Merge branch 'main' into ssicard/managed-transforms

Author: ssicard

cmd/tf-migrate/main.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"regexp"
 	"strings"
 
 	"github.com/cloudflare/cloudflare-go/v6"
@@ -336,14 +337,16 @@ func processConfigFiles(log hclog.Logger, p *pipeline.Pipeline, cfg config, stat
 	return parsedConfigs, nil
 }
 
-// applyGlobalPostprocessing applies cross-file reference updates for resource renames
+// applyGlobalPostprocessing applies cross-file reference updates for resource and attribute renames
 func applyGlobalPostprocessing(log hclog.Logger, cfg config, outputPaths []string) error {
-	// Collect resource renames from all migrators
+	// Collect resource renames and attribute renames from all migrators
 	providers := getProviders(cfg.resourcesToMigrate...)
 	migrators := providers.GetAllMigrators(cfg.sourceVersion, cfg.targetVersion, cfg.resourcesToMigrate...)
 
 	// Map to store old type -> new type mappings
 	renames := make(map[string]string)
+	// Slice to store attribute renames
+	var attributeRenames []transform.AttributeRename
 
 	for _, migrator := range migrators {
 		// Check if this migrator implements ResourceRenamer interface
@@ -367,15 +370,30 @@ func applyGlobalPostprocessing(log hclog.Logger, cfg config, outputPaths []strin
 			log.Warn("Migrator does not implement ResourceRenamer interface - cross-file references may not be updated",
 				"migrator", fmt.Sprintf("%T", migrator))
 		}
+
+		// Check if this migrator implements AttributeRenamer interface
+		if attrRenamer, ok := migrator.(transform.AttributeRenamer); ok {
+			renames := attrRenamer.GetAttributeRenames()
+			if len(renames) > 0 {
+				attributeRenames = append(attributeRenames, renames...)
+				for _, r := range renames {
+					log.Debug("Collected attribute rename",
+						"resource_type", r.ResourceType,
+						"old_attr", r.OldAttribute,
+						"new_attr", r.NewAttribute)
+				}
+			}
+		}
 	}
 
 	// If no renames found, skip global postprocessing
-	if len(renames) == 0 {
-		log.Debug("No resource renames found, skipping global postprocessing")
+	if len(renames) == 0 && len(attributeRenames) == 0 {
+		log.Debug("No renames found, skipping global postprocessing")
 		return nil
 	}
 
-	fmt.Printf("\nApplying cross-file reference updates (%d renames across %d files)...\n", len(renames), len(outputPaths))
+	totalUpdates := len(renames) + len(attributeRenames)
+	fmt.Printf("\nApplying cross-file reference updates (%d updates across %d files)...\n", totalUpdates, len(outputPaths))
 
 	// Apply renames to all files
 	for _, outputPath := range outputPaths {
@@ -388,7 +406,7 @@ func applyGlobalPostprocessing(log hclog.Logger, cfg config, outputPaths []strin
 		contentStr := string(content)
 		modified := false
 
-		// Apply all renames
+		// Apply all resource type renames
 		for oldType, newType := range renames {
 			newContent := strings.ReplaceAll(contentStr, oldType+".", newType+".")
 			if newContent != contentStr {
@@ -398,6 +416,30 @@ func applyGlobalPostprocessing(log hclog.Logger, cfg config, outputPaths []strin
 			}
 		}
 
+		// Apply all attribute renames
+		// Pattern: data.cloudflare_zones.<instance_name>.zones → data.cloudflare_zones.<instance_name>.result
+		// We need to match: <ResourceType>.<instance_name>.<OldAttribute>
+		for _, rename := range attributeRenames {
+			// Build regex pattern: data\.cloudflare_zones\.([a-zA-Z0-9_-]+)\.zones
+			// The instance name can contain letters, numbers, underscores, and hyphens
+			pattern := regexp.QuoteMeta(rename.ResourceType) + `\.([a-zA-Z0-9_-]+)\.` + regexp.QuoteMeta(rename.OldAttribute)
+			re := regexp.MustCompile(pattern)
+
+			// Replace with: data.cloudflare_zones.$1.result (preserving instance name)
+			replacement := rename.ResourceType + ".$1." + rename.NewAttribute
+			newContent := re.ReplaceAllString(contentStr, replacement)
+
+			if newContent != contentStr {
+				modified = true
+				contentStr = newContent
+				log.Debug("Updated attribute references",
+					"file", filepath.Base(outputPath),
+					"resource_type", rename.ResourceType,
+					"old_attr", rename.OldAttribute,
+					"new_attr", rename.NewAttribute)
+			}
+		}
+
 		// Write back if modified
 		if modified {
 			if err := os.WriteFile(outputPath, []byte(contentStr), 0644); err != nil {
@@ -406,7 +448,7 @@ func applyGlobalPostprocessing(log hclog.Logger, cfg config, outputPaths []strin
 		}
 	}
 
