Fix RDP & Infrastructure types of zero_trust_access_application

Author: GreenStage

internal/services/zero_trust_access_application/normalizations.go

@@ -83,6 +83,34 @@ func normalizeReadZeroTrustApplicationOidcAppData(data *ZeroTrustAccessApplicati
 	normalizeFalseAndNullBool(&data.AllowPKCEWithoutClientSecret, stateData.AllowPKCEWithoutClientSecret)
 }
 
+func normalizeZeroTrustApplicationPolicyConnectionRulesAPIData(_ context.Context, data, stateData *ZeroTrustAccessApplicationPoliciesConnectionRulesModel) {
+	if data.SSH != nil && stateData.SSH != nil {
+		normalizeFalseAndNullBool(&data.SSH.AllowEmailAlias, stateData.SSH.AllowEmailAlias)
+	}
+}
+
+func normalizeZeroTrustApplicationPolicyAPIData(ctx context.Context, data, stateData *ZeroTrustAccessApplicationPoliciesModel) {
+	// Preserve null values from the Terraform state, even if the API response returns actual values.
+	// This is important because the API may populate these fields when it expands the attached reusable policy
+	// from its given ID.
+	//
+	// However, we intentionally avoid storing the full expanded policy inside the application resource's
+	// nested block, as its source of truth is the reusable policy resource itself.
+	// Only the policy ID should be persisted in state for reusable policies.
+	// For legacy policies, the ID should be ignored as they are not a standalone resource, but rather
+	// live as a nested object owned by the application.
+	persistNullFromState(&data.ID, stateData.ID)
+	persistNullFromState(&data.Decision, stateData.Decision)
+	persistNullFromState(&data.Name, stateData.Name)
+	persistNullFromState(&data.Include, stateData.Include)
+	persistNullFromState(&data.Require, stateData.Require)
+	persistNullFromState(&data.Exclude, stateData.Exclude)
+
+	if data.ConnectionRules != nil && stateData.ConnectionRules != nil {
+		normalizeZeroTrustApplicationPolicyConnectionRulesAPIData(ctx, data.ConnectionRules, stateData.ConnectionRules)
+	}
+}
+
 // Normalizing function to ensure consistency between the state and the meaning of the API response.
 // Alters the API response before applying it to the state by laxing equalities between null & zero-value
 // for some attributes, and nullifies fields that terraform should not be saving in the state.
@@ -129,21 +157,7 @@ func normalizeReadZeroTrustApplicationAPIData(ctx context.Context, data, stateDa
 
 	if data.Policies != nil && stateData.Policies != nil {
 		for i := range *data.Policies {
-			// Preserve null values from the Terraform state, even if the API response returns actual values.
-			// This is important because the API may populate these fields when it expands the attached reusable policy
-			// from its given ID.
-			//
-			// However, we intentionally avoid storing the full expanded policy inside the application resource's
-			// nested block, as its source of truth is the reusable policy resource itself.
-			// Only the policy ID should be persisted in state for reusable policies.
-			// For legacy policies, the ID should be ignored as they are not a standalone resource, but rather
-			// live as a nested object owned by the application.
-			persistNullFromState(&(*data.Policies)[i].ID, (*stateData.Policies)[i].ID)
-			persistNullFromState(&(*data.Policies)[i].Decision, (*stateData.Policies)[i].Decision)
-			persistNullFromState(&(*data.Policies)[i].Name, (*stateData.Policies)[i].Name)
-			persistNullFromState(&(*data.Policies)[i].Include, (*stateData.Policies)[i].Include)
-			persistNullFromState(&(*data.Policies)[i].Require, (*stateData.Policies)[i].Require)
-			persistNullFromState(&(*data.Policies)[i].Exclude, (*stateData.Policies)[i].Exclude)
+			normalizeZeroTrustApplicationPolicyAPIData(ctx, &(*data.Policies)[i], &(*stateData.Policies)[i])
 		}
 	}
 

internal/services/zero_trust_access_application/plan_modifiers.go

@@ -13,11 +13,12 @@ import (
 )
 
