From 6cda8f6fb5ae0bce48e501e8f32173b1a9df99b7 Mon Sep 17 00:00:00 2001
From: kevholditch-f3 <82885135+kevholditch-f3@users.noreply.github.com>
Date: Mon, 9 Aug 2021 22:21:41 +0100
Subject: [PATCH] Feature/add missing fields (#128)

* fixing code warnings

* added 3 of the missing service fields

* adding missing fields on service

* implemented all missing fields on route except header

* implemented all missing fields on route

* implemented all missing fields

Co-authored-by: kevholditch <kevholditch@hotmail.com>
---
 docs/resources/route.md                   |   6 +-
 docs/resources/service.md                 |  48 +++++-
 docs/resources/upstream.md                |  18 +++
 kong/provider.go                          |  16 +-
 kong/resource_kong_certificate.go         |  15 +-
 kong/resource_kong_consumer.go            |  57 ++++---
 kong/resource_kong_consumer_acl.go        |  21 ++-
 kong/resource_kong_consumer_basic_auth.go |  23 ++-
 kong/resource_kong_consumer_jwt_auth.go   |  35 +++--
 kong/resource_kong_plugin.go              |  66 ++++++---
 kong/resource_kong_route.go               | 173 +++++++++++++++++++---
 kong/resource_kong_route_test.go          |  64 +++++++-
 kong/resource_kong_service.go             | 136 ++++++++++++++---
 kong/resource_kong_service_test.go        | 138 ++++++++++++++---
 kong/resource_kong_target.go              |  21 ++-
 kong/resource_kong_upstream.go            | 153 +++++++++++++------
 kong/resource_kong_upstream_test.go       |  43 +++++-
 kong/resource_reader.go                   |  50 +++++--
 18 files changed, 873 insertions(+), 210 deletions(-)

diff --git a/docs/resources/route.md b/docs/resources/route.md
index e62104c..f20b9ce 100644
--- a/docs/resources/route.md
+++ b/docs/resources/route.md
@@ -17,6 +17,10 @@ resource "kong_route" "route" {
 	preserve_host 	= true
 	regex_priority 	= 1
 	service_id 	     = kong_service.service.id
+    header {
+      name   = "x-test-1"
+      values = ["a", "b"]
+    }
 }
 
 ```
@@ -52,7 +56,7 @@ resource "kong_route" "route" {
 * `methods` - (Optional) A list of HTTP methods that match this Route
 * `hosts` - (Optional) A list of domain names that match this Route  
 * `paths` - (Optional) A list of paths that match this Route
-* `headers` - (Optional) One or more lists of values indexed by header name that will cause this Route to match if present in the request. The Host header cannot be used with this attribute: hosts should be specified using the hosts attribute.
+* `header` - (Optional) One or more blocks of `name` to set name of header and `values` which is a list of `string` for the header values to match on.  See above example of how to set.  These headers will cause this Route to match if present in the request. The Host header cannot be used with this attribute: hosts should be specified using the hosts attribute.
 * `https_redirect_status_code` - (Optional) The status code Kong responds with when all properties of a Route match except the protocol i.e. if the protocol of the request is HTTP instead of HTTPS. Location header is injected by Kong if the field is set to `301`, `302`, `307` or `308`. Accepted values are: `426`, `301`, `302`, `307`, `308`. Default: `426`.  
 * `strip_path` - (Optional) When matching a Route via one of the paths, strip the matching prefix from the upstream request URL. Default: true.
 * `regex_priority` - (Optional) A number used to choose which route resolves a given request when several routes match it using regexes simultaneously.
diff --git a/docs/resources/service.md b/docs/resources/service.md
index c88f44f..0f0d665 100644
--- a/docs/resources/service.md
+++ b/docs/resources/service.md
@@ -18,6 +18,48 @@ resource "kong_service" "service" {
 }
 ```
 
+To use a client certificate and ca certificates combine with certificate resource (note protocol must be `https`):
+
+```hcl
+resource "kong_certificate" "certificate" {
+	certificate  = <<EOF
+    -----BEGIN CERTIFICATE-----
+    ......
+    -----END CERTIFICATE-----
+EOF
+	private_key =  <<EOF
+    -----BEGIN PRIVATE KEY-----
+    .....
+    -----END PRIVATE KEY-----
+EOF
+   snis			= ["foo.com"]
+}
+
+resource "kong_certificate" "ca" {
+	certificate  = <<EOF
+    -----BEGIN CERTIFICATE-----
+    ......
+    -----END CERTIFICATE-----
+EOF
+	private_key =  <<EOF
+    -----BEGIN PRIVATE KEY-----
+    .....
+    -----END PRIVATE KEY-----
+EOF
+   snis			= ["ca.com"]
+}
+
+resource "kong_service" "service" {
+	name                  = "test"
+	protocol              = "https"
+	host                  = "test.org"
+    tls_verify            = true
+    tls_verify_depth      = 2
+	client_certificate_id = kong_certificate.certificate.id
+    ca_certificate_ids    = [kong_certificate.ca.id]
+}
+```
+
 ## Argument reference
 
 * `name` - (Required) Service name
@@ -30,10 +72,10 @@ resource "kong_service" "service" {
 * `write_timeout` - (Optional, int) Write timout. Default(ms): 60000
 * `read_timeout` - (Optional, int) Read timeout. Default(ms): 60000
 * `tags` - (Optional) A list of strings associated with the Service for grouping and filtering.
-* `client_certificate` - (Optional) Certificate to be used as client certificate while TLS handshaking to the upstream server.
-* `tls_verify` - (Optional) Whether to enable verification of upstream server TLS certificate.
+* `client_certificate_id` - (Optional) ID of Certificate to be used as client certificate while TLS handshaking to the upstream server. Use ID from `kong_certificate` resource
+* `tls_verify` - (Optional) Whether to enable verification of upstream server TLS certificate. If not set then the nginx default is respected.
 * `tls_verify_depth` - (Optional) Maximum depth of chain while verifying Upstream server’s TLS certificate.
-* `ca_certificates` - (Optional) A of CA Certificate IDs (created from the certificate resource). that are used to build the trust store while verifying upstream server’s TLS certificate.
+* `ca_certificate_ids` - (Optional) A of CA Certificate IDs (created from the certificate resource). that are used to build the trust store while verifying upstream server’s TLS certificate.
 
 
 ## Import
diff --git a/docs/resources/upstream.md b/docs/resources/upstream.md
index 0077422..344e3d7 100644
--- a/docs/resources/upstream.md
+++ b/docs/resources/upstream.md
@@ -3,6 +3,20 @@
 ## Example Usage
 
 ```hcl
+resource "kong_certificate" "certificate" {
+  certificate  = <<EOF
+    -----BEGIN CERTIFICATE-----
+    ......
+    -----END CERTIFICATE-----
+EOF
+  private_key =  <<EOF
+    -----BEGIN PRIVATE KEY-----
+    .....
