Merge pull request #5720 from GreenStage/egomes/AUTH-7151

AUTH-7151 fix self-hosted-app destination validations

Author: musa-cf

internal/customvalidator/required_when_other_attribute_is_one_of_validator.go

@@ -41,12 +41,13 @@ func (i requiredWhenOtherAttributeIsOneOfValidator) MarkdownDescription(ctx cont
 	return i.Description(ctx)
 }
 
-func (i requiredWhenOtherAttributeIsOneOfValidator) validateAny(ctx context.Context, cfg *tfsdk.Config, attrPath path.Path, value attr.Value, resDiagnostics *diag.Diagnostics) {
+func (i requiredWhenOtherAttributeIsOneOfValidator) validateAny(ctx context.Context, cfg *tfsdk.Config, attrPathExpr path.Expression, attrPath path.Path, value attr.Value, resDiagnostics *diag.Diagnostics) {
 	if !value.IsNull() || value.IsUnknown() {
 		return
 	}
 
-	matchedPaths, diags := cfg.PathMatches(ctx, i.pathExpr)
+	expression := attrPathExpr.Merge(i.pathExpr)
+	matchedPaths, diags := cfg.PathMatches(ctx, expression)
 	resDiagnostics.Append(diags...)
 
 	for _, mp := range matchedPaths {
@@ -82,5 +83,5 @@ func (i requiredWhenOtherAttributeIsOneOfValidator) validateAny(ctx context.Cont
 }
 
 func (i requiredWhenOtherAttributeIsOneOfValidator) ValidateObject(ctx context.Context, req validator.ObjectRequest, res *validator.ObjectResponse) {
-	i.validateAny(ctx, &req.Config, req.Path, req.ConfigValue, &res.Diagnostics)
+	i.validateAny(ctx, &req.Config, req.PathExpression, req.Path, req.ConfigValue, &res.Diagnostics)
 }

internal/customvalidator/requires_other_attribute_to_be_one_of_validator.go

@@ -47,12 +47,13 @@ func (i requiresOtherAttributeToBeOneOfValidator) MarkdownDescription(ctx contex
 	return i.Description(ctx)
 }
 
-func (i requiresOtherAttributeToBeOneOfValidator) validateAny(ctx context.Context, cfg *tfsdk.Config, attrPath path.Path, value attr.Value, resDiagnostics *diag.Diagnostics) {
+func (i requiresOtherAttributeToBeOneOfValidator) validateAny(ctx context.Context, cfg *tfsdk.Config, attrPathExpr path.Expression, attrPath path.Path, value attr.Value, resDiagnostics *diag.Diagnostics) {
 	if value.IsNull() || value.IsUnknown() {
 		return
 	}
 
-	matchedPaths, diags := cfg.PathMatches(ctx, i.pathExpr)
+	expression := attrPathExpr.Merge(i.pathExpr)
+	matchedPaths, diags := cfg.PathMatches(ctx, expression)
 	resDiagnostics.Append(diags...)
 
 	for _, mp := range matchedPaths {
@@ -94,17 +95,17 @@ func (i requiresOtherAttributeToBeOneOfValidator) validateAny(ctx context.Contex
 }
 
 func (i requiresOtherAttributeToBeOneOfValidator) ValidateBool(ctx context.Context, req validator.BoolRequest, res *validator.BoolResponse) {
-	i.validateAny(ctx, &req.Config, req.Path, req.ConfigValue, &res.Diagnostics)
+	i.validateAny(ctx, &req.Config, req.PathExpression, req.Path, req.ConfigValue, &res.Diagnostics)
 }
 
 func (i requiresOtherAttributeToBeOneOfValidator) ValidateString(ctx context.Context, req validator.StringRequest, res *validator.StringResponse) {
-	i.validateAny(ctx, &req.Config, req.Path, req.ConfigValue, &res.Diagnostics)
+	i.validateAny(ctx, &req.Config, req.PathExpression, req.Path, req.ConfigValue, &res.Diagnostics)
 }
 
 func (i requiresOtherAttributeToBeOneOfValidator) ValidateObject(ctx context.Context, req validator.ObjectRequest, res *validator.ObjectResponse) {
-	i.validateAny(ctx, &req.Config, req.Path, req.ConfigValue, &res.Diagnostics)
+	i.validateAny(ctx, &req.Config, req.PathExpression, req.Path, req.ConfigValue, &res.Diagnostics)
 }
 
