release: 5.13.0 (#6397)

* chore(workers): integrate generated changes for Workers resources

The following resources are modified by these generated changes:
- workers_cron_trigger
- workers_custom_domain
- workers_deployment
- workers_for_platforms_dispatch_namespace
- workers_kv
- workers_kv_namespace
- workers_route
- workers_script

* chore(load_balancing): integrate generated changes for Load Balancing resources

The following resources are modified by these generated changes:
- healthcheck
- load_balancer
- load_balancer_monitor
- load_balancer_pool

* chore(iam): integrate generated changes for IAM resources

The following resources are modified by these generated changes:
- account
- account_member
- account_token
- api_token
- token_validation_config (added)
- token_validation_rules (added)

* chore(zero_trust, cfone): integrate generated changes for ZT and CFONE resources

The following resources are modified by these generated changes:
- cloudforce_one_request
- cloudforce_one_request_asset
- cloudforce_one_request_message
- cloudforce_one_request_priority
- zero_trust_access_custom_page
- zero_trust_access_group
- zero_trust_access_identity_provider
- zero_trust_access_infrastructure_target
- zero_trust_access_key_configuration
- zero_trust_access_mtls_certificate
- zero_trust_access_policy
- zero_trust_access_service_token
- zero_trust_access_short_lived_certificate
- zero_trust_access_tag
- zero_trust_device_custom_profile
- zero_trust_device_custom_profile_local_domain_fallback
- zero_trust_device_default_profile
- zero_trust_device_default_profile_local_domain_fallback
- zero_trust_device_managed_networks
- zero_trust_device_posture_integration
- zero_trust_device_posture_rule
- zero_trust_dex_test
- zero_trust_dlp_custom_entry
- zero_trust_dlp_custom_profile
- zero_trust_dlp_entry
- zero_trust_dlp_integration_entry
- zero_trust_dlp_predefined_entry
- zero_trust_dlp_predefined_profile
- zero_trust_dns_location
- zero_trust_gateway_certificate
- zero_trust_gateway_policy
- zero_trust_gateway_proxy_endpoint
- zero_trust_gateway_settings
- zero_trust_list
- zero_trust_network_hostname_route
- zero_trust_risk_scoring_integration
- zero_trust_tunnel_cloudflared
- zero_trust_tunnel_cloudflared_config
- zero_trust_tunnel_cloudflared_route
- zero_trust_tunnel_cloudflared_virtual_network
- zero_trust_tunnel_warp_connector
- zero_trust_access_ai_controls_mcp_portal (added)
- zero_trust_access_ai_controls_mcp_server (added)

* chore(d1): integrate generated changes for D1 resources

* chore(byoip): integrate generated changes for BYOIP resources

* chore(logpush): integrate generated changes for Logpush resources

* chore(pages): integrate generated changes for Pages resources

* chore(worker): integrate generated changes for Worker resources

* chore(stainless): integrate changes from unpinned codegen version

* feat: add new resources and data sources

* chore: include new sections for pr template (#6395)

* feat(magic_transit_connector): support self-serve license key (#6398)

Co-authored-by: yihuaf <yihuaf@cloudflare.com>

* ci(test): integrate migrator v2 (#6396)

* ci: build migrator v2 in ci

* chore: uptake migrator v2 for dns_record

* chore(certificate_pack): docs show safe rotation instructions (#6388)

* chore(test): increase legacy migrator test coverage (#6401)

* fix(zero_trust_dex_test): correct configurability for 'targeted' attribute to fix drift

* chore(test): acceptance tests for token validation resources (#6417)

This adds acceptance test for token validation resources:

```
$ TF_ACC=1 go test ./internal/services/token_validation_* -run "^TestAccCloudflareTokenValidationConfig|TestAccCloudflareTokenValidationRules" -v -count 1
=== RUN   TestAccCloudflareTokenValidationConfig
--- PASS: TestAccCloudflareTokenValidationConfig (42.65s)
PASS
ok      github.com/cloudflare/terraform-provider-cloudflare/internal/services/token_validation_config   46.029s
=== RUN   TestAccCloudflareTokenValidationRules
--- PASS: TestAccCloudflareTokenValidationRules (21.90s)
PASS
ok      github.com/cloudflare/terraform-provider-cloudflare/internal/services/token_validation_rules    23.824s
```

* chore(zones): data source tests (#6414)

* chore(test): add schema and token validation acceptance tests to CI (#6421)

This change adds the token validation and schema validation acceptance tests to CI runner.
Acceptance test zone `terraform.cfapi.net` seems to already be entitled to utilize both services.

