Hello, i am setting up FusionAuth system configuration and have issue with cors_configuration. basically my config looks like this:

resource "fusionauth_system_configuration" "system" {
  audit_log_configuration {
    delete {
      enabled                  = var.fusionauth_system_audit_log_delete_enabled
      number_of_days_to_retain = var.fusionauth_system_audit_log_number_of_days_to_retain # 90
    }
  }
  cors_configuration {
    allowed_methods              = var.fusionauth_system_cors_enabled ? var.fusionauth_system_cors_allowed_methods : []
    allow_credentials            = var.fusionauth_system_cors_enabled ? var.fusionauth_system_cors_allow_credentials : false
    allowed_headers              = var.fusionauth_system_cors_enabled ? var.fusionauth_system_cors_allowed_headers : []
    allowed_origins              = var.fusionauth_system_cors_enabled ? var.fusionauth_system_cors_allowed_origins : []
    exposed_headers              = var.fusionauth_system_cors_enabled ? var.fusionauth_system_cors_exposed_headers : []
    preflight_max_age_in_seconds = var.fusionauth_system_cors_enabled ? var.fusionauth_system_cors_preflight_max_age_in_seconds : 0
    enabled                      = false# var.fusionauth_system_cors_enabled # disable by default
  }
}

but setting enabled flag to false has no effect on instance, its always set to true and cors are enabled because of that, did anyone encounter such an issue with it?

FusionAuth terraform provider version v0.1.72

When deploying an updated theme using terraform-provider-fusionauth, the following error occurs:

An argument named “account_delete_webauthn_passkey” is not expected here.

and other errors for missing WebAuthn related template files.

terraform-provider-fusionauth version: 0.1.54

terraform provider --> https://github.com/gpsinsight/terraform-provider-fusionauth

complete log with errors --> https://gist.github.com/chimericdream/f00180e066c99285994ee9f660d4d387

Additionally, the terraform plugin may required an update to support themes for versions 1.40.x. found here terraform-provider-fusionauth/fusionauth/resource_fusionauth_themes.go line 8
"github.com/hashicorp/terraform-plugin-sdk/v2/diag"

Hey, thanks for the terraform modules, it really makes my life easier :). Thought I'll post an issue I had with it...:

This is the entity I'm trying to modify:

resource "fusionauth_entity" "backend-application" {
  for_each = {for record in local.backend_applications : record.app_name => record}

  tenant_id      = fusionauth_tenant.main.id
  entity_type_id = fusionauth_entity_type.api.id
  name           = "${each.key} (${var.environment})"
}

I accidentally created them with entity_type "api" and wanted to change it to "backend-application", like so:

resource "fusionauth_entity" "backend-application" {
  for_each = {for record in local.backend_applications : record.app_name => record}

  tenant_id      = fusionauth_tenant.main.id
  entity_type_id = fusionauth_entity_type.backend-application.id
  name           = "${each.key} (${var.environment})"
}

This is the error message I get: │ Error: unexpected status code: 400(Bad Request) Errors: A Tenant Id is required to complete this request. To complete this request, you may assign a Tenant to your API key, or add the X-FusionAuth-TenantId HTTP request header with the Tenant Id.

I am using a generic API key.

I expected the object to be either modified or recreated; especially since I provided a tenant_id in the entity itself.

This provider generally works well for me and is incredibly useful, however initially I encountered a small error which was non-obvious to debug:

If the API key used does not have the necessary endpoint permissions, the error presented does not explain the problem, e.g:

resource "fusionauth_lambda" "example" {
  name    = "example"
  type    = "SAMLv2Populate"
  enabled = true
  body    = <<EOT-
  function populate(samlResponse, user, registration) {
    console.log("testing");
  }
  EOT
}

Results in:

Error: CreateLambda err: EOF

  on fusionauth.tf line 1, in resource "fusionauth_lambda" "example":
   1: resource "fusionauth_lambda" "example" {

A descriptive error message in this and similar cases would be really useful.

