Merge pull request #5798 from zakcutner/zak/ruleset

Fix regressions in drift prevention `cloudflare_ruleset`

Author: musa-cf

internal/services/ruleset/model.go

@@ -36,7 +36,7 @@ type RulesetRulesModel struct {
 	Action                 types.String                             `tfsdk:"action" json:"action,optional"`
 	ActionParameters       *RulesetRulesActionParametersModel       `tfsdk:"action_parameters" json:"action_parameters,optional"`
 	Categories             customfield.List[types.String]           `tfsdk:"categories" json:"categories,optional"`
-	Description            types.String                             `tfsdk:"description" json:"description,computed_optional"`
+	Description            types.String                             `tfsdk:"description" json:"description,optional"`
 	Enabled                types.Bool                               `tfsdk:"enabled" json:"enabled,computed_optional"`
 	ExposedCredentialCheck *RulesetRulesExposedCredentialCheckModel `tfsdk:"exposed_credential_check" json:"exposed_credential_check,optional"`
 	Expression             types.String                             `tfsdk:"expression" json:"expression,optional"`

internal/services/ruleset/resource.go

@@ -12,6 +12,7 @@ import (
 	"github.com/cloudflare/cloudflare-go/v4/option"
 	"github.com/cloudflare/cloudflare-go/v4/rulesets"
 	"github.com/cloudflare/terraform-provider-cloudflare/internal/apijson"
+	"github.com/cloudflare/terraform-provider-cloudflare/internal/customfield"
 	"github.com/cloudflare/terraform-provider-cloudflare/internal/importpath"
 	"github.com/cloudflare/terraform-provider-cloudflare/internal/logging"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
@@ -305,27 +306,25 @@ func (r *RulesetResource) ModifyPlan(ctx context.Context, req resource.ModifyPla
 
 	ruleIDsByRef := make(map[string]types.String)
 
-	stateElements := make([]RulesetRulesModel, 0, len(state.Rules.Elements()))
-	diags := state.Rules.ElementsAs(ctx, &stateElements, false)
-	if diags != nil {
-		resp.Diagnostics.Append(diags...)
+	stateRules, diags := state.Rules.AsStructSliceT(ctx)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
 		return
 	}
 
-	for _, rule := range stateElements {
+	for _, rule := range stateRules {
 		if ref := rule.Ref.ValueString(); ref != "" {
 			ruleIDsByRef[ref] = rule.ID
 		}
 	}
 
-	planElements := make([]RulesetRulesModel, 0, len(state.Rules.Elements()))
-	diags = state.Rules.ElementsAs(ctx, &planElements, false)
-	if diags != nil {
-		resp.Diagnostics.Append(diags...)
+	planRules, diags := plan.Rules.AsStructSliceT(ctx)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
 		return
 	}
 
-	for _, rule := range planElements {
+	for i, rule := range planRules {
 		// Do nothing if the rule's ID is a known planned value.
 		if !rule.ID.IsUnknown() {
 			continue
@@ -335,10 +334,16 @@ func (r *RulesetResource) ModifyPlan(ctx context.Context, req resource.ModifyPla
 		// value of its ID with the corresponding ID from the state.
 		if ref := rule.Ref.ValueString(); ref != "" {
 			if id, ok := ruleIDsByRef[ref]; ok {
-				rule.ID = id
+				planRules[i].ID = id
 			}
 		}
 	}
 
+	plan.Rules, diags = customfield.NewObjectList(ctx, planRules)
+	resp.Diagnostics.Append(diags...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
 	resp.Diagnostics.Append(resp.Plan.Set(ctx, plan)...)
 }

internal/services/ruleset/resource_test.go

@@ -11,7 +11,9 @@ import (
 	"github.com/cloudflare/terraform-provider-cloudflare/internal/acctest"
 	"github.com/cloudflare/terraform-provider-cloudflare/internal/utils"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
-	"github.com/hashicorp/terraform-plugin-testing/terraform"
+	"github.com/hashicorp/terraform-plugin-testing/knownvalue"
+	"github.com/hashicorp/terraform-plugin-testing/plancheck"
+	"github.com/hashicorp/terraform-plugin-testing/tfjsonpath"
 )
 
 func TestMain(m *testing.M) {
@@ -2408,6 +2410,237 @@ func TestAccCloudflareRuleset_CacheSettingsHandleDefaultHeaderExcludeOrigin(t *t
 	})
 }
 