+    -----END PRIVATE KEY-----
+EOF
+  snis			= ["foo.com"]
+}
+
 resource "kong_upstream" "upstream" {
     name                 = "sample_upstream"
     slots                = 10
@@ -12,6 +26,10 @@ resource "kong_upstream" "upstream" {
     hash_fallback_header = "FallbackHeaderName"
     hash_on_cookie       = "CookieName"
     hash_on_cookie_path  = "/path"
+    host_header          = "x-host"
+    tags                 = ["a", "b"]
+    client_certificate_id = kong_certificate.certificate.id
+  
     healthchecks {
         active {
             type                     = "https"
diff --git a/kong/provider.go b/kong/provider.go
index f89e971..6b06d9c 100644
--- a/kong/provider.go
+++ b/kong/provider.go
@@ -16,48 +16,48 @@ type config struct {
 func Provider() *schema.Provider {
 	return &schema.Provider{
 		Schema: map[string]*schema.Schema{
-			"kong_admin_uri": &schema.Schema{
+			"kong_admin_uri": {
 				Type:        schema.TypeString,
 				Required:    true,
 				DefaultFunc: envDefaultFuncWithDefault("KONG_ADMIN_ADDR", "http://localhost:8001"),
 				Description: "The address of the kong admin url e.g. http://localhost:8001",
 			},
-			"kong_admin_username": &schema.Schema{
+			"kong_admin_username": {
 				Type:        schema.TypeString,
 				Optional:    true,
 				DefaultFunc: envDefaultFuncWithDefault("KONG_ADMIN_USERNAME", ""),
 				Description: "An basic auth user for kong admin",
 			},
-			"kong_admin_password": &schema.Schema{
+			"kong_admin_password": {
 				Type:        schema.TypeString,
 				Optional:    true,
 				DefaultFunc: envDefaultFuncWithDefault("KONG_ADMIN_PASSWORD", ""),
 				Description: "An basic auth password for kong admin",
 			},
-			"tls_skip_verify": &schema.Schema{
+			"tls_skip_verify": {
 				Type:        schema.TypeBool,
 				Optional:    true,
 				DefaultFunc: envDefaultFuncWithDefault("TLS_SKIP_VERIFY", "false"),
 				Description: "Whether to skip tls verify for https kong api endpoint using self signed or untrusted certs",
 			},
-			"kong_api_key": &schema.Schema{
+			"kong_api_key": {
 				Type:        schema.TypeString,
 				Optional:    true,
 				DefaultFunc: envDefaultFuncWithDefault("KONG_API_KEY", ""),
 				Description: "API key for the kong api (if you have locked it down)",
 			},
-			"kong_admin_token": &schema.Schema{
+			"kong_admin_token": {
 				Type:        schema.TypeString,
 				Optional:    true,
 				DefaultFunc: envDefaultFuncWithDefault("KONG_ADMIN_TOKEN", ""),
 				Description: "API key for the kong api (Enterprise Edition)",
 			},
-			"kong_workspace": &schema.Schema{
+			"kong_workspace": {
 				Type:        schema.TypeString,
 				Optional:    true,
 				Description: "Workspace context (Enterprise Edition)",
 			},
-			"strict_plugins_match": &schema.Schema{
+			"strict_plugins_match": {
 				Type:        schema.TypeBool,
 				Optional:    true,
 				ForceNew:    false,
diff --git a/kong/resource_kong_certificate.go b/kong/resource_kong_certificate.go
index f13cab6..9dc16fe 100644
--- a/kong/resource_kong_certificate.go
+++ b/kong/resource_kong_certificate.go
@@ -99,15 +99,24 @@ func resourceKongCertificateRead(ctx context.Context, d *schema.ResourceData, me
 		d.SetId("")
 	} else {
 		if certificate.Cert != nil {
-			d.Set("certificate", &certificate.Cert)
+			err := d.Set("certificate", &certificate.Cert)
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 
 		if certificate.Key != nil {
-			d.Set("private_key", &certificate.Key)
+			err := d.Set("private_key", &certificate.Key)
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 
 		if certificate.SNIs != nil {
-			d.Set("snis", StringValueSlice(certificate.SNIs))
+			err := d.Set("snis", StringValueSlice(certificate.SNIs))
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 	}
 
diff --git a/kong/resource_kong_consumer.go b/kong/resource_kong_consumer.go
index 8a7568b..9802e4f 100644
--- a/kong/resource_kong_consumer.go
+++ b/kong/resource_kong_consumer.go
@@ -3,6 +3,7 @@ package kong
 import (
 	"context"
 	"fmt"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/kong/go-kong/kong"
@@ -10,21 +11,21 @@ import (
 
 func resourceKongConsumer() *schema.Resource {
 	return &schema.Resource{
-		Create: resourceKongConsumerCreate,
-		Read:   resourceKongConsumerRead,
-		Delete: resourceKongConsumerDelete,
-		Update: resourceKongConsumerUpdate,
+		CreateContext: resourceKongConsumerCreate,
+		ReadContext:   resourceKongConsumerRead,
+		DeleteContext: resourceKongConsumerDelete,
+		UpdateContext: resourceKongConsumerUpdate,
 		Importer: &schema.ResourceImporter{
 			State: schema.ImportStatePassthrough,
 		},
 
 		Schema: map[string]*schema.Schema{
-			"username": &schema.Schema{
+			"username": {
 				Type:     schema.TypeString,
 				Optional: true,
 				ForceNew: false,
 			},
-			"custom_id": &schema.Schema{
+			"custom_id": {
 				Type:     schema.TypeString,
 				Optional: true,
 				ForceNew: false,
@@ -33,7 +34,7 @@ func resourceKongConsumer() *schema.Resource {
 	}
 }
 
-func resourceKongConsumerCreate(d *schema.ResourceData, meta interface{}) error {
+func resourceKongConsumerCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 
 	consumerRequest := &kong.Consumer{
 		Username: kong.String(d.Get("username").(string)),
@@ -41,18 +42,18 @@ func resourceKongConsumerCreate(d *schema.ResourceData, meta interface{}) error
 	}
 
 	client := meta.(*config).adminClient.Consumers
-	consumer, err := client.Create(context.Background(), consumerRequest)
+	consumer, err := client.Create(ctx, consumerRequest)
 
 	if err != nil {
-		return fmt.Errorf("failed to create kong consumer: %v error: %v", consumerRequest, err)
+		return diag.FromErr(fmt.Errorf("failed to create kong consumer: %v error: %v", consumerRequest, err))
 	}
 
 	d.SetId(*consumer.ID)
 
-	return resourceKongConsumerRead(d, meta)
+	return resourceKongConsumerRead(ctx, d, meta)
 }
 
-func resourceKongConsumerUpdate(d *schema.ResourceData, meta interface{}) error {
+func resourceKongConsumerUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	d.Partial(false)
 
 	consumerRequest := &kong.Consumer{
@@ -62,46 +63,54 @@ func resourceKongConsumerUpdate(d *schema.ResourceData, meta interface{}) error
 	}
 
 	client := meta.(*config).adminClient.Consumers
-	_, err := client.Update(context.Background(), consumerRequest)
+	_, err := client.Update(ctx, consumerRequest)
 
 	if err != nil {
-		return fmt.Errorf("error updating kong consumer: %s", err)
+		return diag.FromErr(fmt.Errorf("error updating kong consumer: %s", err))
 	}
 
-	return resourceKongConsumerRead(d, meta)
+	return resourceKongConsumerRead(ctx, d, meta)
 }
 
-func resourceKongConsumerRead(d *schema.ResourceData, meta interface{}) error {
+func resourceKongConsumerRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 
+	var diags diag.Diagnostics
 	id := d.Id()
 
 	client := meta.(*config).adminClient.Consumers
-	consumer, err := client.Get(context.Background(), kong.String(id))
+	consumer, err := client.Get(ctx, kong.String(id))
 
 	if kong.IsNotFoundErr(err) {
 		d.SetId("")
 	} else if err != nil {
-		return fmt.Errorf("could not find kong consumer with id: %s error: %v", id, err)
+		return diag.FromErr(fmt.Errorf("could not find kong consumer with id: %s error: %v", id, err))
 	}
 
 	if consumer == nil {
 		d.SetId("")
 	} else {
-		d.Set("username", consumer.Username)
-		d.Set("custom_id", consumer.CustomID)
+		err := d.Set("username", consumer.Username)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		err = d.Set("custom_id", consumer.CustomID)
+		if err != nil {
+			return diag.FromErr(err)
+		}
 	}
 
-	return nil
+	return diags
 }
 
-func resourceKongConsumerDelete(d *schema.ResourceData, meta interface{}) error {
+func resourceKongConsumerDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 