 func (i requiresOtherAttributeToBeOneOfValidator) ValidateList(ctx context.Context, req validator.ListRequest, res *validator.ListResponse) {
-	i.validateAny(ctx, &req.Config, req.Path, req.ConfigValue, &res.Diagnostics)
+	i.validateAny(ctx, &req.Config, req.PathExpression, req.Path, req.ConfigValue, &res.Diagnostics)
 }

internal/services/zero_trust_access_application/model.go

@@ -123,7 +123,7 @@ type ZeroTrustAccessApplicationTargetCriteriaModel struct {
 }
 
 type ZeroTrustAccessApplicationDestinationsModel struct {
-	Type       types.String `tfsdk:"type" json:"type,optional"`
+	Type       types.String `tfsdk:"type" json:"type,computed_optional"`
 	URI        types.String `tfsdk:"uri" json:"uri,optional"`
 	CIDR       types.String `tfsdk:"cidr" json:"cidr,optional"`
 	Hostname   types.String `tfsdk:"hostname" json:"hostname,optional"`

internal/services/zero_trust_access_application/resource_test.go

@@ -1360,6 +1360,60 @@ func TestAccCloudflareAccessApplicationWithInvalidSessionDuration(t *testing.T)
 	})
 }
 
+func TestAccCloudflareAccessApplicationWithInvalidPrivateDestination(t *testing.T) {
+	rnd := utils.GenerateRandomResourceName()
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			acctest.TestAccPreCheck(t)
+			acctest.TestAccPreCheck_AccountID(t)
+		},
+		ProtoV6ProviderFactories: acctest.TestAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config:      testAccessApplicationWithInvalidPrivateDestination(rnd, accountID),
+				ExpectError: regexp.MustCompile(`"destinations\[0]\.(hostname|port_range)" can only be set if "<\.type" is one of: "private"`),
+			},
+		},
+	})
+}
+
+func TestAccCloudflareAccessApplicationWithDestinations(t *testing.T) {
+	rnd := utils.GenerateRandomResourceName()
+
+	name := fmt.Sprintf("cloudflare_zero_trust_access_application.%s", rnd)
+	publicDomain := fmt.Sprintf("d1.%[1]s.%[2]s", rnd, domain)
+	privateDomain := fmt.Sprintf("%[1]s.private", rnd)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			acctest.TestAccPreCheck(t)
+			acctest.TestAccPreCheck_AccountID(t)
+		},
+		ProtoV6ProviderFactories: acctest.TestAccProtoV6ProviderFactories,
+		CheckDestroy:             testAccCheckCloudflareAccessApplicationDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccessApplicationWithDestinations(rnd, domain, cloudflare.AccountIdentifier(accountID)),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(name, consts.AccountIDSchemaKey, accountID),
+					resource.TestCheckResourceAttr(name, "name", rnd),
+					resource.TestCheckResourceAttr(name, "destinations.#", "2"),
+					resource.TestCheckResourceAttr(name, "destinations.0.type", "private"),
+					resource.TestCheckResourceAttr(name, "destinations.0.hostname", privateDomain),
+					resource.TestCheckResourceAttr(name, "destinations.1.type", "public"),
+					resource.TestCheckResourceAttr(name, "destinations.1.uri", publicDomain),
+				),
+			},
+			{
+				// Ensures no diff on last plan
+				Config:   testAccessApplicationWithDestinations(rnd, domain, cloudflare.AccountIdentifier(accountID)),
+				PlanOnly: true,
+			},
+		},
+	})
+}
+
 func TestAccCloudflareAccessApplicationMisconfiguredCORSCredentialsAllowingAllOrigins(t *testing.T) {
 	rnd := utils.GenerateRandomResourceName()
 	zone := os.Getenv("CLOUDFLARE_DOMAIN")
@@ -1419,6 +1473,14 @@ func testAccessApplicationWithInvalidSessionDuration(resourceID, zone, zoneID st
 	return acctest.LoadTestCase("accessapplicationwithinvalidsessionduration.tf", resourceID, zone, zoneID)
 }
 
