Unsupported Resource Metadata
Provider-local unsupported_resources.json files document resources that Terraformer should not import broadly without additional provider-specific work. They are evidence records, not a backlog of unimplemented resources.
Keep these files next to the provider implementation, for example providers/aws/unsupported_resources.json. Omit the file when a provider has no evidence-backed unsupported resources yet.
When To Add An Entry
Add an entry when investigation shows that broad import would produce misleading, unsafe, duplicate, or non-refreshable Terraform configuration. Common cases include write-only secrets, operation-style resources, runtime-generated resources, provider-managed resources, and resources whose provider read path cannot reconstruct required configuration after import.
Do not add speculative entries. Do not use metadata as a substitute for investigating importability. Do not mark a resource unsupported only because Terraformer has not implemented it yet. Do not include secrets, tokens, customer data, or other sensitive values in reason, evidence, or references.
Schema
Each provider file uses version 1 and a resources array:
```json
{
  "version": 1,
  "resources": [
    {
      "resource": "provider_resource_name",
      "service_family": "service-or-api-family",
      "reason": "Short explanation of why broad import is unsafe or deferred.",
      "evidence": "Concrete evidence from provider docs, API behavior, code, or issue analysis.",
      "status": "unsupported",
      "references": [
        "https://registry.terraform.io/providers/example/example/latest/docs/resources/resource_name"
      ]
    }
  ]
}
```
Required fields for each resource entry:
| Field | Requirement |
|---|---|
| resource | Non-empty Terraform resource type or native resource identifier. |
| service_family | Non-empty service, API group, or ownership family. |
| reason | Non-empty short explanation of the import limitation. |
| evidence | Non-empty concrete support for the classification. |
| status | Non-empty value from the status table below. |
| references | Non-empty string array. Each reference must be non-empty. |
Status Values
| Status | Meaning |
|---|---|
| unsupported | Import is known to be unsafe or not viable with the current provider/API behavior. |
| deferred | Needs a dedicated follow-up because ownership, API shape, feature gates, or framework support require more design. |
| not-importable | Terraform provider or resource semantics do not expose a usable import/read path. |
| cloudflare-managed | Cloudflare owns or manages the configuration, so Terraformer should not emit it as user-managed Terraform. |
| secret-required | Required configuration contains write-only credentials, secrets, private keys, or tokens. |
| request-style | Resource represents a request, handshake, approval, or lifecycle action rather than stable inventory. |
| runtime-generated | Resource is generated by a controller or runtime system and should not become Terraform-owned configuration. |
| runtime-data | Resource represents runtime data or observed state rather than desired configuration. |
| action-style | Resource represents an action or operation rather than durable configuration. |
| policy-skip | Resource is intentionally skipped by provider import policy even though it may be visible in discovery. |
Evidence Expectations
Good evidence identifies the exact failure mode: missing provider import support, provider read state that cannot reconstruct required fields, API list/read responses that omit required data, duplicate ownership with another Terraform resource, write-only credential fields, or controller-generated lifecycle state. Prefer references to Terraform provider docs, upstream API docs, Terraformer code paths, and tracking issues that explain the resource-specific decision.
Examples in this repository:
- AWS records resources with import/read reconstruction issues, duplicate ownership, and unsupported provider semantics.
- Datadog records integration resources where generator ownership and provider schema behavior need dedicated handling.
- Cloudflare records account, zone, storage, platform, and managed resources that need follow-up or should remain provider-managed.
- Kubernetes records native APIs that are runtime-generated, policy-skipped, or not importable as Terraform-managed configuration.
- LaunchDarkly records beta, singleton, and event/report resources that need scoped follow-up.
Validation
Run the shared validation with:
```sh
go test ./providers
```
The repo-wide test discovers every providers/*/unsupported_resources.json file and validates JSON decoding, schema version, required fields, non-empty references, allowed statuses, and duplicate resources. Provider-local tests may still add provider-specific assertions, such as expected Kubernetes skip-policy coverage.
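The checks listed above, sketched as a standalone Go program that can be run against a draft metadata file before opening a PR. This is an added example, not Terraformer's own test code: `Entry`, `statuses`, `Validate` and the `sample` input are assumptions made for illustration, with the status list copied from the Status Values table. It assumes Go 1.21 or later for the `slices` package.

```go
package main

import (
	"encoding/json"
	"fmt"
	"slices"
	"strings"
)

// Entry mirrors one "resources" object from the schema; JSON keys match case-insensitively.
type Entry struct {
	Resource, Reason, Evidence, Status string
	ServiceFamily                      string `json:"service_family"`
	References                         []string
}
// statuses is copied from the Status Values table.
var statuses = strings.Fields("unsupported deferred not-importable cloudflare-managed " +
	"secret-required request-style runtime-generated runtime-data action-style policy-skip")
// sample is constructed: entry 0 lacks fields, entry 1 has an unknown status and a duplicate name.
const sample = `{"version":1,"resources":[{"resource":"example_key","status":"deferred"},
 {"resource":"example_key","service_family":"iam","reason":"r","evidence":"e","status":"todo","references":["https://example.invalid/doc"]}]}`
// Validate (hypothetical helper) returns one message per violation, nil when the file is clean.
func Validate(data []byte) (errs []string) {
	report := func(bad bool, format string, a ...any) {
		if bad {
			errs = append(errs, fmt.Sprintf(format, a...))
		}
	}
	var f struct {
		Version   int
		Resources []Entry
	}
	if err := json.Unmarshal(data, &f); err != nil {
		return []string{"decode: " + err.Error()}
	}
	report(f.Version != 1, "version is %d, want 1", f.Version)
	seen := map[string]bool{}
	for i, e := range f.Resources {
		req := []string{e.Resource, e.ServiceFamily, e.Reason, e.Evidence, e.Status}
		report(slices.Contains(req, ""), "resources[%d]: a required string field is empty", i)
		report(e.Status != "" && !slices.Contains(statuses, e.Status), "resources[%d]: status %q not allowed", i, e.Status)
		report(len(e.References) == 0 || slices.Contains(e.References, ""), "resources[%d]: references missing or has an empty item", i)
		report(seen[e.Resource], "resources[%d]: duplicate resource %q", i, e.Resource)
		seen[e.Resource] = true
	}
	return errs
}
func main() {
	fmt.Println(strings.Join(Validate([]byte(sample)), "\n"))
}
```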
For provider resource PRs, use the pull request checklist to confirm that evidence-backed unsupported resources discovered during the work were added to the provider-local metadata file, or that no metadata update was needed.
Inventory
This inventory is an informational coverage snapshot. The source of truth is the set of discovered providers/*/unsupported_resources.json files validated by the Go test. Providers without metadata should remain `not present yet` until an evidence-backed unsupported resource has been investigated.
| Provider | Has unsupported_resources.json | Has provider-local unsupported_resources_test.go | Notes |
|---|---|---|---|
| alicloud | no | no | not present yet |
| auth0 | no | no | not present yet |
| aws | yes | no | metadata present |
| azure | no | no | not present yet |
| azuread | no | no | not present yet |
| azuredevops | no | no | not present yet |
| cloudflare | yes | yes | metadata present; provider-specific assertions |
| commercetools | no | no | not present yet |
| datadog | yes | no | metadata present |
| digitalocean | no | no | not present yet |
| equinixmetal | no | no | not present yet |
| fastly | no | no | not present yet |
| gcp | no | no | not present yet |
| github | no | no | not present yet |
| gitlab | no | no | not present yet |
| gmailfilter | no | no | not present yet |
| grafana | no | no | not present yet |
| heroku | no | no | not present yet |
| honeycombio | no | no | not present yet |
| ibm | no | no | not present yet |
| ionoscloud | no | no | not present yet |
| keycloak | no | no | not present yet |
| kafka | yes | yes | metadata present; provider-specific assertions |
| kubernetes | yes | yes | metadata present; provider-specific assertions |
| launchdarkly | yes | no | metadata present |
| linode | no | no | not present yet |
| logzio | no | no | not present yet |
| mackerel | no | no | not present yet |
| mikrotik | no | no | not present yet |
| myrasec | no | no | not present yet |
| newrelic | no | no | not present yet |
| ns1 | no | no | not present yet |
| octopusdeploy | no | no | not present yet |
| okta | no | no | not present yet |
| opal | no | no | not present yet |
| openstack | no | no | not present yet |
| opsgenie | no | no | not present yet |
| pagerduty | no | no | not present yet |
| panos | no | no | not present yet |
| rabbitmq | no | no | not present yet |
| tencentcloud | no | no | not present yet |
| vault | no | no | not present yet |
| vultr | no | no | not present yet |
| xenorchestra | no | no | not present yet |
| yandex | no | no | not present yet |