resource/cloudflare_ruleset: fix various attributes

[zakcutner]

• Make some minor fixes to the Rulesets acceptance resource tests

  Use the skip action, rather than the allow action. The allow
  action does not exist in Rulesets, and only existed in Firewall Rules.

  Make the Origin Rules tests agnostic of the zone they are run with.

  Add (cf.zone.plan eq "ENT") to the expression of account-level WAF
  rulesets, as this is a new requirement.

  Also add the stringplanmodifier.UseStateForUnknown() modifier to the
  description attribute for rules, since this should never change when
  it is computed.

• Update preservation of rules to use refs rather than IDs

  This is safe because all rules have a ref, as it defaults to the ID if
  it is not explicitly set. The advantage of using refs is that we can
  take into account whether the user has explicitly set the ref
  themselves. If they have, then we avoid changing it, or using that ref
  for other rules.

• Fix ruleset rule shareable entitlement name attribute

  Add the stringplanmodifier.RequiresReplace() modifier since this
  attribute cannot be changed without re-creating the ruleset.

  Also populate this attribute in API requests and from API responses.

• Mark ruleset rule ref attribute as Computed

  If users do not set this attribute, it is computed by the Ruleset API
  (it will be set to the same value as the rule's ID).

• Prevent ruleset rule ID, version and last updated attributes being set

  These attributes are solely computed by the Rulesets API and so should
  never be set by users of the API. Having these as Optional attributes
  implied that users had control over them.

  This was particularly confusing because they were being populated by
  cf-terraforming, since they were marked as Optional.

  Also populate the last updated attribute from API responses.

• Fix typo in semaphoreErr variable name

[github-actions]

changelog detected ✅

[jacobbednarz]

we'll also need to add the newly computed fields to https://github.com/zakcutner/terraform-provider-cloudflare/blob/0f6d5c7d0611c27116fbc0fee96cc3388d76c669/internal/framework/service/rulesets/resource.go#L1341 so that they aren't a part of the hash.

[zakcutner]

we'll also need to add the newly computed fields to https://github.com/zakcutner/terraform-provider-cloudflare/blob/0f6d5c7d0611c27116fbc0fee96cc3388d76c669/internal/framework/service/rulesets/resource.go#L1341 so that they aren't a part of the hash.

Thanks for pointing me to this! I've updated the way it works a little in 1b4d844. The important change (in addition to the one you mentioned) is to ensure that setting the ref manually causes you to be "opted out" of this remapping.

[zakcutner]

Also, I wanted to ask if you would recommend adding a state migration for the breaking change to make the id, version and last_updated attributes read-only?

[jacobbednarz]

Also, I wanted to ask if you would recommend adding a state migration for the breaking change to make the id, version and last_updated attributes read-only?

as we discussed, i don't think we need this given the hoops folks would have had to jump through to get id working and the others are noops.

[jacobbednarz]