-	fmt.Printf("✓ Updated cross-file references (%d renames applied)\n", len(renames))
+	fmt.Printf("✓ Updated cross-file references (%d updates applied)\n", totalUpdates)
 	return nil
 }
 

integration/v4_to_v5/testdata/api_token/expected/api_token.tf

@@ -14,9 +14,9 @@ resource "cloudflare_api_token" "basic_token" {
 
   policies = [{
     effect = "allow"
-    resources = {
+    resources = jsonencode({
       "com.cloudflare.api.account.*" = "*"
-    }
+    })
     permission_groups = [{
       id = "c8fed203ed3043cba015a93ad1616f1f"
       }, {
@@ -32,17 +32,17 @@ resource "cloudflare_api_token" "multi_policy_token" {
 
   policies = [{
     effect = "allow"
-    resources = {
+    resources = jsonencode({
       "com.cloudflare.api.account.*" = "*"
-    }
+    })
     permission_groups = [{
       id = "c8fed203ed3043cba015a93ad1616f1f"
     }]
     }, {
     effect = "deny"
-    resources = {
+    resources = jsonencode({
       "com.cloudflare.api.account.zone.*" = "*"
-    }
+    })
     permission_groups = [{
       id = "82e64a83756745bbbb1c9c2701bf816b"
     }]
@@ -56,9 +56,9 @@ resource "cloudflare_api_token" "conditional_token" {
 
   policies = [{
     effect = "allow"
-    resources = {
+    resources = jsonencode({
       "com.cloudflare.api.account.*" = "*"
-    }
+    })
     permission_groups = [{
       id = "c8fed203ed3043cba015a93ad1616f1f"
     }]
@@ -80,10 +80,10 @@ resource "cloudflare_api_token" "advanced_condition_token" {
 
   policies = [{
     effect = "allow"
-    resources = {
+    resources = jsonencode({
       "com.cloudflare.api.account.*"      = "*"
       "com.cloudflare.api.account.zone.*" = "*"
-    }
+    })
     permission_groups = [{
       id = "c8fed203ed3043cba015a93ad1616f1f"
     }]
@@ -111,9 +111,9 @@ resource "cloudflare_api_token" "time_limited_token" {
 
   policies = [{
     effect = "allow"
-    resources = {
+    resources = jsonencode({
       "com.cloudflare.api.account.*" = "*"
-    }
+    })
     permission_groups = [{
       id = "c8fed203ed3043cba015a93ad1616f1f"
     }]
@@ -126,9 +126,9 @@ resource "cloudflare_api_token" "empty_perms_token" {
 
   policies = [{
     effect = "allow"
-    resources = {
+    resources = jsonencode({
       "com.cloudflare.api.account.*" = "*"
-    }
+    })
     permission_groups = [{
       id = "c8fed203ed3043cba015a93ad1616f1f"
     }]
@@ -145,18 +145,18 @@ resource "cloudflare_api_token" "full_example" {
 
   policies = [{
     effect = "allow"
-    resources = {
+    resources = jsonencode({
       "com.cloudflare.api.account.*"      = "*"
       "com.cloudflare.api.account.zone.*" = "*"
-    }
+    })
     permission_groups = [{
       id = "c8fed203ed3043cba015a93ad1616f1f"
     }]
     }, {
     effect = "deny"
-    resources = {
+    resources = jsonencode({
       "com.cloudflare.api.account.zone.*" = "*"
-    }
+    })
     permission_groups = [{
       id = "e086da7e2179491d91ee5f35b3ca210a"
     }]
@@ -186,9 +186,9 @@ resource "cloudflare_api_token" "api_token_create" {
   expires_on = "2035-12-31T23:59:59Z"
 
   policies = [{
-    resources = {
+    resources = jsonencode({
       "com.cloudflare.api.account.*" = "*"
-    }
+    })
     effect = "allow"
     permission_groups = [{
       id = "c8fed203ed3043cba015a93ad1616f1f"
@@ -200,4 +200,68 @@ resource "cloudflare_api_token" "api_token_create" {
       not_in = ["198.51.100.1/32"]
     }
   }
-}
+}
+
+# Test Case 9: Token with complex multi-key resources map
+resource "cloudflare_api_token" "complex_resources_token" {
+  name = "Complex Resources Token"
+
+  policies = [{
+    effect = "allow"
+    resources = jsonencode({
+      "com.cloudflare.api.account.*"      = "*"
+      "com.cloudflare.api.account.zone.*" = "*"
+    })
+    permission_groups = [{
+      id = "c8fed203ed3043cba015a93ad1616f1f"
+    }]
+  }]
+}
+
+# Test Case 10: Token with multiple permission groups (v4 string format)
+resource "cloudflare_api_token" "multi_perms_token" {
+  name = "Multiple Permissions Token"
+
+  policies = [{
+    effect = "allow"
+    resources = jsonencode({
+      "com.cloudflare.api.account.*" = "*"
+    })
+    permission_groups = [{
+      id = "c8fed203ed3043cba015a93ad1616f1f"
+      }, {
+      id = "82e64a83756745bbbb1c9c2701bf816b"
+    }]
+  }]
+}
+
+# Test Case 11: Token without effect (should default to allow)
+resource "cloudflare_api_token" "no_effect_token" {
+  name = "No Effect Token"
+
+  policies = [{
+    resources = jsonencode({
+      "com.cloudflare.api.account.*" = "*"
+    })
+    effect = "allow"
+    permission_groups = [{
+      id = "c8fed203ed3043cba015a93ad1616f1f"
+    }]
+  }]
+}
+
+# Test Case 12: Token with variable references in resources
+resource "cloudflare_api_token" "variable_resources_token" {
+  name = "Variable Resources Token"
+
+  policies = [{
+    effect = "allow"
+    resources = jsonencode({
+      "com.cloudflare.api.account.${var.cloudflare_account_id}"   = "*"
+      "com.cloudflare.api.account.zone.${var.cloudflare_zone_id}" = "*"
+    })
+    permission_groups = [{
+      id = "c8fed203ed3043cba015a93ad1616f1f"
+    }]
+  }]
+}