I'd happily submit a PR, but I'm not at all familiar with go

SAML is still cool!

PR to follow

Unless I'm mistaken there is a gap in functionality around group membership. Having looked at the state of the api around this I assume this is because its problematic.

There are at least three api methods for doing this but as far as I can tell none are yet implemented. They also have issues

• User -
  https://fusionauth.io/docs/v1/tech/apis/users#create-a-user - memberships is not supported for PUT
• Registration - https://fusionauth.io/docs/v1/tech/apis/registrations#create-a-user-and-registration-combined - not documented, works for a POST, probably suffers from the same issue around PUT
• Group - https://fusionauth.io/docs/v1/tech/apis/groups#add-users-to-a-group - probably the best way to add and remove.

Sadly you can't just list a group https://fusionauth.io/community/forum/topic/183/is-there-a-way-to-get-all-the-members-of-a-particular-group.

It kinda seems like this is impossible to do "terraform style" from the group perspective if you aren't running elastic search (we aren't).

So the best route is via the user block. There is some ugliness as any user group changes need to decomposed into calls to the group /api/group/member end point.

Thanks for the provider btw, this has saved me a lot of scripting!

The fusionauth_registration resource enforces that authentication_token is a UUID, but this is not a requirement of the fusionauth API. For reference, see the Fusionauth Registration API, in particular, the response JSON and this discussion that a 43 character random string provides 256bits of entropy for the authentication token.

Please allow string authentication tokens, not just UUIDs. UUIDS are within the requirements of the authentication_token option so the API works, but the generated tokens are unnecessarily limited in length and entropy.

Rerouting this from fusionauth-issues: FusionAuth/fusionauth-issues#1482
Seems to have a good repro.

Provider v.0.1.64

Steps to reproduce:

Create some number of fusionauth apps in TF (here, in a module):

resource "fusionauth_application" "app" {
  name = "${var.name}"
  
  tenant_id = var.tenant.tenant.tenant_id

  oauth_configuration {
    client_secret           = random_password.client_secret.result
    authorized_redirect_urls = [
       ...
    ]
    generate_refresh_tokens = true
    logout_behavior = "RedirectOnly"
    enabled_grants = [
      "authorization_code",
      "refresh_token"
    ]


  login_configuration {
    allow_token_refresh     = false
    generate_refresh_tokens = false
    require_authentication  = true
  }
}

terraform apply # creates all apps correctly

terraform apply -target module.app1.fusionauth_app.app # no changes, correct.
terraform apply -target module.app1.fusionauth_app.app -target module.app2.fusionauth_app.app # produces inconsistent results. Usually it seeks to recreate the app already in state, but not for all apps.

terraform state rm and import of problem apps fix that app, but other apps then exhibit the issue.

Please could this be added?

It would be particularly useful for configuring identity providers like fusionauth_idp_google where we may want to specify the ID of a default reconcile lambda (e.g. "Default Google Reconcile provided by FusionAuth"), but don't know its ID in advance without looking it up manually.

Debug Information

• Platform: Windows 10 (64-bit)
• Terraform Version: v1.0.5

Issue

Hello!

Currently, when pushing in user data the type is set to schema.TypeMap which converts to a map[string]interface{} but when attempting to push up user data with an array of values it complains that it needs to be of type map[string]string.

For example:

resource "fusionauth_user" "john_smith" {
  tenant_id               = data.fusionauth_tenant.default.id
  email                   = "[email protected]"
  first_name              = "John"
  last_name               = "Smith"
  send_set_password_email = true
  data = {
    stringTest : "3f9294e9-cfb1-4fe0-b516-58cfc70dc116"
    integerTest : 1 // note: as it stands, integers implicitly get converted to strings via Terraform
    arrayTest : ["item1", "item2"]
  }
  username_status = "ACTIVE"
}

Returns Terraform error:

│ Error: Incorrect attribute value type
│
│   on fusionauth_users.tf line 7, in resource "fusionauth_user" "john_smith":
│    7:   data = {
│    8:     stringTest : "3f9294e9-cfb1-4fe0-b516-58cfc70dc116"
│    9:     integerTest : 1
│   10:     arrayTest : ["item1", "item2"]
│   11:   }
│
│ Inappropriate value for attribute "data": element "arrayTest": string required.