+	var diags diag.Diagnostics
 	client := meta.(*config).adminClient.Consumers
-	err := client.Delete(context.Background(), kong.String(d.Id()))
+	err := client.Delete(ctx, kong.String(d.Id()))
 
 	if err != nil {
-		return fmt.Errorf("could not delete kong consumer: %v", err)
+		return diag.FromErr(fmt.Errorf("could not delete kong consumer: %v", err))
 	}
 
-	return nil
+	return diags
 }
diff --git a/kong/resource_kong_consumer_acl.go b/kong/resource_kong_consumer_acl.go
index 4678590..1f9a938 100644
--- a/kong/resource_kong_consumer_acl.go
+++ b/kong/resource_kong_consumer_acl.go
@@ -18,17 +18,17 @@ func resourceKongConsumerACL() *schema.Resource {
 			State: schema.ImportStatePassthrough,
 		},
 		Schema: map[string]*schema.Schema{
-			"consumer_id": &schema.Schema{
+			"consumer_id": {
 				Type:     schema.TypeString,
 				Required: true,
 				ForceNew: false,
 			},
-			"group": &schema.Schema{
+			"group": {
 				Type:     schema.TypeString,
 				Required: true,
 				ForceNew: false,
 			},
-			"tags": &schema.Schema{
+			"tags": {
 				Type:     schema.TypeList,
 				Optional: true,
 				ForceNew: false,
@@ -98,9 +98,18 @@ func resourceKongConsumerACLRead(ctx context.Context, d *schema.ResourceData, me
 	if ACLGroup == nil {
 		d.SetId("")
 	} else {
-		d.Set("consumer_id", ACLGroup.Consumer.ID)
-		d.Set("group", ACLGroup.Group)
-		d.Set("tags", ACLGroup.Tags)
+		err := d.Set("consumer_id", ACLGroup.Consumer.ID)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		err = d.Set("group", ACLGroup.Group)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		err = d.Set("tags", ACLGroup.Tags)
+		if err != nil {
+			return diag.FromErr(err)
+		}
 	}
 
 	return diags
diff --git a/kong/resource_kong_consumer_basic_auth.go b/kong/resource_kong_consumer_basic_auth.go
index be893de..78b08cb 100644
--- a/kong/resource_kong_consumer_basic_auth.go
+++ b/kong/resource_kong_consumer_basic_auth.go
@@ -15,22 +15,22 @@ func resourceKongConsumerBasicAuth() *schema.Resource {
 		DeleteContext: resourceKongConsumerBasicAuthDelete,
 		UpdateContext: resourceKongConsumerBasicAuthUpdate,
 		Schema: map[string]*schema.Schema{
-			"consumer_id": &schema.Schema{
+			"consumer_id": {
 				Type:     schema.TypeString,
 				Required: true,
 				ForceNew: false,
 			},
-			"username": &schema.Schema{
+			"username": {
 				Type:     schema.TypeString,
 				Required: true,
 				ForceNew: false,
 			},
-			"password": &schema.Schema{
+			"password": {
 				Type:     schema.TypeString,
 				Required: true,
 				ForceNew: false,
 			},
-			"tags": &schema.Schema{
+			"tags": {
 				Type:     schema.TypeList,
 				Optional: true,
 				ForceNew: false,
@@ -102,9 +102,18 @@ func resourceKongConsumerBasicAuthRead(ctx context.Context, d *schema.ResourceDa
 	if basicAuth == nil {
 		d.SetId("")
 	} else {
-		d.Set("consumer_id", basicAuth.Consumer.ID)
-		d.Set("username", basicAuth.Username)
-		d.Set("tags", basicAuth.Tags)
+		err = d.Set("consumer_id", basicAuth.Consumer.ID)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		err = d.Set("username", basicAuth.Username)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		err = d.Set("tags", basicAuth.Tags)
+		if err != nil {
+			return diag.FromErr(err)
+		}
 	}
 
 	return diags
diff --git a/kong/resource_kong_consumer_jwt_auth.go b/kong/resource_kong_consumer_jwt_auth.go
index 7b520df..d8a0bf2 100644
--- a/kong/resource_kong_consumer_jwt_auth.go
+++ b/kong/resource_kong_consumer_jwt_auth.go
@@ -20,27 +20,27 @@ func resourceKongConsumerJWTAuth() *schema.Resource {
 		},
 
 		Schema: map[string]*schema.Schema{
-			"consumer_id": &schema.Schema{
+			"consumer_id": {
 				Type:     schema.TypeString,
 				Required: true,
 				ForceNew: false,
 			},
-			"algorithm": &schema.Schema{
+			"algorithm": {
 				Type:     schema.TypeString,
 				Optional: true,
 				ForceNew: false,
 			},
-			"key": &schema.Schema{
+			"key": {
 				Type:     schema.TypeString,
 				Optional: true,
 				ForceNew: false,
 			},
-			"rsa_public_key": &schema.Schema{
+			"rsa_public_key": {
 				Type:     schema.TypeString,
 				Required: true,
 				ForceNew: false,
 			},
-			"secret": &schema.Schema{
+			"secret": {
 				Type:     schema.TypeString,
 				Optional: true,
 				ForceNew: false,
@@ -133,11 +133,26 @@ func resourceKongConsumerJWTAuthRead(ctx context.Context, d *schema.ResourceData
 	if JWTAuth == nil {
 		d.SetId("")
 	} else {
-		d.Set("consumer_id", JWTAuth.Consumer.ID)
-		d.Set("key", JWTAuth.Key)
-		d.Set("secret", JWTAuth.Secret)
-		d.Set("rsa_public_key", JWTAuth.RSAPublicKey)
-		d.Set("algorithm", JWTAuth.Algorithm)
+		err = d.Set("consumer_id", JWTAuth.Consumer.ID)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		err = d.Set("key", JWTAuth.Key)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		err = d.Set("secret", JWTAuth.Secret)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		err = d.Set("rsa_public_key", JWTAuth.RSAPublicKey)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		err = d.Set("algorithm", JWTAuth.Algorithm)
+		if err != nil {
+			return diag.FromErr(err)
+		}
 	}
 
 	return diags
diff --git a/kong/resource_kong_plugin.go b/kong/resource_kong_plugin.go
index a1d011a..f092c6f 100644
--- a/kong/resource_kong_plugin.go
+++ b/kong/resource_kong_plugin.go
@@ -23,33 +23,33 @@ func resourceKongPlugin() *schema.Resource {
 		},
 
 		Schema: map[string]*schema.Schema{
-			"name": &schema.Schema{
+			"name": {
 				Type:     schema.TypeString,
 				Required: true,
 				ForceNew: true,
 			},
-			"consumer_id": &schema.Schema{
+			"consumer_id": {
 				Type:     schema.TypeString,
 				Optional: true,
 				ForceNew: false,
 			},
-			"service_id": &schema.Schema{
+			"service_id": {
 				Type:     schema.TypeString,
 				Optional: true,
 				ForceNew: false,
 			},
-			"route_id": &schema.Schema{
+			"route_id": {
 				Type:     schema.TypeString,
 				Optional: true,
 				ForceNew: false,
 			},
-			"enabled": &schema.Schema{
+			"enabled": {
 				Type:     schema.TypeBool,
 				Optional: true,
 				ForceNew: false,
 				Default:  true,
 			},
-			"config_json": &schema.Schema{
+			"config_json": {
 				Type:         schema.TypeString,
 				Optional:     true,
 				StateFunc:    normalizeDataJSON,
@@ -59,13 +59,13 @@ func resourceKongPlugin() *schema.Resource {
 					return new == ""
 				},
 			},
-			"strict_match": &schema.Schema{
+			"strict_match": {
 				Type:     schema.TypeBool,
 				Optional: true,
 				ForceNew: false,
 				Default:  false,
 			},
-			"computed_config": &schema.Schema{
+			"computed_config": {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
@@ -122,33 +122,61 @@ func resourceKongPluginRead(ctx context.Context, d *schema.ResourceData, meta in
 		d.SetId("")
 	} else {
 		d.SetId(*plugin.ID)
-		d.Set("name", plugin.Name)
+		err = d.Set("name", plugin.Name)
+		if err != nil {
+			return diag.FromErr(err)
+		}
 		if plugin.Service != nil {
-			d.Set("service_id", plugin.Service.ID)
+			err = d.Set("service_id", plugin.Service.ID)
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 		if plugin.Route != nil {
-			d.Set("route_id", plugin.Route.ID)
+			err = d.Set("route_id", plugin.Route.ID)
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 		if plugin.Consumer != nil {
-			d.Set("consumer_id", plugin.Consumer.ID)
+			err = d.Set("consumer_id", plugin.Consumer.ID)
+			if err != nil {
+				return diag.FromErr(err)
+			}
+		}
+		err = d.Set("enabled", plugin.Enabled)
+		if err != nil {
+			return diag.FromErr(err)
 		}
-		d.Set("enabled", plugin.Enabled)
 
 		// We sync this property from upstream as a method to allow you to import a resource with the config tracked in
 		// terraform state. We do not track `config` as it will be a source of a perpetual diff.
