fix zero_trust_organization import

internal/services/zero_trust_organization/normalizations.go

@@ -2,7 +2,9 @@ package zero_trust_organization
 
 import (
 	"context"
+
 	"github.com/hashicorp/terraform-plugin-framework/diag"
+	"github.com/hashicorp/terraform-plugin-framework/types"
 	"github.com/hashicorp/terraform-plugin-framework/types/basetypes"
 )
 
@@ -34,3 +36,17 @@ func normalizeReadZeroTrustOrganizationAPIData(_ context.Context, data, sourceDa
 
 	return diags
 }
+
+func normalizeImportZeroTrustOrganizationAPIData(_ context.Context, data *ZeroTrustOrganizationModel) diag.Diagnostics {
+	diags := make(diag.Diagnostics, 0)
+
+	if data.AutoRedirectToIdentity.IsNull() {
+		data.AutoRedirectToIdentity = types.BoolValue(false)
+	}
+
+	if data.LoginDesign != nil && *data.LoginDesign == (ZeroTrustOrganizationLoginDesignModel{}) {
+		data.LoginDesign = nil
+	}
+
+	return diags
+}

internal/services/zero_trust_organization/resource.go

@@ -5,11 +5,12 @@ package zero_trust_organization
 import (
 	"context"
 	"fmt"
-	"github.com/cloudflare/terraform-provider-cloudflare/internal/importpath"
-	"github.com/hashicorp/terraform-plugin-framework/types"
 	"io"
 	"net/http"
 
+	"github.com/cloudflare/terraform-provider-cloudflare/internal/importpath"
+	"github.com/hashicorp/terraform-plugin-framework/types"
+
 	"github.com/cloudflare/cloudflare-go/v5"
 	"github.com/cloudflare/cloudflare-go/v5/option"
 	"github.com/cloudflare/cloudflare-go/v5/zero_trust"
@@ -257,6 +258,7 @@ func (r *ZeroTrustOrganizationResource) ImportState(ctx context.Context, req res
 	}
 	data = &env.Result
 
+	resp.Diagnostics.Append(normalizeImportZeroTrustOrganizationAPIData(ctx, data)...)
 	resp.Diagnostics.Append(resp.State.Set(ctx, &data)...)
 }
 

internal/services/zero_trust_organization/resource_test.go

@@ -81,6 +81,25 @@ func TestAccCloudflareAccessOrganization(t *testing.T) {
 				ImportStateId:    accountID,
 				ImportStateCheck: accessOrgImportStateCheck,
 			},
+			{
+				Config: testAccCloudflareAccessOrganizationConfigEmpty(rnd, accountID, testAuthDomain()),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(name, consts.AccountIDSchemaKey, accountID),
+					resource.TestCheckResourceAttr(name, "name", testAuthDomain()),
+					resource.TestCheckResourceAttr(name, "auth_domain", rnd+"-"+testAuthDomain()),
+					resource.TestCheckResourceAttr(name, "session_duration", "12h"),
+					// Verify that login_design is not present in the state
+					resource.TestCheckNoResourceAttr(name, "login_design.background_color"),
+					resource.TestCheckNoResourceAttr(name, "login_design.text_color"),
+					resource.TestCheckNoResourceAttr(name, "login_design.logo_path"),
+					resource.TestCheckNoResourceAttr(name, "login_design.header_text"),
+					resource.TestCheckNoResourceAttr(name, "login_design.footer_text"),
+				),
+				ResourceName:     name,
+				ImportState:      true,
+				ImportStateId:    accountID,
+				ImportStateCheck: accessOrgImportStateCheckEmpty,
+			},
 		},
 	})
 }
@@ -122,3 +141,56 @@ func accessOrgImportStateCheck(instanceStates []*terraform.InstanceState) error
 func testAccCloudflareAccessOrganizationConfigBasic(rnd, accountID, headerText, authDomain string) string {
 	return acctest.LoadTestCase("accessorganizationconfigbasic.tf", rnd, accountID, headerText, authDomain)
 }
+
+func testAccCloudflareAccessOrganizationConfigEmpty(rnd, accountID, authDomain string) string {
+	return acctest.LoadTestCase("accessorganizationconfigempty.tf", rnd, accountID, authDomain)
+}
+
+func accessOrgImportStateCheckEmpty(instanceStates []*terraform.InstanceState) error {
+	state := instanceStates[0]
+	attrs := state.Attributes
+	wantAuthDomain := testAuthDomain()
+	accountID := os.Getenv("CLOUDFLARE_ACCOUNT_ID")
+
+	if stateName := attrs["name"]; !strings.HasSuffix(stateName, wantAuthDomain) {
+		return fmt.Errorf("name has value %q and does not match expected suffix %q", stateName, wantAuthDomain)
+	}
+
+	if stateAuthdomain := attrs["auth_domain"]; !strings.HasSuffix(stateAuthdomain, wantAuthDomain) {
+		return fmt.Errorf("auth_domain has value %q and does not match expected suffix %q", stateAuthdomain, wantAuthDomain)
+	}
+
+	stateChecks := []struct {
+		field         string
+		stateValue    string
+		expectedValue string
+	}{
+		{field: consts.AccountIDSchemaKey, stateValue: attrs[consts.AccountIDSchemaKey], expectedValue: accountID},
+		{field: "is_ui_read_only", stateValue: attrs["is_ui_read_only"], expectedValue: "false"},
+		{field: "auto_redirect_to_identity", stateValue: attrs["auto_redirect_to_identity"], expectedValue: "false"},
+		{field: "user_seat_expiration_inactive_time", stateValue: attrs["user_seat_expiration_inactive_time"], expectedValue: "1460h"},
+	}
+
+	for _, check := range stateChecks {
+		if check.stateValue != check.expectedValue {
+			return fmt.Errorf("%s has value %q and does not match expected value %q", check.field, check.stateValue, check.expectedValue)
+		}
+	}
+
+	loginDesignAttrs := []string{
+		"login_design.background_color",
+		"login_design.text_color",
+		"login_design.logo_path",
+		"login_design.header_text",
+		"login_design.footer_text",
+	}
+
+	// Verify login_design attributes are not present
+	for _, attr := range loginDesignAttrs {
+		if _, exists := attrs[attr]; exists {
+			return fmt.Errorf("%s exists in state but should not be present", attr)
+		}
+	}
+
+	return nil
+}

internal/services/zero_trust_organization/testdata/accessorganizationconfigempty.tf

@@ -0,0 +1,6 @@
+resource "cloudflare_zero_trust_organization" "%[1]s" {
+  account_id                         = "%[2]s"      
+  name                               = "%[3]s"      
+  auth_domain                        = "%[1]s-%[3]s"
+  session_duration                   = "12h"
+}