Fix API Gateway v1 external name oscillation causing perpetual delete/recreate

aditmeno · erhancagirici · commit b8b1ff8d4f65 · 2026-03-13T14:51:05.000+03:00
The 7 API Gateway v1 resources using FormattedIdentifierFromProvider("/", ...) had a mismatch between GetExternalNameFn (which reads tfstate["id"]) and GetIDFn (which joins parameters with "/"). The Terraform AWS provider stores internal IDs in a different format (prefixed, dash-separated) than the import format (slash-separated), causing the external-name annotation to change every reconciliation and triggering perpetual delete/recreate cycles and AWS 429 throttling. Fixes: #1974 Signed-off-by: Aditya Menon <amenon@canarytechnologies.com>
diff --git a/config/externalname.go b/config/externalname.go
@@ -272,17 +272,17 @@ var TerraformPluginSDKExternalNameConfigs = map[string]config.ExternalName{
 	// API Gateway domain names can be imported using their name
 	"aws_api_gateway_domain_name": config.IdentifierFromProvider,
 	// aws_api_gateway_gateway_response can be imported using REST-API-ID/RESPONSE-TYPE
-	"aws_api_gateway_gateway_response": FormattedIdentifierFromProvider("/", "rest_api_id", "response_type"),
+	"aws_api_gateway_gateway_response": apiGatewayFormattedIdentifier("aggr", "rest_api_id", "response_type"),
 	// aws_api_gateway_integration can be imported using REST-API-ID/RESOURCE-ID/HTTP-METHOD
-	"aws_api_gateway_integration": FormattedIdentifierFromProvider("/", "rest_api_id", "resource_id", "http_method"),
+	"aws_api_gateway_integration": apiGatewayFormattedIdentifier("agi", "rest_api_id", "resource_id", "http_method"),
 	// aws_api_gateway_integration_response can be imported using REST-API-ID/RESOURCE-ID/HTTP-METHOD/STATUS-CODE
-	"aws_api_gateway_integration_response": FormattedIdentifierFromProvider("/", "rest_api_id", "resource_id", "http_method", "status_code"),
+	"aws_api_gateway_integration_response": apiGatewayFormattedIdentifier("agir", "rest_api_id", "resource_id", "http_method", "status_code"),
 	// aws_api_gateway_method can be imported using REST-API-ID/RESOURCE-ID/HTTP-METHOD
-	"aws_api_gateway_method": FormattedIdentifierFromProvider("/", "rest_api_id", "resource_id", "http_method"),
+	"aws_api_gateway_method": apiGatewayFormattedIdentifier("agm", "rest_api_id", "resource_id", "http_method"),
 	// aws_api_gateway_method_response can be imported using REST-API-ID/RESOURCE-ID/HTTP-METHOD/STATUS-CODE
-	"aws_api_gateway_method_response": FormattedIdentifierFromProvider("/", "rest_api_id", "resource_id", "http_method", "status_code"),
+	"aws_api_gateway_method_response": apiGatewayFormattedIdentifier("agmr", "rest_api_id", "resource_id", "http_method", "status_code"),
 	// aws_api_gateway_method_settings can be imported using REST-API-ID/STAGE-NAME/METHOD-PATH
-	"aws_api_gateway_method_settings": FormattedIdentifierFromProvider("/", "rest_api_id", "stage_name", "method_path"),
+	"aws_api_gateway_method_settings": apiGatewayFormattedIdentifier("", "rest_api_id", "stage_name", "method_path"),
 	// aws_api_gateway_model can be imported using REST-API-ID/NAME
 	"aws_api_gateway_model": config.IdentifierFromProvider,
 	// aws_api_gateway_request_validator can be imported using REST-API-ID/REQUEST-VALIDATOR-ID
@@ -294,7 +294,7 @@ var TerraformPluginSDKExternalNameConfigs = map[string]config.ExternalName{
 	// aws_api_gateway_rest_api_policy can be imported by using the REST API ID
 	"aws_api_gateway_rest_api_policy": FormattedIdentifierFromProvider("", "rest_api_id"),
 	// aws_api_gateway_stage can be imported using REST-API-ID/STAGE-NAME
-	"aws_api_gateway_stage": FormattedIdentifierFromProvider("/", "rest_api_id", "stage_name"),
+	"aws_api_gateway_stage": apiGatewayFormattedIdentifier("ags", "rest_api_id", "stage_name"),
 	// AWS API Gateway Usage Plan can be imported using the id
 	"aws_api_gateway_usage_plan": config.IdentifierFromProvider,
 	// AWS API Gateway Usage Plan Key can be imported using the USAGE-PLAN-ID/USAGE-PLAN-KEY-ID
@@ -3376,6 +3376,59 @@ func apiGatewayAccount() config.ExternalName {
 	return e
 }
 
+// apiGatewayFormattedIdentifier constructs external name configs for API Gateway
+// v1 resources where the Terraform internal ID format (tfstate["id"]) differs
+// from the import format. The internal format uses a prefix and dash separators
+// (e.g., "agm-{restApiId}-{resourceId}-{httpMethod}") while the import format
+// uses slash separators (e.g., "{restApiId}/{resourceId}/{httpMethod}").
+// This function ensures GetExternalNameFn and GetIDFn produce consistent values
+// to prevent external name oscillation. Pass an empty prefix for resources
+// like method_settings that have no prefix.
+func apiGatewayFormattedIdentifier(prefix string, keys ...string) config.ExternalName {
+	e := config.IdentifierFromProvider
+	e.GetExternalNameFn = func(tfstate map[string]interface{}) (string, error) {
+		id, ok := tfstate["id"]
+		if !ok {
+			return "", errors.New("id not found in tfstate")
+		}
+		idStr, ok := id.(string)
+		if !ok {
+			return "", errors.New("id is not a string")
+		}
+		// Strip the prefix (e.g., "agm-") if present
+		if prefix != "" {
+			idStr = strings.TrimPrefix(idStr, prefix+"-")
+		}
+		// Split into exactly len(keys) parts so the last component
+		// preserves any dashes it may contain (e.g., method_path)
+		parts := strings.SplitN(idStr, "-", len(keys))
+		if len(parts) != len(keys) {
+			return "", errors.Errorf("unexpected id format for %s: %s", prefix, id)
+		}
+		return strings.Join(parts, "/"), nil
+	}
+	e.GetIDFn = func(_ context.Context, _ string, parameters map[string]interface{}, _ map[string]interface{}) (string, error) {
+		vals := make([]string, len(keys))
+		for i, key := range keys {
+			val, ok := parameters[key]
+			if !ok {
+				return "", errors.Errorf("%s cannot be empty", key)
+			}
+			s, ok := val.(string)
+			if !ok {
+				return "", errors.Errorf("%s needs to be string", key)
+			}
+			vals[i] = s
+		}
+		id := strings.Join(vals, "-")
+		if prefix != "" {
+			return prefix + "-" + id, nil
+		}
+		return id, nil
+	}
+	return e
+}
+
 // fullARNTemplate builds a templated string for constructing a terraform id component which is an ARN, which includes
 // the aws partition, service, region, account id, and resource. This is by far the most common form of ARN.
 // e.g. arn:aws:ec2:ap-south-1:123456789012:instance/i-1234567890ab
