Tags: cloudflare/terraform-provider-cloudflare
Tags
release: 5.14.0 (#6481) * codegen metadata * chore(zone): update migration tests (#6468) Updates `cloudflare_zone` migration tests to use `tf-migrate` instead of `cmd/migrate`. * feat: feat: BOTS-7562 add bot management feedback endpoints to stainless config (prod) * feat: BOTS-7562 add bot management feedback endpoints to stainless config (prod) * feat: chore: point Terraform to Go 'next' * chore: point Terraform to Go 'next' * chore(api): update composite API spec * chore(internal): codegen related update * fix(zone): datasource model schema parity (#6487) * fix(zone): make datasource's zone ID computed optional Resolves #6129 * test(zone): fix datasource model/schema parity Updates the `ZonesAccountDataSourceModel` type be useful for both filters and decerilization. * feat: feat(radar): Add origins endpoints to public api docs * chore(account_tokens): adding a simple CRUD test (#6484) * adding a simple CRUD test fo account tokens * add a test file * feat: chore(api_shield_discovery_operation): Deprecate api_shield_discovery_operation * chore(cloudflare_api_shield_operation): Add acceptance tests (#6491) * test: Add acceptance tests for cloudflare_api_shield_operation * chore: Add CI acceptance tests for api_shield_operation * chore(internal): codegen related update * chore(logpush_job): add v4 to v5 migration tests (#6483) * codegen metadata * add migration test for logpush_job * add zone level logpush jobs to sweeper * use MigrationV2TestStep, use zone level job for instant-logs test * handle instant-logs being returned from the API despite not being a valid config value * rename resource test name to be consistent --------- Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com> * fix(pages_project): use correct field name in test sweeper The Pages API response type uses "Name" instead of "ProjectName". Update the test sweeper to access the correct field from "ProjectListResponse". Fixes compilation error: deployment.ProjectName undefined (type pages.ProjectListResponse has no field or method ProjectName) * fix(zero_trust_device_posture_rule): preserve input.version and other fields (#6500) not returned by API The API doesn't return all configured input fields in Read responses, causing drift. This preserves input.version (critical), input.enabled cleanup, and additional fields (path, sha256, os_distro_*) from current state when API omits them. Fixes perpetual drift for firewall and os_version posture rules. * feat: feat(r2_data_catalog): Configure SDKs/Terraform to use R2 Data Catalog routes * feat(r2_data_catalog): Configure SDKs/Terraform to use R2 Data Catalog routes * DS-15730: Re-enable logpush_dataset_field data source and add acceptance test (#6499) Co-authored-by: Henry Clausen <hclausen@cloudflare.com> * DS-15566: Add logpush_job acceptance test for filter update (#6498) Co-authored-by: Henry Clausen <hclausen@cloudflare.com> * chore(internal): codegen related update * Update Subscription and Subscription.RatePlan schema in order to satisfy terraform to no detect changes on no changes to the config (#6497) * BILLSUB-247 CUSTESC-57375 fix drift issues after apply causing idempotency issues on subsequent applies * BILLSUB-247 CUSTESC-57375 fix wrong computed_optional syntax * Fix zone_subscription Sets field type mismatch --------- Co-authored-by: Sui Mak <sui@cloudflare.com> * feat: improve and standardize sweepers (#6501) * fix(zero_trust_device_posture_rule): preserve input.version and other fields (#6503) not returned by API The API doesn't return all configured input fields in Read responses, causing drift. This preserves input.version (critical), input.enabled cleanup, and additional fields (path, sha256, os_distro_*) from current state when API omits them. Fixes perpetual drift for firewall and os_version posture rules. * chore(internal): codegen related update * chore(zero_trust_device_managed_networks): add tests (#6463) * chore(zero_trust_device_default_profile_local_domain_fallback): add tests (#6464) * chore(zero_trust_device_posture_integration): update tests for to test with Crowdstrike (#6470) * fix(zone_subscription|account_subscription): add partners_ent as valid enum for rate_plan.id (#6505) * fix: add partners_ent as valid enum for rate_plan.id * fix: remove partners_enterprise enum from account subscription --------- Co-authored-by: Sui Mak <sui@cloudflare.com> * chore(api): update composite API spec * chore(internal): codegen related update * chore(internal): codegen related update * feat: add v4->v5 migration tests for pages_project and adjust schema (#6506) * fix: update import signature to accept account_id/subscription_id in order to import account subscription (#6510) Co-authored-by: Sui Mak <sui@cloudflare.com> * fix: r2 sweeper (#6512) * chore(internal): codegen related update * codegen metadata * chore(internal): codegen related update * chore(internal): codegen related update * codegen metadata * feat: chore: update go sdk to v6.4.0 for provider release * chore: skip invalid change detection * chore: update go sdk to v6.4.0 * fix(workers_script): resource drift when worker has unmanaged secret (#6504) Co-authored-by: Chris Thorwarth <cthorwarth@cloudflare.com> * fix(workers_script): No longer treating the migrations attribute as WriteOnly (#6489) * codegen metadata * wip: moving migrations to be a write-only attribute --------- Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com> Co-authored-by: Chris Thorwarth <cthorwarth@cloudflare.com> * chore(zero_trust_device_default|custom_profile): acceptance test coverage (#6511) * fix(account_members): making member policies a set (#6488) * ACCT-11111 making member policies a set * fixing test resource name * removing unnecessary * removing unnecessary * correct client version * fixing resource names and sweeping * manual cleanup of test resources * making resource groups and perm groups sets * fix(tests): resolve SDK v6 migration test failures (#6507) - Change global test resource prefix from cf-tf-test- to cftftest_ to fix API name validation errors (fixes list, list_item, snippet) - Add certificate_pack hosts order-insensitive comparison in ModifyPlan to prevent unnecessary replacements - Add UseStateForUnknown() plan modifier to certificate_pack primary_certificate field - Add UseStateForUnknown() plan modifiers to pages_project deployment_configs fields (always_use_latest_compatibility_date, build_image_major_version, compatibility_date, fail_open) to prevent state drift Fixes test failures in: list, list_item, snippet, certificate_pack, pages_domain, pages_project * chore(tests): cloud connector rules parity tests and add connectivity_directory_service tests (#6513) * fix(cloud_connector_rules): datasource model schema parity * fix: rename e2e test for connectivity_directory_service * fix(account_member): use sdk to setup prereq * fix(cloud_connector_rules): model and schema --------- Co-authored-by: Eric Falcao <efalcao@cloudflare.com> * fix: decoder, build (#6514) * fix(test_utils): undefined func * fix(decoder): dont include fields with json tag - * chore(account_subscription): skip test * fix: decoder and tests (#6516) chore(account_member): dont run acceptance with env variable fix(utils): test assertions * chore(account_member): fix check for env var (#6517) * fix(workers_kv): ignore value import state verify (#6521) * fix(workers_kv): ignore value import state verify * chore(workers_kv): comment about why we're ignoring value * chore(account_member): skip until user is dsr enabled (#6522) * fix(pages_project): non empty refresh plans (#6515) * chore(docs): update documentation (#6523) * chore: update changelog (#6525) * release: 5.14.0 --------- Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com> Co-authored-by: Michael Girouard <206137+mgirouard@users.noreply.github.com> Co-authored-by: Steve Conrad <sconrad@cloudflare.com> Co-authored-by: cbertiercloudflare <cbertier@cloudflare.com> Co-authored-by: Sarah Sicard <18204584+ssicard@users.noreply.github.com> Co-authored-by: Tamas Jozsa <tamas@cloudflare.com> Co-authored-by: Henry Clausen <33390934+hc2116@users.noreply.github.com> Co-authored-by: Henry Clausen <hclausen@cloudflare.com> Co-authored-by: Sui Mak <smakys501@gmail.com> Co-authored-by: Sui Mak <sui@cloudflare.com> Co-authored-by: jlu-cloudflare <124198068+jlu-cloudflare@users.noreply.github.com> Co-authored-by: Rotem Atzaba <rotem@cloudflare.com> Co-authored-by: christhorwarth <chris.thorwarth@gmail.com> Co-authored-by: Chris Thorwarth <cthorwarth@cloudflare.com> Co-authored-by: Vaishak Dinesh <vaishakpdinesh@gmail.com> Co-authored-by: Eric Falcao <efalcao@cloudflare.com>
release: 5.13.0 (#6397) * chore(workers): integrate generated changes for Workers resources The following resources are modified by these generated changes: - workers_cron_trigger - workers_custom_domain - workers_deployment - workers_for_platforms_dispatch_namespace - workers_kv - workers_kv_namespace - workers_route - workers_script * chore(load_balancing): integrate generated changes for Load Balancing resources The following resources are modified by these generated changes: - healthcheck - load_balancer - load_balancer_monitor - load_balancer_pool * chore(iam): integrate generated changes for IAM resources The following resources are modified by these generated changes: - account - account_member - account_token - api_token - token_validation_config (added) - token_validation_rules (added) * chore(zero_trust, cfone): integrate generated changes for ZT and CFONE resources The following resources are modified by these generated changes: - cloudforce_one_request - cloudforce_one_request_asset - cloudforce_one_request_message - cloudforce_one_request_priority - zero_trust_access_custom_page - zero_trust_access_group - zero_trust_access_identity_provider - zero_trust_access_infrastructure_target - zero_trust_access_key_configuration - zero_trust_access_mtls_certificate - zero_trust_access_policy - zero_trust_access_service_token - zero_trust_access_short_lived_certificate - zero_trust_access_tag - zero_trust_device_custom_profile - zero_trust_device_custom_profile_local_domain_fallback - zero_trust_device_default_profile - zero_trust_device_default_profile_local_domain_fallback - zero_trust_device_managed_networks - zero_trust_device_posture_integration - zero_trust_device_posture_rule - zero_trust_dex_test - zero_trust_dlp_custom_entry - zero_trust_dlp_custom_profile - zero_trust_dlp_entry - zero_trust_dlp_integration_entry - zero_trust_dlp_predefined_entry - zero_trust_dlp_predefined_profile - zero_trust_dns_location - zero_trust_gateway_certificate - zero_trust_gateway_policy - zero_trust_gateway_proxy_endpoint - zero_trust_gateway_settings - zero_trust_list - zero_trust_network_hostname_route - zero_trust_risk_scoring_integration - zero_trust_tunnel_cloudflared - zero_trust_tunnel_cloudflared_config - zero_trust_tunnel_cloudflared_route - zero_trust_tunnel_cloudflared_virtual_network - zero_trust_tunnel_warp_connector - zero_trust_access_ai_controls_mcp_portal (added) - zero_trust_access_ai_controls_mcp_server (added) * chore(d1): integrate generated changes for D1 resources * chore(byoip): integrate generated changes for BYOIP resources * chore(logpush): integrate generated changes for Logpush resources * chore(pages): integrate generated changes for Pages resources * chore(worker): integrate generated changes for Worker resources * chore(stainless): integrate changes from unpinned codegen version * feat: add new resources and data sources * chore: include new sections for pr template (#6395) * feat(magic_transit_connector): support self-serve license key (#6398) Co-authored-by: yihuaf <yihuaf@cloudflare.com> * ci(test): integrate migrator v2 (#6396) * ci: build migrator v2 in ci * chore: uptake migrator v2 for dns_record * chore(certificate_pack): docs show safe rotation instructions (#6388) * chore(test): increase legacy migrator test coverage (#6401) * fix(zero_trust_dex_test): correct configurability for 'targeted' attribute to fix drift * chore(test): acceptance tests for token validation