acceptance tests all looking good

TF_ACC=1 go test ./internal/framework/service/rulesets -v -count 1 -run ^TestAccCloudflareRuleset_ -timeout 120m -parallel 1
=== RUN   TestAccCloudflareRuleset_WAFBasic
--- PASS: TestAccCloudflareRuleset_WAFBasic (16.22s)
=== RUN   TestAccCloudflareRuleset_WAFManagedRuleset
--- PASS: TestAccCloudflareRuleset_WAFManagedRuleset (13.00s)
=== RUN   TestAccCloudflareRuleset_WAFManagedRulesetWithoutDescription
--- PASS: TestAccCloudflareRuleset_WAFManagedRulesetWithoutDescription (12.11s)
=== RUN   TestAccCloudflareRuleset_WAFManagedRulesetOWASP
--- PASS: TestAccCloudflareRuleset_WAFManagedRulesetOWASP (12.24s)
=== RUN   TestAccCloudflareRuleset_WAFManagedRulesetOWASPBlockXSSWithAnomalyOver60
--- PASS: TestAccCloudflareRuleset_WAFManagedRulesetOWASPBlockXSSWithAnomalyOver60 (13.19s)
=== RUN   TestAccCloudflareRuleset_WAFManagedRulesetOWASPOnlyPL1
--- PASS: TestAccCloudflareRuleset_WAFManagedRulesetOWASPOnlyPL1 (12.31s)
=== RUN   TestAccCloudflareRuleset_WAFManagedRulesetDeployMultiple
--- PASS: TestAccCloudflareRuleset_WAFManagedRulesetDeployMultiple (13.70s)
=== RUN   TestAccCloudflareRuleset_WAFManagedRulesetDeployMultipleWithSkip
--- PASS: TestAccCloudflareRuleset_WAFManagedRulesetDeployMultipleWithSkip (14.57s)
=== RUN   TestAccCloudflareRuleset_WAFManagedRulesetDeployMultipleWithTopSkipAndLastSkip
--- PASS: TestAccCloudflareRuleset_WAFManagedRulesetDeployMultipleWithTopSkipAndLastSkip (14.63s)
=== RUN   TestAccCloudflareRuleset_SkipPhaseAndProducts
--- PASS: TestAccCloudflareRuleset_SkipPhaseAndProducts (13.01s)
=== RUN   TestAccCloudflareRuleset_WAFManagedRulesetWithCategoryAndRuleBasedOverrides
--- PASS: TestAccCloudflareRuleset_WAFManagedRulesetWithCategoryAndRuleBasedOverrides (12.58s)
=== RUN   TestAccCloudflareRuleset_WAFManagedRulesetWithIDBasedOverrides
--- PASS: TestAccCloudflareRuleset_WAFManagedRulesetWithIDBasedOverrides (12.70s)
=== RUN   TestAccCloudflareRuleset_MagicTransitUpdateWithHigherPriority
    acctest.go:75: Skipping acceptance test for default account (f037e56e89293a057740de681ac9abbe). Default account is not configured for Magic Transit.
--- SKIP: TestAccCloudflareRuleset_MagicTransitUpdateWithHigherPriority (0.00s)
=== RUN   TestAccCloudflareRuleset_WAFManagedRulesetWithPayloadLogging
--- PASS: TestAccCloudflareRuleset_WAFManagedRulesetWithPayloadLogging (12.17s)
=== RUN   TestAccCloudflareRuleset_RateLimit
--- PASS: TestAccCloudflareRuleset_RateLimit (15.48s)
=== RUN   TestAccCloudflareRuleset_RateLimitScorePerPeriod
--- PASS: TestAccCloudflareRuleset_RateLimitScorePerPeriod (11.99s)
=== RUN   TestAccCloudflareRuleset_PreserveRuleRefs
--- PASS: TestAccCloudflareRuleset_PreserveRuleRefs (108.00s)
=== RUN   TestAccCloudflareRuleset_CustomErrors
--- PASS: TestAccCloudflareRuleset_CustomErrors (12.05s)
=== RUN   TestAccCloudflareRuleset_RequestOrigin
--- PASS: TestAccCloudflareRuleset_RequestOrigin (12.17s)
=== RUN   TestAccCloudflareRuleset_TransformationRuleURIPath
--- PASS: TestAccCloudflareRuleset_TransformationRuleURIPath (12.08s)
=== RUN   TestAccCloudflareRuleset_TransformationRuleURIQuery
--- PASS: TestAccCloudflareRuleset_TransformationRuleURIQuery (11.92s)
=== RUN   TestAccCloudflareRuleset_TransformationRuleURIPathAndQueryCombination
--- PASS: TestAccCloudflareRuleset_TransformationRuleURIPathAndQueryCombination (11.94s)
=== RUN   TestAccCloudflareRuleset_TransformationRuleRequestHeaders
--- PASS: TestAccCloudflareRuleset_TransformationRuleRequestHeaders (12.34s)
=== RUN   TestAccCloudflareRuleset_TransformationRuleResponseHeaders
--- PASS: TestAccCloudflareRuleset_TransformationRuleResponseHeaders (12.50s)
=== RUN   TestAccCloudflareRuleset_ResponseCompression
--- PASS: TestAccCloudflareRuleset_ResponseCompression (11.90s)
=== RUN   TestAccCloudflareRuleset_ActionParametersMultipleSkips
--- PASS: TestAccCloudflareRuleset_ActionParametersMultipleSkips (13.85s)
=== RUN   TestAccCloudflareRuleset_ActionParametersOverridesAction
--- PASS: TestAccCloudflareRuleset_ActionParametersOverridesAction (12.10s)
=== RUN   TestAccCloudflareRuleset_ActionParametersHTTPDDoSOverride
--- PASS: TestAccCloudflareRuleset_ActionParametersHTTPDDoSOverride (11.90s)
=== RUN   TestAccCloudflareRuleset_ActionParametersOverrideAllRulesetRules
--- PASS: TestAccCloudflareRuleset_ActionParametersOverrideAllRulesetRules (12.00s)