It also ensures that the schema validation tests can be executed in parallel without interferring with each other:
```
$ TF_ACC=1 go test ./internal/services/token_validation_* ./internal/services/schema_validation_* -run "^TestAccCloudflareTokenValidationConfig|TestAccCloudflareTokenValidationRules|TestAccCloudflarePerOperationSetting|TestAccCloudflareSchemaValidationSchemas|TestAccCloudflareSchemaValidationZoneSettings" -v -count 1
=== RUN   TestAccCloudflareTokenValidationConfig
--- PASS: TestAccCloudflareTokenValidationConfig (36.15s)
PASS
ok  	github.com/cloudflare/terraform-provider-cloudflare/internal/services/token_validation_config	37.827s
=== RUN   TestAccCloudflareTokenValidationRules
--- PASS: TestAccCloudflareTokenValidationRules (26.03s)
PASS
ok  	github.com/cloudflare/terraform-provider-cloudflare/internal/services/token_validation_rules	28.480s
=== RUN   TestAccCloudflarePerOperationSetting
--- PASS: TestAccCloudflarePerOperationSetting (15.87s)
PASS
ok  	github.com/cloudflare/terraform-provider-cloudflare/internal/services/schema_validation_operation_settings	21.278s
=== RUN   TestAccCloudflareSchemaValidationSchemas
--- PASS: TestAccCloudflareSchemaValidationSchemas (13.31s)
PASS
ok  	github.com/cloudflare/terraform-provider-cloudflare/internal/services/schema_validation_schemas	16.719s
=== RUN   TestAccCloudflareSchemaValidationZoneSettings
--- PASS: TestAccCloudflareSchemaValidationZoneSettings (18.18s)
PASS
ok  	github.com/cloudflare/terraform-provider-cloudflare/internal/services/schema_validation_settings	22.567s
```

* Add mcp portals acctests (#6411)

* Add mcp portals acceptance tests

* Fix mcp portals acceptance tests

* Fix mcp portals acceptance tests

* chore(zero_trust_access_service_token): add migration test for zero_trust_access_service_token (#6416)

Co-authored-by: cortlyons <cortlyons@cloudflare.com>

* chore(ci): skip flaky test in CI

* chore(sso_connector): add acceptance tests (#6427)

* Add acceptance tests for sso connector resource

* Removing test staging option

* Create ZT IDP before attempting SSO connector operations

---------

Co-authored-by: scabell <scabell@cloudflare.com>

* chore(email_routing): improved email routing sweepers (#6429)

* chore(dns_record): improve dns sweepers (#6430)

* chore(workers_kv_namespace): v4 to v5 migration tests for workers_kv_namespace (#6424)

* chore(zero_trust_gateway_policy): v4 to v5 migration for zero_trust_gateway_policy (#6413)

* chore(zero_trust_list): v4 to v5 migration tests for zero trust list records (#6400)

* chore(account_member): add migration test (#6425)

* Add migration test for account_member

* chore(logpull_retention): add migration test for (#6426)

* add migration tests for logpull_retention

* chore(cloudflare_zero_trust_dlp_custom_profile): migration test and ignore order as set (#6428)

* fix(workers_script_subdomain): add note to cloudflare_workers_script_subdomain about redundancy with cloudflare_worker (#6383)

People using cloudflare_worker should not use cloudflare_workers_script_subdomain since cloudflare_worker already includes subdomain settings.