resources (#6417) This adds acceptance test for token validation resources: ``` $ TF_ACC=1 go test ./internal/services/token_validation_* -run "^TestAccCloudflareTokenValidationConfig|TestAccCloudflareTokenValidationRules" -v -count 1 === RUN TestAccCloudflareTokenValidationConfig --- PASS: TestAccCloudflareTokenValidationConfig (42.65s) PASS ok github.com/cloudflare/terraform-provider-cloudflare/internal/services/token_validation_config 46.029s === RUN TestAccCloudflareTokenValidationRules --- PASS: TestAccCloudflareTokenValidationRules (21.90s) PASS ok github.com/cloudflare/terraform-provider-cloudflare/internal/services/token_validation_rules 23.824s ``` * chore(zones): data source tests (#6414) * chore(test): add schema and token validation acceptance tests to CI (#6421) This change adds the token validation and schema validation acceptance tests to CI runner. Acceptance test zone `terraform.cfapi.net` seems to already be entitled to utilize both services. It also ensures that the schema validation tests can be executed in parallel without interferring with each other: ``` $ TF_ACC=1 go test ./internal/services/token_validation_* ./internal/services/schema_validation_* -run "^TestAccCloudflareTokenValidationConfig|TestAccCloudflareTokenValidationRules|TestAccCloudflarePerOperationSetting|TestAccCloudflareSchemaValidationSchemas|TestAccCloudflareSchemaValidationZoneSettings" -v -count 1 === RUN TestAccCloudflareTokenValidationConfig --- PASS: TestAccCloudflareTokenValidationConfig (36.15s) PASS ok github.com/cloudflare/terraform-provider-cloudflare/internal/services/token_validation_config 37.827s === RUN TestAccCloudflareTokenValidationRules --- PASS: TestAccCloudflareTokenValidationRules (26.03s) PASS ok github.com/cloudflare/terraform-provider-cloudflare/internal/services/token_validation_rules 28.480s === RUN TestAccCloudflarePerOperationSetting --- PASS: TestAccCloudflarePerOperationSetting (15.87s) PASS ok github.com/cloudflare/terraform-provider-cloudflare/internal/services/schema_validation_operation_settings 21.278s === RUN TestAccCloudflareSchemaValidationSchemas --- PASS: TestAccCloudflareSchemaValidationSchemas (13.31s) PASS ok github.com/cloudflare/terraform-provider-cloudflare/internal/services/schema_validation_schemas 16.719s === RUN TestAccCloudflareSchemaValidationZoneSettings --- PASS: TestAccCloudflareSchemaValidationZoneSettings (18.18s) PASS ok github.com/cloudflare/terraform-provider-cloudflare/internal/services/schema_validation_settings 22.567s ``` * Add mcp portals acctests (#6411) * Add mcp portals acceptance tests * Fix mcp portals acceptance tests * Fix mcp portals acceptance tests * chore(zero_trust_access_service_token): add migration test for zero_trust_access_service_token (#6416) Co-authored-by: cortlyons <cortlyons@cloudflare.com> * chore(ci): skip flaky test in CI * chore(sso_connector): add acceptance tests (#6427) * Add acceptance tests for sso connector resource * Removing test staging option * Create ZT IDP before attempting SSO connector operations --------- Co-authored-by: scabell <scabell@cloudflare.com> * chore(email_routing): improved email routing sweepers (#6429) * chore(dns_record): improve dns sweepers (#6430) * chore(workers_kv_namespace): v4 to v5 migration tests for workers_kv_namespace (#6424) * chore(zero_trust_gateway_policy): v4 to v5 migration for zero_trust_gateway_policy (#6413) * chore(zero_trust_list): v4 to v5 migration tests for zero trust list records (#6400) * chore(account_member): add migration test (#6425) * Add migration test for account_member * chore(logpull_retention): add migration test for (#6426) * add migration tests for logpull_retention * chore(cloudflare_zero_trust_dlp_custom_profile): migration test and ignore order as set (#6428) * fix(workers_script_subdomain): add note to cloudflare_workers_script_subdomain about redundancy with cloudflare_worker (#6383) People using cloudflare_worker should not use cloudflare_workers_script_subdomain since cloudflare_worker already includes subdomain settings. * chore(logpush_job): add import tests for resource (#6402) * DS-15398: Add import tests for cloudflare_logpush_jobs resource This adds import tests for `cloudflare_logpush_jobs` resource, per https://wiki.cfdata.org/display/API/Terraform+Acceptance+Tests * DS-15398: Change LogpushJobModel optional,no_refresh to computed_optional,decode_null_to_zero (except OwnershipChallenge) This changes `LogpushJobModel` `optional,no_refresh` to `computed_optional,decode_null_to_zero` (except `OwnershipChallenge`). - Changed `apijson` to `apijsoncustom` in `model.go` and `resource.go`. This is based on similar fixes done for #5909 * chore(logpull_retention): update acceptance test (#6277) This updates `logpull_retention` test: 1. Add import test. 2. Switch to Plan and State Checks from legacy Checks. Test passes locally: ``` go test ./internal/services/logpull_retention -run "^TestAccLogpullRetention" -v -count 1 === RUN TestAccLogpullRetention_Basic --- PASS: TestAccLogpullRetention_Basic (10.48s) PASS ok github.com/cloudflare/terraform-provider-cloudflare/internal/services/logpull_retention 10.487s ``` * chore(zone_dnssec): v4 to v5 migration tests for zone_dnssec (#6432) TF_ACC=1 TF_MIGRATE_BINARY_PATH=~/cf-repos/terraform-devstack/tf-migrate/tf-migrate go test -v -run "TestMigrate" ./internal/services/zone_dnssec === RUN TestMigrateZoneDNSSECBasic --- PASS: TestMigrateZoneDNSSECBasic (15.62s) === RUN TestMigrateZoneDNSSECWithModifiedOn --- PASS: TestMigrateZoneDNSSECWithModifiedOn (20.48s) === RUN TestMigrateZoneDNSSECStatusActive --- PASS: TestMigrateZoneDNSSECStatusActive (14.33s) PASS ok github.com/cloudflare/terraform-provider-cloudflare/internal/services/zone_dnssec 51.780s * chore(workers_kv): v4 to v5 migration tests for workers_kv (#6435) * chore(r2_bucket): v4 to v5 migration tests for cloudflare_r2_bucket (#6437) * chore(notification_policy_webhook): add migration test for notification-policy-webhook (#6443) * chore(zero_trust_tunnel_cloudflared_route): v4 to v5 migration tests for zero_trust_tunnel_cloudflared_route (#6409) * chore(docs): document configurations and examples (#6449) * feat(zero_trust_access_application): add proxy_endpoint for ZT Access Application (#6453) Adds a new app type for the session duration compatible app types for the zero type access application resource. The newly supported type is proxy_endpoint. * chore(universal_ssl_setting): add acceptance tests for universal_ssl_setting - Add TestAccCloudflareUniversalSSLSetting_Basic with create, update, and import steps - Validates resource adoption with enabled = true - Validates update to enabled = false - Validates terraform import functionality with ImportStateVerify - Add testdata template for universal SSL setting configuration * feat(zero_trust_dlp_predefined_profile): Switch DLP Predefined Profile endpoints, introduce enabled_entries attribute The new endpoints contain a new field `enabled_entries` which will be the preferred way to manage entries within a predefined profile. The existing `entries` field will be supported but now be computed optional * feat(zero_trust_tunnel_cloudflared): v4 to v5 migration tests (#6461) * provider migration test for zero-trust-device-posture-rule Co-authored-by: cortlyons <cortlyons@cloudflare.com> * Deprecate API Shield Schema Validation resources (#6446) This change reflects the deprecation of the API Shield schema validation APIs to terraform. The deprecation notice for each of them mentions the replacements. * fix(pages_project): unintended resource state drift (#6377) * fix(cloudflare_worker+cloudflare_worker_version): import for the resources (#6357) * fix: cloudflare_worker resource can be cleanly imported - Add plan modifiers for created_on and updated_on to prevent these properties from incorrectly appearing in the diff - Fill in all default values to prevent user-configurable properties from being marked as unknown - These were causing an unnecessary update to be performed on import * fix: cloudflare_worker_version resource can be cleanly imported - Allow in-place updates to write provider-only attributes (module content_file) to state - This allows the resource to be imported without recreation * fix(workers_script): allow config.run_worker_first to accept list input - This property can either be a boolean or list of strings, the API accepts both - Update resource to accept list of strings in addition to boolean values * feat(worker_version): boolean support for run_worker_first (#6407) * chore: add support for boolean run_worker_first * chore: adding upgrade test --------- Co-authored-by: Chris Thorwarth <cthorwarth@cloudflare.com> * feat(worker_version): add content_base64 support * fix(pages_domain): resource tests (#6338) * chore(api): update composite API spec --------- Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com> Co-authored-by: Chris Thorwarth <cthorwarth@cloudflare.com> * fix(workers_kv): updating workers metadata attribute to be read from endpoint (#6386) Co-authored-by: Chris Thorwarth <cthorwarth@cloudflare.com> * feat(workers_script_subdomains): add import support (#6375) Co-authored-by: Chris Thorwarth <cthorwarth@cloudflare.com> * fix(workers_kv): multipart request (#6367) * chore(api): update composite API spec * fix: multipart request in cloudflare_workers_kv --------- Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com> Co-authored-by: Chris Thorwarth <cthorwarth@cloudflare.com> * fix(zero_trust_tunnel_cloudflared_config): remove warp_routing from cloudflared_config (#6471) Co-authored-by: João "Pisco" Fernandes <joaocarlos@cloudflare.com> * chore(workers_script): add workers scripts sweeper (#6351) * chore(api): update composite API spec * chore: adding sweeper * chore: adding sweeper for workers --------- Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com> Co-authored-by: Chris Thorwarth <cthorwarth@cloudflare.com> * fix(dns_record): inconsistent apply error (#6452) * chore(dns_record): rename testdata * chore(dns_record): update test data refs * fix(dns_record): method to compare two dns records are equal * fix(dns_record): inconsistent apply * fix(account_token)!: token policy order and nested resources (#6440) * removing computed fields to fix policy order * using jsonencode for resources * feat(api_token+account_tokens): state upgrader and schema bump (#6472) * feat(api_token): api token migrator - state upgrader for api tokens - migration test - bumps schema version to 1 * feat(account_token): account token migrator - state upgrader for account tokens - migration test - bumps schema version to 1 * chore(zt_access): add sweepers for policy and service token (#6465) * fix(zero_trust_device_custom_profile): resolve drift issues (#6364) Adds UseStateForUnknown plan modifier for some computed attributes Co-authored-by: Tyler Stanish <tstanish@cloudflare.com> * fix: allow r2_bucket_event_notification to be applied twice without failing (#6419) * chore(zone_settings): acceptance test to repro issue #6363 (#6445) * fix(zero_trust_device_custom_profile_local_domain_fallback): drift issues (#6365) When domains are not specified in alphabetical order, the plan shows changes after refreshing from the API. This is because the API returns them in alphabetical order. To resolve, this change switches the zero_trust_device_custom_profile_local_domain_fallback attribute from a list to set. Co-authored-by: Tyler Stanish <tstanish@cloudflare.com> * TUN-9846: Fix cloudflare_zero_trust_tunnel_warp_connector_token datasource * chore(workers_script): fix resource names in tests * chore(workers_script): fix resource name in TestAccCloudflareWorkerScript_ModuleWithDurableObject * fix(queue_consumer): id population (#6181) * resolves #5652 * Unifying queue consumer script and script_name in terraform state * Populate queue consumer info in queue resource * Modify mtls resource and mtls, org, and app tests * feat(api): api update * fixing bad merge * Marking consumer_id as computed because it is generated from the create consumer response * Adding tests for queue_consumer * Refactoring tests to have test configs in files * Adding