+func testAccessApplicationWithInvalidPrivateDestination(resourceID, accountID string) string {
+	return acctest.LoadTestCase("accessapplicationconfiginvalidprivatedestination.tf", resourceID, accountID)
+}
+
+func testAccessApplicationWithDestinations(rnd string, domain string, identifier *cloudflare.ResourceContainer) string {
+	return acctest.LoadTestCase("accessapplicationconfigwithdestinations.tf", rnd, domain, identifier.Type, identifier.Identifier)
+}
+
 func testAccessApplicationMisconfiguredCORSAllowAllOriginsWithCredentials(resourceID, zone, zoneID string) string {
 	return acctest.LoadTestCase("accessapplicationmisconfiguredcorsallowalloriginswithcredentials.tf", resourceID, zone, zoneID)
 }

internal/services/zero_trust_access_application/schema.go

@@ -499,36 +499,54 @@ func ResourceSchema(ctx context.Context) schema.Schema {
 						"type": schema.StringAttribute{
 							Description: `Available values: "public", "private".`,
 							Optional:    true,
+							Computed:    true,
+							Default:     stringdefault.StaticString("public"),
 							Validators: []validator.String{
 								stringvalidator.OneOfCaseInsensitive("public", "private"),
 							},
 						},
 						"uri": schema.StringAttribute{
 							Description: "The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).",
 							Optional:    true,
+							Validators: []validator.String{
+								customvalidator.RequiresOtherStringAttributeToNullOrBeOneOf(path.MatchRelative().AtParent().AtName("type"), "public"),
+							},
 						},
 						"cidr": schema.StringAttribute{
 							Description: "The CIDR range of the destination. Single IPs will be computed as /32.",
 							Optional:    true,
+							Validators: []validator.String{
+								customvalidator.RequiresOtherStringAttributeToBeOneOf(path.MatchRelative().AtParent().AtName("type"), "private"),
+							},
 						},
 						"hostname": schema.StringAttribute{
 							Description: "The hostname of the destination. Matches a valid SNI served by an HTTPS origin.",
 							Optional:    true,
+							Validators: []validator.String{
+								customvalidator.RequiresOtherStringAttributeToBeOneOf(path.MatchRelative().AtParent().AtName("type"), "private"),
+							},
 						},
 						"l4_protocol": schema.StringAttribute{
 							Description: "The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.\nAvailable values: \"tcp\", \"udp\".",
 							Optional:    true,
 							Validators: []validator.String{
 								stringvalidator.OneOfCaseInsensitive("tcp", "udp"),
+								customvalidator.RequiresOtherStringAttributeToBeOneOf(path.MatchRelative().AtParent().AtName("type"), "private"),
 							},
 						},
 						"port_range": schema.StringAttribute{
 							Description: "The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.",
 							Optional:    true,
+							Validators: []validator.String{
+								customvalidator.RequiresOtherStringAttributeToBeOneOf(path.MatchRelative().AtParent().AtName("type"), "private"),
+							},
 						},
 						"vnet_id": schema.StringAttribute{
 							Description: "The VNET ID to match the destination. When omitted, all VNETs will match.",
 							Optional:    true,
+							Validators: []validator.String{
+								customvalidator.RequiresOtherStringAttributeToBeOneOf(path.MatchRelative().AtParent().AtName("type"), "private"),
+							},
 						},
 					},
 				},

internal/services/zero_trust_access_application/testdata/accessapplicationconfiginvalidprivatedestination.tf

@@ -0,0 +1,13 @@
+resource "cloudflare_zero_trust_access_application" "%[1]s" {
+  account_id                = "%[2]s"
+  name                      = "%[1]s"
+  type                      = "self_hosted"
+  session_duration          = "24h"
+  auto_redirect_to_identity = false
+  destinations = [
+    {
+      "hostname" : "abc.private"
+      "port_range": "443"
+    }
+  ]
+}

internal/services/zero_trust_access_application/testdata/accessapplicationconfigwithdestinations.tf

@@ -0,0 +1,17 @@
+resource "cloudflare_zero_trust_access_application" "%[1]s" {
+  %[3]s_id                  = "%[4]s"
+  name                      = "%[1]s"
+  type                      = "self_hosted"
+  session_duration          = "24h"
+  auto_redirect_to_identity = false
+  destinations = [
+    {
+      "type" : "private",
+      "hostname" : "%[1]s.private"
+      "port_range": "443"
+    },
+    {
+      "uri" : "d1.%[1]s.%[2]s",
+    }
+  ]
+}