 		// https://www.terraform.io/docs/extend/best-practices/detecting-drift.html#capture-all-state-in-read
 		upstreamJSON := pluginConfigJSONToString(plugin.Config)
-		setConfig := func(strict bool) {
+		setConfig := func(strict bool) error {
 			if strict {
-				d.Set("config_json", upstreamJSON)
+				err := d.Set("config_json", upstreamJSON)
+				if err != nil {
+					return err
+				}
 			} else {
-				d.Set("computed_config", upstreamJSON)
+				err := d.Set("computed_config", upstreamJSON)
+				if err != nil {
+					return err
+				}
 			}
+			return nil
 		}
 		if value, ok := d.GetOk("strict_match"); ok {
-			setConfig(value.(bool))
+			err := setConfig(value.(bool))
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		} else {
-			setConfig(meta.(*config).strictPlugins)
+			err := setConfig(meta.(*config).strictPlugins)
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 	}
 
@@ -226,7 +254,7 @@ func pluginConfigJSONToString(data map[string]interface{}) string {
 	return string(rawJSON)
 }
 
-func validateDataJSON(configI interface{}, k string) ([]string, []error) {
+func validateDataJSON(configI interface{}, _ string) ([]string, []error) {
 	dataJSON := configI.(string)
 	dataMap := map[string]interface{}{}
 	err := json.Unmarshal([]byte(dataJSON), &dataMap)
diff --git a/kong/resource_kong_route.go b/kong/resource_kong_route.go
index f8633f2..046a0d8 100644
--- a/kong/resource_kong_route.go
+++ b/kong/resource_kong_route.go
@@ -20,42 +20,42 @@ func resourceKongRoute() *schema.Resource {
 		},
 
 		Schema: map[string]*schema.Schema{
-			"name": &schema.Schema{
+			"name": {
 				Type:     schema.TypeString,
 				Optional: true,
 				ForceNew: false,
 			},
-			"protocols": &schema.Schema{
+			"protocols": {
 				Type:     schema.TypeList,
 				Required: true,
 				ForceNew: false,
 				Elem:     &schema.Schema{Type: schema.TypeString},
 			},
-			"methods": &schema.Schema{
+			"methods": {
 				Type:     schema.TypeList,
 				Optional: true,
 				ForceNew: false,
 				Elem:     &schema.Schema{Type: schema.TypeString},
 			},
-			"hosts": &schema.Schema{
+			"hosts": {
 				Type:     schema.TypeList,
 				Optional: true,
 				ForceNew: false,
 				Elem:     &schema.Schema{Type: schema.TypeString},
 			},
-			"paths": &schema.Schema{
+			"paths": {
 				Type:     schema.TypeList,
 				Optional: true,
 				ForceNew: false,
 				Elem:     &schema.Schema{Type: schema.TypeString},
 			},
-			"strip_path": &schema.Schema{
+			"strip_path": {
 				Type:     schema.TypeBool,
 				Optional: true,
 				ForceNew: false,
 				Default:  true,
 			},
-			"source": &schema.Schema{
+			"source": {
 				Type:     schema.TypeSet,
 				Optional: true,
 				ForceNew: false,
@@ -72,7 +72,7 @@ func resourceKongRoute() *schema.Resource {
 					},
 				},
 			},
-			"destination": &schema.Schema{
+			"destination": {
 				Type:     schema.TypeSet,
 				Optional: true,
 				ForceNew: false,
@@ -89,27 +89,77 @@ func resourceKongRoute() *schema.Resource {
 					},
 				},
 			},
-			"snis": &schema.Schema{
+			"snis": {
 				Type:     schema.TypeList,
 				Optional: true,
 				ForceNew: false,
 				Elem:     &schema.Schema{Type: schema.TypeString},
 			},
-			"preserve_host": &schema.Schema{
+			"preserve_host": {
 				Type:     schema.TypeBool,
 				Optional: true,
 				ForceNew: false,
 			},
-			"regex_priority": &schema.Schema{
+			"regex_priority": {
 				Type:     schema.TypeInt,
 				Optional: true,
 				ForceNew: false,
 			},
-			"service_id": &schema.Schema{
+			"service_id": {
 				Type:     schema.TypeString,
 				Required: true,
 				ForceNew: false,
 			},
+			"path_handling": {
+				Type:     schema.TypeString,
+				Optional: true,
+				ForceNew: false,
+				Default:  "v0",
+			},
+			"https_redirect_status_code": {
+				Type:     schema.TypeInt,
+				Optional: true,
+				ForceNew: false,
+				Default:  426,
+			},
+			"request_buffering": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				ForceNew: false,
+				Default:  true,
+			},
+			"response_buffering": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				ForceNew: false,
+				Default:  true,
+			},
+			"tags": {
+				Type:     schema.TypeList,
+				Optional: true,
+				ForceNew: false,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
+			"header": {
+				Type:     schema.TypeSet,
+				Optional: true,
+				ForceNew: false,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"name": {
+							Type:     schema.TypeString,
+							Required: true,
+						},
+						"values": {
+							Type:     schema.TypeList,
+							Required: true,
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+						},
+					},
+				},
+			},
 		},
 	}
 }
@@ -158,50 +208,119 @@ func resourceKongRouteRead(ctx context.Context, d *schema.ResourceData, meta int
 		d.SetId("")
 	} else {
 		if route.Name != nil {
-			d.Set("name", route.Name)
+			err := d.Set("name", route.Name)
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 		if route.Protocols != nil {
-			d.Set("protocols", StringValueSlice(route.Protocols))
+			err := d.Set("protocols", StringValueSlice(route.Protocols))
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 
 		if route.Methods != nil {
-			d.Set("methods", StringValueSlice(route.Methods))
+			err := d.Set("methods", StringValueSlice(route.Methods))
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 
 		if route.Hosts != nil {
-			d.Set("hosts", StringValueSlice(route.Hosts))
+			err := d.Set("hosts", StringValueSlice(route.Hosts))
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 
 		if route.Paths != nil {
-			d.Set("paths", StringValueSlice(route.Paths))
+			err := d.Set("paths", StringValueSlice(route.Paths))
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 
 		if route.StripPath != nil {
-			d.Set("strip_path", route.StripPath)
+			err := d.Set("strip_path", route.StripPath)
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 
 		if route.Sources != nil {
-			d.Set("source", flattenIpCidrArray(route.Sources))
+			err := d.Set("source", flattenIpCidrArray(route.Sources))
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 
 		if route.Destinations != nil {
-			d.Set("destination", flattenIpCidrArray(route.Destinations))
+			err := d.Set("destination", flattenIpCidrArray(route.Destinations))
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 
 		if route.PreserveHost != nil {
-			d.Set("preserve_host", route.PreserveHost)
+			err := d.Set("preserve_host", route.PreserveHost)
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 
 		if route.RegexPriority != nil {
-			d.Set("regex_priority", route.RegexPriority)
+			err := d.Set("regex_priority", route.RegexPriority)
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 
 		if route.SNIs != nil {
-			d.Set("snis", StringValueSlice(route.SNIs))
+			err := d.Set("snis", StringValueSlice(route.SNIs))
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 
 		if route.Service != nil {
-			d.Set("service_id", route.Service.ID)
+			err := d.Set("service_id", route.Service.ID)
+			if err != nil {
+				return diag.FromErr(err)
+			}
+		}
+
+		if route.PathHandling != nil {
+			err := d.Set("path_handling", route.PathHandling)
+			if err != nil {
+				return diag.FromErr(err)
+			}
+		}
+
+		if route.HTTPSRedirectStatusCode != nil {
+			err := d.Set("https_redirect_status_code", route.HTTPSRedirectStatusCode)
+			if err != nil {
+				return diag.FromErr(err)
+			}
+		}
+
+		if route.RequestBuffering != nil {
+			err := d.Set("request_buffering", route.RequestBuffering)
+			if err != nil {
+				return diag.FromErr(err)
+			}
+		}
+
+		if route.ResponseBuffering != nil {
+			err := d.Set("response_buffering", route.ResponseBuffering)
+			if err != nil {
+				return diag.FromErr(err)
+			}
+		}
+
+		err = d.Set("tags", route.Tags)
+		if err != nil {
+			return diag.FromErr(err)
 		}
 
 	}
@@ -252,6 +371,12 @@ func createKongRouteRequestFromResourceData(d *schema.ResourceData) *kong.Route
 		Service: &kong.Service{
 			ID: readIdPtrFromResource(d, "service_id"),
 		},
+		PathHandling:            readStringPtrFromResource(d, "path_handling"),
+		HTTPSRedirectStatusCode: readIntPtrFromResource(d, "https_redirect_status_code"),
+		RequestBuffering:        readBoolPtrFromResource(d, "request_buffering"),
+		ResponseBuffering:       readBoolPtrFromResource(d, "response_buffering"),
+		Tags:                    readStringArrayPtrFromResource(d, "tags"),
+		Headers:                 readMapStringArrayFromResource(d, "header"),
 	}
 	if d.Id() != "" {
 		route.ID = kong.String(d.Id())
diff --git a/kong/resource_kong_route_test.go b/kong/resource_kong_route_test.go
index ab9ff14..736d90d 100644
--- a/kong/resource_kong_route_test.go
+++ b/kong/resource_kong_route_test.go