 var (
-	selfHostedAppTypes         = []string{"self_hosted", "ssh", "vnc", "rdp"}
-	saasAppTypes               = []string{"saas", "dash_sso"}
-	appLauncherVisibleAppTypes = []string{"self_hosted", "ssh", "vnc", "rdp", "saas", "bookmark", "infrastructure"}
-	targetCompatibleAppTypes   = []string{"rdp", "infrastructure"}
-	durationRegex              = regexp.MustCompile(`^(?:0|[-+]?(\d+(?:\.\d*)?|\.\d+)(?:ns|us|µs|ms|s|m|h)(?:(\d+(?:\.\d*)?|\.\d+)(?:ns|us|µs|ms|s|m|h))*)$`)
+	selfHostedAppTypes                = []string{"self_hosted", "ssh", "vnc", "rdp"}
+	saasAppTypes                      = []string{"saas", "dash_sso"}
+	appLauncherVisibleAppTypes        = []string{"self_hosted", "ssh", "vnc", "rdp", "saas", "bookmark"}
+	targetCompatibleAppTypes          = []string{"rdp", "infrastructure"}
+	sessionDurationCompatibleAppTypes = []string{"saas", "dash_sso", "self_hosted", "ssh", "vnc", "rdp", "app_launcher"}
+	durationRegex                     = regexp.MustCompile(`^(?:0|[-+]?(\d+(?:\.\d*)?|\.\d+)(?:ns|us|µs|ms|s|m|h)(?:(\d+(?:\.\d*)?|\.\d+)(?:ns|us|µs|ms|s|m|h))*)$`)
 )
 
 // Sets a specific default value for a computed attribute specific to a set of app types, in case the attribute is unknown.
@@ -124,6 +125,7 @@ func modifyPlan(ctx context.Context, req resource.ModifyPlanRequest, res *resour
 	setDefaultAccordingToAppTypes(selfHostedAppTypes, appType, &planApp.HTTPOnlyCookieAttribute, types.BoolValue(true), types.BoolNull())
 	setDefaultAccordingToAppTypes(appLauncherVisibleAppTypes, appType, &planApp.AppLauncherVisible, types.BoolValue(true), types.BoolNull())
 	setDefaultAccordingToAppType("app_launcher", appType, &planApp.SkipAppLauncherLoginPage, types.BoolValue(false), types.BoolNull())
+	setDefaultAccordingToAppTypes(sessionDurationCompatibleAppTypes, appType, &planApp.SessionDuration, types.StringValue("24h"), types.StringNull())
 
 	if appType == "saas" {
 		res.Diagnostics.Append(modifySaasAppNestedObjectPlan(ctx, planApp)...)

internal/services/zero_trust_access_application/resource_test.go

@@ -1163,6 +1163,82 @@ func TestAccCloudflareAccessApplication_WithAppLauncherCustomization(t *testing.
 	})
 }
 