more tests for different config cases * Updating queue consumer tests --------- Co-authored-by: Alex Holland <aholland@cloudflare.com> Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com> * feat: chore(build): point Terraform to released Go v6.3.0 * chore(build): point Terraform to released Go v6.3.0 * feat(docs): make docs explicit when a resource does not have import support * chore(docs): generate docs and examples * chore(queue_consumer): testdata refactor * chore(ci): clean up leftover files in resources (#6474) * chore(zero_trust_connectivity_directory_service): cleanup leftovers * chore(zero_trust_access_policy): cleanup duplicate test main * chore(ci): fixes for parity tests and build failures (#6475) * chore(api_token): skip migration tests if tf_acc is not set * chore(list): fix schema parity tests * chore(email_routing_catch_all): fix build error * fix(zero_trust_gateway_policy): schema parity tests * chore(ci): drop migration tests from CI (#6476) * chore(ci): fix tests ran on release PR (#6478) * chore(ci): modify sweepers (#6479) * chore(organizations): sweeper * chore(zero_trust_tunnel_cloudflared): comment out sweeper, infinite loop? * chore(zero_trust_tunnel_cloudflared_virtual_network): dont swallow error * release: 5.13.0 --------- Co-authored-by: Musa Jundi <musa@cloudflare.com> Co-authored-by: Vaishak Dinesh <vaishakpdinesh@gmail.com> Co-authored-by: Eric Fang <github@accounts.unkies.org> Co-authored-by: yihuaf <yihuaf@cloudflare.com> Co-authored-by: Tamás Józsa <tamas@cloudflare.com> Co-authored-by: Andrew Mitchell <32021055+mitch292@users.noreply.github.com> Co-authored-by: Jan <1324490+janrueth@users.noreply.github.com> Co-authored-by: Gabriel Massadas <5445926+G4brym@users.noreply.github.com> Co-authored-by: Edward Cort Lyons <Lyons.Cort@gmail.com> Co-authored-by: cortlyons <cortlyons@cloudflare.com> Co-authored-by: Samuel <6132869+SamuelDev@users.noreply.github.com> Co-authored-by: scabell <scabell@cloudflare.com> Co-authored-by: Rotem Atzaba <rotem@cloudflare.com> Co-authored-by: Sarah Sicard <18204584+ssicard@users.noreply.github.com> Co-authored-by: Max Peterson <64494795+maxwellpeterson@users.noreply.github.com> Co-authored-by: Sohei Okamoto <sohei@cloudflare.com> Co-authored-by: Alex Holland <aholland@cloudflare.com> Co-authored-by: ang-cloudflare <ang@cloudflare.com> Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com> Co-authored-by: Cina Saffary <cina@cloudflare.com> Co-authored-by: Max Peterson <mpeterson@cloudflare.com> Co-authored-by: christhorwarth <chris.thorwarth@gmail.com> Co-authored-by: Chris Thorwarth <cthorwarth@cloudflare.com> Co-authored-by: João "Pisco" Fernandes <joaocarlos@cloudflare.com> Co-authored-by: Steve Conrad <sconrad@cloudflare.com> Co-authored-by: Tyler Stanish <tystanish@gmail.com> Co-authored-by: Tyler Stanish <tstanish@cloudflare.com> Co-authored-by: Carol Xu <37486071+Carolx715@users.noreply.github.com> Co-authored-by: Vaishak Dinesh <vaishak@cloudflare.com> Co-authored-by: jkoe-cf <152918105+jkoe-cf@users.noreply.github.com>
release: 5.12.0 (#6292) * feat: modernize zero_trust_tunnel_cloudflared_virtual_network tests and improve (#6293) coverage - Convert legacy resource.TestCheckResourceAttr to modern ConfigStateChecks - Add proper CheckDestroy function for resource cleanup verification - Enhance test coverage with minimal configuration test case - Add comprehensive state validation with computed attribute checks * feat: modernize zero_trust_tunnel_cloudflared_config tests and fix warp_routing (#6294) schema - Convert legacy resource.TestCheckResourceAttr to modern ConfigStateChecks - Add comprehensive tfjsonpath navigation for nested attributes - Fix warp_routing Unknown value issue by flattening to warp_routing_enabled - Add proper schema defaults and provider implementation - Update both resource and data source models * feat: chore: use cloudflare-go@next for the 'next' branch * chore: use cloudflare-go@next for the 'next' branch * chore(internal): codegen related update * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(internal): codegen related update * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * fix: enable skipped gateway policy tests and simplify quarantine test (#6296) Enable previously skipped Zero Trust gateway policy tests that were disabled due to feature flag and enterprise requirements. Simplify quarantine test to use single file type to avoid ordering issues. - Enable TestAccCloudflareTeamsRule_HTTP_Quarantine test - Enable TestAccCloudflareTeamsRuleEgressDedicated test - Uncomment testAccCloudflareTeamsRuleConfigEgressDedicated helper function - Simplify quarantine test to use single pdf file type - Remove outdated skip comments and commented code blocks * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(zerot trust dl resources): Add acceptance tests for DLP resources (rebased version of !5751) (#6233) * Add acceptance tests for DLP entries * Add acceptance tests for DLP profiles * added a deprecation date for the entries field * removed the changes to internal/services/zero_trust_dlp_integration_entry/schema.go so that they can be made at the openapi yaml level in our repo * fixed accidental change * Added Vaishak's suggested tests Co-authored-by: Vaishak Dinesh <vaishakpdinesh@gmail.com> * deprecated => sunset --------- Co-authored-by: jjohnson <jjohnson@cloudflare.com> Co-authored-by: Vaishak Dinesh <vaishakpdinesh@gmail.com> * codegen metadata * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(pages_project): only sweep pages projects resources created during testing (#6298) * chore(pages_project): update CLOUDFLARE_PAGES_OWNER and CLOUDFLARE_PAGES_REPO used for acceptance tests (#6300) * chore(api): update composite API spec * chore(api): update composite API spec * chore(r2_bucket_lock, r2_bucket_lifecycle): add acceptance tests (#6299) * chore(api): update composite API spec * fix: fix zero_trust_dex_test tests (#6301) * fix(cloudflare_workflow): download dependencies for workflow resource acceptance tests (#6302) * chore(api): update composite API spec * chore(api): update composite API spec * fix(cloudflare_workers_script): Update docs note for resource (#6304) - Soften language around deprecation based on customer feedback - Explicitly call out cloudflare_worker and cloudflare_worker_version resources as beta * test(r2_custom_domain): add acceptance tests (#6312) * test: add acceptance tests for r2_custom_domain resource * test: update r2 custom domain tests with additional scenarios + randomized subdomain --------- Co-authored-by: Vaishak Dinesh <vaishakpdinesh@gmail.com> * chore: fix errors in `cloudflare_pages_project` acceptance tests (#6318) This follows up #6298 to fix some errors introduced into the test, as well as fixing some longstanding errors in the assumed resource schema used in test cases and config files. This also removes `ExpectNonEmptyPlan: true` from several test cases that were masking false drift problems in the resource. Several tests have been temporarily marked as skipped waiting on upstream fixes to the resource to land. * chore(api): update composite API spec * chore(internal): codegen related update * codegen metadata * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(internal): codegen related update * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * chore(internal): codegen related update * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * fix: correctly detect more ID attributes for data sources * chore(api): update composite API spec * fix: read by id data sources should have required IDs * codegen metadata * chore(api): update composite API spec * feat: fix(content_scanning): content scanning terraform resource * feat(content_scanning): Add content scanning terraform resource * codegen metadata * fix(internal): correctly generate schema according to annotations * codegen metadata * chore(api): update composite API spec * chore(internal): codegen related update * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(internal): codegen related update * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(zero_trust_dlp_custom_profile): shared_entries acceptance tests (#6317) * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * codegen metadata * feat: feat: SDKs for Organizations and OrganizationsProfile * chore: Add back in skips for Org accounts * chore: Maintain skips in Organization-Members resource * chore: remove codegen skips from Orgs related resources * chore(api_shield): Acceptance tests increase coverage (#6325) This change adds acceptance tests for the api_shield resource. * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * feat(zero_trust_access_application): Add support for MCP & MCP_PORTAL (#6326) * chore(zero_trust_network_hostname_route): Add acceptance tests for Hostname Routes (#6282) * fix(zero_trust_access_service_token): client secret versioning (#6328) * fix(notification_policy): address drift due to unordered lists, converted to sets (#6316) Co-authored-by: Henry Clausen <hclausen@cloudflare.com> * chore(organizations and organization_profiles): Acceptance Tests and wait after create (#6329) * feat: Add Organizations Acceptance Tests * orgs profile tests * chore: Add a sleep to orgs create, because of 403 issue. * Chore: remove the 30s sleep in update. * fix(cloudflare_r2_bucket_sippy): attribute name in example (#6336) * fix(migrate): add target flag to specify resources (#6324) * feat: fix(workers_domain): treat `PUT /workers/domains` as a create operation * fix(workers_domain): treat `PUT /workers/domains` as a create operation * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * feat: feat(api): add mcp portals endpoints * feat: feat(radar): add new group by dimension endpoints; deprecate to_markdown endpoint * chore(api): update composite API spec * chore(zero_trust_connectivity_directory_service): Add wvpc / connectivity directory servic acceptance tests (#6334) * Add acceptance tests for content_scanning (#6344) * chore(api): update composite API spec * codegen metadata * feat: feat: add connectivity directory service APIs to openapi.stainless.yml * fix: add proper terraform annotations to connectivity_directory_service * feat: add connectivity directory service APIs to openapi.stainless.yml * chore(api): update composite API spec * chore(queue): Acceptance tests (#6339) * fix(cloudflare_worker_version): replace when module content_sha256 value changes (#6335) - Previously, Terraform would attempt to update the resource in-place when module content_sha256 was the only change, but this resource can't be updated in-place - Instead, the resource should be replaced when any module content_sha256 value changes * chore(logpush_jobs): Add tests from basic to full fields, and changes on omitempty field (#6337) This adds tests in `logpush_jobs` for changing from basic to full fields, and changes on `omitempty` field. * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * feat: chore(abuse): rename path parameter * chore(abuse): rename path parameter * fix(workers_version): inconsistent binding order causing inconsistent result after apply (#6342) * chore(organizations): wire up acceptance test in CI (#6349) * chore: wire up organizations acceptance test * chore: use email in plain text * fix(account_member): update policies test by selecting correct resource group (#6352) * chore(api): update composite API spec * feat: ci: trigger prod build * ci: trigger prod build * bug(cloudflare_list): don't explicitly import nested items (#6262) Co-authored-by: Brad Swenson <bswenson@cloudflare.com> * chore: update pr template (#6359) * codegen metadata * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * feat: chore: pin cloudflare-go for provider release * fix(zero_trust_dex_test): fix duplicate key, imports (#6366) Fixes some invalid code in `zero_trust_dex_test`: - removes duplicate `targeted` attribute - adds missing `customfield` import * fix(custom_pages): update type enumerations (#6369) Enumeration values for the validator were somehow removed, most likely a bad conflict resolution. This patch adds them back. * fix(zero_trust_dex_test): ensure