+func TestAccCloudflareRuleset_RuleRefs(t *testing.T) {
+	rnd := utils.GenerateRandomResourceName()
+	zoneID := os.Getenv("CLOUDFLARE_ZONE_ID")
+	resourceName := "cloudflare_ruleset." + rnd
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { acctest.TestAccPreCheck(t) },
+		ProtoV6ProviderFactories: acctest.TestAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCloudflareRulesetWithRuleRefs(rnd, zoneID),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "rules.#", "2"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.expression", "ip.src eq 1.1.1.1"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.ref", "one"),
+					resource.TestCheckResourceAttr(resourceName, "rules.1.expression", "ip.src eq 2.2.2.2"),
+					resource.TestCheckResourceAttr(resourceName, "rules.1.ref", "two"),
+				),
+			},
+			{
+				Config: testAccCloudflareRulesetWithRuleRefs(rnd, zoneID),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectEmptyPlan(),
+					},
+				},
+			},
+			{
+				Config: testAccCloudflareRulesetWithRuleRefsAdded(rnd, zoneID),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionUpdate),
+						plancheck.ExpectKnownValue(
+							resourceName,
+							tfjsonpath.New("rules"),
+							knownvalue.ListExact([]knownvalue.Check{
+								knownvalue.ObjectPartial(map[string]knownvalue.Check{
+									"id":         knownvalue.NotNull(),
+									"expression": knownvalue.StringExact("ip.src eq 1.1.1.1"),
+									"ref":        knownvalue.StringExact("one"),
+								}),
+								knownvalue.ObjectPartial(map[string]knownvalue.Check{
+									"expression": knownvalue.StringExact("ip.src eq 3.3.3.3"),
+									"ref":        knownvalue.StringExact("three"),
+								}),
+								knownvalue.ObjectPartial(map[string]knownvalue.Check{
+									"id":         knownvalue.NotNull(),
+									"expression": knownvalue.StringExact("ip.src eq 2.2.2.2"),
+									"ref":        knownvalue.StringExact("two"),
+								}),
+							}),
+						),
+						plancheck.ExpectUnknownValue(
+							resourceName,
+							tfjsonpath.New("rules").AtSliceIndex(1).AtMapKey("id"),
+						),
+					},
+				},
+			},
+			{
+				Config: testAccCloudflareRulesetWithRuleRefs(rnd, zoneID),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "rules.#", "2"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.expression", "ip.src eq 1.1.1.1"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.ref", "one"),
+					resource.TestCheckResourceAttr(resourceName, "rules.1.expression", "ip.src eq 2.2.2.2"),
+					resource.TestCheckResourceAttr(resourceName, "rules.1.ref", "two"),
+				),
+			},
+			{
+				Config: testAccCloudflareRulesetWithRuleRefsAppended(rnd, zoneID),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionUpdate),
+						plancheck.ExpectKnownValue(
+							resourceName,
+							tfjsonpath.New("rules"),
+							knownvalue.ListExact([]knownvalue.Check{
+								knownvalue.ObjectPartial(map[string]knownvalue.Check{
+									"id":         knownvalue.NotNull(),
+									"expression": knownvalue.StringExact("ip.src eq 1.1.1.1"),
+									"ref":        knownvalue.StringExact("one"),
+								}),
+								knownvalue.ObjectPartial(map[string]knownvalue.Check{
+									"id":         knownvalue.NotNull(),
+									"expression": knownvalue.StringExact("ip.src eq 2.2.2.2"),
+									"ref":        knownvalue.StringExact("two"),
+								}),
+								knownvalue.ObjectPartial(map[string]knownvalue.Check{
+									"expression": knownvalue.StringExact("ip.src eq 3.3.3.3"),
+									"ref":        knownvalue.StringExact("three"),
+								}),
+							}),
+						),
+						plancheck.ExpectUnknownValue(
+							resourceName,
+							tfjsonpath.New("rules").AtSliceIndex(2).AtMapKey("id"),
+						),
+					},
+				},
+			},
+			{
+				Config: testAccCloudflareRulesetWithRuleRefs(rnd, zoneID),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "rules.#", "2"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.expression", "ip.src eq 1.1.1.1"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.ref", "one"),
+					resource.TestCheckResourceAttr(resourceName, "rules.1.expression", "ip.src eq 2.2.2.2"),
+					resource.TestCheckResourceAttr(resourceName, "rules.1.ref", "two"),
+				),
+			},
+			{
+				Config: testAccCloudflareRulesetWithRuleRefsModified(rnd, zoneID),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionUpdate),
+						plancheck.ExpectKnownValue(
+							resourceName,
+							tfjsonpath.New("rules"),
+							knownvalue.ListExact([]knownvalue.Check{
+								knownvalue.ObjectPartial(map[string]knownvalue.Check{
+									"id":         knownvalue.NotNull(),
+									"expression": knownvalue.StringExact("ip.src eq 1.1.1.1"),
+									"ref":        knownvalue.StringExact("one"),
+								}),
+								knownvalue.ObjectPartial(map[string]knownvalue.Check{
+									"id":         knownvalue.NotNull(),
+									"expression": knownvalue.StringExact("ip.src eq 3.3.3.3"),
+									"ref":        knownvalue.StringExact("two"),
+								}),
+							}),
+						),
+					},
+				},
+			},
+			{
+				Config: testAccCloudflareRulesetWithRuleRefs(rnd, zoneID),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "rules.#", "2"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.expression", "ip.src eq 1.1.1.1"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.ref", "one"),
+					resource.TestCheckResourceAttr(resourceName, "rules.1.expression", "ip.src eq 2.2.2.2"),
+					resource.TestCheckResourceAttr(resourceName, "rules.1.ref", "two"),
+				),
+			},
+			{
+				Config: testAccCloudflareRulesetWithRuleRefsRemoved(rnd, zoneID),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionUpdate),
+						plancheck.ExpectKnownValue(
+							resourceName,
+							tfjsonpath.New("rules"),
+							knownvalue.ListExact([]knownvalue.Check{
+								knownvalue.ObjectPartial(map[string]knownvalue.Check{
+									"id":         knownvalue.NotNull(),
+									"expression": knownvalue.StringExact("ip.src eq 2.2.2.2"),
+									"ref":        knownvalue.StringExact("two"),
+								}),
+							}),
+						),
+					},
+				},
+			},
+			{
+				Config: testAccCloudflareRulesetWithRuleRefs(rnd, zoneID),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "rules.#", "2"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.expression", "ip.src eq 1.1.1.1"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.ref", "one"),
+					resource.TestCheckResourceAttr(resourceName, "rules.1.expression", "ip.src eq 2.2.2.2"),
+					resource.TestCheckResourceAttr(resourceName, "rules.1.ref", "two"),
+				),
+			},
+			{
+				Config: testAccCloudflareRulesetWithRuleRefsReversed(rnd, zoneID),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionUpdate),
+						plancheck.ExpectKnownValue(
+							resourceName,
+							tfjsonpath.New("rules"),
+							knownvalue.ListExact([]knownvalue.Check{
+								knownvalue.ObjectPartial(map[string]knownvalue.Check{
+									"id":         knownvalue.NotNull(),
+									"expression": knownvalue.StringExact("ip.src eq 2.2.2.2"),
+									"ref":        knownvalue.StringExact("two"),
+								}),
+								knownvalue.ObjectPartial(map[string]knownvalue.Check{
+									"id":         knownvalue.NotNull(),
+									"expression": knownvalue.StringExact("ip.src eq 1.1.1.1"),
+									"ref":        knownvalue.StringExact("one"),
+								}),
+							}),
+						),
+					},
+				},
+			},
+			{
+				Config: testAccCloudflareRulesetWithRuleRefs(rnd, zoneID),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "rules.#", "2"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.expression", "ip.src eq 1.1.1.1"),
+					resource.TestCheckResourceAttr(resourceName, "rules.0.ref", "one"),
+					resource.TestCheckResourceAttr(resourceName, "rules.1.expression", "ip.src eq 2.2.2.2"),
+					resource.TestCheckResourceAttr(resourceName, "rules.1.ref", "two"),
+				),
+			},
+			{
+				Config: testAccCloudflareRulesetWithRuleRefsTruncated(rnd, zoneID),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionUpdate),
+						plancheck.ExpectKnownValue(
+							resourceName,
+							tfjsonpath.New("rules"),
+							knownvalue.ListExact([]knownvalue.Check{
+								knownvalue.ObjectPartial(map[string]knownvalue.Check{
+									"id":         knownvalue.NotNull(),
+									"expression": knownvalue.StringExact("ip.src eq 1.1.1.1"),
+									"ref":        knownvalue.StringExact("one"),
+								}),
+							}),
+						),
+					},
+				},
+			},
+		},
+	})
+}
+
 func testAccCheckCloudflareRulesetMagicTransitSingle(rnd, name, accountID string) string {
 	return acctest.LoadTestCase("rulesetmagictransitsingle.tf", rnd, name, accountID)
 }
@@ -2512,26 +2745,6 @@ func testAccCheckCloudflareRulesetRateLimitWithMitigationTimeoutOfZero(rnd, name
 	return acctest.LoadTestCase("rulesetratelimitwithmitigationtimeoutofzero.tf", rnd, name, zoneID, zoneName)
 }
 
