Terraform Apply should output machine readable resource id in case of collision

[cveld]

Terraform Version

Terraform v1.3.3 on windows_amd64

Use Cases

I would like to have an automated, interactive import tool for existing resources.

Attempted Solutions

terraform apply -json outputs the following:

{
  "@level": "error",
  "@message": "Error: A resource with the ID \"https://myvault.vault.azure.net/secrets/mysecret/21d7a053a26441bd80e25a1787e57d4f\" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for \"azurerm_key_vault_secret\" for more information.",
  "@module": "terraform.ui",
  "@timestamp": "2022-11-09T14:11:16.203583+01:00",
  "diagnostic": {
    "severity": "error",
    "summary": "A resource with the ID \"https://myvault.vault.azure.net/secrets/mysecret/21d7a053a26441bd80e25a1787e57d4f\" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for \"azurerm_key_vault_secret\" for more information.",
    "detail": "",
    "address": "module.Infrastructure.module.library.module.logicapp[\"email\"].azurerm_key_vault_secret.url",
    "range": {
      "filename": "..\\..\\..\\Solutions\\library\\Modules\\azure-logicapp\\v1.0.0\\Main.tf",
      "start": {
        "line": 69,
        "column": 43,
        "byte": 2650
      },
      "end": {
        "line": 69,
        "column": 44,
        "byte": 2651
      }
    },
    "snippet": {
      "context": "resource \"azurerm_key_vault_secret\" \"url\"",
      "code": "resource \"azurerm_key_vault_secret\" \"url\" {",
      "start_line": 69,
      "highlight_start_offset": 42,
      "highlight_end_offset": 43,
      "values": [

      ]
    }
  },
  "type": "diagnostic"
}

The address can be easily parsed, but the target id must be extracted from the error message that is thrown by the provider.

Proposal

The provider should be able to report the target id via a structured way so that terraform apply can report this id. Automated tooling can then process this data easily.

Additionally, terraform apply could potentially provide an interactive shell with which you can quickly import any collision that is detected.

References

No response

[apparentlymart]

Thanks for this feature request, @cveld.

The error message you showed here seems to have been generated by the hashicorp/azurerm provider rather than by Terraform Core, so the text here is entirely under the provider's control, and Terraform Core is in exactly the same position as you of not being able to extract a machine-readable ID from this message.

Therefore I think this request suggests a change to the provider plugin protocol for the PlanResourceChange and ApplyResourceChange RPC requests to allow providers to return certain kinds of machine-readable "fix it hints" alongside any error messages, which Terraform Core could then react to either by presenting some extra UI of its own (when running in human-readable mode) or export that data via the JSON streaming output you are consuming here.

I think a trick here will be to avoid fixing in the wire protocol something that might block future improvements to Terraform's import mechanisms. terraform import is currently explicitly excluded from the v1.x Compatibility Promises because we know its design is very limited and will probably need to change in breaking ways to achieve a more robust import process; adding new features to the provider protocol which assume the current import model might undermine those efforts. I think we'll need to revisit any historical notes about the plans for import to see if there are any design hazards we'd need to keep in mind while developing this.

Thanks again!