feat: Sweeper Standardization by tamas-jozsa · Pull Request #6501 · cloudflare/terraform-provider-cloudflare

tamas-jozsa · 2025-11-28T18:07:57Z

Overview

This PR introduces a standardized sweeper system with consistent resource
naming conventions and adds a dangerous deletion mode for complete resource
cleanup in test environments.

Changes

Standardized Test Resource Naming Convention

New Standard Prefix: All test resources now use cf-tf-test- prefix
- Example: cf-tf-test-abcdefghij
Legacy Support: Temporarily supports old tf-acctest- prefix during migration
Helper Function: utils.GenerateRandomResourceName() generates standardized
names with 10 random lowercase letters

Files Modified:

internal/utils/random_acc_test_name.go - Updated to generate cf-tf-test-*
names
internal/utils/random_acc_test_name_test.go - Updated tests for new naming

Sweeper Standardization (131 Sweepers Migrated)

Migrated all 131 sweepers to use standardized logging and filtering patterns:

Pattern Applied:

✅ Replaced fmt.Printf/log.Print with tflog.Info()/tflog.Error()
✅ Added environment variable validation (return nil with info message if not
set)
✅ Used utils.ShouldSweepResource() for filtering (where applicable)
✅ Added consistent error handling with continue on failures
✅ Removed legacy logging imports

Key Files:

TODO.md - Tracking document showing 100% completion (131/131 sweepers)
All internal/services/*/resource_test.go files - Updated sweeper functions

Example Before:
if zoneID == "" {
return errors.New("CLOUDFLARE_ZONE_ID must be set")
}
fmt.Printf("Deleting resource: %s\n", name)

Example After:
if zoneID == "" {
tflog.Info(ctx, "Skipping sweep: CLOUDFLARE_ZONE_ID not set")
return nil
}
tflog.Info(ctx, fmt.Sprintf("Deleting resource: %s (zone: %s)", name, zoneID))

Sweeper Filtering Helpers

Added standardized filtering functions in internal/utils/sweeper_helpers.go:

// Check if resource follows new naming convention
func IsTestResource(name string) bool

// Check if resource follows legacy naming convention
func IsLegacyTestResource(name string) bool

// Determine if resource should be swept (supports both conventions)
func ShouldSweepResource(name string) bool

Features:

Supports both new (cf-tf-test-) and legacy (tf-acctest-) prefixes
Used consistently across all 131 sweepers
Includes comprehensive test coverage

Dangerous Delete Mode ⚠️

Added --dangerously-delete-resources flag to bypass resource name validation
and delete ALL resources.

Implementation:

a) Script Changes (scripts/sweep):

Added --dangerously-delete-resources command-line flag
Exports SWEEP_DANGEROUSLY_DELETE_ALL environment variable
Displays prominent warnings:
⚠️ DANGER MODE ENABLED: Resource name validation is DISABLED
⚠️ ALL RESOURCES will be deleted, regardless of their names!
⚠️ This may delete production resources. Proceed with extreme caution!
Added 2-second delay before execution
Works with --dry-run for safe preview

b) Helper Function Update (internal/utils/sweeper_helpers.go):
func ShouldSweepResource(name string) bool {
// Check for danger mode environment variable
if os.Getenv("SWEEP_DANGEROUSLY_DELETE_ALL") == "true" {
return true // DANGER: Delete everything!
}

  // Normal mode: only delete resources with test prefixes
  return IsTestResource(name) || IsLegacyTestResource(name)

}

c) Test Coverage (internal/utils/sweeper_helpers_test.go):

Added TestShouldSweepResource_DangerMode() test
Verifies danger mode returns true for all resources
Verifies normal mode resumes after unsetting variable
All tests pass ✅

Usage Examples:

Preview what would be deleted (safe)

./scripts/sweep --account <account_id>
--dangerously-delete-resources
--resource dns_record
--dry-run

Actually delete everything (DANGEROUS)

./scripts/sweep --account <account_id>
--dangerously-delete-resources
--resource dns_record

SDK Migration (Partial)