-func testAccCheckCloudflareRulesetTwoCustomRules(rnd, zoneID string) string {
-	return acctest.LoadTestCase("rulesettwocustomrules.tf", rnd, zoneID)
-}
-
-func testAccCheckCloudflareRulesetTwoCustomRulesReversed(rnd, zoneID string) string {
-	return acctest.LoadTestCase("rulesettwocustomrulesreversed.tf", rnd, zoneID)
-}
-
-func testAccCheckCloudflareRulesetThreeCustomRules(rnd, zoneID string, enableLoginRule bool) string {
-	return acctest.LoadTestCase("rulesetthreecustomrules.tf", rnd, zoneID, enableLoginRule)
-}
-
-func testAccCheckCloudflareRulesetTwoCustomRulesWithRef(rnd, zoneID string, enableAdminRule bool) string {
-	return acctest.LoadTestCase("rulesettwocustomruleswithref.tf", rnd, zoneID, enableAdminRule)
-}
-
-func testAccCheckCloudflareRulesetThreeCustomRulesWithRef(rnd, zoneID string) string {
-	return acctest.LoadTestCase("rulesetthreecustomruleswithref.tf", rnd, zoneID)
-}
-
 func testAccCheckCloudflareRulesetActionParametersOverridesActionEnabled(rnd, name, zoneID, zoneName string) string {
 	return acctest.LoadTestCase("rulesetactionparametersoverridesactionenabled.tf", rnd, name, zoneID, zoneName)
 }
@@ -2668,10 +2881,6 @@ func testAccCloudflareRulesetConfigSingleFalseyValue(rnd, zoneID string) string
 	return acctest.LoadTestCase("rulesetconfigsinglefalseyvalue.tf", rnd, zoneID)
 }
 