Unless there is a "JSON object" type that doesn't require a schema in terraform that I don't know about...

I'm wondering if it might be a good idea to take a similar approach to the AWS provider and change the expected type to a JSON string. Using jsonencode we can still keep the Terraform HCL goodness and it will also keep config migration simple.

The above example would become:

resource "fusionauth_user" "john_smith" {
  tenant_id               = data.fusionauth_tenant.default.id
  email                   = "[email protected]"
  first_name              = "John"
  last_name               = "Smith"
  send_set_password_email = true
- data = {
+ data = jsonencode({ 
    stringTest : "3f9294e9-cfb1-4fe0-b516-58cfc70dc116"
    integerTest : 1
    arrayTest : ["item1", "item2"]
- }
+ })
  username_status = "ACTIVE"
}

I am happy to submit PRs for this 😃

Typo in doc header:

https://registry.terraform.io/providers/gpsinsight/fusionauth/latest/docs/data-sources/tenant

Tentan Resource --> Tenant Resourse

Continuing from the work started in #170 , the same support at the application level is required.

application.multiFactorConfiguration.loginPolicy: Required

Would be great if we could add the FA generic connector to this terraform provider.

I am putting together a PR for this now.

I've been troubleshooting the following issue in FusionAuth/fusionauth-issues#1787 and discovered that the API key generated via terraform does not work when used with the JWT vend API. If I manually enter the API key as a new entry in the UI, it does work.

Is there a potential for the code that generates the API key to include invalid / "hidden" characters? See the last comment for details.

PR to follow

This was added in 1.28.0 and allows you to specify either urn:oasis:names:tc:SAML:2.0:nameid-format:persistent or urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

lol, realised that I can now create a generic connector, but I can't actually configure it in the tenant. This is done using the connector policies attribute of the tenant.

Will submit a PR to implement this.

This might be a Fusion Auth bug - either in the API, or in their website/app.

I created a new theme using

resource "fusionauth_theme" "new_theme_2" {
  name = "clone theme"
  source_theme_id = "75a068fd-e94b-451a-9aeb-3ddb9a3b5987"
}

Where that ID is the FusionAuth theme on my local (not sure if this constant). The new theme contained the following markup for "OAuth two-factor enable" snippet, which appears to be the actual template for "OAuth two-factor enable complete"

Starting as below (42 lines total)

[#ftl/]
[#-- @ftlvariable name="application" type="io.fusionauth.domain.Application" --]
[#-- @ftlvariable name="client_id" type="java.lang.String" --]
[#-- @ftlvariable name="currentUser" type="io.fusionauth.domain.User" --]
[#-- @ftlvariable name="recoveryCodes" type="java.util.List<java.lang.String>" --]
[#-- @ftlvariable name="tenant" type="io.fusionauth.domain.Tenant" --]
[#-- @ftlvariable name="tenantId" type="java.util.UUID" --]
[#-- @ftlvariable name="version" type="java.lang.String" --]
[#import "../_helpers.ftl" as helpers/]

[@helpers.html]
  [@helpers.head]
    [#-- Custom <head> code goes here --]
  [/@helpers.head]
  [@helpers.body]

    [@helpers.header]
      [#-- Custom header code goes here --]
    [/@helpers.header]