@@ -31,6 +31,20 @@ func TestAccKongRoute(t *testing.T) {
 					resource.TestCheckResourceAttr("kong_route.route", "strip_path", "true"),
 					resource.TestCheckResourceAttr("kong_route.route", "preserve_host", "false"),
 					resource.TestCheckResourceAttr("kong_route.route", "regex_priority", "1"),
+					resource.TestCheckResourceAttr("kong_route.route", "path_handling", "v1"),
+					resource.TestCheckResourceAttr("kong_route.route", "https_redirect_status_code", "301"),
+					resource.TestCheckResourceAttr("kong_route.route", "request_buffering", "false"),
+					resource.TestCheckResourceAttr("kong_route.route", "response_buffering", "false"),
+					resource.TestCheckResourceAttr("kong_route.route", "header.#", "2"),
+					resource.TestCheckResourceAttr("kong_route.route", "header.0.name", "x-test-1"),
+					resource.TestCheckResourceAttr("kong_route.route", "header.0.values.#", "2"),
+					resource.TestCheckResourceAttr("kong_route.route", "header.0.values.0", "a"),
+					resource.TestCheckResourceAttr("kong_route.route", "header.0.values.1", "b"),
+					resource.TestCheckResourceAttr("kong_route.route", "header.1.values.#", "1"),
+					resource.TestCheckResourceAttr("kong_route.route", "header.1.values.0", "c"),
+					resource.TestCheckResourceAttr("kong_route.route", "tags.#", "2"),
+					resource.TestCheckResourceAttr("kong_route.route", "tags.0", "foo"),
+					resource.TestCheckResourceAttr("kong_route.route", "tags.1", "bar"),
 				),
 			},
 			{
@@ -50,6 +64,16 @@ func TestAccKongRoute(t *testing.T) {
 					resource.TestCheckResourceAttr("kong_route.route", "strip_path", "false"),
 					resource.TestCheckResourceAttr("kong_route.route", "preserve_host", "true"),
 					resource.TestCheckResourceAttr("kong_route.route", "regex_priority", "2"),
+					resource.TestCheckResourceAttr("kong_route.route", "path_handling", "v0"),
+					resource.TestCheckResourceAttr("kong_route.route", "https_redirect_status_code", "426"),
+					resource.TestCheckResourceAttr("kong_route.route", "request_buffering", "true"),
+					resource.TestCheckResourceAttr("kong_route.route", "response_buffering", "true"),
+					resource.TestCheckResourceAttr("kong_route.route", "header.#", "1"),
+					resource.TestCheckResourceAttr("kong_route.route", "header.0.name", "x-test-1"),
+					resource.TestCheckResourceAttr("kong_route.route", "header.0.values.#", "1"),
+					resource.TestCheckResourceAttr("kong_route.route", "header.0.values.0", "a"),
+					resource.TestCheckResourceAttr("kong_route.route", "tags.#", "1"),
+					resource.TestCheckResourceAttr("kong_route.route", "tags.0", "foo"),
 				),
 			},
 		},
@@ -69,7 +93,14 @@ func TestAccKongRouteWithSourcesAndDestinations(t *testing.T) {
 					resource.TestCheckResourceAttr("kong_route.route", "strip_path", "true"),
 					resource.TestCheckResourceAttr("kong_route.route", "preserve_host", "false"),
 					resource.TestCheckResourceAttr("kong_route.route", "source.#", "2"),
+					resource.TestCheckResourceAttr("kong_route.route", "source.0.ip", "192.168.1.1"),
+					resource.TestCheckResourceAttr("kong_route.route", "source.0.port", "80"),
+					resource.TestCheckResourceAttr("kong_route.route", "source.1.ip", "192.168.1.2"),
+					resource.TestCheckResourceAttr("kong_route.route", "source.1.port", "82"),
 					resource.TestCheckResourceAttr("kong_route.route", "destination.#", "1"),
+					resource.TestCheckResourceAttr("kong_route.route", "destination.0.ip", "172.10.1.1"),
+					resource.TestCheckResourceAttr("kong_route.route", "destination.0.port", "81"),
+					resource.TestCheckResourceAttr("kong_route.route", "snis.#", "1"),
 					resource.TestCheckResourceAttr("kong_route.route", "snis.0", "foo.com"),
 				),
 			},
@@ -81,7 +112,14 @@ func TestAccKongRouteWithSourcesAndDestinations(t *testing.T) {
 					resource.TestCheckResourceAttr("kong_route.route", "strip_path", "true"),
 					resource.TestCheckResourceAttr("kong_route.route", "preserve_host", "false"),
 					resource.TestCheckResourceAttr("kong_route.route", "source.#", "1"),
+					resource.TestCheckResourceAttr("kong_route.route", "source.0.ip", "192.168.1.1"),
+					resource.TestCheckResourceAttr("kong_route.route", "source.0.port", "80"),
 					resource.TestCheckResourceAttr("kong_route.route", "destination.#", "2"),
+					resource.TestCheckResourceAttr("kong_route.route", "destination.0.ip", "172.10.1.1"),
+					resource.TestCheckResourceAttr("kong_route.route", "destination.0.port", "81"),
+					resource.TestCheckResourceAttr("kong_route.route", "destination.1.ip", "172.10.1.2"),
+					resource.TestCheckResourceAttr("kong_route.route", "destination.1.port", "82"),
+					resource.TestCheckResourceAttr("kong_route.route", "snis.#", "1"),
 					resource.TestCheckResourceAttr("kong_route.route", "snis.0", "bar.com"),
 				),
 			},
@@ -95,11 +133,11 @@ func TestAccKongRouteImport(t *testing.T) {
 		Providers:    testAccProviders,
 		CheckDestroy: testAccCheckKongRouteDestroy,
 		Steps: []resource.TestStep{
-			resource.TestStep{
+			{
 				Config: testImportRouteConfig,
 			},
 
-			resource.TestStep{
+			{
 				ResourceName:      "kong_route.route",
 				ImportState:       true,
 				ImportStateVerify: true,
@@ -176,6 +214,19 @@ resource "kong_route" "route" {
 	preserve_host 	= false
 	regex_priority  = 1
 	service_id  	= "${kong_service.service.id}"
+    path_handling   = "v1"
+    https_redirect_status_code = 301
+    request_buffering  = false
+	response_buffering = false
+    header {
+        name   = "x-test-1"
+        values = ["a", "b"] 
+    }
+	header {
+        name   = "x-test-2"
+        values = ["c"] 
+    }
+    tags               = ["foo", "bar"]
 }
 `
 const testUpdateRouteConfig = `
@@ -195,6 +246,15 @@ resource "kong_route" "route" {
 	preserve_host 	= true
 	regex_priority  = 2
 	service_id 		= "${kong_service.service.id}"
+    path_handling   = "v0"
+    https_redirect_status_code = 426
+    request_buffering  = true
+	response_buffering = true
+	header {
+        name   = "x-test-1"
+        values = ["a"] 
+    }
+    tags               = ["foo"]
 }
 `
 
diff --git a/kong/resource_kong_service.go b/kong/resource_kong_service.go
index 946b6a4..0d8c82c 100644
--- a/kong/resource_kong_service.go
+++ b/kong/resource_kong_service.go
@@ -20,56 +20,84 @@ func resourceKongService() *schema.Resource {
 		},
 
 		Schema: map[string]*schema.Schema{
-			"name": &schema.Schema{
+			"name": {
 				Type:     schema.TypeString,
 				Required: true,
 				ForceNew: false,
 			},
-			"protocol": &schema.Schema{
+			"protocol": {
 				Type:     schema.TypeString,
 				Required: true,
 				ForceNew: false,
 			},
-			"host": &schema.Schema{
+			"host": {
 				Type:     schema.TypeString,
 				Optional: true,
 				ForceNew: false,
 			},
-			"port": &schema.Schema{
+			"port": {
 				Type:     schema.TypeInt,
 				Optional: true,
 				ForceNew: false,
 				Default:  80,
 			},
-			"path": &schema.Schema{
+			"path": {
 				Type:     schema.TypeString,
 				Optional: true,
 				ForceNew: false,
 			},
-			"retries": &schema.Schema{
+			"retries": {
 				Type:     schema.TypeInt,
 				Optional: true,
 				ForceNew: false,
 				Default:  5,
 			},
-			"connect_timeout": &schema.Schema{
+			"connect_timeout": {
 				Type:     schema.TypeInt,
 				Optional: true,
 				ForceNew: false,
 				Default:  60000,
 			},
-			"write_timeout": &schema.Schema{
+			"write_timeout": {
 				Type:     schema.TypeInt,
 				Optional: true,
 				ForceNew: false,
 				Default:  60000,
 			},
-			"read_timeout": &schema.Schema{
+			"read_timeout": {
 				Type:     schema.TypeInt,
 				Optional: true,
 				ForceNew: false,
 				Default:  60000,
 			},
+			"tags": {
+				Type:     schema.TypeList,
+				Optional: true,
+				ForceNew: false,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
+			"tls_verify": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				ForceNew: false,
+			},
+			"tls_verify_depth": {
+				Type:     schema.TypeInt,
+				Optional: true,
+				ForceNew: false,
+				Default:  nil,
+			},
+			"client_certificate_id": {
+				Type:     schema.TypeString,
+				Optional: true,
+				ForceNew: false,
+			},
+			"ca_certificate_ids": {
+				Type:     schema.TypeList,
+				Optional: true,
+				ForceNew: false,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
 		},
 	}
 }
@@ -117,39 +145,97 @@ func resourceKongServiceRead(ctx context.Context, d *schema.ResourceData, meta i
 		d.SetId("")
 	} else {
 		if service.Name != nil {
-			d.Set("name", service.Name)
+			err := d.Set("name", service.Name)
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 
 		if service.Protocol != nil {
-			d.Set("protocol", service.Protocol)
+			err := d.Set("protocol", service.Protocol)
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 