=== RUN   TestAccCloudflareRuleset_AccountLevelCustomWAFRule
--- PASS: TestAccCloudflareRuleset_AccountLevelCustomWAFRule (13.86s)
=== RUN   TestAccCloudflareRuleset_ExposedCredentialCheck
--- PASS: TestAccCloudflareRuleset_ExposedCredentialCheck (11.15s)
=== RUN   TestAccCloudflareRuleset_Logging
--- PASS: TestAccCloudflareRuleset_Logging (12.05s)
=== RUN   TestAccCloudflareRuleset_ConditionallySetActionParameterVersion
--- PASS: TestAccCloudflareRuleset_ConditionallySetActionParameterVersion (21.95s)
=== RUN   TestAccCloudflareRuleset_WAFManagedRulesetWithActionManagedChallenge
--- PASS: TestAccCloudflareRuleset_WAFManagedRulesetWithActionManagedChallenge (23.81s)
=== RUN   TestAccCloudflareRuleset_LogCustomField
--- PASS: TestAccCloudflareRuleset_LogCustomField (11.99s)
=== RUN   TestAccCloudflareRuleset_ActionParametersOverridesThrashingStatus
--- PASS: TestAccCloudflareRuleset_ActionParametersOverridesThrashingStatus (69.14s)
=== RUN   TestAccCloudflareRuleset_CacheSettingsAllEnabled
--- PASS: TestAccCloudflareRuleset_CacheSettingsAllEnabled (13.96s)
=== RUN   TestAccCloudflareRuleset_CacheSettingsOptionalsEmpty
--- PASS: TestAccCloudflareRuleset_CacheSettingsOptionalsEmpty (12.31s)
=== RUN   TestAccCloudflareRuleset_CacheSettingsEdgeTTLRespectOrigin
--- PASS: TestAccCloudflareRuleset_CacheSettingsEdgeTTLRespectOrigin (12.73s)
=== RUN   TestAccCloudflareRuleset_CacheSettingsNoCacheForStatus
--- PASS: TestAccCloudflareRuleset_CacheSettingsNoCacheForStatus (12.76s)
=== RUN   TestAccCloudflareRuleset_CacheSettingsStatusRangeGreaterThan
--- PASS: TestAccCloudflareRuleset_CacheSettingsStatusRangeGreaterThan (13.04s)
=== RUN   TestAccCloudflareRuleset_CacheSettingsStatusRangeLessThan
--- PASS: TestAccCloudflareRuleset_CacheSettingsStatusRangeLessThan (13.15s)
=== RUN   TestAccCloudflareRuleset_CacheSettingsFalse
--- PASS: TestAccCloudflareRuleset_CacheSettingsFalse (11.95s)
=== RUN   TestAccCloudflareRuleset_Config
--- PASS: TestAccCloudflareRuleset_Config (13.29s)
=== RUN   TestAccCloudflareRuleset_Redirect
--- PASS: TestAccCloudflareRuleset_Redirect (13.77s)
=== RUN   TestAccCloudflareRuleset_DynamicRedirect
--- PASS: TestAccCloudflareRuleset_DynamicRedirect (12.19s)
=== RUN   TestAccCloudflareRuleset_DynamicRedirectWithoutPreservingQueryString
--- PASS: TestAccCloudflareRuleset_DynamicRedirectWithoutPreservingQueryString (12.16s)
=== RUN   TestAccCloudflareRuleset_TransformationRuleURIStripOffQueryString
--- PASS: TestAccCloudflareRuleset_TransformationRuleURIStripOffQueryString (11.94s)
=== RUN   TestAccCloudflareRuleset_TransformationRuleURIStripOffPath
--- PASS: TestAccCloudflareRuleset_TransformationRuleURIStripOffPath (12.00s)
=== RUN   TestAccCloudflareRuleset_ConfigSingleFalseyValue
--- PASS: TestAccCloudflareRuleset_ConfigSingleFalseyValue (11.90s)
=== RUN   TestAccCloudflareRuleset_ConfigConflictingCacheByDevice
--- PASS: TestAccCloudflareRuleset_ConfigConflictingCacheByDevice (2.49s)
=== RUN   TestAccCloudflareRuleset_CacheSettingsMissingEdgeTTLWithOverrideOrigin
--- PASS: TestAccCloudflareRuleset_CacheSettingsMissingEdgeTTLWithOverrideOrigin (2.41s)
=== RUN   TestAccCloudflareRuleset_CacheSettingsMissingBrowserTTLWithOverrideOrigin
--- PASS: TestAccCloudflareRuleset_CacheSettingsMissingBrowserTTLWithOverrideOrigin (2.42s)
=== RUN   TestAccCloudflareRuleset_CacheSettingsInvalidEdgeTTLWithOverrideOrigin
--- PASS: TestAccCloudflareRuleset_CacheSettingsInvalidEdgeTTLWithOverrideOrigin (2.38s)
=== RUN   TestAccCloudflareRuleset_CacheSettingsInvalidBrowserTTLWithOverrideOrigin
--- PASS: TestAccCloudflareRuleset_CacheSettingsInvalidBrowserTTLWithOverrideOrigin (2.39s)
=== RUN   TestAccCloudflareRuleset_CacheSettingsDefinedQueryStringExcludeKeys
--- PASS: TestAccCloudflareRuleset_CacheSettingsDefinedQueryStringExcludeKeys (12.37s)
=== RUN   TestAccCloudflareRuleset_CacheSettingsDefinedQueryStringIncludeKeys
--- PASS: TestAccCloudflareRuleset_CacheSettingsDefinedQueryStringIncludeKeys (19.74s)
=== RUN   TestAccCloudflareRuleset_ImportHandlesMissingValues
--- PASS: TestAccCloudflareRuleset_ImportHandlesMissingValues (4.18s)
PASS
ok  	github.com/cloudflare/terraform-provider-cloudflare/internal/framework/service/rulesets	844.637s

[github-actions]

This functionality has been released in v4.8.0 of the Terraform Cloudflare Provider.

Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!