* chore(logpush_job): add import tests for resource (#6402)

* DS-15398: Add import tests for cloudflare_logpush_jobs resource

This adds import tests for `cloudflare_logpush_jobs` resource, per https://wiki.cfdata.org/display/API/Terraform+Acceptance+Tests

* DS-15398: Change LogpushJobModel optional,no_refresh to computed_optional,decode_null_to_zero (except OwnershipChallenge)

This changes `LogpushJobModel` `optional,no_refresh` to `computed_optional,decode_null_to_zero` (except `OwnershipChallenge`).
 - Changed `apijson` to `apijsoncustom` in `model.go` and `resource.go`.

This is based on similar fixes done for #5909

* chore(logpull_retention): update acceptance test (#6277)

This updates `logpull_retention` test:
 1. Add import test.
 2. Switch to Plan and State Checks from legacy Checks.

Test passes locally:
```
go test ./internal/services/logpull_retention -run "^TestAccLogpullRetention" -v -count 1

=== RUN   TestAccLogpullRetention_Basic
--- PASS: TestAccLogpullRetention_Basic (10.48s)
PASS
ok      github.com/cloudflare/terraform-provider-cloudflare/internal/services/logpull_retention 10.487s
```

* chore(zone_dnssec): v4 to v5 migration tests for zone_dnssec (#6432)

TF_ACC=1 TF_MIGRATE_BINARY_PATH=~/cf-repos/terraform-devstack/tf-migrate/tf-migrate go test -v -run "TestMigrate" ./internal/services/zone_dnssec
=== RUN   TestMigrateZoneDNSSECBasic
--- PASS: TestMigrateZoneDNSSECBasic (15.62s)
=== RUN   TestMigrateZoneDNSSECWithModifiedOn
--- PASS: TestMigrateZoneDNSSECWithModifiedOn (20.48s)
=== RUN   TestMigrateZoneDNSSECStatusActive
--- PASS: TestMigrateZoneDNSSECStatusActive (14.33s)
PASS
ok      github.com/cloudflare/terraform-provider-cloudflare/internal/services/zone_dnssec       51.780s

* chore(workers_kv): v4 to v5 migration tests for workers_kv (#6435)

* chore(r2_bucket): v4 to v5 migration tests for cloudflare_r2_bucket (#6437)

* chore(notification_policy_webhook): add migration test for notification-policy-webhook (#6443)

* chore(zero_trust_tunnel_cloudflared_route): v4 to v5 migration tests for zero_trust_tunnel_cloudflared_route (#6409)

* chore(docs): document configurations and examples (#6449)

* feat(zero_trust_access_application): add proxy_endpoint for ZT Access Application (#6453)

Adds a new app type for the session duration compatible app types for the zero type access application resource. The newly supported type is proxy_endpoint.

* chore(universal_ssl_setting): add acceptance tests for universal_ssl_setting

- Add TestAccCloudflareUniversalSSLSetting_Basic with create, update, and import steps
- Validates resource adoption with enabled = true
- Validates update to enabled = false
- Validates terraform import functionality with ImportStateVerify
- Add testdata template for universal SSL setting configuration

* feat(zero_trust_dlp_predefined_profile):  Switch DLP Predefined Profile endpoints, introduce enabled_entries attribute

The new endpoints contain a new field `enabled_entries` which will be
the preferred way to manage entries within a predefined profile. The
existing `entries` field will be supported but now be computed optional

* feat(zero_trust_tunnel_cloudflared): v4 to v5 migration tests (#6461)

* provider migration test for zero-trust-device-posture-rule 

Co-authored-by: cortlyons <cortlyons@cloudflare.com>

* Deprecate API Shield Schema Validation resources (#6446)

This change reflects the deprecation of the API Shield schema validation APIs to terraform.
The deprecation notice for each of them mentions the replacements.

* fix(pages_project): unintended resource state drift (#6377)

* fix(cloudflare_worker+cloudflare_worker_version): import for the resources (#6357)

* fix: cloudflare_worker resource can be cleanly imported

- Add plan modifiers for created_on and updated_on to prevent these
  properties from incorrectly appearing in the diff
- Fill in all default values to prevent user-configurable properties
  from being marked as unknown
- These were causing an unnecessary update to be performed on import

* fix: cloudflare_worker_version resource can be cleanly imported

- Allow in-place updates to write provider-only attributes (module content_file) to state
- This allows the resource to be imported without recreation