 		if service.Host != nil {
-			d.Set("host", service.Host)
+			err := d.Set("host", service.Host)
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 
 		if service.Port != nil {
-			d.Set("port", service.Port)
+			err := d.Set("port", service.Port)
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 
 		if service.Path != nil {
-			d.Set("path", service.Path)
+			err := d.Set("path", service.Path)
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 
 		if service.Retries != nil {
-			d.Set("retries", service.Retries)
+			err := d.Set("retries", service.Retries)
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 
 		if service.ConnectTimeout != nil {
-			d.Set("connect_timeout", service.ConnectTimeout)
+			err := d.Set("connect_timeout", service.ConnectTimeout)
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 
 		if service.WriteTimeout != nil {
-			d.Set("write_timeout", service.WriteTimeout)
+			err := d.Set("write_timeout", service.WriteTimeout)
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 
 		if service.ReadTimeout != nil {
-			d.Set("read_timeout", service.ReadTimeout)
+			err := d.Set("read_timeout", service.ReadTimeout)
+			if err != nil {
+				return diag.FromErr(err)
+			}
+		}
+
+		err = d.Set("tags", service.Tags)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+
+		if service.TLSVerify != nil {
+			err = d.Set("tls_verify", service.TLSVerify)
+			if err != nil {
+				return diag.FromErr(err)
+			}
+		}
+
+		if service.TLSVerifyDepth != nil {
+			err = d.Set("tls_verify_depth", service.TLSVerifyDepth)
+			if err != nil {
+				return diag.FromErr(err)
+			}
+		}
+		if service.ClientCertificate != nil {
+			err = d.Set("client_certificate_id", service.ClientCertificate.ID)
+			if err != nil {
+				return diag.FromErr(err)
+			}
+		}
+		if service.CACertificates != nil {
+			err = d.Set("ca_certificate_ids", service.CACertificates)
+			if err != nil {
+				return diag.FromErr(err)
+			}
 		}
 	}
 
@@ -176,11 +262,23 @@ func createKongServiceRequestFromResourceData(d *schema.ResourceData) *kong.Serv
 		Host:           readStringPtrFromResource(d, "host"),
 		Port:           readIntPtrFromResource(d, "port"),
 		Path:           readStringPtrFromResource(d, "path"),
-		Retries:        readIntPtrFromResource(d, "retries"),
+		Retries:        readIntWithZeroPtrFromResource(d, "retries"),
 		ConnectTimeout: readIntPtrFromResource(d, "connect_timeout"),
 		WriteTimeout:   readIntPtrFromResource(d, "write_timeout"),
 		ReadTimeout:    readIntPtrFromResource(d, "read_timeout"),
+		Tags:           readStringArrayPtrFromResource(d, "tags"),
+		TLSVerify:      readBoolPtrFromResource(d, "tls_verify"),
+		TLSVerifyDepth: readIntPtrFromResource(d, "tls_verify_depth"),
+		CACertificates: readStringArrayPtrFromResource(d, "ca_certificate_ids"),
 	}
+
+	clientCertificateID := readIdPtrFromResource(d, "client_certificate_id")
+	if clientCertificateID != nil {
+		service.ClientCertificate = &kong.Certificate{
+			ID: clientCertificateID,
+		}
+	}
+
 	if d.Id() != "" {
 		service.ID = kong.String(d.Id())
 	}
diff --git a/kong/resource_kong_service_test.go b/kong/resource_kong_service_test.go
index eecc64c..bd4e0da 100644
--- a/kong/resource_kong_service_test.go
+++ b/kong/resource_kong_service_test.go
@@ -28,6 +28,9 @@ func TestAccKongService(t *testing.T) {
 					resource.TestCheckResourceAttr("kong_service.service", "connect_timeout", "1000"),
 					resource.TestCheckResourceAttr("kong_service.service", "write_timeout", "2000"),
 					resource.TestCheckResourceAttr("kong_service.service", "read_timeout", "3000"),
+					resource.TestCheckResourceAttr("kong_service.service", "tags.#", "2"),
+					resource.TestCheckResourceAttr("kong_service.service", "tags.0", "foo"),
+					resource.TestCheckResourceAttr("kong_service.service", "tags.1", "bar"),
 				),
 			},
 			{
@@ -42,11 +45,17 @@ func TestAccKongService(t *testing.T) {
 					resource.TestCheckResourceAttr("kong_service.service", "connect_timeout", "6000"),
 					resource.TestCheckResourceAttr("kong_service.service", "write_timeout", "5000"),
 					resource.TestCheckResourceAttr("kong_service.service", "read_timeout", "4000"),
+					resource.TestCheckResourceAttr("kong_service.service", "tags.#", "1"),
+					resource.TestCheckResourceAttr("kong_service.service", "tags.0", "foo"),
+					resource.TestCheckResourceAttr("kong_service.service", "tls_verify", "true"),
+					resource.TestCheckResourceAttr("kong_service.service", "tls_verify_depth", "2"),
 				),
 			},
 		},
 	})
+}
 
+func TestAccKongDefaultService(t *testing.T) {
 	resource.Test(t, resource.TestCase{
 		Providers:    testAccProviders,
 		CheckDestroy: testAccCheckKongServiceDestroy,
@@ -69,6 +78,68 @@ func TestAccKongService(t *testing.T) {
 	})
 }
 
+func TestAccKongServiceWithClientCertificate(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckKongServiceDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: fmt.Sprintf(testServiceWithClientCertificateConfig, testCert1, testKey1, testCert2, testKey2),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckKongServiceExists("kong_service.service"),
+					resource.TestCheckResourceAttr("kong_service.service", "name", "test"),
+					resource.TestCheckResourceAttr("kong_service.service", "protocol", "https"),
+					resource.TestCheckResourceAttr("kong_service.service", "host", "test.org"),
+					func(s *terraform.State) error {
+						module := s.RootModule()
+						cert, ok := module.Resources["kong_certificate.certificate"]
+						if !ok {
+							return fmt.Errorf("could not find certificate resource")
+						}
+
+						service, ok := module.Resources["kong_service.service"]
+						if !ok {
+							return fmt.Errorf("could not find service resource")
+						}
+
+						v, ok := service.Primary.Attributes["client_certificate_id"]
+						if !ok {
+							return fmt.Errorf("could not find client_certificate_id property")
+						}
+
+						if v != cert.Primary.ID {
+							return fmt.Errorf("client_certificate_id does not match certificate id")
+						}
+						return nil
+					},
+					func(s *terraform.State) error {
+						module := s.RootModule()
+						cert, ok := module.Resources["kong_certificate.ca"]
+						if !ok {
+							return fmt.Errorf("could not find ca certificate resource")
+						}
+
+						service, ok := module.Resources["kong_service.service"]
+						if !ok {
+							return fmt.Errorf("could not find service resource")
+						}
+
+						v, ok := service.Primary.Attributes["ca_certificate_ids.0"]
+						if !ok {
+							return fmt.Errorf("could not find ca_certificate_ids property")
+						}
+
+						if v != cert.Primary.ID {
+							return fmt.Errorf("ca_certificate_ids does not match ca certificate id")
+						}
+						return nil
+					},
+				),
+			},
+		},
+	})
+}
+
 func TestAccKongServiceImport(t *testing.T) {
 
 	resource.Test(t, resource.TestCase{
@@ -141,27 +212,30 @@ func testAccCheckKongServiceExists(resourceKey string) resource.TestCheckFunc {
 
 const testCreateServiceConfig = `
 resource "kong_service" "service" {
-	name     		= "test"
-	protocol 		= "http"
-	host     		= "test.org"
-	path     		= "/mypath"
-	retries  		= 5
-	connect_timeout = 1000
-	write_timeout 	= 2000
-	read_timeout  	= 3000
-	
+	name     		 = "test"
+	protocol 		 = "http"
+	host     		 = "test.org"
+	path     		 = "/mypath"
+	retries  		 = 5
+	connect_timeout  = 1000
+	write_timeout 	 = 2000
+	read_timeout  	 = 3000
+	tags             = ["foo", "bar"]
 }
 `
 const testUpdateServiceConfig = `
 resource "kong_service" "service" {
-	name     		= "test2"
-	protocol 		= "https"
-	host     		= "test2.org"
-	port     		= 8081
-	path     		= "/"
-	connect_timeout = 6000
-	write_timeout 	= 5000
-	read_timeout  	= 4000
+	name     		 = "test2"
+	protocol 		 = "https"
+	host     		 = "test2.org"
+	port     		 = 8081
+	path     		 = "/"
+	connect_timeout  = 6000
+	write_timeout 	 = 5000
+	read_timeout  	 = 4000
+	tags             = ["foo"]
+	tls_verify       = true
+	tls_verify_depth = 2
 }
 `
 const testCreateServiceConfigZero = `
@@ -189,6 +263,36 @@ resource "kong_service" "service" {
 	retries         = 0
 }
 `
+
+const testServiceWithClientCertificateConfig = `
+resource "kong_certificate" "certificate" {
+	certificate  = <<EOF
+%s
+EOF
+	private_key =  <<EOF
+%s
+EOF
+   snis			= ["foo.com"]
+}
+
+resource "kong_certificate" "ca" {
+	certificate  = <<EOF
+%s
+EOF
+	private_key =  <<EOF
+%s
+EOF
+   snis			= ["ca.com"]
+}
+
+resource "kong_service" "service" {
+	name                  = "test"
+	protocol              = "https"
+	host                  = "test.org"
+	client_certificate_id = kong_certificate.certificate.id
+	ca_certificate_ids    = [kong_certificate.ca.id]
+}`
+
