making resource groups and perm groups sets

steve-thousand · steve-thousand · commit 9d1f3ba1593d · 2025-12-04T14:11:49.000-06:00
diff --git a/internal/services/account_member/model.go b/internal/services/account_member/model.go
@@ -31,9 +31,9 @@ func (m AccountMemberModel) MarshalJSONForUpdate(state AccountMemberModel) (data
 }
 
 type AccountMemberPoliciesModel struct {
-	Access           types.String                                   `tfsdk:"access" json:"access,required"`
-	PermissionGroups *[]*AccountMemberPoliciesPermissionGroupsModel `tfsdk:"permission_groups" json:"permission_groups,required"`
-	ResourceGroups   *[]*AccountMemberPoliciesResourceGroupsModel   `tfsdk:"resource_groups" json:"resource_groups,required"`
+	Access           types.String                                                            `tfsdk:"access" json:"access,required"`
+	PermissionGroups customfield.NestedObjectSet[AccountMemberPoliciesPermissionGroupsModel] `tfsdk:"permission_groups" json:"permission_groups,required"`
+	ResourceGroups   customfield.NestedObjectSet[AccountMemberPoliciesResourceGroupsModel]   `tfsdk:"resource_groups" json:"resource_groups,required"`
 }
 
 type AccountMemberPoliciesPermissionGroupsModel struct {
diff --git a/internal/services/account_member/resource_test.go b/internal/services/account_member/resource_test.go
@@ -391,6 +391,11 @@ func TestAccCloudflareAccountMember_PoliciesAddResourceGroup(t *testing.T) {
 	domainGroupID1 := createDomainGroup(t, rnd, accountID, zones[0].ID)
 	domainGroupID2 := createDomainGroup(t, rnd, accountID, zones[1].ID)
 
+	t.Cleanup(func() {
+		deleteDomainGroup(accountID, domainGroupID1)
+		deleteDomainGroup(accountID, domainGroupID2)
+	})
+
 	resource.Test(t, resource.TestCase{
 		PreCheck: func() {
 			acctest.TestAccPreCheck_AccountID(t)
@@ -412,7 +417,46 @@ func TestAccCloudflareAccountMember_PoliciesAddResourceGroup(t *testing.T) {
 				},
 			},
 			{
+				// Another apply should not cause any changes (stable state)
+				Config: acctest.LoadTestCase("cloudflare_account_member-add-resource-group1.tf", accountID, email, permissionGroupID, domainGroupID1),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionNoop),
+					},
+				},
+				ConfigStateChecks: []statecheck.StateCheck{
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New(consts.AccountIDSchemaKey), knownvalue.StringExact(accountID)),
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("email"), knownvalue.StringExact(email)),
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("policies"), knownvalue.ListSizeExact(1)),
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("policies").AtSliceIndex(0).AtMapKey("access"), knownvalue.StringExact("allow")),
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("policies").AtSliceIndex(0).AtMapKey("permission_groups"), knownvalue.ListSizeExact(1)),
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("policies").AtSliceIndex(0).AtMapKey("permission_groups").AtSliceIndex(0).AtMapKey("id"), knownvalue.StringExact(permissionGroupID)),
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("policies").AtSliceIndex(0).AtMapKey("resource_groups"), knownvalue.ListSizeExact(1)),
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("policies").AtSliceIndex(0).AtMapKey("resource_groups").AtSliceIndex(0).AtMapKey("id"), knownvalue.StringExact(domainGroupID1)),
+				},
+			},
+			{
+				Config: acctest.LoadTestCase("cloudflare_account_member-add-resource-group2.tf", accountID, email, permissionGroupID, domainGroupID1, domainGroupID2),
+				ConfigStateChecks: []statecheck.StateCheck{
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New(consts.AccountIDSchemaKey), knownvalue.StringExact(accountID)),
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("email"), knownvalue.StringExact(email)),
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("policies"), knownvalue.ListSizeExact(1)),
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("policies").AtSliceIndex(0).AtMapKey("access"), knownvalue.StringExact("allow")),
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("policies").AtSliceIndex(0).AtMapKey("permission_groups"), knownvalue.ListSizeExact(1)),
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("policies").AtSliceIndex(0).AtMapKey("permission_groups").AtSliceIndex(0).AtMapKey("id"), knownvalue.StringExact(permissionGroupID)),
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("policies").AtSliceIndex(0).AtMapKey("resource_groups"), knownvalue.ListSizeExact(2)),
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("policies").AtSliceIndex(0).AtMapKey("resource_groups").AtSliceIndex(0).AtMapKey("id"), knownvalue.StringExact(domainGroupID1)),
+					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("policies").AtSliceIndex(0).AtMapKey("resource_groups").AtSliceIndex(1).AtMapKey("id"), knownvalue.StringExact(domainGroupID2)),
+				},
+			},
+			{
+				// Another apply should not cause any changes (stable state)
 				Config: acctest.LoadTestCase("cloudflare_account_member-add-resource-group2.tf", accountID, email, permissionGroupID, domainGroupID1, domainGroupID2),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionNoop),
+					},
+				},
 				ConfigStateChecks: []statecheck.StateCheck{
 					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New(consts.AccountIDSchemaKey), knownvalue.StringExact(accountID)),
 					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("email"), knownvalue.StringExact(email)),
@@ -425,12 +469,14 @@ func TestAccCloudflareAccountMember_PoliciesAddResourceGroup(t *testing.T) {
 					statecheck.ExpectKnownValue(resourceName, tfjsonpath.New("policies").AtSliceIndex(0).AtMapKey("resource_groups").AtSliceIndex(1).AtMapKey("id"), knownvalue.StringExact(domainGroupID2)),
 				},
 			},
+			{
+				ResourceName:        resourceName,
+				ImportState:         true,
+				ImportStateVerify:   true,
+				ImportStateIdPrefix: fmt.Sprintf("%s/", accountID),
+			},
 		},
 	})
-
-	//cleanup
-	deleteDomainGroup(accountID, domainGroupID1)
-	deleteDomainGroup(accountID, domainGroupID2)
 }
 
