Description
When jamfpro_webhook is configured with a smart-group event and smart_group_id is sourced from another resource being created in the same apply (e.g. a jamfpro_smart_computer_group_v2.this.id reference), plan fails with:
Error: in 'jamfpro_webhook.': when 'event' is set to 'SmartGroupComputerMembershipChange', 'smart_group_id' must be provided and must be a valid non-zero integer
The smart group is correctly ordered before the webhook in the dependency graph, but the validator runs at plan time and the smart group's .id is (known after apply) at that point — diff.GetOk("smart_group_id") returns 0 / false, which the validator can't distinguish from "user forgot to set the field."
This makes it impossible to provision the smart group and the webhook in the same apply, which is the natural pattern for any module that creates both resources together.
Steps to Reproduce
resource "jamfpro_smart_computer_group_v2" "unassigned" {
name = "Devices Without Foo"
criteria {
name = "Foo"
search_type = "is"
value = ""
}
}
resource "jamfpro_webhook" "on_membership_change" {
name = "Foo - Membership Change"
enabled = true
url = "https://example.com/webhook"
content_type = "application/json"
event = "SmartGroupComputerMembershipChange"
smart_group_id = jamfpro_smart_computer_group_v2.unassigned.id
}terraform apply fails at plan with the validator error.
Expected Behavior
Plan succeeds. The smart_group_id value is checked at apply time once the smart group has been created and the value is known.
Actual Behavior
Plan fails because validateSmartGroupIDRequirement rejects unknown values as if they were unset.
Environment
- Terraform Version: 1.9.0
- Provider Version: 0.37.0
- Terragrunt Version: 0.67.16
Possible Solution
In internal/services/webhook/resource_custom_diff.go, defer validation when the value is going to be computed. The Plugin SDK exposes schema.ResourceDiff.NewValueKnown(key string) bool for exactly this case — return early when the value isn't known yet so the validator only runs when it can give an accurate verdict:
for _, reqEvent := range requiredEvents {
if event.(string) == reqEvent {
// Skip validation when the value is going to be computed at apply time.
if !diff.NewValueKnown("smart_group_id") {
break
}
smartGroupID, smartGroupIDOk := diff.GetOk("smart_group_id")
if !smartGroupIDOk || smartGroupID == 0 {
return fmt.Errorf(...)
}
break
}
}The same pattern likely applies to the validateAuthenticationRequirements checks for username / password if those are ever sourced from other resources, but smart_group_id is the practical blocker today.
PR with this fix to follow.
Description
When
jamfpro_webhookis configured with a smart-group event andsmart_group_idis sourced from another resource being created in the same apply (e.g. ajamfpro_smart_computer_group_v2.this.idreference), plan fails with:The smart group is correctly ordered before the webhook in the dependency graph, but the validator runs at plan time and the smart group's
.idis(known after apply)at that point —diff.GetOk("smart_group_id")returns0/false, which the validator can't distinguish from "user forgot to set the field."This makes it impossible to provision the smart group and the webhook in the same apply, which is the natural pattern for any module that creates both resources together.
Steps to Reproduce
terraform applyfails at plan with the validator error.Expected Behavior
Plan succeeds. The
smart_group_idvalue is checked at apply time once the smart group has been created and the value is known.Actual Behavior
Plan fails because
validateSmartGroupIDRequirementrejects unknown values as if they were unset.Environment
Possible Solution
In
internal/services/webhook/resource_custom_diff.go, defer validation when the value is going to be computed. The Plugin SDK exposesschema.ResourceDiff.NewValueKnown(key string) boolfor exactly this case — return early when the value isn't known yet so the validator only runs when it can give an accurate verdict:The same pattern likely applies to the
validateAuthenticationRequirementschecks forusername/passwordif those are ever sourced from other resources, butsmart_group_idis the practical blocker today.PR with this fix to follow.