Started migration from cloudflare-go v1 to v6 SDK:

Completed:

✅ dns_record - Fully migrated to v6 SDK
- Removed cfold (v1) imports
- Updated type references: cfold.DNSRecord → dns.Record
- Replaced SharedV1Client() → SharedClient()
- Updated API calls to use v6 methods

Tracked:

SDK_MIGRATION_TODO.md - Comprehensive tracking document for remaining 49
services

Documentation

a) Updated docs/sweepers.md:

Added section on dangerous delete mode with usage examples
Added safety warnings and best practices
Updated filtering helpers documentation
Added --dry-run examples

b) Created DANGEROUS_SWEEP_MODE.md:

Comprehensive guide on danger mode
Implementation details
Safety warnings and best practices
Testing instructions
Rollback procedures

c) Updated TODO.md:

Tracks sweeper migration progress (100% complete)
Documents migration patterns applied
Lists all 131 migrated sweepers

d) Created SDK_MIGRATION_TODO.md:

Tracks v1 to v6 SDK migration (2% complete)
Lists 49 services needing migration
Provides migration instructions and patterns

Summary Statistics

Sweepers Standardized: 131/131 (100%)
Test Files Modified: 131 resource_test.go files
SDK Migration: 1/49 services (dns_record complete)
New Helper Functions: 3 (IsTestResource, IsLegacyTestResource,
ShouldSweepResource)
New CLI Flags: 1 (--dangerously-delete-resources)
New Documentation: 2 files (DANGEROUS_SWEEP_MODE.md, SDK_MIGRATION_TODO.md)
Updated Documentation: 2 files (docs/sweepers.md, TODO.md)
Test Coverage: 100% for sweeper helpers (including danger mode)

Testing

All changes have been tested and verified:

Sweeper helper tests pass

go test ./internal/utils/... -v -run TestShouldSweepResource

Output: PASS

DNS record service builds successfully

go build ./internal/services/dns_record/...

Output: Success (exit code 0)

Sweep script help displays correctly

./scripts/sweep --help

Output: Shows new --dangerously-delete-resources flag

tamas-jozsa · 2025-11-28T18:16:27Z

currently testing via acceptance test run https://github.com/cloudflare/terraform-provider-cloudflare/actions/runs/19771094309/job/56655219389

