Skip to content

query: validate identity did not change when schema version does not change #37716

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

query: validate identity did not change when schema version does not change #37716

wants to merge 2 commits into from
+96 −21

Conversation

dsa0x
Copy link
Member

@dsa0x dsa0x commented Oct 2, 2025
edited
Loading

This adds a validation for the resource identity, checking that the identity must not change during the PlanResourceChange, ReadResource, and ApplyResourceChange RPCs. Any change to the identity should be within the UpgradeResourceIdentity RPC, which always precedes the aforementioned ones.

Target Release

1.15.x

Rollback Plan

  • If a change needs to be reverted, we will roll out an update to the code within 7 days.

Changes to Security Controls

Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.

CHANGELOG entry

  • This change is user-facing and I added a changelog entry.
  • This change is not user-facing.

@dsa0x dsa0x added the no-changelog-needed Add this to your PR if the change does not require a changelog entry label Oct 2, 2025
@dsa0x dsa0x changed the title query: validate identity change when schema does not query: validate identity did not change when schema version does not change Oct 2, 2025
@dsa0x dsa0x marked this pull request as ready for review October 2, 2025 13:08
@dsa0x dsa0x requested a review from a team as a code owner October 2, 2025 13:08
@dbanck
Copy link
Member

dbanck commented Oct 6, 2025

It feels like we're reintroducing something that we explicitly removed in #36989. Are all provider authors onboard? I'm being extra cautious here since there have been multiple incidents related to resource identity validation.

@dsa0x
Copy link
Member Author

dsa0x commented Oct 6, 2025

Are all provider authors onboard?

No. I started an internal discussion on this last week, and would move this back to draft.

@dsa0x dsa0x marked this pull request as draft October 6, 2025 15:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
no-changelog-needed Add this to your PR if the change does not require a changelog entry
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dsa0x @dbanck