 func testCloudflareAccountMemberPoliciesConfig(accountID, emailAddress, permgroupId string) string {
diff --git a/internal/services/account_member/schema.go b/internal/services/account_member/schema.go
@@ -66,7 +66,7 @@ func ResourceSchema(ctx context.Context) schema.Schema {
 								stringvalidator.OneOfCaseInsensitive("allow", "deny"),
 							},
 						},
-						"permission_groups": schema.ListNestedAttribute{
+						"permission_groups": schema.SetNestedAttribute{
 							Description: "A set of permission groups that are specified to the policy.",
 							Required:    true,
 							NestedObject: schema.NestedAttributeObject{
@@ -78,7 +78,7 @@ func ResourceSchema(ctx context.Context) schema.Schema {
 								},
 							},
 						},
-						"resource_groups": schema.ListNestedAttribute{
+						"resource_groups": schema.SetNestedAttribute{
 							Description: "A list of resource groups that the policy applies to.",
 							Required:    true,
 							NestedObject: schema.NestedAttributeObject{

Original file line number	Diff line number	Diff line change
`@@ -31,9 +31,9 @@ func (m AccountMemberModel) MarshalJSONForUpdate(state AccountMemberModel) (data`
`31`	`31`	`}`
`32`	`32`
`33`	`33`	`type AccountMemberPoliciesModel struct {`
`34`		- Access types.String `tfsdk:"access" json:"access,required"`
`35`		- PermissionGroups []AccountMemberPoliciesPermissionGroupsModel `tfsdk:"permission_groups" json:"permission_groups,required"`
`36`		- ResourceGroups []AccountMemberPoliciesResourceGroupsModel `tfsdk:"resource_groups" json:"resource_groups,required"`
	`34`	+ Access types.String `tfsdk:"access" json:"access,required"`
	`35`	+ PermissionGroups customfield.NestedObjectSet[AccountMemberPoliciesPermissionGroupsModel] `tfsdk:"permission_groups" json:"permission_groups,required"`
	`36`	+ ResourceGroups customfield.NestedObjectSet[AccountMemberPoliciesResourceGroupsModel] `tfsdk:"resource_groups" json:"resource_groups,required"`
`37`	`37`	`}`
`38`	`38`
`39`	`39`	`type AccountMemberPoliciesPermissionGroupsModel struct {`