fix(authenticated_origin_pulls): handle array response and implement full lifecycle

[ang-cloudflare]

Summary

Fixes the cloudflare_authenticated_origin_pulls resource which was completely broken due to API response format mismatch.

Problem

Primary Issue: Array Response Not Handled

The API endpoint PUT /zones/{zone_id}/origin_tls_client_auth/hostnames returns an array of all hostname associations for the zone, not just the single hostname being created/updated:

{
  "result": [
    {"hostname": "example.com", "cert_id": "abc-123", "enabled": true, ...},
    {"hostname": "api.example.com", "cert_id": "def-456", "enabled": true, ...}
  ],
  "success": true
}

The auto-generated provider code expected a single object:

{
  "result": {"hostname": "example.com", "cert_id": "abc-123", ...}
}

This caused Create/Update operations to silently fail - the API call succeeded but the response couldn't be parsed, leaving the resource state empty or incorrect.

Secondary Issues

1. Delete failed with "Certificate ID required" - The API requires cert_id in the delete payload, but it wasn't being sent
2. State drift on private_key - This is a write-only field (sent to API, never returned), causing Terraform to detect drift on every refresh

Solution

1. Array Response Handling (custom.go)

Created custom types to properly handle the array response:

// AuthenticatedOriginPullsArrayResultEnvelope handles the array response from the API
type AuthenticatedOriginPullsArrayResultEnvelope struct {
    Result []AuthenticatedOriginPullsModel `json:"result"`
}

// FindByHostname searches the array for a specific hostname
func (e *AuthenticatedOriginPullsArrayResultEnvelope) FindByHostname(hostname string) (*AuthenticatedOriginPullsModel, error) {
    for i := range e.Result {
        if e.Result[i].Hostname.ValueString() == hostname {
            return &e.Result[i], nil
        }
    }
    return nil, fmt.Errorf("hostname %q not found in response", hostname)
}

2. Fixed CRUD Operations (resource.go)

Create/Update:

// Parse array response
env := AuthenticatedOriginPullsArrayResultEnvelope{}
err = apijson.UnmarshalComputed(bytes, &env)

// Find matching hostname from the array
result, err := env.FindByHostname(targetHostname)

// Copy computed fields to state
data.CERTID = result.CERTID
data.Enabled = result.Enabled
// ... etc

Delete:

// Include cert_id as required by API
deletePayload := map[string]interface{}{
    "config": []map[string]interface{}{
        {
            "hostname": hostname,
            "cert_id":  data.CERTID.ValueString(), // Required!
            "enabled":  nil, // null voids the association
        },
    },
}

Read:

// PrivateKey is write-only, set to null to prevent drift
data.PrivateKey = types.StringNull()

3. Comprehensive Lifecycle Test (resource_test.go)

Rewrote tests to cover the full lifecycle:

• Step 1: Create hostname association with enabled=true
• Step 2: Update to enabled=false
• Step 3: Import and verify state matches

API Documentation Verification

Verified implementation against Cloudflare API docs:

API Behavior	Implementation	Status
PUT returns array of all hostname associations	AuthenticatedOriginPullsArrayResultEnvelope with FindByHostname()	✅
GET returns single hostname association	Uses AuthenticatedOriginPullsResultEnvelope (single object)	✅
Delete uses enabled: null to void association	Sends enabled: nil in payload	✅
cert_id required in request	Included in Create/Update/Delete payloads	✅
private_key is write-only	Set to types.StringNull() after API calls	✅

Files Changed

File	Purpose
custom.go	New file - Array envelope type and FindByHostname() helper
resource.go	Fixed Create/Update/Delete/Read methods
resource_test.go	Rewrote with comprehensive lifecycle test
testdata/*.tf	Removed outdated test configs

Cherry-picked Dependencies

This PR includes cherry-picked certificate normalization fixes required for the test to pass (the test creates a certificate first, then associates it with a hostname):

• Certificate normalization from PR fix(authenticated_origin_pulls_certificate): add certificate normalization and lifecycle test #6710 (authenticated_origin_pulls_certificate)
• Certificate normalization from PR fix: authenticated_origin_pulls_hostname_certificate resource and tests #6703 (authenticated_origin_pulls_hostname_certificate)

Test Results

=== RUN   TestAccAuthenticatedOriginPulls_FullLifecycle
--- PASS: TestAccAuthenticatedOriginPulls_FullLifecycle (8.21s)
PASS
ok  	github.com/cloudflare/terraform-provider-cloudflare/internal/services/authenticated_origin_pulls	9.633s

JIRA

SECENG-12970

[vaishakdinesh]

The API endpoint PUT /zones/{zone_id}/origin_tls_client_auth/hostnames returns an array of all hostname associations for the zone, not just the single hostname being created/updated:

Is the openapi definition correct?

[ang-cloudflare]

updated

Yes, the OpenAPI spec in api-docs correctly defines the response as hostname_aop_response_collection with result: type: array

[musa-cf]

Thanks for providing a great description!