 const testImportServiceConfig = `
 resource "kong_service" "service" {
 	name     		= "test"
diff --git a/kong/resource_kong_target.go b/kong/resource_kong_target.go
index 896db77..a52926e 100644
--- a/kong/resource_kong_target.go
+++ b/kong/resource_kong_target.go
@@ -20,17 +20,17 @@ func resourceKongTarget() *schema.Resource {
 		},
 
 		Schema: map[string]*schema.Schema{
-			"target": &schema.Schema{
+			"target": {
 				Type:     schema.TypeString,
 				Required: true,
 				ForceNew: true,
 			},
-			"weight": &schema.Schema{
+			"weight": {
 				Type:     schema.TypeInt,
 				Required: true,
 				ForceNew: true,
 			},
-			"upstream_id": &schema.Schema{
+			"upstream_id": {
 				Type:     schema.TypeString,
 				Required: true,
 				ForceNew: true,
@@ -79,9 +79,18 @@ func resourceKongTargetRead(ctx context.Context, d *schema.ResourceData, meta in
 	} else {
 		for _, element := range targets {
 			if *element.ID == ids[1] {
-				d.Set("target", element.Target)
-				d.Set("weight", element.Weight)
-				d.Set("upstream_id", element.Upstream.ID)
+				err := d.Set("target", element.Target)
+				if err != nil {
+					return diag.FromErr(err)
+				}
+				err = d.Set("weight", element.Weight)
+				if err != nil {
+					return diag.FromErr(err)
+				}
+				err = d.Set("upstream_id", element.Upstream.ID)
+				if err != nil {
+					return diag.FromErr(err)
+				}
 			}
 		}
 	}
diff --git a/kong/resource_kong_upstream.go b/kong/resource_kong_upstream.go
index d12d8cc..87fcf24 100644
--- a/kong/resource_kong_upstream.go
+++ b/kong/resource_kong_upstream.go
@@ -20,110 +20,126 @@ func resourceKongUpstream() *schema.Resource {
 		},
 
 		Schema: map[string]*schema.Schema{
-			"name": &schema.Schema{
+			"name": {
 				Type:     schema.TypeString,
 				Required: true,
 				ForceNew: false,
 			},
-			"slots": &schema.Schema{
+			"slots": {
 				Type:     schema.TypeInt,
 				Optional: true,
 				ForceNew: false,
 				Default:  10000,
 			},
-			"hash_on": &schema.Schema{
+			"hash_on": {
 				Type:     schema.TypeString,
 				Optional: true,
 				ForceNew: false,
 				Default:  "none",
 			},
-			"hash_fallback": &schema.Schema{
+			"hash_fallback": {
 				Type:     schema.TypeString,
 				Optional: true,
 				ForceNew: false,
 				Default:  "none",
 			},
-			"hash_on_header": &schema.Schema{
+			"hash_on_header": {
 				Type:     schema.TypeString,
 				Optional: true,
 				ForceNew: false,
 				Default:  nil,
 			},
-			"hash_fallback_header": &schema.Schema{
+			"host_header": {
+				Type:     schema.TypeString,
+				Optional: true,
+				ForceNew: false,
+			},
+			"tags": {
+				Type:     schema.TypeList,
+				Optional: true,
+				ForceNew: false,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
+			"client_certificate_id": {
+				Type:     schema.TypeString,
+				Optional: true,
+				ForceNew: false,
+			},
+			"hash_fallback_header": {
 				Type:     schema.TypeString,
 				Optional: true,
 				ForceNew: false,
 				Default:  nil,
 			},
-			"hash_on_cookie": &schema.Schema{
+			"hash_on_cookie": {
 				Type:     schema.TypeString,
 				Optional: true,
 				ForceNew: false,
 				Default:  nil,
 			},
-			"hash_on_cookie_path": &schema.Schema{
+			"hash_on_cookie_path": {
 				Type:     schema.TypeString,
 				Optional: true,
 				ForceNew: false,
 				Default:  "/",
 			},
-			"healthchecks": &schema.Schema{
+			"healthchecks": {
 				Type:     schema.TypeList,
 				Optional: true,
 				MaxItems: 1,
 				Computed: true,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
-						"active": &schema.Schema{
+						"active": {
 							Type:     schema.TypeList,
 							Optional: true,
 							MaxItems: 1,
 							Computed: true,
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
-									"type": &schema.Schema{
+									"type": {
 										Type:     schema.TypeString,
 										Optional: true,
 										Default:  "http",
 									},
-									"timeout": &schema.Schema{
+									"timeout": {
 										Type:     schema.TypeInt,
 										Optional: true,
 										Default:  1,
 									},
-									"concurrency": &schema.Schema{
+									"concurrency": {
 										Type:     schema.TypeInt,
 										Optional: true,
 										Default:  10,
 									},
-									"http_path": &schema.Schema{
+									"http_path": {
 										Type:     schema.TypeString,
 										Optional: true,
 										Default:  "/",
 									},
-									"https_verify_certificate": &schema.Schema{
+									"https_verify_certificate": {
 										Type:     schema.TypeBool,
 										Optional: true,
 										Default:  true,
 									},
-									"https_sni": &schema.Schema{
+									"https_sni": {
 										Type:     schema.TypeString,
 										Optional: true,
 										Default:  nil,
 									},
-									"healthy": &schema.Schema{
+									"healthy": {
 										Type:     schema.TypeList,
 										Optional: true,
 										MaxItems: 1,
 										Computed: true,
 										Elem: &schema.Resource{
 											Schema: map[string]*schema.Schema{
-												"interval": &schema.Schema{
+												"interval": {
 													Type:     schema.TypeInt,
 													Optional: true,
 													Computed: true,
 												},
-												"http_statuses": &schema.Schema{
+												"http_statuses": {
 													Type:     schema.TypeList,
 													Optional: true,
 													Computed: true,
@@ -131,7 +147,7 @@ func resourceKongUpstream() *schema.Resource {
 														Type: schema.TypeInt,
 													},
 												},
-												"successes": &schema.Schema{
+												"successes": {
 													Type:     schema.TypeInt,
 													Optional: true,
 													Computed: true,
@@ -139,19 +155,19 @@ func resourceKongUpstream() *schema.Resource {
 											},
 										},
 									},
-									"unhealthy": &schema.Schema{
+									"unhealthy": {
 										Type:     schema.TypeList,
 										Optional: true,
 										MaxItems: 1,
 										Computed: true,
 										Elem: &schema.Resource{
 											Schema: map[string]*schema.Schema{
-												"interval": &schema.Schema{
+												"interval": {
 													Type:     schema.TypeInt,
 													Optional: true,
 													Computed: true,
 												},
-												"http_statuses": &schema.Schema{
+												"http_statuses": {
 													Type:     schema.TypeList,
 													Optional: true,
 													Computed: true,
@@ -159,17 +175,17 @@ func resourceKongUpstream() *schema.Resource {
 														Type: schema.TypeInt,
 													},
 												},
-												"tcp_failures": &schema.Schema{
+												"tcp_failures": {
 													Type:     schema.TypeInt,
 													Optional: true,
 													Computed: true,
 												},
-												"http_failures": &schema.Schema{
+												"http_failures": {
 													Type:     schema.TypeInt,
 													Optional: true,
 													Computed: true,
 												},
-												"timeouts": &schema.Schema{
+												"timeouts": {
 													Type:     schema.TypeInt,
 													Optional: true,
 													Computed: true,
@@ -180,62 +196,62 @@ func resourceKongUpstream() *schema.Resource {
 								},
 							},
 						},
-						"passive": &schema.Schema{
+						"passive": {
 							Type:     schema.TypeList,
 							Optional: true,
 							MaxItems: 1,
 							Computed: true,
 							Elem: &schema.Resource{
 								Schema: map[string]*schema.Schema{
-									"type": &schema.Schema{
+									"type": {
 										Type:     schema.TypeString,
 										Optional: true,
 										Default:  "http",
 									},
-									"healthy": &schema.Schema{
+									"healthy": {
 										Type:     schema.TypeList,
 										Optional: true,
 										MaxItems: 1,
 										Computed: true,
 										Elem: &schema.Resource{
 											Schema: map[string]*schema.Schema{
-												"http_statuses": &schema.Schema{
+												"http_statuses": {
 													Type:     schema.TypeList,
 													Optional: true,
 													Elem: &schema.Schema{
 														Type: schema.TypeInt,
 													},
 												},
-												"successes": &schema.Schema{
+												"successes": {
 													Type:     schema.TypeInt,
 													Optional: true,
 												},
 											},
 										},
 									},
-									"unhealthy": &schema.Schema{
+									"unhealthy": {
 										Type:     schema.TypeList,
 										Optional: true,
 										MaxItems: 1,
 										Computed: true,
 										Elem: &schema.Resource{
 											Schema: map[string]*schema.Schema{
-												"http_statuses": &schema.Schema{
+												"http_statuses": {
 													Type:     schema.TypeList,
 													Optional: true,