model/schema parity (#6370) Updates the `zero_trust_dex_test` resource to align the models' and schemas' `target_policies` attribute. * fix(custom_pages): fix broken tests (#6372) * feat: ci: remove zero_trust_connectivity_directory_service This resource was never released and will be renamed to just `connectivity_directory_service` in the future. This patch just removes the resource for now so we can release the provider. * fix: restore missing testdata (#6378) * fix(organization): restore missing testdata Restores custom code that was incorrectly removed as part of a conflict resolution. * fix(workflow): restore missing testdata Restores custom code that was incorrectly removed as part of a conflict resolution. * docs: generate terraform documentation (#6384) * fix: ensure model/schema parity across several resources (#6379) * fix(organization): fix model/schema parity * fix(r2_bucket_event_notification): fix model/schema parity * fix(zero_trust_access_application): fix model/schema parity * fix(zero_trust_dex_test): fix model/schema parity * fix(zero_trust_network_hostname_route): drop unnecessary prechecks * ci(organization): termporarily skip model/schema parity checks * chore(organization_profile): add org id env variable for acceptance tests (#6382) * ci: fix acceptance tests (#6385) * fix(queue): fix bad test data * ci(zone_dnssec): skip bad test Skipping since this test is consistently failing auth. This is consistent across v5.11.0 and the new release branch. ``` === RUN TestAccCloudflareZoneDNSSEC_Presigned resource_test.go:196: Step 1/2 error: Error running apply: exit status 1 Error: failed to make http request with cloudflare_zone_dnssec.urnfhldnml, on terraform_plugin_test.tf line 11, in resource "cloudflare_zone_dnssec" "urnfhldnml": 11: resource "cloudflare_zone_dnssec" "urnfhldnml" { PATCH "https://api.cloudflare.com/client/v4/zones/e3f462b432dd82b7329cc29bbbb4e8a6/dnssec": 403 Forbidden {"success":false,"errors":[{"code":10000,"message":"Authentication error"}]} ``` * fix(custom_pages): fix bad waf_challenge tests The `waf_challenge` type doesn't appear in the OpenAPI definition any more. Updating existing migration tests to use country_challenge instead. * fix(queue): work around inconsistent CRUD API Adds custom code to the `queue` resource to work around the API's inconsistent responses. The response payloads differ depending on the operation, causing issues withstate. ``` --- FAIL: TestAccCloudflareQueue_Basic (8.85s) resource_test.go:154: Step 3/3 error running import: ImportStateVerify attributes not equivalent. Difference is shown below. The - symbol indicates attributes missing after import. map[string]string{ + "consumers_total_count": "0", + "producers_total_count": "0", } ``` This patch ensure that ConsumersTotalCount and ProducersTotalCount are set to 0 when (and only if) the API doesn't return these fields. * ci(zero_trust_tunnel_cloudflared_virtual_network): fix broken sweeper * Revert " bug(cloudflare_list): don't explicitly import nested items (#6262)" (#6389) This reverts commit ea04616. * ci: fix acceptance tests (round 2) (#6390) * fix(queue): fix bad testdata Fixes invalid testdata for queues. ``` --- FAIL: TestAccCloudflareQueue_Settings_UpdateRetention (3.85s) resource_test.go:60: Step 1/2 error: Error running apply: exit status 1 Error: failed to make http request with cloudflare_queue.qnwlkvehqj, on terraform_plugin_test.tf line 11, in resource "cloudflare_queue" "qnwlkvehqj": 11: resource "cloudflare_queue" "qnwlkvehqj" { POST "https://api.cloudflare.com/client/v4/accounts/f037e56e89293a057740de681ac9abbe/queues": 400 Bad Request { "result": null, "success": false, "errors": [ { "code": 100128, "message": "Queue 'qnwlkvehqj' has invalid settings: message_retention_period must be between 60 and 1209600 seconds." } ], "messages": [] } ``` * ci(queue): skip TestAccCloudflareQueue_Settings_UpdateDeliveryPaused Skips the `TestAccCloudflareQueue_Settings_UpdateDeliveryPaused` test for now until the API changes can make their way through codegen. ``` --- FAIL: TestAccCloudflareQueue_Settings_UpdateDeliveryPaused (8.85s) resource_test.go:29: Step 2/2 error: After applying this test step, the refresh plan was not empty. stdout Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # cloudflare_queue.tdcolxmjmr will be updated in-place ~ resource "cloudflare_queue" "tdcolxmjmr" { ~ consumers = [] -> (known after apply) ~ consumers_total_count = 0 -> (known after apply) ~ created_on = "2025-10-29T20:40:33.662817Z" -> (known after apply) id = "99f0751ecf114c38a90a8cebce0a0ff5" ~ modified_on = "2025-10-29T20:40:36.647573Z" -> (known after apply) ~ producers = [] -> (known after apply) ~ producers_total_count = 0 -> (known after apply) ~ settings = { ~ delivery_delay = 0 -> (known after apply) + delivery_paused = true ~ message_retention_period = 345600 -> (known after apply) } # (3 unchanged attributes hidden) } ``` Root cause is that the API doesn't return `delivery_paused` in the response following the PUT request: ``` PUT /client/v4/accounts/f037e56e89293a057740de681ac9abbe/queues/3323539e98874020bf94c14ff44fd961 { "queue_name": "smyqtafgoi", "settings": { "delivery_paused": true } } ``` ``` HTTP 200 { "errors": [], "messages": [], "result": { "created_on": "2025-10-29T22:38:19.234751Z", "modified_on": "2025-10-29T22:38:22.327117Z", "queue_id": "3323539e98874020bf94c14ff44fd961", "queue_name": "smyqtafgoi", "settings": { "delivery_delay": 0, "message_retention_period": 345600 } }, "success": true } ``` * fix(ruleset): skip invalid test Mirage and the Disable Apps feature are currently deprecated, but it looks like they've been partially EOL'd. ``` --- FAIL: TestAccCloudflareRuleset_SetConfigRules (10.45s) ruleset_test.go:6489: Step 2/4 error: Error running apply: exit status 1 Error: failed to make http request with cloudflare_ruleset.my_ruleset, on 2.tf line 3, in resource "cloudflare_ruleset" "my_ruleset": 3: resource "cloudflare_ruleset" "my_ruleset" { PUT "https://api.cloudflare.com/client/v4/zones/0da42c8d2132a9ddaf714f9e7c920711/rulesets/b42c166fd6b34f54996fb6e4e093c6cd": 400 Bad Request { "result": null, "success": false, "errors": [ { "code": 20251, "message": "disable_apps is deprecated", "source": { "pointer": "/rules/0/action_parameters/disable_apps" } }, { "code": 20252, "message": "mirage has been deprecated and will be ignored", "source": { "pointer": "/rules/0/action_parameters/mirage" } } ], "messages": [] } ``` * fix(zero_trust_dlp_custom_profile): fix read, refresh, import (#6391) Acceptance tests were failing on a non-empty refresh plan. ``` === RUN TestAccCloudflareZeroTrustDlpCustomProfile_Basic resource_test.go:46: Step 2/3 error: After applying this test step, the refresh plan was not empty. stdout Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # cloudflare_zero_trust_dlp_custom_profile.garhxylojy will be updated in-place ~ resource "cloudflare_zero_trust_dlp_custom_profile" "garhxylojy" { ~ ai_context_enabled = false -> true ~ created_at = "2025-10-30T01:33:30Z" -> (known after apply) id = "15e4364d-3692-42f6-b8c9-ec7b8818a944" name = "garhxylojy-updated" + open_access = (known after apply) ~ type = "custom" -> (known after apply) ~ updated_at = "2025-10-30T01:33:34Z" -> (known after apply) # (5 unchanged attributes hidden) } Plan: 0 to add, 1 to change, 0 to destroy. ``` Fixes: - updated the Read operation to use `apijson.UnmarshalComputed`; makes attributes like `ai_context_enabled` visible for state - use `UseStateForUnknown` for `creted_at` - use `ImportStateVerifyIgnore` to work around inconsistent CRUD * fix(zero_trust_tunnel_cloudflared_virtual_network): fix sweeper panics (#6392) Fixes panics observed in CI when sweepers run for the `zero_trust_tunnel_cloudflared_virtual_network` resource. ``` 2025/10/30 00:16:16 [DEBUG] Running Sweepers for region (all): 2025/10/30 00:16:16 [DEBUG] Running Sweeper (cloudflare_zero_trust_tunnel_cloudflared_virtual_network) in region (all) 2025/10/30 00:16:16 [DEBUG] Completed Sweeper (cloudflare_zero_trust_tunnel_cloudflared_virtual_network) in region (all) in 294.541µs Error: /30 00:16:16 [ERROR] Error running Sweeper (cloudflare_zero_trust_tunnel_cloudflared_virtual_network) in region (all): missing required account_id parameter FAIL github.com/cloudflare/terraform-provider-cloudflare/internal/services/zero_trust_tunnel_cloudflared_virtual_network 0.014s FAIL ⚠ Sweeper failed, retrying in 4s... ``` * docs: generate provider documentation (#6394) * release: 5.12.0 --------- Co-authored-by: Tamás Józsa <tamas@cloudflare.com> Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com> Co-authored-by: Louis Sven Goulet <31444858+lorlouis@users.noreply.github.com> Co-authored-by: jjohnson <jjohnson@cloudflare.com> Co-authored-by: Vaishak Dinesh <vaishakpdinesh@gmail.com> Co-authored-by: Cina Saffary <cina@cloudflare.com> Co-authored-by: carolxu-maker <cxu@cloudflare.com> Co-authored-by: Caio Nogueira <56550668+Caio-Nogueira@users.noreply.github.com> Co-authored-by: Max Peterson <64494795+maxwellpeterson@users.noreply.github.com> Co-authored-by: Joshua Johnson <jspspike@gmail.com> Co-authored-by: Jan <1324490+janrueth@users.noreply.github.com> Co-authored-by: Eduardo Gomes <technikome@gmail.com> Co-authored-by: Gonçalo <GoncaloGarcia@users.noreply.github.com> Co-authored-by: Alex Holland <aholland@cloudflare.com> Co-authored-by: Henry Clausen <33390934+hc2116@users.noreply.github.com> Co-authored-by: Henry Clausen <hclausen@cloudflare.com> Co-authored-by: shwetangd <shwetang@cloudflare.com> Co-authored-by: Eric Falcao <efalcao@gmail.com> Co-authored-by: George <gyoxall@cloudflare.com> Co-authored-by: jkoe-cf <152918105+jkoe-cf@users.noreply.github.com> Co-authored-by: Sohei Okamoto <sohei@cloudflare.com> Co-authored-by: Adam Bouhmad <adbouhmad@gmail.com> Co-authored-by: Brad <broswen@users.noreply.github.com> Co-authored-by: Brad Swenson <bswenson@cloudflare.com> Co-authored-by: Michael Girouard <206137+mgirouard@users.noreply.github.com>
release: 5.11.0 (#6208) * chore: skip mtls migration test (#6207) * fix: workers script migration (#6210) * chore: run migration tests with sweepers (#6209) * chore(api): update composite API spec * fix: case-insensitive location handling for R2 bucket resources (#6026) * chore(api): update composite API spec * feat(api): api update * chore(test): use no-grit by default when running migration tests (#6214) * fix(migrate): page rules status defaults (#6212) * fix(migrate): page rules status * chore(resource): migration tests * fix(migrate): concatenate static and dynamic rules blocks (#6215) * fix(migrate): zt access app default type (#6218) * fix(r2_bucket): case-insensitive location comparison and preserve state case in R2 bucket resource (#6211) * feat: add case-insensitive location handling for R2 bucket resources * handle case-insensitive location comparison and preserve state case in R2 bucket resource * chore(migrate): remove debug statements from migration tool (#6223) * fix: resolve provider schema validation errors and R2 bucket test failures (#6222) - Fix workers_script schema: add Computed: true to version_id attribute with default value - Fix worker_version schema: remove WriteOnly: true from jwt attribute under Computed assets - Add missing VersionID field to WorkersScriptMetadataBindingsModel (26→27 attributes) - Fix R2 bucket creation_date refresh drift with UseStateForUnknown() plan modifier - Add locationNormalizePlanModifier for case-insensitive location handling - Update R2 bucket test expectations to match actual case-preservation behavior Resolves schema validation panics in migration tests introduced by commits: - d57ee84 (feat: api update) - 45fef7a (chore: update composite API spec) * fix: resolve zero trust test failures from computed attribute refresh drift (#6224) - Add UseStateForUnknown() plan modifiers to created_at/updated_at in zero_trust_access_application schema - Add UseStateForUnknown() plan modifiers to created_at/updated_at/app_count in zero_trust_access_custom_page schema - Change app_count from Optional to Computed in zero_trust_access_custom_page to match API