Per-connector ID formats
Problem: Different external systems use different ID formats. Knowing what value to use forRawId annotation is critical for correlation.
Solution: Use the external system’s native stable identifier:
Why this matters: C1 uses these IDs to correlate resources across syncs. Using the wrong ID causes duplicate objects or failed correlations.
Key points:
- Azure AD has two IDs: Object ID (use this) and Application ID (client ID for OAuth)
- AWS uses full ARNs, not account IDs alone
- GitHub has numeric IDs and GraphQL node IDs; either works but be consistent
Setting RawId annotation
Problem: Ensure C1 can correlate your resources across syncs and match resources created via Terraform. What is RawId? A string annotation containing the external system’s native identifier. C1 uses this to match resources across syncs and to merge Terraform-created objects with connector-discovered ones. Solution: Add theRawId annotation when building resources:
- Won’t change when the resource is renamed or modified
- Is unique within that resource type
- Is what an admin would recognize from the external system
Examples from production connectors
Common mistakes
When to use RawId
Should have RawId:- Apps, groups, roles, and any resource that might be pre-created via Terraform
- Resources that need stable correlation across syncs
- Any resource type where admins might reference objects by external ID
- Ephemeral or derived resources
- Resources only used internally by the connector