Using import for fusionauth_tenant and fusionauth_application creates errors #214

Open
Aaron-Ritter opened this issue Jun 30, 2023 · 6 comments

Aaron-Ritter commented Jun 30, 2023

I am not able to import either the Default fusionauth_tenant or the FusionAuth fusionauth_application with terraform plan -generate-config-out=generated_resources.tf, as it's causing the errors below.

To import I created import.tf with the following configuration:

import {
  to = fusionauth_tenant.default
  id = "Tenant Default ID"
}

import {
  to = fusionauth_application.FusionAuth
  id = "Application FusionAuth ID"
}

Planning failed. Terraform encountered an error while generating this plan.

│ Warning: Config generation is experimental
│ Generating configuration during import is currently experimental, and the generated configuration format may change in future versions.

│ Warning: Argument is deprecated
│   with fusionauth_application.FusionAuth,
│   on generated_resources.tf line 1:
│   (source code not available)
│ In version 1.20.0 and beyond, Callback URLs can be managed via authorized_redirect_urls.

│ Error: expected "access_control_configuration.0.ui_ip_access_control_list_id" to be a valid UUID, got
│   with fusionauth_application.FusionAuth,
│   on generated_resources.tf line 1:
│   (source code not available)

│ Error: expected "samlv2_configuration.0.default_verification_key_id" to be a valid UUID, got
│   with fusionauth_application.FusionAuth,
│   on generated_resources.tf line 1:
│   (source code not available)

│ Error: expected "samlv2_configuration.0.logout.0.default_verification_key_id" to be a valid UUID, got
│   with fusionauth_application.FusionAuth,
│   on generated_resources.tf line 1:
│   (source code not available)

│ Error: expected "samlv2_configuration.0.logout.0.key_id" to be a valid UUID, got
│   with fusionauth_application.FusionAuth,
│   on generated_resources.tf line 1:
│   (source code not available)

│ Error: expected "samlv2_configuration.0.logout.0.single_logout.0.key_id" to be a valid UUID, got
│   with fusionauth_application.FusionAuth,
│   on generated_resources.tf line 1:
│   (source code not available)

│ Error: expected "multi_factor_configuration.0.email_template_id" to be a valid UUID, got
│   with fusionauth_application.FusionAuth,
│   on generated_resources.tf line 1:
│   (source code not available)

│ Error: expected "multi_factor_configuration.0.sms_template_id" to be a valid UUID, got
│   with fusionauth_application.FusionAuth,
│   on generated_resources.tf line 1:
│   (source code not available)

│ Error: expected "email_configuration.0.email_verification_template_id" to be a valid UUID, got
│   with fusionauth_application.FusionAuth,
│   on generated_resources.tf line 1:
│   (source code not available)

│ Error: expected "email_configuration.0.forgot_password_template_id" to be a valid UUID, got
│   with fusionauth_application.FusionAuth,
│   on generated_resources.tf line 1:
│   (source code not available)

│ Error: expected "email_configuration.0.login_new_device_template_id" to be a valid UUID, got
│   with fusionauth_application.FusionAuth,
│   on generated_resources.tf line 1:
│   (source code not available)

│ Error: expected "email_configuration.0.login_id_in_use_on_create_template_id" to be a valid UUID, got
│   with fusionauth_application.FusionAuth,
│   on generated_resources.tf line 1:
│   (source code not available)

│ Error: expected "email_configuration.0.password_update_template_id" to be a valid UUID, got
│   with fusionauth_application.FusionAuth,
│   on generated_resources.tf line 1:
│   (source code not available)

│ Error: expected "email_configuration.0.login_suspicious_template_id" to be a valid UUID, got
│   with fusionauth_application.FusionAuth,
│   on generated_resources.tf line 1:
│   (source code not available)

│ Error: expected "email_configuration.0.passwordless_email_template_id" to be a valid UUID, got
│   with fusionauth_application.FusionAuth,
│   on generated_resources.tf line 1:
│   (source code not available)

│ Error: expected "email_configuration.0.two_factor_method_remove_template_id" to be a valid UUID, got
│   with fusionauth_application.FusionAuth,
│   on generated_resources.tf line 1:
│   (source code not available)

│ Error: expected "email_configuration.0.email_update_template_id" to be a valid UUID, got
│   with fusionauth_application.FusionAuth,
│   on generated_resources.tf line 1:
│   (source code not available)

│ Error: expected "email_configuration.0.email_verified_template_id" to be a valid UUID, got
│   with fusionauth_application.FusionAuth,
│   on generated_resources.tf line 1:
│   (source code not available)

│ Error: expected "email_configuration.0.login_id_in_use_on_update_template_id" to be a valid UUID, got
│   with fusionauth_application.FusionAuth,
│   on generated_resources.tf line 1:
│   (source code not available)

│ Error: expected "email_configuration.0.password_reset_success_template_id" to be a valid UUID, got
│   with fusionauth_application.FusionAuth,
│   on generated_resources.tf line 1:
│   (source code not available)

│ Error: expected "email_configuration.0.set_password_email_template_id" to be a valid UUID, got
│   with fusionauth_application.FusionAuth,
│   on generated_resources.tf line 1:
│   (source code not available)

│ Error: expected "email_configuration.0.two_factor_method_add_template_id" to be a valid UUID, got
│   with fusionauth_application.FusionAuth,
│   on generated_resources.tf line 1:
│   (source code not available)

│ Error: expected "form_configuration.0.self_service_form_id" to be a valid UUID, got
│   with fusionauth_application.FusionAuth,
│   on generated_resources.tf line 1:
│   (source code not available)

│ Error: expected "multi_factor_configuration.0.sms.0.messenger_id" to be a valid UUID, got
│   with fusionauth_tenant.default,
│   on generated_resources.tf line 1:
│   (source code not available)

│ Error: expected "multi_factor_configuration.0.sms.0.template_id" to be a valid UUID, got
│   with fusionauth_tenant.default,
│   on generated_resources.tf line 1:
│   (source code not available)

│ Error: expected password_validation_rules.0.breach_detection.0.match_mode to be one of [High Medium Low], got
│   with fusionauth_tenant.default,
│   on generated_resources.tf line 163:
│   (source code not available)

│ Error: expected password_validation_rules.0.breach_detection.0.on_login to be one of [Off RecordOnly NotifyUser RequireChange], got
│   with fusionauth_tenant.default,
│   on generated_resources.tf line 163:
│   (source code not available)
Contributor

mooreds commented Jun 30, 2023

@Aaron-Ritter I don't understand the issue. The default tenant and client will always exist. Are you saying you want to import them into Terraform and manage them that way? Are there workarounds?

I also see Config generation is experimental in those error messages, so maybe this Terraform feature isn't fully ready yet?

@Aaron-Ritter
Author

If you want to manage the configuration through Terraform, you have to first import it, and the reproducible way of importing would be based on config rather than the CLI terraform import command, e.g. if you copy the config and run it for a new environment you'll have everything contained.

Correct, -generate-config-out= has issues with more complex configurations and is therefore experimental. I'll run the CLI import and see if that's the difference.

If not managed by Terraform you can just use the data source configuration instead (which is working) and again achieve a fully contained configuration with all components.

Author

Aaron-Ritter commented Jun 30, 2023

When running terraform import fusionauth_tenant.default "tenant-id", the imported configuration available with terraform show is equally empty for the arguments in the warning output above.

Based on the fact that the actual configuration has the SMS MFA setting disabled, my assumption is that the issue is in the provider, as it shouldn't even define these attributes, or should ignore them, as SMS MFA is disabled.

A workaround is to change the generated configuration manually, but that's not really the point of the import function.

Contributor

mooreds commented Jun 30, 2023

Sorry @Aaron-Ritter, I'm still not sure I understand the issue. Can you rephrase it, please?

Author

Aaron-Ritter commented Jul 7, 2023

@mooreds I did some further research and hope this will clarify it:

The config-driven import was only recently introduced as a concept in Terraform. The declarative import, though, is not experimental; only --generate-config-out is experimental, as it got introduced to generate complex initial configurations instead of manually defining them in the .tf files. Before this, the terraform import command was used.

In my additional tests I discovered that if I declare the import and resource section manually in my main.tf file, I won't run into the error I experienced with the generated version, because I only define what's necessary (Required).

Having said that, the underlying issue of my errors reported earlier is not related to --generate-config-out but to the fact that, when executing import, it imports configuration settings which should not be imported in the first place.

The Tenant MFA SMS example shown in the previous post is a good example to show what's happening: Defining or importing a tenant resource will always define in the terraform state the following:

resource "fusionauth_tenant" "Default" {
    multi_factor_configuration         = [
        {
            authenticator = [
                {
                    enabled = true
                },
            ]
            email         = [
                {
                    enabled     = false
                    template_id = "34e24bf4-6c6d-41a0-b8ae-9a480d24f1c9"
                },
            ]
            login_policy  = "Enabled"
            sms           = [
                {
                    enabled      = false
                    messenger_id = ""
                    template_id  = ""
                },
            ]
        },
    ]
}

This shows that despite multi_factor_configuration sms being enabled = false, it is still defining messenger_id = "" and template_id = "", which is what's actually defined in the Default tenant but not actively used, and from an attribute validation perspective clearly wrong, but ignored because sms is disabled.

Which is why, if copy-pasted into your main.tf, it is an invalid configuration and therefore produces the errors:

  • Error: expected "multi_factor_configuration.0.sms.0.messenger_id" to be a valid UUID
  • Error: expected "multi_factor_configuration.0.sms.0.template_id" to be a valid UUID

Which ultimately is not much different from what --generate-config-out is doing.

What I am not familiar with and don't know how to handle is the scenario of "importing and handling only live/used configuration" or "not validating inactive configuration" in the Terraform Provider.
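
The manual workaround discussed above (editing the generated configuration), as an added example that is not part of the original thread or of the provider's code: it collects the attribute names Terraform rejected with an empty value and drops only those `name = ""` lines from the generated file. The function names and the HCL sample are constructed for illustration, and it assumes that omitting an empty optional attribute is equivalent for the provider.

```python
import re

# Both error shapes from the plan output: quoted path (UUID) and bare path (enum),
# matched only when nothing follows "got", i.e. the rejected value was empty.
ERR_RE = re.compile(r'Error: expected "?([\w.]+?)"? to be .*, got\s*$')
EMPTY_RE = re.compile(r'^\s*(\w+)\s*=\s*""\s*$')  # HCL line of the form: name = ""

def failing_leaves(plan_output):
    """Return the leaf attribute names that failed validation with an empty value."""
    hits = (ERR_RE.search(line) for line in plan_output.splitlines())
    return {m.group(1).rsplit(".", 1)[-1] for m in hits if m}

def strip_empty(generated_hcl, leaves):
    """Drop `leaf = ""` lines for the given leaves; return (new_text, removed)."""
    kept, removed = [], []
    for line in generated_hcl.splitlines():
        m = EMPTY_RE.match(line)
        if m and m.group(1) in leaves:
            removed.append(m.group(1))  # empty value on a rejected attribute
        else:
            kept.append(line)           # populated values are never touched
    return "\n".join(kept) + "\n", removed

# Error lines copied from the issue; the HCL below is constructed sample input.
PLAN_OUTPUT = '''\
│ Error: expected "multi_factor_configuration.0.sms.0.messenger_id" to be a valid UUID, got
│ Error: expected "multi_factor_configuration.0.sms.0.template_id" to be a valid UUID, got
│ Error: expected password_validation_rules.0.breach_detection.0.match_mode to be one of [High Medium Low], got
'''
GENERATED = '''\
resource "fusionauth_tenant" "default" {
  multi_factor_configuration {
    email {
      enabled     = false
      template_id = "34e24bf4-6c6d-41a0-b8ae-9a480d24f1c9"
    }
    sms {
      enabled      = false
      messenger_id = ""
      template_id  = ""
    }
  }
}
'''

if __name__ == "__main__":
    cleaned, removed = strip_empty(GENERATED, failing_leaves(PLAN_OUTPUT))
    print(cleaned, "removed:", removed)
```

Matching is by leaf name rather than full block path, so review the list of removed names before running terraform plan again.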

Contributor

mooreds commented Jul 7, 2023

@Aaron-Ritter can you spend maybe 6 hours taking a look at this and seeing if you can see an easy fix, whether to the golang FusionAuth client or to the terraform provider? Feel free to share any findings, up to and including a PR. If there's no easy fix, well then we have this bug description for the future.

FYI, this pattern of data showing when an overriding option is disabled is very common as we like to save configuration once entered.