    [@helpers.main title=theme.message('two-factor-recovery-codes')]
      [#setting url_escaping_charset='UTF-8']
      <form action="${request.contextPath}/oauth2/two-factor-enable-complete" method="POST" class="full">
        [@helpers.oauthHiddenFields/]
        <p class="mt-0"> ${theme.message("{description}oauth2-recovery-codes-1")} </p>
        <fieldset>
          <div class="code d-flex" style="justify-content: center; flex-wrap: wrap; gap: 5px 15px;">
            [#list recoveryCodes as code]<div>${code}</div>[/#list]
          </div>
          <p> ${theme.message("{description}oauth2-recovery-codes-2")}  </p>
        </fieldset>
        <div class="form-row">
          [@helpers.button text=theme.message('done')/]
        </div>
      </form>
    [/@helpers.main]

    [@helpers.footer]
      [#-- Custom footer code goes here --]
    [/@helpers.footer]
  [/@helpers.body]
[/@helpers.html]

As per https://fusionauth.io/docs/v1/tech/apis/themes/, this will help maintain compatibility with future fusionauth updates.

When configuring the following value on a tenant:

  event_configuration {
    event            = "user.email.verified"
    enabled          = true
    transaction_type = "AbsoluteMajority"
  }

Although the event becomes enabled the transaction type is not set and remains at 'No webhooks are required to succeed'.

I don't know if there is a good way to ensure these are kept in sync or not. We could try to open an issue or (eventually) a PR when we update things like this.

• schema_fusionauth_application.go
  • FormConfiguration
  • Update SAML v2 configuration
• schema_fusionauth_tenant.go
  • FormConfiguration
  • Missing the SAML v2 AuthN Request Id for the external Id configuration

I'm wondering if there is a way to keep these in sync in a more programatic way. When we build client libraries, we generate a JSON DSL from our Java client that we use to build client libraries. Here are the corresponding Application file:
https://github.com/FusionAuth/fusionauth-client-builder/blob/master/src/main/domain/io.fusionauth.domain.Application.json
https://github.com/FusionAuth/fusionauth-client-builder/blob/master/src/main/domain/io.fusionauth.domain.Application%24SAMLv2Configuration.json

I could share our Kotlin script that generates these if that is helpful. With these JSON files, would you have enough to build the corresponding resource schema files, if not, what else would you need?

Thanks!!!

Please could support for the OauthConfiguration.RequireRegistration field in fusionauth Applications be added?

By itself it's a fairly easy change to make, along the lines of the following in resource_fusionauth_application_helpers.go:

// func buildResourceDataFromApplication
err = data.Set("oauth_configuration", []map[string]interface{}{
		{
			// Other fields omitted for brevity
			"require_registration":          a.OauthConfiguration.RequireRegistration,
		},
})

// func buildApplication
a := fusionauth.Application{
		// Other fields omitted
		OauthConfiguration: fusionauth.OAuth2Configuration{
			// Other fields omitted
			RequireRegistration:         data.Get("oauth_configuration.0.require_registration").(bool),
		},
}

The difficulty comes from the fact that this requires updating to the latest version of the Terraform Go client (field added in this commit), which introduces breaking changes to User two-factor auth (the twoFactorDelivery, twoFactorEnabled & twoFactorSecret fields are deprecated & were removed in v1.26.0).

I've attempted to make the changes myself - the RequireRegistration field works as expected but I keep running into issues determining whether to apply changes to two factor methods (this is my first time making any serious changes to a terraform provider). I'll happily submit a draft PR if nobody is already working on these changes & you think it would help

A bunch of permissions endpoints have been added to fusion that are not supported by the provider. PR to follow.

#103 introduced a change that we can't explain. Changing the key_id in a SAML v2 (both SP and IDP initiated) identity provider resource will trigger the recreation of it which results in a new one with a different ID and therefore requires updating the configuration of the IdP on the other side as well. This is because the identity provider ID is part of the Issuer and also contained in the metadata returned by FusionAuth's metadata URL.

Why was this change made? The merge request and the commits in #103 don't say anything about the why. The FusionAuth admin interface also allows changing this by selecting a different key.