* fix(workers_script): allow config.run_worker_first to accept list input

- This property can either be a boolean or list of strings, the API accepts both
- Update resource to accept list of strings in addition to boolean values

* feat(worker_version): boolean support for run_worker_first (#6407)

* chore: add support for boolean run_worker_first

* chore: adding upgrade test

---------

Co-authored-by: Chris Thorwarth <cthorwarth@cloudflare.com>

* feat(worker_version): add content_base64 support

* fix(pages_domain): resource tests (#6338)

* chore(api): update composite API spec

---------

Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com>
Co-authored-by: Chris Thorwarth <cthorwarth@cloudflare.com>

* fix(workers_kv): updating workers metadata attribute to be read from endpoint (#6386)

Co-authored-by: Chris Thorwarth <cthorwarth@cloudflare.com>

* feat(workers_script_subdomains): add import support  (#6375)

Co-authored-by: Chris Thorwarth <cthorwarth@cloudflare.com>

* fix(workers_kv): multipart request  (#6367)

* chore(api): update composite API spec

* fix: multipart request in cloudflare_workers_kv

---------

Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com>
Co-authored-by: Chris Thorwarth <cthorwarth@cloudflare.com>

* fix(zero_trust_tunnel_cloudflared_config): remove warp_routing from cloudflared_config (#6471)

Co-authored-by: João "Pisco" Fernandes <joaocarlos@cloudflare.com>

* chore(workers_script): add workers scripts sweeper (#6351)

* chore(api): update composite API spec

* chore: adding sweeper

* chore: adding sweeper for workers

---------

Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com>
Co-authored-by: Chris Thorwarth <cthorwarth@cloudflare.com>

* fix(dns_record): inconsistent apply error (#6452)

* chore(dns_record): rename testdata

* chore(dns_record): update test data refs

* fix(dns_record): method to compare two dns records are equal

* fix(dns_record): inconsistent apply

* fix(account_token)!: token policy order and nested resources (#6440)

* removing computed fields to fix policy order

* using jsonencode for resources

* feat(api_token+account_tokens): state upgrader and schema bump (#6472)

* feat(api_token): api token migrator
- state upgrader for api tokens
- migration test
- bumps schema version to 1

* feat(account_token): account token migrator
- state upgrader for account tokens
- migration test
- bumps schema version to 1

* chore(zt_access): add sweepers for policy and service token (#6465)

* fix(zero_trust_device_custom_profile): resolve drift issues (#6364)

Adds UseStateForUnknown plan modifier for some computed attributes

Co-authored-by: Tyler Stanish <tstanish@cloudflare.com>

* fix: allow r2_bucket_event_notification to be applied twice without failing (#6419)

* chore(zone_settings): acceptance test to repro issue #6363 (#6445)

* fix(zero_trust_device_custom_profile_local_domain_fallback): drift issues (#6365)

When domains are not specified in alphabetical order, the plan shows changes
after refreshing from the API. This is because the API returns them in alphabetical order.  To
resolve, this change switches the zero_trust_device_custom_profile_local_domain_fallback
attribute from a list to set.

Co-authored-by: Tyler Stanish <tstanish@cloudflare.com>

* TUN-9846: Fix cloudflare_zero_trust_tunnel_warp_connector_token datasource

* chore(workers_script): fix resource names in tests

* chore(workers_script): fix resource name in TestAccCloudflareWorkerScript_ModuleWithDurableObject

* fix(queue_consumer): id population (#6181)

* resolves #5652

* Unifying queue consumer script and script_name in terraform state

* Populate queue consumer info in queue resource

* Modify mtls resource and mtls, org, and app tests

* feat(api): api update

* fixing bad merge

* Marking consumer_id as computed because it is generated from the create consumer response

* Adding tests for queue_consumer

* Refactoring tests to have test configs in files

* Adding more tests for different config cases

* Updating queue consumer tests

---------

Co-authored-by: Alex Holland <aholland@cloudflare.com>
Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com>

* feat: chore(build): point Terraform to released Go v6.3.0

* chore(build): point Terraform to released Go v6.3.0

* feat(docs): make docs explicit when a resource does not have import support

* chore(docs): generate docs and examples

* chore(queue_consumer):  testdata refactor

* chore(ci): clean up leftover files in resources (#6474)