behavior Resolves refresh plan drift where timestamp and count attributes were causing non-empty plans during test refreshes, leading to test failures across the zero trust access test suites. Tests now passing: - TestAccCloudflareAccessApplication_BasicAccount/BasicZone - TestAccCloudflareAccessApplicationDataSource_AccountName - TestAccCloudflareAccessCustomPage_IdentityDenied/Forbidden * feat(api): api update * feat(api): api update * codegen metadata * codegen metadata * codegen metadata * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * codegen metadata * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * feat: Merge branch 'vaishak/update-version' into 'main' chore: point to next See merge request cloudflare/sdks/cloudflare-config!127 * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(internal): codegen related update * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * feat: Merge branch 'mpeterson/IAC-224-workflow' into 'main' feat: IAC-224 Add Terraform resource for Workflows Closes IAC-224 See merge request cloudflare/sdks/cloudflare-config!125 * chore: ensure `tfplugindocs` always use `/var/tmp` for compilation on linux * codegen metadata * chore(internal): codegen related update * codegen metadata * codegen metadata * chore(internal): codegen related update * feat: Merge branch 'dianatran/SECENG-8771' into 'main' feat: SECENG-8771 add custom origin trust store to stainless config Closes SECENG-8771 See merge request cloudflare/sdks/cloudflare-config!102 * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * codegen metadata * chore(internal): codegen related update * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * chore: do not install brew dependencies in ./scripts/bootstrap by default * codegen metadata * chore(internal): codegen related update * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * fix: resolve compilation errors in zero_trust_access_application and workers_script (#6230) schema - Fix SaaSApp type mismatch in zero_trust_access_application normalizations.go and plan_modifiers.go - Add Computed: true to bindings.version_id attribute in workers_script schema - Remove unused basetypes import from plan_modifiers.go * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(internal): codegen related update * codegen metadata * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * chore: improve example values * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * add comprehensive tests for regional tiered cache resource (#6213) Co-authored-by: Vaishak Dinesh <vaishakpdinesh@gmail.com> * Modernize & Improve Acceptance tests for workers_kv and custom_namespace (#6235) * test: modernize cloudflare_workers_kv acceptance tests and improve coverage - Replace legacy resource.TestCheckResourceAttr with ConfigStateChecks using statecheck.ExpectKnownValue - Add ConfigPlanChecks for update scenarios with proper plan validation - Remove t.Parallel() calls per project guidelines - Update imports to include knownvalue, statecheck, and tfjsonpath packages Comprehensive coverage improvements: - Add TestAccCloudflareWorkersKV_ValueUpdate with minimal diff validation - Add TestAccCloudflareWorkersKV_EmptyValue for edge case empty values - Add TestAccCloudflareWorkersKV_LargeValue testing 1MB values (within 25MB limit) - Add TestAccCloudflareWorkersKV_SpecialCharactersInKey for key validation - Add TestAccCloudflareWorkersKV_InvalidJSONMetadata with error pattern validation - Add TestAccCloudflareWorkersKV_InvalidImportID testing malformed import IDs - Add TestAccCloudflareWorkersKV_MetadataUpdate for metadata-only updates Test coverage increased from 4 to 10 comprehensive test scenarios covering: - Basic CRUD operations with modern assertions - Edge cases (empty values, large values, special characters) - Error handling (invalid JSON, malformed imports) - Update scenarios with plan validation - Import/export robustness testing * test: modernize cloudflare_workers_kv_namespace acceptance tests and improve coverage - Replace legacy resource.TestCheckResourceAttr with ConfigStateChecks using statecheck.ExpectKnownValue - Add ConfigPlanChecks for update scenarios with proper plan validation - Remove t.Parallel() calls per project guidelines - Upgrade from deprecated v1 to modern v6 cloudflare-go client - Update imports to include knownvalue, statecheck, tfjsonpath, and plancheck packages Comprehensive coverage improvements: - Add TestAccCloudflareWorkersKVNamespace_SpecialCharactersInTitle for complex title validation - Add TestAccCloudflareWorkersKVNamespace_AccountIDForcesRecreation for schema validation - Add TestAccCloudflareWorkersKVNamespace_InvalidImportID testing malformed import IDs - Add TestAccCloudflareWorkersKVNamespace_LongTitle for edge case title lengths - Add TestAccCloudflareWorkersKVNamespace_MultipleUpdates for sequential update validation Test coverage increased from 1 to 6 comprehensive test scenarios covering: - Basic CRUD operations with modern assertions - Edge cases (special characters, long titles, multiple updates) - Error handling (invalid imports, malformed IDs) - Schema validation (computed fields, plan modifiers) - Import/export robustness testing * test: modernize cloudflare_custom_hostname acceptance tests and improve coverage - Replace legacy patterns with modern testing framework where appropriate - Add ConfigPlanChecks for zone recreation scenarios with proper plan validation - Remove t.Parallel() calls per project guidelines - Add comprehensive import testing with proper ImportStateVerifyIgnore - Update imports to include knownvalue, plancheck, statecheck, tfjsonpath, and regexp Coverage improvements and API constraint discovery: - Add TestAccCloudflareCustomHostname_InvalidHostname for hostname format validation - Add TestAccCloudflareCustomHostname_LetsEncryptCA testing alternative certificate authority - Add TestAccCloudflareCustomHostname_TLS13 for modern TLS version configuration - Add TestAccCloudflareCustomHostname_InvalidImportID testing malformed import scenarios Fix drift detection issues: - Add lifecycle ignore_changes rules to all test configurations for computed fields - Handle dynamic fields: created_at, ownership_verification, ssl.wildcard, status - Resolve refresh plan conflicts with constantly changing computed values API constraint documentation: - Certificate authorities: only lets_encrypt, google, ssl_com supported (not digicert) - Validation methods: only http, txt supported (not email) - Hostname format: cannot contain spaces, underscores, or begin/end with hyphens Test coverage increased from 8 to 12 scenarios covering: - Basic CRUD operations with modern assertions and lifecycle management - Certificate authority variations and TLS version configurations - Error handling for invalid hostnames and malformed imports - Zone recreation validation with ConfigPlanChecks - Import robustness testing with comprehensive ignore lists * fix: resolve SSL certificate transition failures in cloudflare_custom_hostname (Issue #3012) - Fix MarshalJSONForUpdate to include all required SSL fields for API updates - Add test reproducing and validating SSL certificate authority transitions - Use full marshaling for SSL updates instead of patch to meet API requirements Root cause: apijson.MarshalForPatch() only sent changed fields, but Cloudflare API requires both validation type and method to be present in all SSL updates, causing 400 Bad Request with error code 1440: 'Both validation type and validation method are required.' Fix: Override MarshalJSONForUpdate to use apijson.MarshalRoot() for SSL updates, ensuring all required fields are included in PATCH requests. Test: TestAccCloudflareCustomHostname_SSLCertificateTransition validates transitions from default certificate authority to lets_encrypt, confirming the fix resolves reported user issues with SSL configuration changes. Resolves: #3012 * Fix acceptance test failures in workers_script, worker_version, and zero_trust_access_application (#6234) * fix: workers_script and worker_version test failures - Fix unknown assets value error in worker_version resource and data source by setting computed assets field to null when not returned by API - Fix import verification failures by adding version_id fields to ImportStateVerifyIgnore lists in both services - Fix refresh plan inconsistencies by using UnmarshalComputed consistently in Read methods and adding ExpectNonEmptyPlan for legitimate API behavior - Add missing customfield import to worker_version files Resolves test failures: - TestAccCloudflareWorkerScript_ServiceWorker - TestAccCloudflareWorkerScript_ModuleUpload - TestAccCloudflareWorkerVersion_Basic - TestAccCloudflareWorkerVersionDataSource_Basic Root cause: Workers API returns different field structures between Create/Read operations, causing computed fields to appear as changed during refresh and unknown values to persist after apply operations. * fix: Fix zero_trust_access_application schema mismatch for created_at and updated_at fields - Add missing created_at and updated_at schema attributes to match model definition - Add timetypes import and UseStateForUnknown plan modifiers to prevent unnecessary plan changes for computed timestamp fields - Resolves 'Value Conversion Error: mismatch between struct and object' that was blocking TestAccCloudflareAccessPolicy_ServiceToken The ZeroTrustAccessApplicationModel struct defined CreatedAt and UpdatedAt fields but the schema was missing the corresponding attributes, causing Terraform framework conversion errors during resource operations. * fix: Enhance DNS record sweeper to handle PTR records - Add logic to clean up PTR (reverse DNS) records pointing to test domains - Include detection for .in-addr.arpa and .ip6.arpa record patterns - Target PTR records containing example.com or test content for deletion - Fixes TestMigrateDNSRecordPTRRecord failure due to existing test records The migration test was failing because existing PTR records like '1.2.0.192.in-addr.arpa -> example.com' weren't being cleaned up by the original sweeper logic, causing 'record already exists' errors. * chore: add easy sweeper script (#6220) * chore: run workers_kv and regional_hostname tests in CI (#6240) * fix: resolve compilation and schema parity errors across multiple services (#6241) - worker_version: fix duplicate imports and correct customfield.NewObject usage - zero_trust_access_application: remove unused basetypes import - zero_trust_tunnel_cloudflared_config: add missing customfield import and WARPRoutingModel definition - zero_trust_tunnel_cloudflared_config: fix JSON tag mismatches for schema parity tests * fix: Fix zero trust access application acceptance tests (#6243) - Fix ExpectNonEmptyPlan usage in resource tests based on actual API behavior - Add missing ImportStateVerifyIgnore fields for computed attributes (type, auto_redirect_to_identity, saas_app) - Enhance ImportState to fetch policies separately using Applications.Policies.List endpoint since main GET API doesn't return policies - Update test expectations to match actual updated_at field behavior across different application types * Revert "fix: Fix zero trust access application acceptance tests" (#6245) This reverts commit 3d900e0. * don't treat `bindings.