+func TestAccCloudflareAccessApplication_Infrastructure(t *testing.T) {
+	rnd := utils.GenerateRandomResourceName()
+	name := fmt.Sprintf("cloudflare_zero_trust_access_application.%s", rnd)
+	accountID := os.Getenv("CLOUDFLARE_ACCOUNT_ID")
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			acctest.TestAccPreCheck(t)
+			acctest.TestAccPreCheck_AccountID(t)
+		},
+		ProtoV6ProviderFactories: acctest.TestAccProtoV6ProviderFactories,
+		CheckDestroy:             testAccCheckCloudflareAccessApplicationDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCloudflareAccessApplicationInfrastructure(rnd, accountID),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(name, consts.AccountIDSchemaKey, accountID),
+					resource.TestCheckNoResourceAttr(name, "session_duration"),
+					resource.TestCheckResourceAttr(name, "type", "infrastructure"),
+					resource.TestCheckResourceAttr(name, "target_criteria.#", "1"),
+					resource.TestCheckResourceAttr(name, "target_criteria.0.port", "22"),
+					resource.TestCheckResourceAttr(name, "target_criteria.0.protocol", "SSH"),
+					resource.TestCheckResourceAttr(name, "target_criteria.0.target_attributes.hostname.#", "1"),
+					resource.TestCheckResourceAttr(name, "target_criteria.0.target_attributes.hostname.0", rnd),
+					resource.TestCheckResourceAttr(name, "policies.#", "1"),
+					resource.TestCheckResourceAttr(name, "policies.0.connection_rules.ssh.usernames.#", "1"),
+					resource.TestCheckResourceAttr(name, "policies.0.connection_rules.ssh.usernames.0", "root"),
+				),
+			},
+			{
+				// Ensures no diff on last plan
+				Config:   testAccCloudflareAccessApplicationInfrastructure(rnd, accountID),
+				PlanOnly: true,
+			},
+		},
+	})
+}
+
+func TestAccCloudflareAccessApplication_RDP(t *testing.T) {
+	rnd := utils.GenerateRandomResourceName()
+	name := fmt.Sprintf("cloudflare_zero_trust_access_application.%s", rnd)
+	appDomain := fmt.Sprintf("%[1]s.%[2]s", rnd, domain)
+	accountID := os.Getenv("CLOUDFLARE_ACCOUNT_ID")
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			acctest.TestAccPreCheck(t)
+			acctest.TestAccPreCheck_AccountID(t)
+		},
+		ProtoV6ProviderFactories: acctest.TestAccProtoV6ProviderFactories,
+		CheckDestroy:             testAccCheckCloudflareAccessApplicationDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCloudflareAccessApplicationRDP(rnd, accountID, domain),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(name, consts.AccountIDSchemaKey, accountID),
+					resource.TestCheckResourceAttr(name, "session_duration", "24h"),
+					resource.TestCheckResourceAttr(name, "type", "rdp"),
+					resource.TestCheckResourceAttr(name, "domain", appDomain),
+					resource.TestCheckResourceAttr(name, "destinations.#", "1"),
+					resource.TestCheckResourceAttr(name, "destinations.0.uri", appDomain),
+					resource.TestCheckResourceAttr(name, "target_criteria.#", "1"),
+					resource.TestCheckResourceAttr(name, "target_criteria.0.port", "3389"),
+					resource.TestCheckResourceAttr(name, "target_criteria.0.protocol", "RDP"),
+					resource.TestCheckResourceAttr(name, "target_criteria.0.target_attributes.hostname.#", "1"),
+					resource.TestCheckResourceAttr(name, "target_criteria.0.target_attributes.hostname.0", rnd),
+					resource.TestCheckResourceAttr(name, "policies.#", "1"),
+				),
+			},
+			{
+				// Ensures no diff on last plan
+				Config:   testAccCloudflareAccessApplicationRDP(rnd, accountID, domain),
+				PlanOnly: true,
+			},
+		},
+	})
+}
+
 func testAccCloudflareAccessApplicationConfigBasic(rnd string, domain string, identifier *cloudflare.ResourceContainer) string {
 	return acctest.LoadTestCase("accessapplicationconfigbasic.tf", rnd, domain, identifier.Type, identifier.Identifier)
 }
@@ -1171,6 +1247,14 @@ func testAccCloudflareAccessApplicationConfigWithCORS(rnd, zoneID, domain string
 	return acctest.LoadTestCase("accessapplicationconfigwithcors.tf", rnd, zoneID, domain)
 }
 
+func testAccCloudflareAccessApplicationInfrastructure(rnd, accID string) string {
+	return acctest.LoadTestCase("accessapplicationconfiginfrastructure.tf", rnd, accID)
+}
+
+func testAccCloudflareAccessApplicationRDP(rnd, accID, domain string) string {
+	return acctest.LoadTestCase("accessapplicationconfigrdp.tf", rnd, accID, domain)
+}
+
 func testAccCloudflareAccessApplicationConfigWithSAMLSaas(rnd, accountID string) string {
 	return acctest.LoadTestCase("accessapplicationconfigwithsamlsaas.tf", rnd, accountID)
 }