 													Elem: &schema.Schema{
 														Type: schema.TypeInt,
 													},
 												},
-												"tcp_failures": &schema.Schema{
+												"tcp_failures": {
 													Type:     schema.TypeInt,
 													Optional: true,
 												},
-												"http_failures": &schema.Schema{
+												"http_failures": {
 													Type:     schema.TypeInt,
 													Optional: true,
 												},
-												"timeouts": &schema.Schema{
+												"timeouts": {
 													Type:     schema.TypeInt,
 													Optional: true,
 												},
@@ -296,17 +312,57 @@ func resourceKongUpstreamRead(ctx context.Context, d *schema.ResourceData, meta
 		d.SetId("")
 	} else {
 		d.SetId(*upstream.ID)
-		d.Set("name", upstream.Name)
-		d.Set("slots", upstream.Slots)
-		d.Set("hash_on", upstream.HashOn)
-		d.Set("hash_fallback", upstream.HashFallback)
-		d.Set("hash_on_header", upstream.HashOnHeader)
-		d.Set("hash_fallback_header", upstream.HashFallbackHeader)
-		d.Set("hash_on_cookie", upstream.HashOnCookie)
-		d.Set("hash_on_cookie_path", upstream.HashOnCookiePath)
+		err := d.Set("name", upstream.Name)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		err = d.Set("slots", upstream.Slots)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		err = d.Set("hash_on", upstream.HashOn)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		err = d.Set("hash_fallback", upstream.HashFallback)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		err = d.Set("hash_on_header", upstream.HashOnHeader)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		err = d.Set("hash_fallback_header", upstream.HashFallbackHeader)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		err = d.Set("hash_on_cookie", upstream.HashOnCookie)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		err = d.Set("hash_on_cookie_path", upstream.HashOnCookiePath)
+		if err != nil {
+			return diag.FromErr(err)
+		}
 		if err := d.Set("healthchecks", flattenHealthCheck(upstream.Healthchecks)); err != nil {
 			return diag.FromErr(err)
 		}
+		err = d.Set("tags", upstream.Tags)
+		if err != nil {
+			return diag.FromErr(err)
+		}
+		if upstream.HostHeader != nil {
+			err = d.Set("host_header", upstream.HostHeader)
+			if err != nil {
+				return diag.FromErr(err)
+			}
+		}
+		if upstream.ClientCertificate != nil {
+			err = d.Set("client_certificate_id", upstream.ClientCertificate.ID)
+			if err != nil {
+				return diag.FromErr(err)
+			}
+		}
 	}
 
 	return diags
@@ -339,6 +395,15 @@ func createKongUpstreamRequestFromResourceData(d *schema.ResourceData) *kong.Ups
 	upstreamRequest.HashFallbackHeader = readStringPtrFromResource(d, "hash_fallback_header")
 	upstreamRequest.HashOnCookie = readStringPtrFromResource(d, "hash_on_cookie")
 	upstreamRequest.HashOnCookiePath = readStringPtrFromResource(d, "hash_on_cookie_path")
+	upstreamRequest.HostHeader = readStringPtrFromResource(d, "host_header")
+	upstreamRequest.Tags = readStringArrayPtrFromResource(d, "tags")
+
+	clientCertificateID := readIdPtrFromResource(d, "client_certificate_id")
+	if clientCertificateID != nil {
+		upstreamRequest.ClientCertificate = &kong.Certificate{
+			ID: clientCertificateID,
+		}
+	}
 
 	if healthChecksArray := readArrayFromResource(d, "healthchecks"); healthChecksArray != nil && len(healthChecksArray) > 0 {
 		healthChecksMap := healthChecksArray[0].(map[string]interface{})
diff --git a/kong/resource_kong_upstream_test.go b/kong/resource_kong_upstream_test.go
index 2416272..d6a0cc0 100644
--- a/kong/resource_kong_upstream_test.go
+++ b/kong/resource_kong_upstream_test.go
@@ -82,7 +82,7 @@ func TestAccKongUpstream(t *testing.T) {
 				),
 			},
 			{
-				Config: testUpdateUpstreamConfig,
+				Config: fmt.Sprintf(testUpdateUpstreamConfig, testCert1, testKey1),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckKongUpstreamExists("kong_upstream.upstream"),
 					resource.TestCheckResourceAttr("kong_upstream.upstream", "name", "MyUpstream"),
@@ -94,6 +94,33 @@ func TestAccKongUpstream(t *testing.T) {
 					resource.TestCheckResourceAttr("kong_upstream.upstream", "hash_on_cookie", "CookieName"),
 					resource.TestCheckResourceAttr("kong_upstream.upstream", "hash_on_cookie_path", "/path"),
 
+					resource.TestCheckResourceAttr("kong_upstream.upstream", "host_header", "x-host"),
+					resource.TestCheckResourceAttr("kong_upstream.upstream", "tags.#", "2"),
+					resource.TestCheckResourceAttr("kong_upstream.upstream", "tags.0", "a"),
+					resource.TestCheckResourceAttr("kong_upstream.upstream", "tags.1", "b"),
+					func(s *terraform.State) error {
+						module := s.RootModule()
+						cert, ok := module.Resources["kong_certificate.certificate"]
+						if !ok {
+							return fmt.Errorf("could not find certificate resource")
+						}
+
+						service, ok := module.Resources["kong_upstream.upstream"]
+						if !ok {
+							return fmt.Errorf("could not find upstream resource")
+						}
+
+						v, ok := service.Primary.Attributes["client_certificate_id"]
+						if !ok {
+							return fmt.Errorf("could not find client_certificate_id property")
+						}
+
+						if v != cert.Primary.ID {
+							return fmt.Errorf("client_certificate_id does not match certificate id")
+						}
+						return nil
+					},
+
 					resource.TestCheckResourceAttr("kong_upstream.upstream", "healthchecks.0.active.0.type", "https"),
 					resource.TestCheckResourceAttr("kong_upstream.upstream", "healthchecks.0.active.0.timeout", "10"),
 					resource.TestCheckResourceAttr("kong_upstream.upstream", "healthchecks.0.active.0.concurrency", "20"),
@@ -1048,6 +1075,16 @@ resource "kong_upstream" "upstream" {
 }
 `
 const testUpdateUpstreamConfig = `
+resource "kong_certificate" "certificate" {
+	certificate  = <<EOF
+%s
+EOF
+	private_key =  <<EOF
+%s
+EOF
+   snis			= ["foo.com"]
+}
+
 resource "kong_upstream" "upstream" {
 	name  		         = "MyUpstream"
 	slots 		         = 20
@@ -1057,6 +1094,10 @@ resource "kong_upstream" "upstream" {
 	hash_fallback_header = "FallbackHeaderName"
 	hash_on_cookie       = "CookieName"
 	hash_on_cookie_path  = "/path"
+	host_header          = "x-host"
+    tags                 = ["a", "b"]
+    client_certificate_id = kong_certificate.certificate.id
+
 	healthchecks {
 		active {
 			type                     = "https"
diff --git a/kong/resource_reader.go b/kong/resource_reader.go
index fd8082a..455940d 100644
--- a/kong/resource_reader.go
+++ b/kong/resource_reader.go
@@ -21,6 +21,27 @@ func readStringArrayPtrFromResource(d *schema.ResourceData, key string) []*strin
 	return nil
 }
 
+func readMapStringArrayFromResource(d *schema.ResourceData, key string) map[string][]string {
+	results := map[string][]string{}
+	if attr, ok := d.GetOk(key); ok {
+		set := attr.(*schema.Set)
+		for _, item := range set.List() {
+			m := item.(map[string]interface{})
+			if name, ok := m["name"].(string); ok {
+				if values, ok := m["values"].([]interface{}); ok {
+					var vals []string
+					for _, v := range values {
+						vals = append(vals, v.(string))
+					}
+					results[name] = vals
+				}
+			}
+		}
+	}
+
+	return results
+}
+
 func readIpPortArrayFromResource(d *schema.ResourceData, key string) []*kong.CIDRPort {
 	if attr, ok := d.GetOk(key); ok {
 		set := attr.(*schema.Set)
@@ -51,13 +72,6 @@ func readArrayFromResource(d *schema.ResourceData, key string) []interface{} {
 	return nil
 }
 
-func readStringFromResource(d *schema.ResourceData, key string) string {
-	if value, ok := d.GetOk(key); ok {
-		return value.(string)
-	}
-	return ""
-}
-
 func readIdPtrFromResource(d *schema.ResourceData, key string) *string {
 	if value, ok := d.GetOk(key); ok {
 		id := value.(string)
@@ -67,26 +81,30 @@ func readIdPtrFromResource(d *schema.ResourceData, key string) *string {
 }
 
 func readStringPtrFromResource(d *schema.ResourceData, key string) *string {
-	if value, ok := d.GetOkExists(key); ok {
+	if value, ok := d.GetOk(key); ok {
 		return kong.String(value.(string))
 	}
 	return nil
 }
 
 func readBoolPtrFromResource(d *schema.ResourceData, key string) *bool {
-	return kong.Bool(d.Get(key).(bool))
-}
-
-func readIntFromResource(d *schema.ResourceData, key string) int {
-	if value, ok := d.GetOk(key); ok {
-		return value.(int)
+	if value, ok := d.GetOkExists(key); ok {
+		return kong.Bool(value.(bool))
 	}
-	return 0
+	return nil
 }
 
 func readIntPtrFromResource(d *schema.ResourceData, key string) *int {
-	if value, ok := d.GetOkExists(key); ok {
+	if value, ok := d.GetOk(key); ok {
 		return kong.Int(value.(int))
 	}
 	return nil
 }
+
+func readIntWithZeroPtrFromResource(d *schema.ResourceData, key string) *int {
+	value := d.Get(key)
+	if value == nil {
+		return nil
+	}
+	return kong.Int(value.(int))
+}