* chore(zero_trust_connectivity_directory_service): cleanup leftovers

* chore(zero_trust_access_policy): cleanup duplicate test main

* chore(ci): fixes for parity tests and build failures (#6475)

* chore(api_token): skip migration tests if tf_acc is not set

* chore(list): fix schema parity tests

* chore(email_routing_catch_all): fix build error

* fix(zero_trust_gateway_policy): schema parity tests

* chore(ci): drop migration tests from CI (#6476)

* chore(ci): fix tests ran on release PR (#6478)

* chore(ci): modify sweepers (#6479)

* chore(organizations): sweeper

* chore(zero_trust_tunnel_cloudflared): comment out sweeper, infinite loop?

* chore(zero_trust_tunnel_cloudflared_virtual_network): dont swallow error

* release: 5.13.0

---------

Co-authored-by: Musa Jundi <musa@cloudflare.com>
Co-authored-by: Vaishak Dinesh <vaishakpdinesh@gmail.com>
Co-authored-by: Eric Fang <github@accounts.unkies.org>
Co-authored-by: yihuaf <yihuaf@cloudflare.com>
Co-authored-by: Tamás Józsa <tamas@cloudflare.com>
Co-authored-by: Andrew Mitchell <32021055+mitch292@users.noreply.github.com>
Co-authored-by: Jan <1324490+janrueth@users.noreply.github.com>
Co-authored-by: Gabriel Massadas <5445926+G4brym@users.noreply.github.com>
Co-authored-by: Edward Cort Lyons <Lyons.Cort@gmail.com>
Co-authored-by: cortlyons <cortlyons@cloudflare.com>
Co-authored-by: Samuel <6132869+SamuelDev@users.noreply.github.com>
Co-authored-by: scabell <scabell@cloudflare.com>
Co-authored-by: Rotem Atzaba <rotem@cloudflare.com>
Co-authored-by: Sarah Sicard <18204584+ssicard@users.noreply.github.com>
Co-authored-by: Max Peterson <64494795+maxwellpeterson@users.noreply.github.com>
Co-authored-by: Sohei Okamoto <sohei@cloudflare.com>
Co-authored-by: Alex Holland <aholland@cloudflare.com>
Co-authored-by: ang-cloudflare <ang@cloudflare.com>
Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com>
Co-authored-by: Cina Saffary <cina@cloudflare.com>
Co-authored-by: Max Peterson <mpeterson@cloudflare.com>
Co-authored-by: christhorwarth <chris.thorwarth@gmail.com>
Co-authored-by: Chris Thorwarth <cthorwarth@cloudflare.com>
Co-authored-by: João "Pisco" Fernandes <joaocarlos@cloudflare.com>
Co-authored-by: Steve Conrad <sconrad@cloudflare.com>
Co-authored-by: Tyler Stanish <tystanish@gmail.com>
Co-authored-by: Tyler Stanish <tstanish@cloudflare.com>
Co-authored-by: Carol Xu <37486071+Carolx715@users.noreply.github.com>
Co-authored-by: Vaishak Dinesh <vaishak@cloudflare.com>
Co-authored-by: jkoe-cf <152918105+jkoe-cf@users.noreply.github.com>

Author: 28 people

.github/pull_request_template.md

@@ -7,6 +7,13 @@
 
 ## Acceptance test run results
 
-- [ ] I have run acceptance tests for my changes and included the results below 
+- [ ] I have added or updated acceptance tests for my changes
+- [ ] I have run acceptance tests for my changes and included the results below
+
+### Steps to run acceptance tests
+<!-- Please describe the steps you took to run the acceptance tests -->
+
+### Test output
+<!-- Please paste the output of your acceptance test run below --> 
 
 ## Additional context & links

.github/workflows/acceptance-tests.yml

@@ -55,20 +55,25 @@ jobs:
       - name: Bootstrap
         run: ./scripts/bootstrap
 