* codegen metadata * chore(zone): update migration tests (#6468) Updates `cloudflare_zone` migration tests to use `tf-migrate` instead of `cmd/migrate`. * feat: feat: BOTS-7562 add bot management feedback endpoints to stainless config (prod) * feat: BOTS-7562 add bot management feedback endpoints to stainless config (prod) * feat: chore: point Terraform to Go 'next' * chore: point Terraform to Go 'next' * chore(api): update composite API spec * chore(internal): codegen related update * fix(zone): datasource model schema parity (#6487) * fix(zone): make datasource's zone ID computed optional Resolves #6129 * test(zone): fix datasource model/schema parity Updates the `ZonesAccountDataSourceModel` type be useful for both filters and decerilization. * feat: feat(radar): Add origins endpoints to public api docs * chore(account_tokens): adding a simple CRUD test (#6484) * adding a simple CRUD test fo account tokens * add a test file * feat: chore(api_shield_discovery_operation): Deprecate api_shield_discovery_operation * chore(cloudflare_api_shield_operation): Add acceptance tests (#6491) * test: Add acceptance tests for cloudflare_api_shield_operation * chore: Add CI acceptance tests for api_shield_operation * chore(internal): codegen related update * chore(logpush_job): add v4 to v5 migration tests (#6483) * codegen metadata * add migration test for logpush_job * add zone level logpush jobs to sweeper * use MigrationV2TestStep, use zone level job for instant-logs test * handle instant-logs being returned from the API despite not being a valid config value * rename resource test name to be consistent --------- Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com> * fix(pages_project): use correct field name in test sweeper The Pages API response type uses "Name" instead of "ProjectName". Update the test sweeper to access the correct field from "ProjectListResponse". Fixes compilation error: deployment.ProjectName undefined (type pages.ProjectListResponse has no field or method ProjectName) * fix(zero_trust_device_posture_rule): preserve input.version and other fields (#6500) not returned by API The API doesn't return all configured input fields in Read responses, causing drift. This preserves input.version (critical), input.enabled cleanup, and additional fields (path, sha256, os_distro_*) from current state when API omits them. Fixes perpetual drift for firewall and os_version posture rules. * feat: feat(r2_data_catalog): Configure SDKs/Terraform to use R2 Data Catalog routes * feat(r2_data_catalog): Configure SDKs/Terraform to use R2 Data Catalog routes * DS-15730: Re-enable logpush_dataset_field data source and add acceptance test (#6499) Co-authored-by: Henry Clausen <hclausen@cloudflare.com> * DS-15566: Add logpush_job acceptance test for filter update (#6498) Co-authored-by: Henry Clausen <hclausen@cloudflare.com> * chore(internal): codegen related update * Update Subscription and Subscription.RatePlan schema in order to satisfy terraform to no detect changes on no changes to the config (#6497) * BILLSUB-247 CUSTESC-57375 fix drift issues after apply causing idempotency issues on subsequent applies * BILLSUB-247 CUSTESC-57375 fix wrong computed_optional syntax * Fix zone_subscription Sets field type mismatch --------- Co-authored-by: Sui Mak <sui@cloudflare.com> * feat: improve and standardize sweepers (#6501) * fix(zero_trust_device_posture_rule): preserve input.version and other fields (#6503) not returned by API The API doesn't return all configured input fields in Read responses, causing drift. This preserves input.version (critical), input.enabled cleanup, and additional fields (path, sha256, os_distro_*) from current state when API omits them. Fixes perpetual drift for firewall and os_version posture rules. * chore(internal): codegen related update * chore(zero_trust_device_managed_networks): add tests (#6463) * chore(zero_trust_device_default_profile_local_domain_fallback): add tests (#6464) * chore(zero_trust_device_posture_integration): update tests for to test with Crowdstrike (#6470) * fix(zone_subscription|account_subscription): add partners_ent as valid enum for rate_plan.id (#6505) * fix: add partners_ent as valid enum for rate_plan.id * fix: remove partners_enterprise enum from account subscription --------- Co-authored-by: Sui Mak <sui@cloudflare.com> * chore(api): update composite API spec * chore(internal): codegen related update * chore(internal): codegen related update * feat: add v4->v5 migration tests for pages_project and adjust schema (#6506) * fix: update import signature to accept account_id/subscription_id in order to import account subscription (#6510) Co-authored-by: Sui Mak <sui@cloudflare.com> * fix: r2 sweeper (#6512) * chore(internal): codegen related update * codegen metadata * chore(internal): codegen related update * chore(internal): codegen related update * codegen metadata * feat: chore: update go sdk to v6.4.0 for provider release * chore: skip invalid change detection * chore: update go sdk to v6.4.0 * fix(workers_script): resource drift when worker has unmanaged secret (#6504) Co-authored-by: Chris Thorwarth <cthorwarth@cloudflare.com> * fix(workers_script): No longer treating the migrations attribute as WriteOnly (#6489) * codegen metadata * wip: moving migrations to be a write-only attribute --------- Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com> Co-authored-by: Chris Thorwarth <cthorwarth@cloudflare.com> * chore(zero_trust_device_default|custom_profile): acceptance test coverage (#6511) * fix(account_members): making member policies a set (#6488) * ACCT-11111 making member policies a set * fixing test resource name * removing unnecessary * removing unnecessary * correct client version * fixing resource names and sweeping * manual cleanup of test resources * making resource groups and perm groups sets * fix(tests): resolve SDK v6 migration test failures (#6507) - Change global test resource prefix from cf-tf-test- to cftftest_ to fix API name validation errors (fixes list, list_item, snippet) - Add certificate_pack hosts order-insensitive comparison in ModifyPlan to prevent unnecessary replacements - Add UseStateForUnknown() plan modifier to certificate_pack primary_certificate field - Add UseStateForUnknown() plan modifiers to pages_project deployment_configs fields (always_use_latest_compatibility_date, build_image_major_version, compatibility_date, fail_open) to prevent state drift Fixes test failures in: list, list_item, snippet, certificate_pack, pages_domain, pages_project * chore(tests): cloud connector rules parity tests and add connectivity_directory_service tests (#6513) * fix(cloud_connector_rules): datasource model schema parity * fix: rename e2e test for connectivity_directory_service * fix(account_member): use sdk to setup prereq * fix(cloud_connector_rules): model and schema --------- Co-authored-by: Eric Falcao <efalcao@cloudflare.com> * fix: decoder, build (#6514) * fix(test_utils): undefined func * fix(decoder): dont include fields with json tag - * chore(account_subscription): skip test * fix: decoder and tests (#6516) chore(account_member): dont run acceptance with env variable fix(utils): test assertions * chore(account_member): fix check for env var (#6517) * fix(workers_kv): ignore value import state verify (#6521) * fix(workers_kv): ignore value import state verify * chore(workers_kv): comment about why we're ignoring value * chore(account_member): skip until user is dsr enabled (#6522) * fix(pages_project): non empty refresh plans (#6515) * chore(docs): update documentation (#6523) * chore: update changelog (#6525) * release: 5.14.0 --------- Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com> Co-authored-by: Michael Girouard <206137+mgirouard@users.noreply.github.com> Co-authored-by: Steve Conrad <sconrad@cloudflare.com> Co-authored-by: cbertiercloudflare <cbertier@cloudflare.com> Co-authored-by: Sarah Sicard <18204584+ssicard@users.noreply.github.com> Co-authored-by: Tamas Jozsa <tamas@cloudflare.com> Co-authored-by: Henry Clausen <33390934+hc2116@users.noreply.github.com> Co-authored-by: Henry Clausen <hclausen@cloudflare.com> Co-authored-by: Sui Mak <smakys501@gmail.com> Co-authored-by: Sui Mak <sui@cloudflare.com> Co-authored-by: jlu-cloudflare <124198068+jlu-cloudflare@users.noreply.github.com> Co-authored-by: Rotem Atzaba <rotem@cloudflare.com> Co-authored-by: christhorwarth <chris.thorwarth@gmail.com> Co-authored-by: Chris Thorwarth <cthorwarth@cloudflare.com> Co-authored-by: Vaishak Dinesh <vaishakpdinesh@gmail.com> Co-authored-by: Eric Falcao <efalcao@cloudflare.com>