This wouldn't be a problem if one could just set the idp_id attribute on an existing identity provider. That currently doesn't work because in the Terraform state the idp_id is null if not set and setting it to the ID the identity provider currently has will also recreate the resource. We patched the Terraform state by hand this week to get around that (setting the idp_id attribute to the current ID of the identity provider).

Thank you for this project – we'd be lost without it!

When importing a tenant, the provider knew nothing the user.identity-provider.link and user.identity-provider.unlink events, which were added in 1.36.0

Whilst it's not functionality I need, thought I'd take a spin at adding these. PR #149

Related to #113

Because we use a PUT request to update a tenant, we currently remove any existing webhooks.

Webhooks are not part of the Tenant struct, but are attached on the TenantRequest struct (see FusionAuth/fusionauth-issues#1984). Since we are already managing webhooks via the fusionauth_webhook resource, I don't think it's a good idea to add them to the tenant resource - furthermore, webhooks aren't available on the TenantResponse struct anyway.

If we use PatchTenant instead of UpdateTenant, this problem will go away. PR to follow.

This would be great since without it you can't really protect against brute force attacks.

I'll put together a PR if I have time.

It would be useful to be able to enable existing identity providers for new applications, without having control over the creation of the the IDP (e.g. the IDP may already exist and not be managed in the same Terraform configuration as the application) - in particular for the Google IDP in my case (I'm aware not all IDPs have been implemented yet in this provider).

I don't know if there are any FusionAuth or Terraform internals that make this unfeasible, but perhaps this could be accomplished by treating the application_configuration block within the IDP resourcce as a separate resource instead?

In conjunction with this, since FusionAuth appears to only allow a single instance of each type of IDP, an IDP data source would be a useful way of configuring this without needing to know the IDP ID in advance.

Example usage of proposed solution:

# Either a separate data source for each IDP type
data "fusionauth_idp_google" "google" {}

# Or a single data source with a "type" attribute
data "fusionauth_idp" "google" {
  type = "google"
}

resource "fusionauth_idp_application_configuration" "myapp_google" {
  idp_id         = data.fusionauth_idp.google.id # or data.fusionauth_idp_google.google.id, depending on implementation
  application_id = fusionauth_application.myapp.id
  enabled        = true
}

Hello

I`am trying to create webhook via terraform and gpsinsight/fusionauth v0.1.57

Terraform looks like this

resource "fusionauth_webhook" "services_registration" {
   application_ids = [
     fusionauth_application.my_app.id
   ]
  connect_timeout = 5000
  read_timeout    = 2000
  url             = join("",[var.host,":8595","/api/users"])
  description     = "Service Integration"
  events_enabled {
    user_create = true
  }
   global                       = false
   headers                      = { "Authorization" : "Api 001" }
}

Api call result:

Error: unexpected status code: 400(Bad Request) Errors: webhook.eventsEnabled: Invalid JSON in the request body. The property was [webhook.eventsEnabled]. The error was [Possible conversion error]. The detailed exception was [Cannot deserialize Map key of type `io.fusionauth.domain.event.EventType` from String "audit-log.create": not a valid representation
│  at [Source: (org.apache.catalina.connector.CoyoteInputStream); line: 1, column: 97] (through reference chain: io.fusionauth.domain.api.WebhookRequest["webhook"]->io.fusionauth.domain.Webhook["eventsEnabled"])].

Does any one can help me with this ?

If you auto-generate a form id, terraform apply will always try and set form_id back to null. For other resources (e.g. application), we work around this by just not setting the second id field (e.g. the application_id is "", but the id holds the actual id).

PR to follow.