+      - name: Build tf-migrate
+        run: ./scripts/build-tf-migrate.sh
+
       ######## Magic Tests ########
       - name: Run Magic Acceptance Tests
         id: magic_acceptance_tests
         run: ./scripts/run-ci-tests magic acceptance
         env:
           TF_ACC: 1
+          TF_MIGRATE_BINARY_PATH: ${{ github.workspace }}/tf-migrate
         continue-on-error: true
 
-      - name: Run Magic Migration Tests
-        id: magic_migration_tests
-        run: ./scripts/run-ci-tests magic migration
-        env:
-          TF_ACC: 1
-        continue-on-error: true
+      # - name: Run Magic Migration Tests
+      #   id: magic_migration_tests
+      #   run: ./scripts/run-ci-tests magic migration
+      #   env:
+      #     TF_ACC: 1
+      #     TF_MIGRATE_BINARY_PATH: ${{ github.workspace }}/tf-migrate
+      #   continue-on-error: true
 
       ######## Organization Tests ########
       # These tests require a specific user with organization permissions
@@ -89,14 +94,16 @@ jobs:
         run: ./scripts/run-ci-tests default acceptance
         env:
           TF_ACC: 1
+          TF_MIGRATE_BINARY_PATH: ${{ github.workspace }}/tf-migrate
         continue-on-error: true
 
-      - name: Run Default Migration Tests
-        id: default_migration_tests
-        run: ./scripts/run-ci-tests default migration
-        env:
-          TF_ACC: 1
-        continue-on-error: true
+      # - name: Run Default Migration Tests
+      #   id: default_migration_tests
+      #   run: ./scripts/run-ci-tests default migration
+      #   env:
+      #     TF_ACC: 1
+      #     TF_MIGRATE_BINARY_PATH: ${{ github.workspace }}/tf-migrate
+      #   continue-on-error: true
 
       - name: Check Test Status
         if: ${{

.grit/patterns/cloudflare_terraform_v5_block_to_attribute_configuration.grit

@@ -184,7 +184,6 @@ pattern cloudflare_terraform_v5_block_to_attribute_configuration() {
     inline_cloudflare_block_to_list(`ip_rules`) as $block where { $block <: within `resource "cloudflare_tunnel_config" $_ { $_ }` },
     inline_cloudflare_block_to_map(`origin_request`) as $block where { $block <: within `resource "cloudflare_tunnel_config" $_ { $_ }` },
     inline_cloudflare_block_to_map(`access`) as $block where { $block <: within `resource "cloudflare_tunnel_config" $_ { $_ }` },
-    inline_cloudflare_block_to_map(`warp_routing`) as $block where { $block <: within `resource "cloudflare_tunnel_config" $_ { $_ }` },
     inline_cloudflare_block_to_list(`configuration`) as $block where { $block <: within `resource "cloudflare_user_agent_blocking_rule" $_ { $_ }` },
     inline_cloudflare_block_to_list(`additional_routes`) as $block where { $block <: within `resource "cloudflare_waiting_room" $_ { $_ }` },
     inline_cloudflare_block_to_list(`rules`) as $block where { $block <: within `resource "cloudflare_waiting_room_rules" $_ { $_ }` },

.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "5.12.0"
+  ".": "5.13.0"
 }

.stats.yml

@@ -1,4 +1,4 @@
-configured_endpoints: 1857
-openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/cloudflare%2Fcloudflare-7c981c72c3b84f1b39c664311bcc286c0965bf2833955853107bc1988cc5ff25.yml
-openapi_spec_hash: d4b77a5657c299c78a79bb3e5b326fef
-config_hash: b005a07fe728e7a9d190900f93eaa41f
+configured_endpoints: 1905
+openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/cloudflare%2Fcloudflare-cc732ca8d1d7f1c11a1ee579060ddfd8f953a3ad94fd5053056b53370129d040.yml
+openapi_spec_hash: a3e1e833dfe13845abd1e2227993a979
+config_hash: 9e3a3f3e68822e0dc6f40af202c6c57e

CHANGELOG.md

@@ -20,7 +20,7 @@ terraform {
   required_providers {
     cloudflare = {
       source  = "cloudflare/cloudflare"
-      version = "~> 5.12.0"
+      version = "~> 5.13.0"
     }
   }
 }