opsgenie / terraform-provider-opsgenie

Terraform OpsGenie provider
https://registry.terraform.io/providers/opsgenie/opsgenie/latest/docs
Mozilla Public License 2.0

changing team ids on integrations does not change anything in opsgenie #337

Closed faust64 closed 10 months ago

faust64 commented 2 years ago

Terraform Version

Terraform v1.2.7
on linux_amd64
+ provider registry.terraform.io/community-terraform-providers/ignition v2.1.3
+ provider registry.terraform.io/hashicorp/aws v4.33.0
+ provider registry.terraform.io/hashicorp/cloudinit v2.2.0
+ provider registry.terraform.io/hashicorp/external v2.2.2
+ provider registry.terraform.io/hashicorp/local v2.2.3
+ provider registry.terraform.io/hashicorp/null v3.1.1
+ provider registry.terraform.io/hashicorp/random v3.4.3
+ provider registry.terraform.io/hashicorp/time v0.8.0
+ provider registry.terraform.io/hashicorp/tls v4.0.3
+ provider registry.terraform.io/integrations/github v4.31.0
+ provider registry.terraform.io/opsgenie/opsgenie v0.6.15

Affected Resource(s)

Terraform Configuration Files

data "opsgenie_team" "my-team" {
  name = "My Team Name"
}

resource "opsgenie_api_integration" "opsgenie-securityhub" {
  name                           = "Amazon SecurityHub ${var.platform.meta_region}"
  type                           = "AmazonSecurityHub"
  enabled                        = true
  ignore_responders_from_payload = false
  suppress_notifications         = false
  owner_team_id                  = data.opsgenie_team.my-team.id
}

resource "opsgenie_api_integration" "opsgenie-cloudwatch" {
  name                           = "Amazon CloudWatch ${var.platform.meta_region}"
  type                           = "CloudWatchEvents"
  enabled                        = true
  ignore_responders_from_payload = false
  suppress_notifications         = false
  owner_team_id                  = data.opsgenie_team.my-team.id
}

resource "opsgenie_integration_action" "securityhub-action" {
  integration_id = opsgenie_api_integration.opsgenie-securityhub.id

  create {
    message                        = "[Amazon Security Hub - aws-eu-central-1-prod] {{title}}"
    name                           = "Amazon Security Hub -  aws-eu-central-1-prod"
    note                           = "{{note}}"
    source                         = "AmazonSecurityHub"
    tags                           = ["AmazonSecurityHub", "aws-eu-central-1-prod"]
    user                           = "AmazonSecurityHub"
    filter {
      type = "match-all"
    }
    responders {
      id   = data.opsgenie_team.my-team.id
      type = "team"
    }
  }
}

Debug Output

  # module.account_hardening.module.opsgenie_cloudwatch_integration.opsgenie_integration_action.cloudwatch-action will be updated in-place
  ~ resource "opsgenie_integration_action" "cloudwatch-action" {
        id             = "55159bae-6438-4042-a9c4-f88cec1d4bc5"
        # (1 unchanged attribute hidden)

      ~ create {
            name                                 = "Amazon CloudWatch - aws-eu-central-1-prod"
            tags                                 = [
                "AmazonCloudWatch",
                "aws-eu-central-1-prod",
            ]
            # (18 unchanged attributes hidden)

          ~ responders {
              ~ id   = "aaa" -> "bbb"
                # (1 unchanged attribute hidden)
            }

            # (1 unchanged block hidden)
        }
    }

  # module.account_hardening.module.opsgenie_securityhub_integration[0].opsgenie_api_integration.opsgenie-securityhub will be updated in-place
  ~ resource "opsgenie_api_integration" "opsgenie-securityhub" {
        id                             = "7391854f-37b8-4470-aaec-f5651bccf300"
        name                           = "Amazon SecurityHub aws-eu-central-1-prod"
      ~ owner_team_id                  = "aaa" -> "bbb"
        # (6 unchanged attributes hidden)
    }

  # module.account_hardening.module.opsgenie_securityhub_integration[0].opsgenie_integration_action.securityhub-action will be updated in-place
  ~ resource "opsgenie_integration_action" "securityhub-action" {
        id             = "7391854f-37b8-4470-aaec-f5651bccf300"
        # (1 unchanged attribute hidden)

      ~ create {
            name                                 = "Amazon Security Hub - aws-eu-central-1-prod"
            tags                                 = [
                "AmazonSecurityHub",
                "aws-eu-central-1-prod",
            ]
            # (18 unchanged attributes hidden)

          ~ responders {
              ~ id   = "aaa" -> "bbb"
                # (1 unchanged attribute hidden)
            }

            # (1 unchanged block hidden)
        }
    }

Panic Output

N/A

Expected Behavior

After applying such a plan, switching responder team from my integration, next plan should show no diff

Actual Behavior

After applying that plan, next plan still shows the exact same diff. In opsgenie, I can confirm my integration still uses the previous responder team. I suspect tainting the object would do. Although if we need to re-create, I would expect provider to do so without taints.

Steps to Reproduce

  1. terraform plan / terraform apply
  2. change the responder team
  3. terraform plan / terraform apply
  4. check next terraform plan: there should be no diff

Important Factoids

N/A

References

not that I know of

PrayagS commented 1 year ago

+1. We had an integration whose owner team ID changed in TF but it doesn't reflect on OpsGenie. The integration is still part of the old team.

PrayagS commented 1 year ago

This function is deliberately not updating the team field. Is it not supported by the OpsGenie API? https://github.com/opsgenie/terraform-provider-opsgenie/blob/93fbf594ffcb9b18fa20dcefefe3f4b46f1d69f4/opsgenie/resource_opsgenie_api_integration.go#L264

For now, I'm passing in -replace to force TF to recreate the integration.

PrayagS commented 1 year ago

It seems like a limitation from the API: https://docs.opsgenie.com/docs/integration-api#update-integration

faust64 commented 1 year ago

Indeed. Well, if opsgenie docs say one thing, while their provider does another: for sure that's a bug.

When some configuration for an object can't be updated by aws or azure provider (e.g. changing zone/AZ attributes), terraform plan would show object should be re-created. Would be nice to have a similar logic implemented in opsgenie provider.

Although for sure, we can replace, taint, ... it's not blocking, critical, ... I'm already thankful I found out about that provider, while we used to configure opsgenie integrations manually not long ago ... Kudos to the maintainers

PrayagS commented 1 year ago

> Although for sure, we can replace, taint, ... it's not blocking, critical, ... I'm already thankful I found out about that provider, while we used to configure opsgenie integrations manually not long ago ... Kudos to the maintainers

+1. It shouldn't be a big change to fix the provider's behavior in this case. Let me look around.

If the maintainers can help out and poke me in the right direction, that would be great as well. TIA.

PrayagS commented 1 year ago

https://github.com/opsgenie/terraform-provider-opsgenie/blob/93fbf594ffcb9b18fa20dcefefe3f4b46f1d69f4/opsgenie/resource_opsgenie_api_integration.go#L51-L54

Setting ForceNew (https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-behaviors#forcenew) to true for the team ID field should do the trick as far as I think.

PrayagS commented 1 year ago

There is already a 2-year-old PR on this: https://github.com/opsgenie/terraform-provider-opsgenie/pull/146

venky-hubgit commented 1 year ago

It would be preferable to change the team name in the integration resource without force recreating it, as this would change the API key and break the existing integrations. I have manually changed the team name in Opsgenie, so I believe it is possible to do so.

koushik-swaminathan commented 1 year ago

@PrayagS I was able to change the responder team in the integrations without any issues and I can see that it gets reflected on the UI as well. Can you confirm if you're still facing the issue? I'm using v0.6.26

PrayagS commented 1 year ago

@koushik-swaminathan Hey, we no longer use this provider so I can't really help with that as of now.

venky-hubgit commented 11 months ago

I can confirm it's fixed now in v0.6.26.

faust64 commented 10 months ago

same here, thanks!
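
A pre-apply check for the two outcomes discussed in this thread, written as an added example (not code from the provider or from any commenter): it reads plan JSON in the shape produced by `terraform show -json` and flags in-place team changes on Opsgenie integrations, which on v0.6.15 left the old team in place, and replacements, which a commenter notes change the integration's API key. The sample plan is constructed to mirror the diff in the issue; the function names and finding strings are assumptions of this example.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>`,
# mirroring the plan in this issue (team ids "aaa" -> "bbb").
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "opsgenie_api_integration.opsgenie-securityhub",
   "type": "opsgenie_api_integration",
   "change": {"actions": ["update"],
              "before": {"owner_team_id": "aaa"},
              "after":  {"owner_team_id": "bbb"}}},
  {"address": "opsgenie_integration_action.securityhub-action",
   "type": "opsgenie_integration_action",
   "change": {"actions": ["update"],
              "before": {"create": [{"responders": [{"id": "aaa", "type": "team"}]}]},
              "after":  {"create": [{"responders": [{"id": "bbb", "type": "team"}]}]}}},
  {"address": "opsgenie_api_integration.opsgenie-cloudwatch",
   "type": "opsgenie_api_integration",
   "change": {"actions": ["delete", "create"],
              "before": {"owner_team_id": "aaa"},
              "after":  {"owner_team_id": "bbb"}}}
]}
""")

def responder_ids(state):
    """Collect responder ids from every create block of an integration action."""
    return {r.get("id") for block in (state or {}).get("create") or []
            for r in block.get("responders") or []}

def audit_plan(plan):
    """Return (address, finding) pairs for alert re-routing found in a plan."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        actions = change["actions"]
        before, after = change.get("before") or {}, change.get("after") or {}
        if rc["type"] == "opsgenie_api_integration":
            moved = before.get("owner_team_id") != after.get("owner_team_id")
            if moved and actions == ["update"]:
                findings.append((rc["address"], "in-place owner team change: confirm in Opsgenie after apply"))
            elif "delete" in actions and "create" in actions:
                findings.append((rc["address"], "replacement: integration API key will change"))
        elif rc["type"] == "opsgenie_integration_action" and actions == ["update"]:
            if responder_ids(before) != responder_ids(after):
                findings.append((rc["address"], "in-place responder change: confirm in Opsgenie after apply"))
    return findings

if __name__ == "__main__":
    for address, finding in audit_plan(SAMPLE_PLAN):
        print(f"{address}: {finding}")
```

If the same in-place finding appears again on the plan that follows an apply, the change did not reach Opsgenie, which is the behaviour reported above.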