tamas-jozsa changed the title ~~feat: improve sweepers~~ feat: Sweeper Standardization Nov 28, 2025

tamas-jozsa force-pushed the sweepers branch 11 times, most recently from 0d6ad9c to 6ee8e1b Compare December 2, 2025 18:42

mgirouard approved these changes Dec 2, 2025

View reviewed changes

feat: improve and standardize sweepers

3d6a226

tamas-jozsa force-pushed the sweepers branch from 6ee8e1b to 3d6a226 Compare December 2, 2025 19:08

tamas-jozsa merged commit 03fb2d2 into next Dec 2, 2025
2 of 4 checks passed

tamas-jozsa deleted the sweepers branch December 2, 2025 19:08

stainless-app bot mentioned this pull request Dec 2, 2025

release: 5.14.0 #6481

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: Sweeper Standardization#6501

feat: Sweeper Standardization#6501
tamas-jozsa merged 1 commit intonextfrom
sweepers

tamas-jozsa commented Nov 28, 2025 •

edited

Loading

Uh oh!

tamas-jozsa commented Nov 28, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

tamas-jozsa commented Nov 28, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Preview what would be deleted (safe)

Actually delete everything (DANGEROUS)

Sweeper helper tests pass

Output: PASS

DNS record service builds successfully

Output: Success (exit code 0)

Sweep script help displays correctly

Output: Shows new --dangerously-delete-resources flag

Uh oh!

tamas-jozsa commented Nov 28, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

tamas-jozsa commented Nov 28, 2025 •

edited

Loading