Validate zero_trust_access_application.policies.precedence >= 1

Author: GreenStage

internal/services/zero_trust_access_application/resource_test.go

@@ -1124,6 +1124,25 @@ func TestAccCloudflareAccessApplication_WithReusablePolicies(t *testing.T) {
 	})
 }
 
+func TestAccCloudflareAccessApplication_WithReusablePolicies_InvalidPrecedence(t *testing.T) {
+	rnd := utils.GenerateRandomResourceName()
+	accountID := os.Getenv("CLOUDFLARE_ACCOUNT_ID")
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			acctest.TestAccPreCheck(t)
+			acctest.TestAccPreCheck_AccountID(t)
+		},
+		ProtoV6ProviderFactories: acctest.TestAccProtoV6ProviderFactories,
+		CheckDestroy:             testAccCheckCloudflareAccessApplicationDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config:      testAccCloudflareAccessApplicationConfigWithReusablePoliciesInvalidPrecedence(rnd, domain, accountID),
+				ExpectError: regexp.MustCompile(`Attribute policies\[0].precedence value must be at least 1, got: 0`),
+			},
+		},
+	})
+}
+
 func TestAccCloudflareAccessApplication_WithAppLauncherCustomization(t *testing.T) {
 	rnd := utils.GenerateRandomResourceName()
 	name := fmt.Sprintf("cloudflare_zero_trust_access_application.%s", rnd)
@@ -1609,6 +1628,10 @@ func testAccCloudflareAccessApplicationConfigWithReusablePolicies(rnd, domain st
 	return acctest.LoadTestCase("accessapplicationconfigwithreusablepolicies.tf", rnd, domain, accountID)
 }
 
+func testAccCloudflareAccessApplicationConfigWithReusablePoliciesInvalidPrecedence(rnd, domain string, accountID string) string {
+	return acctest.LoadTestCase("accessapplicationconfigwithreusablepolicies_invalid_precedence.tf", rnd, domain, accountID)
+}
+
 func testAccessApplicationWithInvalidSaas(resourceID, accountID string) string {
 	return acctest.LoadTestCase("accessapplicationconfigwithinvalidsaas.tf", resourceID, accountID)
 }

internal/services/zero_trust_access_application/schema.go

@@ -9,6 +9,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework-timetypes/timetypes"
 	"github.com/hashicorp/terraform-plugin-framework-validators/boolvalidator"
 	"github.com/hashicorp/terraform-plugin-framework-validators/float64validator"
+	"github.com/hashicorp/terraform-plugin-framework-validators/int64validator"
 	"github.com/hashicorp/terraform-plugin-framework-validators/listvalidator"
 	"github.com/hashicorp/terraform-plugin-framework-validators/objectvalidator"
 	"github.com/hashicorp/terraform-plugin-framework-validators/setvalidator"
@@ -598,6 +599,9 @@ func ResourceSchema(ctx context.Context) schema.Schema {
 							Description: "The order of execution for this policy. Must be unique for each policy within an app.",
 							Optional:    true,
 							Computed:    true,
+							Validators: []validator.Int64{
+								int64validator.AtLeast(1),
+							},
 						},
 						"decision": schema.StringAttribute{
 							Description: "The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.\nAvailable values: \"allow\", \"deny\", \"non_identity\", \"bypass\".",

internal/services/zero_trust_access_application/testdata/accessapplicationconfigwithreusablepolicies_invalid_precedence.tf

@@ -0,0 +1,37 @@
+resource "cloudflare_zero_trust_access_policy" "%[1]s_p1" {
+  account_id = "%[3]s"
+  name       = "%[1]s"
+  decision   = "allow"
+  include = [
+    {
+      email = { email = "[email protected]" }
+    }
+  ]
+}
+
+resource "cloudflare_zero_trust_access_policy" "%[1]s_p2" {
+  account_id = "%[3]s"
+  name       = "%[1]s"
+  decision   = "non_identity"
+  include = [
+    {
+      ip = { ip = "127.0.0.1/32" }
+    }
+  ]
+}
+
+resource "cloudflare_zero_trust_access_application" "%[1]s" {
+  account_id = "%[3]s"
+  name       = "%[1]s"
+  domain     = "%[1]s.%[2]s"
+  type       = "self_hosted"
+  policies = [
+    {
+      id         = cloudflare_zero_trust_access_policy.%[1]s_p1.id
+      precedence = 0
+    },
+    {
+      id = cloudflare_zero_trust_access_policy.%[1]s_p2.id
+    }
+  ]
+}