*.version_id` as Computed and remove default value (#6249) The `version_id` binding property is only relevant to bindings of type `inherit`, which allow a user to specify a binding whose value should be copied from another version. If `version_id` is unspecified on an inherit binding, it's assumed to be `latest` by default As a result, the attribute was codegen'd to be Computed and have a `Default` value. However, `inherit` bindings are only valid in the context of a request and will never be returned by the API. Thus, it doesn't make sense for this attribute to be Computed (or have a default). * Remove created_at, updated_at, app_count (#6250) * Remove created_at, updated_at from saas app (#6253) * feat: add `assets.directory` attribute for handling assets uploads in `cloudflare_workers_script` and `cloudflare_worker_version` resources (#6160) * feat: modernize and fix cloudflare_zone_dnssec tests with comprehensive (#6254) coverage - Modernize test patterns from legacy resource.TestCheckFunc to ConfigStateChecks with statecheck.ExpectKnownValue() and knownvalue assertions - Fix status transition handling to properly expect 'active|pending' and 'disabled|pending-disabled' states from API - Add ExpectNonEmptyPlan handling for DNSSEC computed value drift scenarios - Fix destroy function logic for different DNSSEC activation states - Add comprehensive test coverage for all optional attributes: - TestAccCloudflareZoneDNSSEC_Basic: minimal active configuration - TestAccCloudflareZoneDNSSEC_StatusDisabled: active -> disabled lifecycle - TestAccCloudflareZoneDNSSEC_MultiSigner: dnssec_multi_signer feature - TestAccCloudflareZoneDNSSEC_UseNsec3: dnssec_use_nsec3 feature - TestAccCloudflareZoneDNSSEC_Comprehensive: all optional attributes - TestAccCloudflareZoneDNSSEC_Update: configuration transition scenarios - Unskip presigned DNSSEC test by creating dedicated secondary zone (secondary.terraform.cfapi.net) - Add proper ImportStateVerifyIgnore for computed and changing attributes - Create test data files for all configuration variants - Ensure all tests follow modern Terraform testing patterns All 10 zone_dnssec tests now pass, providing comprehensive coverage of DNSSEC configurations and API behavior. * Add validation tests for cloudflare_workflow resource (#6236) * fix(ruleset): allow rewrite rules to set an empty URL query string (#6256) Closes #6131 * Rex/acceptance tests (#6248) * chore(api): update composite API spec * tests: added acceptance tests + fixes for gateway policy + certificates + lists + settings --------- Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com> Co-authored-by: Rex Scaria <arunrex@cloudflare.com> Co-authored-by: Tamás Józsa <tamas@cloudflare.com> * feat: add comprehensive test coverage for cloudflare_zero_trust_list types and (#6258) scenarios - Add test coverage for all list type variants: DOMAIN, URL, EMAIL, IP (SERIAL already covered) - Add TestAccCloudflareTeamsList_DomainType: domain list with item descriptions - Add TestAccCloudflareTeamsList_URLType: URL list with API normalization handling - Add TestAccCloudflareTeamsList_EmailType: email address list validation - Add TestAccCloudflareTeamsList_IPType: IP address and CIDR range list validation - Add TestAccCloudflareTeamsList_EmptyList: null items handling for empty lists - Add TestAccCloudflareTeamsList_Update: item lifecycle and modification scenarios - Handle API behavior: URL normalization drift, computed field changes, null vs empty sets - Add ExpectNonEmptyPlan for URL normalization and computed field drift scenarios - Expand ImportStateVerifyIgnore for changing computed fields (created_at, updated_at, list_count) - Create comprehensive test data files for all type variants and scenarios All 8 zero_trust_list tests now pass, providing complete coverage of Zero Trust List configurations. * feat: modernize and expand cloudflare_zero_trust_access_service_token test (#6260) coverage - Modernize all tests from legacy resource.TestCheckFunc to ConfigStateChecks with statecheck.ExpectKnownValue() and knownvalue assertions - Add ConfigPlanChecks with plancheck.ExpectResourceAction() for update validation - Split multiple resource.Test() calls into separate focused test functions - Add comprehensive import verification to all tests with proper ImportStateVerifyIgnore - Add missing test coverage for secret rotation functionality: - TestAccCloudflareAccessServiceToken_Minimal: required-only attributes with default validation - TestAccCloudflareAccessServiceToken_SecretRotation: client_secret_version increments (1→2→3) - TestAccCloudflareAccessServiceToken_PreviousSecretExpiry: previous_client_secret_expires_at handling - Discover and validate API requirement: client_secret_version increments require previous_client_secret_expires_at - Create comprehensive test data files for minimal config and secret rotation scenarios - Rename test functions for clarity: BasicAccount/BasicZone, WithDurationAccount/WithDurationZone, DeleteAccount/DeleteZone All 13 zero_trust_access_service_token tests now pass with comprehensive coverage of secret rotation workflows. * feat: Modernize and expand test coverage for zero_trust_tunnel_cloudflared_route (#6264) - Modernize existing tests to use ConfigStateChecks with statecheck.ExpectKnownValue() - Add statecheck import and replace legacy resource.ComposeTestCheckFunc patterns - Add ConfigPlanChecks to update scenarios for proper plan validation - Add import testing to all positive test scenarios - Expand test coverage from 4 to 15 test functions: * IPv6 network support testing * Large CIDR block validation with /16 to /24 updates * Virtual network field support testing * Special character comment handling (within 100-char API limit) * Single IP host routes (/32) validation * Computed fields testing (created_at, deleted_at timestamps) * Various subnet sizes (/28, /30) with different CIDR ranges * Error conditions: invalid CIDR formats, malformed networks * Missing required fields validation * Invalid tunnel ID error handling * Route conflict detection (409 Conflict for duplicate networks) - Fix error test patterns to match actual API responses - Add 4 new test configuration files for comprehensive scenarios - Validate real API behavior including normalization and conflict detection * feat: Modernize and expand test coverage for zero_trust_device_posture_rule (#6259) * feat: Modernize and expand test coverage for zero_trust_device_posture_rule - Modernize all existing tests to use ConfigStateChecks with statecheck.ExpectKnownValue() - Replace legacy resource.ComposeTestCheckFunc patterns with modern testing approaches - Add plancheck import for ConfigPlanChecks validation - Add comprehensive test coverage for 6 new posture rule types: * file: Path validation, SHA256, file existence checks * application: OS-specific paths, thumbprint validation * client_certificate: Complex nested validation with extended_key_usage, locations, SANs * sentinelone: Security agent status, threat levels, network connectivity * tanium: Risk scoring, connection IDs, timestamp validation * serial_number: Device identification validation - Add update lifecycle test with ConfigPlanChecks for plan validation - Include import testing for all test scenarios with proper account_id prefix - Use appropriate knownvalue types (Bool, Float64Exact, StringExact) for type safety - Add 7 new test configuration files covering diverse input schemas - Expand coverage from 7 to 14 test functions with modern patterns * fix: correct schema parity mismatches in zero trust model tags - zero_trust_gateway_certificate: fix activate field json tag from '-' to 'activate,optional' - zero_trust_tunnel_cloudflared_config: fix config field json tag from 'config,optional' to 'config,computed_optional' Resolves TestZeroTrustGatewayCertificateModelSchemaParity and TestZeroTrustTunnelCloudflaredConfigModelSchemaParity test failures by aligning model JSON tags with their corresponding schema definitions. * tests: add acceptance tests for r2_managed_domain and r2_bucket_cors resources (#6269) * chore(zero_trust_dex_test): Updated acceptance tests (#6183) * feat: add missing services to CI test runner (#6271) Added zero_trust_device_posture_rule, zero_trust_gateway_policy, and zone_dnssec to the ALL_SERVICES array in scripts/run-ci-tests to ensure these services are included in CI test runs. All services maintained in alphabetical order. * feat: modernize and expand test coverage for zero_trust_gateway_policy (#6266) - Modernize existing tests to use ConfigStateChecks and ConfigPlanChecks - Add 8 new test cases covering missing action types and scenarios - Add comprehensive CRUD testing with import verification - Test DNS override, HTTP redirect, egress, safesearch, and resolve policies - Add minimal→maximal attribute progression testing - Replace legacy TestCheckFunc patterns with modern statecheck assertions - Add testdata files for all new test scenarios * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * chore(internal): codegen related update * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * chore(internal): codegen related update * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * chore(internal): codegen related update * feat: docs(iam): Adding new self-service SSO APIs * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * fix: bugfix for setting JSON keys with special characters * feat: docs(iam): Changing SSO update from put to patch * codegen metadata * codegen metadata * codegen metadata * chore(internal): codegen related update * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * chore(internal): codegen related update * codegen metadata * codegen metadata * chore(api): update composite API spec * chore(mcp): allow pointing `docs_search` tool at other URLs * codegen metadata * codegen metadata * chore(internal): codegen related update * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(internal): codegen related update * codegen metadata * codegen metadata * codegen metadata * chore(internal): codegen related update * feat: added capability for `dynamicvalidator` to do arbitrary semantic equivalence check * feat: fix(api): RAG-286: Add to_markdown subresource to AI resource * fix(api): RAG-286: Add to_markdown subresource to AI resource * feat: chore(zero_trust_access_application): fix config for disabling codegen in access_application * chore(zero_trust_access_application): fix config for disabling codegen in access_application * chore(internal): codegen related update * fix(list_item): source url validation (#6226) * bug: skip source_url validation if value is missing * chore: add list_item acceptance test for locals validation --------- Co-authored-by: Brad Swenson <bswenson@cloudflare.com> * feat: fix(ai): rename duplicate parameter in the to_markdown subresource * fix(ai): rename duplicate parameter in the to_markdown subresource * chore(internal): codegen related update * fix(build): fix broken builds on 'next' (#6280) * fix(build): sync SHA for Go SDK dependency with latest commit on 'next' * fix(build): add zero_trust_access_application back * feat: modernize and improve cloudflare_pages_project test coverage (#6274) - Modernize all tests to use ConfigStateChecks with statecheck.ExpectKnownValue - Replace legacy resource.ComposeTestCheckFunc patterns with modern testing - Add comprehensive test coverage with 5 new test cases: * Update lifecycle tests (add/remove optional attributes) * Full configuration test covering all deployment bindings * Environment variable type validation (plain_text/secret_text) * Preview deployment setting enum tests (all/none/custom) - Add TestMain and sweeper for automated resource cleanup - Create destroy verification function with proper API integration - Add import verification steps to all test cases - Fix schema access patterns for SingleNestedAttribute fields - Handle API default values with ExpectNonEmptyPlan for refresh plan diffs - Add comprehensive ImportStateVerifyIgnore for computed/sensitive fields - Enable 4 tests to run with default account (44% improvement) - Add modern ConfigPlanChecks for update scenario validation Tests now cover all optional attributes, enum values, lifecycle operations, and deployment binding types with modern Terraform testing patterns. * TUN-9814: Update virtual network resource (#6270) * TUN-9814: Update virtual network resource * remove acc check * TUN-9813: Update cloudflared config resource (#6272) * TUN-9813: Update cloudflared config resource * remove acc check * feat: sweepers for workers_kv and zero_trust_list (#6281) * fix: fix acceptance tests in CI (#6286) * fix: fix bot_management and list_item acceptance tests * fix: disable cloudflare_workflow acceptance tests * fix(build): revert cache resources to released state (#6289) * chore(logpush_jobs): Switch to Plan and State Checks from legacy Checks for logpush_jobs resource (#6083) This switches to Pland nad State Checks from legacy Checks for `logpush_jobs` resource. - Reference: