For resources that don't yet exist (i.e., resources being created for the first time), the Read method is called with an empty/null/unknown ID. Without proper handling, this causes the provider to make API calls with empty identifiers, resulting in errors.

Solution

  • Add early return checks in Read methods for 31 resources to gracefully handle null/unknown/empty resource identifiers by calling resp.State.RemoveResource(). This signals to Terraform that the resource needs to be created.

  • Fix calls_sfu_app: Consolidate app_id and uid fields (they were duplicates) by mapping the API's uid response to app_id with proper Computed+Optional schema and UseStateForUnknown plan modifier.

  • Fix zero_trust_access_service_token: Replace AlsoRequires validator with a custom ConfigValidator that only requires previous_client_secret_expires_at when client_secret_version > 1 (during rotation). The previous validator was problematic because client_secret_version has a default value of 1, so it's always set, incorrectly triggering the validator on initial creation.

Affected Resources

  • account, api_shield_operation, api_shield_schema, calls_sfu_app, calls_turn_app
  • connectivity_directory_service, d1_database, list_item, notification_policy
  • queue, queue_consumer, schema_validation_schemas, stream, stream_live_input
  • stream_watermark, turnstile_widget, web_analytics_site, worker
  • zero_trust_access_application, zero_trust_access_custom_page
  • zero_trust_access_service_token, zero_trust_device_custom_profile
  • zero_trust_device_managed_networks, zero_trust_dex_test, zero_trust_dlp_dataset
  • zero_trust_dns_location, zero_trust_tunnel_cloudflared, zone

Test Plan

  • Verify tofu plan / terraform plan works for new resources without errors
  • Verify tofu apply / terraform apply successfully creates resources
  • Verify existing resources continue to work (refresh/update/delete)
  • Test calls_sfu_app resource creation and verify app_id is properly populated
  • Test zero_trust_access_service_token initial creation without previous_client_secret_expires_at
  • Test zero_trust_access_service_token rotation with client_secret_version > 1 requires previous_client_secret_expires_at

This PR addresses issues where Terraform/OpenTofu runs refresh before create
for new resources, causing API errors when trying to read non-existent resources.

Changes:
- Add early return checks in Read methods for 31 resources to gracefully handle
  null/unknown/empty resource identifiers by calling resp.State.RemoveResource()
- Fix calls_sfu_app: consolidate app_id and uid fields (they were duplicates)
  by mapping the API's uid response to app_id with proper Computed+Optional schema
- Fix zero_trust_access_service_token: replace AlsoRequires validator with custom
  ConfigValidator that only requires previous_client_secret_expires_at when
  client_secret_version > 1 (during rotation), since the default value of 1
  always triggered the validator incorrectly on initial creation

Affected resources:
- account, api_shield_operation, api_shield_schema, calls_sfu_app, calls_turn_app
- connectivity_directory_service, d1_database, list_item, notification_policy
- queue, queue_consumer, schema_validation_schemas, stream, stream_live_input
- stream_watermark, turnstile_widget, web_analytics_site, worker
- zero_trust_access_application, zero_trust_access_custom_page
- zero_trust_access_service_token, zero_trust_device_custom_profile
- zero_trust_device_managed_networks, zero_trust_dex_test, zero_trust_dlp_dataset
- zero_trust_dns_location, zero_trust_tunnel_cloudflared, zone

Signed-off-by: Aditya Menon <[email protected]>
@aditmeno aditmeno force-pushed the fix/handle-empty-id-in-read-methods branch from 3ba7e46 to c7672af Compare January 29, 2026 07:41
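
The early-return guard described in the PR's Solution section, as an added Go example that is not part of the pull request or the provider's code. `TFString`, `State` and `FakeAPI` are hypothetical, standard-library-only stand-ins for the plugin framework's string type, the Read response state and the API client.

```go
package main

import (
	"errors"
	"fmt"
)

// TFString is a stand-in for the plugin framework's tri-state string
// (null, unknown, or a known value); it is not the framework type.
type TFString struct {
	Null, Unknown bool
	Value         string
}

// State is a stand-in for the resource state handed to Read.
type State struct{ Removed bool }

// RemoveResource mirrors the effect described in the PR: the resource is
// dropped from state so the plan proposes creating it.
func (s *State) RemoveResource() { s.Removed = true }

// FakeAPI records every identifier it is asked to fetch and, like the
// failure the PR describes, rejects an empty one.
type FakeAPI struct{ Calls []string }

func (a *FakeAPI) Get(id string) (string, error) {
	a.Calls = append(a.Calls, id)
	if id == "" {
		return "", errors.New("GET /resources/: empty identifier")
	}
	return "resource " + id, nil
}

// Read returns early when the ID is null, unknown or empty, so no request
// with an empty identifier ever reaches the API.
func Read(api *FakeAPI, id TFString, st *State) error {
	if id.Null || id.Unknown || id.Value == "" {
		st.RemoveResource()
		return nil
	}
	_, err := api.Get(id.Value)
	return err
}

func main() {
	api, st := &FakeAPI{}, &State{}
	err := Read(api, TFString{Unknown: true}, st) // constructed input: resource not yet created
	fmt.Println(err, st.Removed, len(api.Calls))
}
```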