-func testAccCloudflareRulesetConfigConflictingCacheByDeviceConfigs(rnd, zoneID string) string {
-	return acctest.LoadTestCase("rulesetconfigconflictingcachebydeviceconfigs.tf", rnd, zoneID)
-}
-
 func testAccCloudflareRulesetCacheSettingsExplicitCustomKeyCacheKeysQueryStringsExclude(rnd, zoneID string) string {
 	return acctest.LoadTestCase("rulesetcachesettingsexplicitcustomkeycachekeysquerystringsexclude.tf", rnd, zoneID)
 }
@@ -2708,6 +2917,30 @@ func testAccCloudflareRulesetCacheSettingsBypassBrowserInvalid(rnd, zoneID strin
 	return acctest.LoadTestCase("rulesetcachesettingsbypassbrowserinvalid.tf", rnd, zoneID)
 }
 
-func testAccCheckCloudflareRulesetDestroy(s *terraform.State) error {
-	return nil
+func testAccCloudflareRulesetWithRuleRefs(rnd, zoneID string) string {
+	return acctest.LoadTestCase("rulesetwithrulerefs.tf", rnd, zoneID)
+}
+
+func testAccCloudflareRulesetWithRuleRefsAdded(rnd, zoneID string) string {
+	return acctest.LoadTestCase("rulesetwithrulerefsadded.tf", rnd, zoneID)
+}
+
+func testAccCloudflareRulesetWithRuleRefsAppended(rnd, zoneID string) string {
+	return acctest.LoadTestCase("rulesetwithrulerefsappended.tf", rnd, zoneID)
+}
+
+func testAccCloudflareRulesetWithRuleRefsModified(rnd, zoneID string) string {
+	return acctest.LoadTestCase("rulesetwithrulerefsmodified.tf", rnd, zoneID)
+}
+
+func testAccCloudflareRulesetWithRuleRefsRemoved(rnd, zoneID string) string {
+	return acctest.LoadTestCase("rulesetwithrulerefsremoved.tf", rnd, zoneID)
+}
+
+func testAccCloudflareRulesetWithRuleRefsReversed(rnd, zoneID string) string {
+	return acctest.LoadTestCase("rulesetwithrulerefsreversed.tf", rnd, zoneID)
+}
+
+func testAccCloudflareRulesetWithRuleRefsTruncated(rnd, zoneID string) string {
+	return acctest.LoadTestCase("rulesetwithrulerefstruncated.tf", rnd, zoneID)
 }