internal/services/zero_trust_access_application/schema.go

@@ -398,7 +398,7 @@ func ResourceSchema(ctx context.Context) schema.Schema {
 							Description: "The communication protocol your application secures.\nAvailable values: \"SSH\".",
 							Required:    true,
 							Validators: []validator.String{
-								stringvalidator.OneOfCaseInsensitive("SSH"),
+								stringvalidator.OneOfCaseInsensitive("SSH", "RDP"),
 							},
 						},
 						"target_attributes": schema.MapAttribute{
@@ -449,9 +449,9 @@ func ResourceSchema(ctx context.Context) schema.Schema {
 				Description: "The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.",
 				Computed:    true,
 				Optional:    true,
-				Default:     stringdefault.StaticString("24h"),
 				Validators: []validator.String{
 					stringvalidator.RegexMatches(durationRegex, `"session_duration" only supports "ns", "us" (or "µs"), "ms", "s", "m", or "h" as valid units`),
+					customvalidator.RequiresOtherStringAttributeToBeOneOf(path.MatchRoot("type"), sessionDurationCompatibleAppTypes...),
 				},
 			},
 			"skip_app_launcher_login_page": schema.BoolAttribute{
@@ -469,7 +469,6 @@ func ResourceSchema(ctx context.Context) schema.Schema {
 				DeprecationMessage: "This attribute is deprecated.",
 				CustomType:         customfield.NewListType[types.String](ctx),
 				ElementType:        types.StringType,
-
 				Validators: []validator.List{
 					customvalidator.RequiresOtherStringAttributeToBeOneOf(path.MatchRoot("type"), selfHostedAppTypes...),
 					listvalidator.ConflictsWith(path.Expressions{
@@ -882,6 +881,7 @@ func ResourceSchema(ctx context.Context) schema.Schema {
 							Optional:    true,
 							Validators: []validator.Object{
 								objectvalidator.AlsoRequires(path.MatchRelative().AtParent().AtName("include")),
+								customvalidator.RequiredWhenOtherStringIsOneOf(path.MatchRoot("type"), "infrastructure"),
 							},
 							Attributes: map[string]schema.Attribute{
 								"ssh": schema.SingleNestedAttribute{

internal/services/zero_trust_access_application/testdata/accessapplicationconfiginfrastructure.tf

@@ -0,0 +1,48 @@
+resource "cloudflare_zero_trust_tunnel_cloudflared_virtual_network" "%[1]s" {
+  account_id         = "%[2]s"
+  name               = "%[1]s"
+  comment            = "%[1]s"
+  is_default_network = "false"
+}
+
+resource "cloudflare_zero_trust_access_infrastructure_target" "%[1]s" {
+  account_id = "%[2]s"
+  hostname   = "%[1]s"
+  ip = {
+    ipv4 = {
+      ip_addr            = "127.0.0.1"
+      virtual_network_id = cloudflare_zero_trust_tunnel_cloudflared_virtual_network.%[1]s.id
+    }
+  }
+}
+
+resource "cloudflare_zero_trust_access_application" "%[1]s" {
+  account_id = "%[2]s"
+  name       = "%[1]s"
+  type       = "infrastructure"
+  target_criteria = [
+    {
+      port     = 22
+      protocol = "SSH"
+      target_attributes = {
+        "hostname" = ["%[1]s"]
+      }
+    }
+  ]
+  policies = [
+    {
+      name     = "%[1]s-policy-1"
+      decision = "allow"
+      include = [
+        {
+          email = { email = "[email protected]" }
+        }
+      ]
+      connection_rules = {
+        ssh = {
+          usernames = ["root"]
+        }
+      }
+    }
+  ]
+}

internal/services/zero_trust_access_application/testdata/accessapplicationconfigrdp.tf

@@ -0,0 +1,49 @@
+resource "cloudflare_zero_trust_tunnel_cloudflared_virtual_network" "%[1]s" {
+  account_id         = "%[2]s"
+  name               = "%[1]s"
+  comment            = "%[1]s"
+  is_default_network = "false"
+}
+
+resource "cloudflare_zero_trust_access_infrastructure_target" "%[1]s" {
+  account_id = "%[2]s"
+  hostname   = "%[1]s"
+  ip = {
+    ipv4 = {
+      ip_addr            = "127.0.0.1"
+      virtual_network_id = cloudflare_zero_trust_tunnel_cloudflared_virtual_network.%[1]s.id
+    }
+  }
+}
+
+resource "cloudflare_zero_trust_access_application" "%[1]s" {
+  account_id = "%[2]s"
+  name       = "%[1]s"
+  type       = "rdp"
+  destinations = [
+    {
+      type = "public"
+      uri = "%[1]s.%[3]s"
+    }
+  ]
+  target_criteria = [
+    {
+      port     = 3389
+      protocol = "RDP"
+      target_attributes = {
+        "hostname" = ["%[1]s"]
+      }
+    }
+  ]
+  policies = [
+    {
+      name     = "%[1]s-policy-1"
+      decision = "allow"
+      include = [
+        {
+          email = { email = "[email protected]" }
+        }
+      ]
+    }
+  ]
+}