https://developer.hashicorp.com/terraform/plugin/testing/acceptance-tests/teststep - This check resource action taken was whether create or update on each step. Applicable tests pass locally: ``` go test ./internal/services/logpush_job -run "^TestAccCloudflareLogpushJob_" -v -count 1 ``` ``` === RUN TestAccCloudflareLogpushJob_Basic --- PASS: TestAccCloudflareLogpushJob_Basic (8.07s) === RUN TestAccCloudflareLogpushJob_BasicOutputOptions --- PASS: TestAccCloudflareLogpushJob_BasicOutputOptions (6.40s) === RUN TestAccCloudflareLogpushJob_Full --- PASS: TestAccCloudflareLogpushJob_Full (6.82s) === RUN TestAccCloudflareLogpushJob_ImmutableFields --- PASS: TestAccCloudflareLogpushJob_ImmutableFields (4.79s) PASS ok github.com/cloudflare/terraform-provider-cloudflare/internal/services/logpush_job 26.101s ``` * feat: chore: use cloudflare-go v6.1.0 for v5.11.0 release * chore: use cloudflare-go v6.1.0 for v5.11.0 release * release: 5.11.0 * chore: update docs and examples --------- Co-authored-by: Vaishak Dinesh <vaishakpdinesh@gmail.com> Co-authored-by: Tamás Józsa <jtomi92@gmail.com> Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com> Co-authored-by: pvail-cf <pvail@cloudflare.com> Co-authored-by: Musa Jundi <musa@cloudflare.com> Co-authored-by: Zaidoon Abd Al Hadi <43054535+zaidoon1@users.noreply.github.com> Co-authored-by: Cina Saffary <cina@cloudflare.com> Co-authored-by: Alex Holland <aholland@cloudflare.com> Co-authored-by: Tamás Józsa <tamas@cloudflare.com> Co-authored-by: Max Peterson <64494795+maxwellpeterson@users.noreply.github.com> Co-authored-by: Zak Cutner <zak@cloudflare.com> Co-authored-by: Rex Scaria <sendit2rex@gmail.com> Co-authored-by: Rex Scaria <arunrex@cloudflare.com> Co-authored-by: carolxu-maker <cxu@cloudflare.com> Co-authored-by: nevins-cf <nevins@cloudflare.com> Co-authored-by: Brad <broswen@users.noreply.github.com> Co-authored-by: Brad Swenson <bswenson@cloudflare.com> Co-authored-by: Luís Neto <lmpneto137@gmail.com> Co-authored-by: Sohei Okamoto <sohei@cloudflare.com>
release: 5.10.1 (#6164) * fix: ruleset migration issues (#6163) * Revert "fix: ruleset migration issues (#6163)" (#6165) This reverts commit 44b653c. * chore: enable mconn tests (#6166) * fix: magic connector tests * chore: remove skip * fix: ruleset migration issues (#6168) * feat: grit to go (#6162) * feat: grit to go * fix: unused import in load_balancer_monitor * chore: remove debugging printf statement --------- Co-authored-by: Musa Jundi <musa@cloudflare.com> * fix: lb and lb pool config migration (#6170) * fix: cloudflare_load_balancer transformation issues (#6171) * Test improvements (#6172) * chore: add sweeper for logpush job * chore: define ci test product groups * chore: limit max retries (#6173) * fix: fix grit in migration tests (#6175) * fix: ruleset migration in nogrit (#6174) * chore: point transformations to gh/next (#6177) * chore: zero trust config issues (#6179) fix: fix zero trust access application state migration * fix: lb monitor state migration (#6180) * fix: lb monitor state * fix: build * fix(migrate): improve `zone_setting` migrations (#6169) Improves how zone settings are migrated from v4 -> v5 of the provider by adding two new flags: - `--zone-settings-module` for handling a common pattern in the v4 provider where `zone_settings_override` is wrapped in a module and settings are passed in as module input variables. When provided, we will expand the vars into `zone_setting` resources and imports at the call site. - `--skip-imports` for skipping import generation, which is useful in cases where imports could be generated in invalid locations (read: outside the root module). Module definition: `modules/zone_settings/main.tf` ```hcl resource "cloudflare_zone_settings_override" "zone_settings" { zone_id = var.zone_id settings { security_level = var.security_level ssl = var.ssl } } ``` Module call: `sites/example_com/main.tf` ```hcl module "zone_settings" { source = "../modules/zone_settings" zone_id = cloudflare_zone.example_com.id security_level = "high" ssl = "origin_pull" } ``` When the `--zone-settings-module` flag is set, the migrator tool will replace module calls with inline zone setting definitions and their imports. ```hcl resource "cloudflare_zone_setting" "zone_settings_zone_settings_security_level" { zone_id = cloudflare_zone.example_com.id setting_id = "security_level" value = "high" } resource "cloudflare_zone_setting" "zone_settings_zone_settings_ssl" { zone_id = cloudflare_zone.example_com.id setting_id = "ssl" value = "origin_pull" } import { to = cloudflare_zone_setting.zone_settings_zone_settings_security_level id = "${cloudflare_zone.example_com.id}/security_level" } import { to = cloudflare_zone_setting.zone_settings_zone_settings_ssl id = "${cloudflare_zone.example_com.id}/ssl" } ``` Import generation can be skipped entirely with the `--skip-imports` flag. * fix: remove 'disable_railgun' from state after v4 migration (#6186) * fix: handling of nested arrays in ruleset migration (#6187) * fix: handling of nested arrays in ruleset migration * chore: fix test data for transformation * chore: compare better (#6192) * fix: ruleset state (#6191) * fix(zone_setting): ensure clean state after migrate (#6190) * fix(zone_setting): ensure clean state after migrate Fixes an issue with the migrate flow for `cloudflare_zone_setting` where we weren't removing all settings from state after migrating from v4 -> v5. The root cause was indexes shifting in slices while deleting items (forward deletes vs backward deletes). - updates state removal method for cleaning up `cloudflare_zone_setting` resources to delete items in reverse * test(zone_setting): ensure attribute order Fixes an issue with migrated attribute order revealed in flaky tests. --------- Co-authored-by: Vaishak Dinesh <vaishakpdinesh@gmail.com> * fix: variable interpolation (#6193) * fix: variable interpolation * chore: missed page rule migrations test * chore: restore deleted test cases * fix(workers_script): fix incorect model type of `run_worker_first` attribute (#6199) * fix: remove zone settings with null values (#6201) * docs(list_item): add import documentation (#6202) List item uses custom code for imports so its invisible to codegen. Since docs are generated automatically, any custom docs changes will be ovewritten with every release. This patch updates the generator script to first create any missing examples that couldn't be codegen'd, then it runs `tfplugindocs` which ensures that import examples are appended to the generated markdown docs. Changes: - adds manual `import.sh` for `cloudflare_list_item` * fix(migrate): block transformations (#6203) * Revert "fix: variable interpolation (#6193)" This reverts commit 332de8d. * fix(migrate): block transformation * fix(migrate): lb and lb pools * fix(migrate): fix main_module value migration (#6204) * ci(page_rule): disable parallel tests (#6205) Fixes flaky `page_rule` tests in CI. Parallel tests causes issues with it's strange `priority` behavior. Changes: - set `parallel=1` for `page_rule` tests * ci: skip flaky tests (#6206) Skipping consistently failing tests due to cert conflicts. - `TestMigrateZeroTrustAccessMTLSCertificate_Basic` - `TestAccCloudflareAccessMutualTLSHostnameSettings_Account` - `TestAccCloudflareAccessMutualTLSHostnameSettings_Update` - `TestAccCloudflareAccessMutualTLSHostnameSettings_BooleanCombinations` - `TestAccCloudflareAccessMutualTLSHostnameSettings_Import` * release: 5.10.1 --------- Co-authored-by: Musa Jundi <musa@cloudflare.com> Co-authored-by: Vaishak Dinesh <vaishakpdinesh@gmail.com> Co-authored-by: Tamás Józsa <jtomi92@gmail.com> Co-authored-by: Michael Girouard <206137+mgirouard@users.noreply.github.com> Co-authored-by: Cina Saffary <cina@cloudflare.com> Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com>
release: 5.10.0 (#6073) * fix(cloudflare_list_item) redirect source_url path validation * codegen metadata * chore: remove skips * fix: ci workflows * fix: don't announce to discord * fix: discord failure * Update access identity provider test, service token test, and plan modifiers * codegen metadata * feat: modernize healthcheck tests * feat(cloudflare_list): add nested set list items * feat(cloudflare_list): add nested list items to data source * feat: modernize notification_policy_webhooks tests * codegen metadata * docs(cloudflare_list) add nested items warning * feat(ruleset): validate action parameters are used with correct action This ensures we catch these validation errors during planning, which avoids misleading errors from the API during applies. * fix: state * chore: tests * chore(account_member): update acceptance tests Modernized test patterns: - uses `ConfigStateChecks` with `statecheck.ExpectKnownValue()` - added `ConfigPlanChecks` with `plancheck.ExpectResourceAction()` Improved coverage: - added plan validation for `RolesUpdate` to ensure only intended fields change - added no-op plan checks to `RolesVsPolicies` for stable state validation - modernized `Policies` with detailed nested attribute validation - added CRUD test for a full lifecycle test with Create -> Update -> Import flow Wasn't able to get sweepers to work. * fix: zero trust migrations * feat: modernize r2_bucket tests * fix: zero_trust_device_custom_profile sweeper * chore(api_token): update acceptance tests Modernized test patterns: - uses `ConfigStateChecks` with `statecheck.ExpectKnownValue()` - adds `ConfigPlanChecks` with `plancheck.ExpectResourceAction()` Handle deletes better: - adds `CheckDestroy` - adds sweeper - adds CRUD test (Create, Read, Update, Delete, and Import) - fixes client API usage to use `SharedClient()` and User.Tokens endpoints * chore(account): update acceptance tests Modernized test patterns: - uses `ConfigStateChecks` with `statecheck.ExpectKnownValue()` - adds `ConfigPlanChecks` with `plancheck.ExpectResourceAction()` - adds import state tests Handle deletes better: - adds `CheckDestroy` - adds sweeper - adds CRUD test (Create, Read, Update, Delete, and Import) - fixes client API usage to use `SharedClient()` and User.Tokens endpoints * chore(account_token): update acceptance tests Modernized test patterns: - uses `ConfigStateChecks` with `statecheck.ExpectKnownValue()` Improved coverage: - adds `ImportState*` checks Wasn't able to get sweepers to work. * chore(account_member): remove bad test * fix: zero_trust_access_mtls_certificate acceptance tests * feat: modernize zero_trust_dlp_entry tests * fix: required field ttl * feat: add migration tool support for cloudflare_snippet * feat: add migration tool support for cloudflare_snippet_rules * fix(migrate): custom_pages state migrations Previously state migrations for v4 -> v5 took place using state upgraders which would have been problematic for existing v5 users. This patch updates the migrate tool to fully handle `custom_pages` migrations for both config and state. - adds state migration for `custom_pages` to `cmd/migrate` - adds tests for new state migration in `cmd/migrate` - replaces _implicit_ migration tests with _explicit_ migration tests using `cmd/migrate` * fix: zero trust access mtls certificate acceptance tests * feat: modernize zero_trust_dlp_custom_profile tests * fix: zero trust access indetity provider migration * fix: fix zero_trust_dlp_entry acceptance tests * chore: increase parallel jobs * KV-1751: Add namespace rename check * fix: state test * KV-1750: Add KV metadata test * KV-1750: Add import test * KV-1750: Remove duplicated withAccountId test AccountIds are required. Existing test was using the same terraform file * spectrum_application: add v5 test for port ranges * spectrum_application: migration from v4->v5 * spectrum_application: fix test data to be more representative, migrate state using cmd/migrate * chore: ci tests dependencies and job tracking * chore(cloudflare_list) add acceptance test for null items * chore: run goimport * chore: enable more ci tests * spectrum_application: update structure of tests * fix: fix snippets tests * fix: run spinnets in sequence * feat(zone): add v4 -> v5 migrations Implements config and state migrations for `cloudflare_zone`. - removes all grit patterns - migrates config and state to its new shape: - rename attribute `zone` -> `name` - rename and restructure attribute `account_id` -> `account = { id = "..." }` - remove jump_start (no v5 equivalent) - remove plan (becomes computed-only) - adds tests for migration tooling * feat: modernize zero_trust_list tests * chore(zone): add migration tests Tests required transformations - `zone` -> `name` attribute rename - `account_id` -> account = { id = "..." } nested object - `jump_start` attribute removal - `plan` attribute removal (becomes computed) Handles edge cases - unicode domain names - different zone types (full, partial, secondary) - complex expressions and variables - multiple zones in same configuration - vanity name servers - meta field structure changes * feat(migrate): support migrations for workers_route and workers_script Adds migration support for `workers_route` and `workers_script`. - uses `cmd/migrate` for source and state migrations - handles both singular and plural versions from v4 (`workers_...