After upgrading to 1.40.2, we get the error:

╷
│ Error: unexpected status code: 400(Bad Request) Errors: Invalid [Content-Type] HTTP request header value of [text/plain]. Supported values for this request include [application/json].
│ 
│   with fusionauth_key.tenant_jwt_access_token_signing_key,
│   on main.tf line 32, in resource "fusionauth_key" "tenant_jwt_access_token_signing_key":
│   32: resource "fusionauth_key" "tenant_jwt_access_token_signing_key" {
│ 

when running terraform apply after the initial apply.

There are some new additions to tenants which means that the provider currently fails to update tenants with external_identifier_configurations:

https://fusionauth.io/docs/v1/tech/apis/tenants/

e.g.

tenant.externalIdentifierConfiguration.twoFactorOneTimeCodeIdGenerator.type [String] Required defaults to randomAlphaNumeric Available since 1.27.0

    The type of the secure generator used for generating the two factor one time code Id. Possible values are:

        randomAlpha

        randomAlphaNumeric

        randomBytes

        randomDigits

I'll have a look at adding the missing functionality next week

Hey everyone,

after upgrading our fusionauth deployment from 1.41.3 to 1.42.1, we received the following error when using the provider with version 0.1.79.

unexpected status code: 400(Bad Request) Errors: tenant.multiFactorConfiguration.loginPolicy: The [tenant.multiFactorConfiguration.loginPolicy] property is invalid. You must enable at least method in order to set this property equal to [Enabled] or [Required].

We have not specified the multi_factor_configuration block in our tenant resource. (https://registry.terraform.io/providers/gpsinsight/fusionauth/latest/docs/resources/tenant#multi_factor_configuration)

The samlv2_configuration block in the fusionauth_application resource specifies callback_url as deprecated, but also as required.

Running terraform apply with callback_url specified results in:

Warning: "samlv2_configuration.0.callback_url": [DEPRECATED] Deprecated in version 1.20

There doesn't appear to be any guidance in the docs as to what callback_url should be replaced with if it is deprecated.

Please could you provide some clarification on this?

I'm currently using this provider to create FusionAuth Applications and simultaneously configure clients to use those Applications. Currently, if no value is specified for oauth_configuration.client_secret for an Application, any dependent Terraform resources which refer to the client secret receive a null value when the Application is first created (initial terraform apply), and a second terraform apply is required to populate the dependent resources with the correct client_secret value.

I'm aware I can specify the client_secret value myself, solving the issue. It would be great, however, if the provider could populate client_secret with the value created by FusionAuth so that dependent resources receive the correct value when no user-specified value is provided.

I'm not sure if this is an issue with this project or just fusionauth itself. This is with provider 0.1.67 and fusionauth 1.36.0.

If you create an api key like this:

resource "fusionauth_api_key" "key_name" {
  description = "some description"
  key         = xxxxxxxxxx
}

You will get an api key that does not work and always gives a 401. The fusionauth documentation suggests "An Empty permissions object mean that this is a super key that authorizes this key for all the endpoints." https://fusionauth.io/docs/v1/tech/apis/api-keys#create-an-api-key

If you request the api key using the api:

{
    "apiKey": {
        "id": "xxxxxxxxxxxxxxxx
        "insertInstant": 1000000000,
        "key": "xxxxxxxxxxxx",
        "keyManager": false,
        "lastUpdateInstant": 1000000000,
        "metaData": {
            "attributes": {
                "description": "xxxxxxxxxx"
            }
        },
        "permissions": {}
    }
}

The problem is the existance of the "permissions": {} key. If you edit the api key in the front end and resave (no changes) the "permissions": {} part disappears and the api key starts working.

Also the documentation is a bit mangled after about here permissions_endpoints
https://registry.terraform.io/providers/gpsinsight/fusionauth/latest/docs/resources/api_key

Seems like it's currently not possible to terraform import an application_role, it gives an error even when the role definitely exists for the specified application. I believe this is due to the fact it's using ImportStatePassthroughContext but relies on the application_id to retrieve the roles.

