Adopt import-only resources

[sidekick-eimantas]

Current Terraform and Cloudflare provider version

4.17.0

Description

Just setting up a cf deployment for the first time and some of the resources like cloudflare_access_organization that are import only are a bit of a PITA to deal with. It would be great if this provider could adopt the resources in question at apply time so import is not required.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_proxy_default_target_group for example

Use cases

Easier to set up initial cf deployment

Potential Terraform configuration

...

References

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_proxy_default_target_group
https://registry.terraform.io/providers/hashicorp/aws/3.9.0/docs/resources/default_network_acl
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[jacobbednarz]

thanks for the issue! unfortunately, this isn't something we're interested in replicating or solving in the provider design itself. as an alternative, you can use cf-terraforming or manually import the resources using the inbuilt primitives.

[sidekick-eimantas]

That's a very interesting reply from a vendor trying to sell their services. I would have expected that this would be left up, to gauge customer interest in the feature before making a decision.
Has this already been discussed somewhere else before?

[jacobbednarz]

interesting in what way? it has nothing to do with selling services or gauging interest. the pattern used by those "import only" resources is not something that exists in Cloudflare so there is no reason why we would replicate it or include it as part of the provider.

all resources in the provider can be edited and maintained (including access organizations), unlike your AWS examples. it is up to the user to determine which resources they manage and by which integration.

if you want to get the state of resources that were created automatically on your behalf (such as access organization), you can either manually import the resource with the default configuration from the API or use cf-terraforming to do it for you.

[sidekick-eimantas]

The reason the AWS provider adopts some of the resources is because they're pre-created by default by AWS. They're not import-only - they're pre-created but the expectation is for the consumer to manage them. Which makes it inconvenient to manage them in IAC, hence the adoption pattern. My understanding is that Cloudflare likewise pre-creates some resources, such as the cloudflare_access_organization, when a customer signs up.

Ofcourse, we can manually import the resources or use cf-terraforming (which is great btw, more companies should provide such tools), but this provider adopting them would provide much higher QOL than the alternative.