` vs `worker_...`) - handles attribute renames - `workers_route`: `script_name` → `script` - `workers_script`: `name` → `script_name` * refactor(migrate): add resource rename support to workers_route and workers_script Handle `cloudflare_worker_route` -> `cloudflare_workers_route` and `cloudflare_worker_script` -> `cloudflare_workers_script` resource renames * feat(migrate): add comprehensive workers cross-resource reference support Handle resource type and attribute renames in cross-resource references: - `cloudflare_worker_script.foo.name` -> `cloudflare_workers_script.foo.script_name` - `cloudflare_worker_route.bar.script_name` -> `cloudflare_workers_route.bar.script` * feat(migrate): implement comprehensive workers_script v4→v5 bindings migration Handles binding transformations: - converts v4 binding blocks to v5 bindings list - transform bindings: - `plain_text` - `kv_namespace` - `secret_text` - `r2_bucket` - `queue` - `d1_database` - `analytics_engine` - `service` - `webassembly - removes old `binding` blocks from config ("unsupported block type" errors) - adds state transformation for v4 → v5 - cleans up incompatible v4 attributes: - `dispatch_namespace - `hyperdrive_config_binding - `module` - fixes `placement` attribute format from array `[]` to object `{}` Adds test for migrations - adds migration tests * fix(workers_script): resolve binding order infinite loop in v5 provider Fixes a provider bug where bindings were constantly reordered causing infinite plan diffs. Root cause was `UpdateSecretTextsFromState` iterating through API response order instead of preserving state order. Provider changes: - fix `UpdateSecretTextsFromState` to iterate through state elements first - preserve user-intended binding ordering from configuration - add new elements from API that weren't in state (append at end) Migration changes: - remove alphabetical sorting from state transformation (no longer needed) - add d1_database_binding → d1 type mapping - add hyperdrive_config_binding → hyperdrive type mapping - add migration tests for d1/hyperdrive binding transformations * feat(migrate): implement remaining workers_script binding migration fixes `webassembly_binding` handling: - remove webassembly_binding from supported binding types - generate migration warning when encountered in config - explain that WASM modules must be bundled into script content `binding` attribute renames: - implement database_id → id mapping for d1_database_binding - add renameBindingAttributes for state transformation - add renameBindingAttribute for config transformation Test: - add webassembly_binding warning test case - update d1 test to expect "id" instead of "database_id" * refactor(migrate): clean up duplicate bindings maps * fix(migrate): implement workers_secret cross-resource migration to secret_text bindings The existing migration incorrectly tried to rename cloudflare_workers_secret to cloudflare_workers_secret, but v5 doesn't have workers_secret at all. Now properly migrates workers_secret resources to secret_text bindings within their corresponding workers_script resources: - collect workers_secret resources by script_name + account_id - merge as secret_text bindings into matching workers_script resources - handle both config and state transformation - remove workers_secret resources completely after migration - add migration tests for commont scenarios * fix(migrate): implement dispatch_namespace attribute to binding migration The existing migration incorrectly deleted dispatch_namespace instead of transforming it to v5's unified bindings system. Now properly migrates dispatch_namespace from v4 attribute to v5 binding: - transform dispatch_namespace = "value" → `bindings = [{type = "dispatch_namespace", namespace_id = "value"}]` - merge with existing bindings when present - handle both config and state transformation - add manual migration warnings for complex expressions (variables, references) * fix(migrate): implement module attribute to main_module/body_part migration The existing migration incorrectly deleted module instead of transforming it to v5's ES module vs Service Worker syntax attributes. Properly migrates module boolean to appropriate v5 attributes: - transforms `module = true → main_module = "worker.js"` (ES Module syntax) - transforms `module = false → body_part = "worker.js"` (Service Worker syntax) - handles both config and state transformation - adds manual migration warnings for unparseable values * fix(migrate): add missing hyperdrive binding attribute renames The existing hyperdrive binding migration was missing attribute renames, causing incorrect v4→v5 transformations. This patch ensures we properly rename hyperdrive binding attributes: - transforms `binding → name` in both config and state - transforms `id → binding_id` in both config and state - fixes test to use correct v4 attribute names (binding/id vs name/binding_id) * fix(workers_script): get tests passing again Remove unsupported features in v5 - removes tags from state - removes dispatch_namespace from state Handle resource renames (again) - reimplements singular-to-plural renames Updates tests to pass: - fixes workers_route tests to include workers_scripts it depends on * chore(workers_script): add lots of missing bindings tests * fix(workers_script): fix/improve bindings tests * fix(migrate): correct module transformation and clean up dead code tests Fixes module attribute transformation to properly implement v4→v5 migration per PR feedback instead of incorrectly deleting the attribute. Migration changes: - fix `transformModule()` to actually transform boolean values: - `module = true` → `main_module = "worker.js"` (ES Module syntax) - `module = false` → `body_part = "worker.js"` (Service Worker syntax) - fix `transformModuleInState()` with same transformation logic for JSON state - remove dead dispatch_namespace test cases (correctly deleted, not transformed) - fix hyperdrive test expectation: `binding_id` → `id` to match implementation * chore(workers_script): remove unused tests * chore: remove grit * fix: migrations for config and state * feat: migration tests * fix: prevent resource type corruption in workers_secret state migration Replace array filtering/reconstruction with individual deletion to avoid type corruption when removing workers_secret resources from state. The previous approach using resource.Value() and sjson.Set() was corrupting resource types during JSON reconstruction. * fix: prevent resource type corruption in workers_secret state migration Replace array filtering/reconstruction with individual deletion to avoid type corruption when removing workers_secret resources from state. The previous approach using resource.Value() and sjson.Set() was corrupting resource types during JSON reconstruction. * feat: migrate list with embedded items from v4 to v5 * feat: handle list items in v4 * chore: remove grit for lists * feat: merge items into list * feat: migration tests * chore: remove files that are not needed * fix: dynamic blocks and tests * fix: tiered cache test * fix: dns record empty states * chore: add migration tool support for load_balancer and load_balancer_pool * fix: dynamic 'origins' blocks migrations * fix: tests * fix: comment_modified_on drift in DNS records Co-authored-by: Vaishak Dinesh <vaishakpdinesh@gmail.com> * fix(workers_script): referenced attribute renames (#6136) When migrating from v4 -> v5, references to `workers_script.name` weren't being correctly renamed due to a faulty lookup map. - updates `resourceTypeRenames` (lookup map) to include v4 and v5 resource names - updates conditional in `renameWorkerAttribute` to include v5 resource names - adds test for partial migration cases * fix: broken test data and block attribute conversion (#6138) * feat: add 'ruleset' support in migration tool (#6104) * feat: add 'ruleset' support in migration tool * chore: add more migration tests for ruleset and fix block attribute migrations * chore: fix action_paramters attribute for ruleset migrations * fix: inconsistent apply Issue #6076 (#6139) * chore: sequence magic tests (#6145) * chore: remove the magic resources * chore: run magic in its own step * codegen metadata * chore: fix list item state migration (#6146) * feat(internal): support CustomMarshaler interface for encoding types * feat: Merge branch 'vaishak/bump-sdk-version' into 'main' chore: bump go sdk version See merge request cloudflare/sdks/cloudflare-config!120 * feat(migrate): fix load_balancer migration test (#6148) * fix: snippet and load balancer migration tests (#6149) * fix: snippet tests * fix: load balancer tests * chore: run certain tests sequentially * chore: cleanup * chore: revert metadata * fix: snippet unit test * chore: schema version is set by grit * chore: retry tests (#6150) * fix: resolve race condition in zero_trust_access_mtls_hostname_settings migration tests (#6152) Add cleanup function to clear MTLS certificates and hostname settings before each migration test to prevent 'previous certificate settings still being updated' errors. The cleanup ensures certificates are disassociated from hostnames before deletion, matching the approach used in acceptance tests. Also updates provider version constraint from ~> 4.0 to 4.52.1 for consistency with other migration tests. * fix: more roboust retry logic for certificate tests (#6154) * fix: skip acceptance tests in unit test scope (#6155) * chore: increase retries (#6156) * chore: grit to go (#6143) * feat: grit to go chore: sunset up grit chore: transformations to download config from github chore: zone settings migrations should not generate import statements Revert "chore: sunset up grit" This reverts commit ffed790. chore: recursive directory scan chore: fix zero trust access policy transformation chore: revert grit change chore: revet zone settings change * chore: put no-grit migration behind flag * chore: fix transformation source (#6157) * fix: nil dereference in `cloudflare_workers_script` resource (#6158) Fixes #6147 * chore: revert grit to go (#6159) * Revert "chore: fix transformation source (#6157)" This reverts commit 6cc2cfb. * Revert "chore: grit to go (#6143)" This reverts commit 548f097. * chore: skip mconn test (#6161) * release: 5.10.0 --------- Co-authored-by: Brad Swenson <bswenson@cloudflare.com> Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com> Co-authored-by: Vaishak Dinesh <vaishak@cloudflare.com> Co-authored-by: Vaishak Dinesh <vaishakpdinesh@gmail.com> Co-authored-by: Alex Holland <aholland@cloudflare.com> Co-authored-by: Tamas Jozsa <tamas@cloudflare.com> Co-authored-by: Tamás Józsa <jtomi92@gmail.com> Co-authored-by: Zak Cutner <zak@cloudflare.com> Co-authored-by: Mike Girouard <mgirouard@cloudflare.com> Co-authored-by: Musa Jundi <musa@cloudflare.com> Co-authored-by: Pedro Leal <pleal@cloudflare.com> Co-authored-by: Michael Girouard <206137+mgirouard@users.noreply.github.com> Co-authored-by: Nicky Semenza <nicky@cloudflare.com> Co-authored-by: David Ackerman <david.w.ackerman@gmail.com> Co-authored-by: Cina Saffary <cina@cloudflare.com>
PreviousNext