Per the documentation, for the passthrough function to work the read method must be able to load the resource using only data.Id(). Because the read method is relying on application_id, it doesn't work. Seems like a custom import function is required to support this properly?

I assume the same issue applies to entity_type_permission which is where the read function appears to have been copied from, but I haven't tested that.

The fusionauth_email resource requires the from_email and default_from_name args but the fields are optional in the API.

Is there any reason that we use http.MethodPut instead of http.MethodPatch for updating? In a recent update, this caused the provider to change the settings of a fusionauth_idp_saml_v2 resource, since there was a new field the provider didn't know about and hence it didn't see the diff it was applying. Using http.MethodPatch would prevent this happening.

Fusionauth doesn't allow the key field of an API key to be updated. We should mark this as ForceNew so that Terraform can rotate API keys. PR to follow.

My use case:
I'm attempting to duplicate fusionauth's default theme in order to add localizations plus some small customizations down the road. (Since the default theme can't be modified).

My setup:

resource "fusionauth_theme" "mytheme" {
  name = "mytheme"
  source_theme_id = "75a068fd-e94b-451a-9aeb-3ddb9a3b5987" # default theme magic number: https://github.com/FusionAuth/fusionauth-issues/issues/459
}

fusionauth_theme doesn't seem to care about source_theme_id whatsoever:

This behavior is similar to: https://github.com/FusionAuth/fusionauth-issues/issues/460 .

So I dug into the code (no familiarity with terraform providers), and it seems createTheme doesn't really implement source_theme_id at all (although it is defined in the schema).

The documentation for keys has a section called Import a Key, which supports certificates and secrets. It would be a welcome addition to the Terraform provider.

There are a handful of breaking changes in the latest version of FusionAuth... I'll send through a PR that gets the provider working again but there is still some work missing on the changes to webhooks.

We haven't given any thought to guarantees around versioning and this provider we're just trying to keep up with latest as time permits.

haha! time. I hear that.

I guess the main thing would be to follow the Terraform guide around deprecations.

Since being on v0, you can use the semver minor as the 'major', so the flow would look like:

• Fusionauth (FA) v1.40.0 is released
• Deprecated fields marked as such in terraform-provider-fusionauth with new patch release v0.1.4X
• New version [email protected] released with deprecated fields removed (and migration paths added).
• Profit 💰

The migration paths would become the pain re: maintenance/upgrading terraform state correctly as things change over time. I'm yet to work out how that works via #63 in regards to changing the schema type of user.data from schema.TypeMap to schema.TypeString.

Originally posted by @matthewhartstonge in #68 (comment)

What's the correct way to make a derived theme? (ie: start by copying another, then make some changes)

If I do

resource "fusionauth_theme" "example_theme_custom" {
  name            = "my custom theme"
  source_theme_id = "75a068fd-e94b-451a-9aeb-3ddb9a3b5987" # default theme magic number: https://github.com/FusionAuth/fusionauth-issues/issues/459
  helpers = file("${path.module}/theme_templates/helpers.ftl")
}

The "helpers" page of the theme settings isn't used, only the source theme. If I remove the source_theme_id afterwards, and reapply the TF, then the helpers setting is changed.

Shouldn't the explicit settings override the values from the source-theme?

The last couple of minor releases have introduced some new templates which break compatibility with the provider 😢

We need:

• theme.templates.accountEdit:
• theme.templates.accountIndex
• theme.templates.accountTwoFactorDisable
• theme.templates.accountTwoFactorEnable
• theme.templates.accountTwoFactorIndex
• theme.templates.index
• theme.templates.oauth2TwoFactorMethods

I'll try and bash this out now.

If wanting to create a FusionAuth user to sync correctly with a pre-existing User in another existing user solution, it would be great to be able to specify the user's id to be able to create a happy binding.

We manually inject system level users ...

Will work on a PR for this. 👌

The fusionauth_tenant resource does not currently support configuring rate limiting via tenant.rateLimitConfiguration.