Merge branch 'master' into jesse/import_app

.changelog/4565.txt

@@ -0,0 +1,7 @@
+```release-note:new-resource
+cloudflare_snippet
+```
+
+```release-note:new-resource
+cloudflare_snippet_rules
+```

.changelog/4665.txt

@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/cloudflare_access_policy: adds support for Access infrastructure `allow_email_alias` connection rule flag
+```
+
+```release-note:enhancement
+resource/cloudflare_zero_trust_access_policy: adds support for Access infrastructure `allow_email_alias` connection rule flag
+```

.changelog/4676.txt

@@ -0,0 +1,3 @@
+```release-note:new-resource
+cloudflare_leaked_credential_check_rule
+```

.changelog/4697.txt

@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/cloudflare_ruleset: improve diffs when only some rules are changed
+```
+
+```release-note:note
+resource/cloudflare_ruleset: rules must now be given an explicit `ref` to avoid their IDs changing across ruleset updates, see https://developers.cloudflare.com/terraform/troubleshooting/rule-id-changes/
+```

.changelog/4718.txt

@@ -0,0 +1,3 @@
+```release-note:dependency
+provider: bump golang.org/x/net from 0.31.0 to 0.32.0
+```

.changelog/4721.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/access_identity_provider: document scim_config fields
+```

.changelog/4734.txt

@@ -0,0 +1,3 @@
+```release-note:new-resource
+cloudflare_content_scanning_expression
+```

.changelog/4737.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/cloudflare_teams_list: use PUT call to update list items
+```

.changelog/4741.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+resource/cloudflare_leaked_credential_check_rule: Fix bug in update method
+```

.changelog/4743.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/access_application: support multi-valued + Access service token authentication for SCIM provisioning to Access applications
+```

.changelog/4755.txt

@@ -0,0 +1,3 @@
+```release-note:dependency
+provider: bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /tools
+```

.changelog/4756.txt

@@ -0,0 +1,3 @@
+```release-note:dependency
+provider: bump golang.org/x/crypto from 0.30.0 to 0.31.0
+```

.changelog/4762.txt

@@ -0,0 +1,3 @@
+```release-note:dependency
+provider: bump github.com/hashicorp/terraform-plugin-framework-validators from 0.15.0 to 0.16.0
+```

.changelog/4802.txt

@@ -0,0 +1,3 @@
+```release-note:dependency
+provider: bump golang.org/x/net from 0.32.0 to 0.33.0
+```

.changelog/4803.txt

@@ -0,0 +1,3 @@
+```release-note:dependency
+provider: bump github.com/cloudflare/cloudflare-go from 0.111.0 to 0.112.0
+```

.changelog/4814.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+resource/cloudflare_ruleset: handle when `disable_stale_while_updating` is an empty object but not nil
+```

.changelog/4817.txt

@@ -0,0 +1,3 @@
+```release-note:note
+resource/cloudflare_teams_location: remove unusable `policy_ids` attribute
+```

.github/workflows/next-acceptance-tests.yml

@@ -43,4 +43,4 @@ jobs:
       id: go
     - run: go install gotest.tools/gotestsum@latest
     - run: go get github.com/cloudflare/cloudflare-go/v3@next
-    - run: TF_ACC=1 gotestsum ./internal/services/{argo_smart_routing,argo_tiered_caching,bot_management,d1_database,dns_firewall,dns_record,healthcheck,list,origin_ca_certificate,queue,r2_bucket,secondary_dns_acl,secondary_dns_peer,secondary_dns_tsig,tiered_cache,total_tls,zone,zone_cache_variants,zone_setting,zone_subscription} -run "^TestAcc" -count 1 -v -timeout 120m
+    - run: TF_ACC=1 gotestsum ./internal/services/{argo_smart_routing,argo_tiered_caching,bot_management,d1_database,dns_firewall,dns_record,healthcheck,list,origin_ca_certificate,queue,r2_bucket,tiered_cache,total_tls,zone,zone_cache_variants,zone_setting,zone_subscription} -run "^TestAcc" -count 1 -v -timeout 120m

CHANGELOG.md

@@ -1,4 +1,62 @@
-## 4.48.0 (Unreleased)
+## 4.50.0 (Unreleased)
+
+## 4.49.0 (December 25th, 2025)
+
+NOTES:
+
+* resource/cloudflare_teams_location: remove unusable `policy_ids` attribute ([#4817](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4817))
+
+FEATURES:
+
+* **New Resource:** `cloudflare_content_scanning_expression` ([#4734](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4734))
+
+ENHANCEMENTS:
+
+* resource/access_application: support multi-valued + Access service token authentication for SCIM provisioning to Access applications ([#4743](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4743))
+
+BUG FIXES:
+
+* resource/cloudflare_ruleset: handle when `disable_stale_while_updating` is an empty object but not nil ([#4814](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4814))
+
+DEPENDENCIES:
+
+* provider: bump github.com/cloudflare/cloudflare-go from 0.111.0 to 0.112.0 ([#4803](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4803))
+* provider: bump github.com/hashicorp/terraform-plugin-framework-validators from 0.15.0 to 0.16.0 ([#4762](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4762))
+* provider: bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /tools ([#4755](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4755))
+* provider: bump golang.org/x/crypto from 0.30.0 to 0.31.0 ([#4756](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4756))
+* provider: bump golang.org/x/net from 0.32.0 to 0.33.0 ([#4802](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4802))
+
+## 4.48.0 (December 11th, 2024)
+
+NOTES:
+
+* resource/cloudflare_ruleset: rules must now be given an explicit `ref` to avoid their IDs changing across ruleset updates, see https://developers.cloudflare.com/terraform/troubleshooting/rule-id-changes/ ([#4697](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4697))
+
+FEATURES:
+
+* **New Resource:** `cloudflare_leaked_credential_check` ([#4674](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4674))
+* **New Resource:** `cloudflare_leaked_credential_check_rule` ([#4676](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4676))
+* **New Resource:** `cloudflare_snippet` ([#4565](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4565))
+* **New Resource:** `cloudflare_snippet_rules` ([#4565](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4565))
+
+ENHANCEMENTS:
+
+* resource/access_application: add support for destinations and domain_type ([#4661](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4661))
+* resource/access_identity_provider: document scim_config fields ([#4721](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4721))
+* resource/cloudflare_access_policy: adds support for Access infrastructure `allow_email_alias` connection rule flag ([#4665](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4665))
+* resource/cloudflare_ruleset: improve diffs when only some rules are changed ([#4697](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4697))
+* resource/cloudflare_teams_list: use PUT call to update list items ([#4737](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4737))
+* resource/cloudflare_zero_trust_access_policy: adds support for Access infrastructure `allow_email_alias` connection rule flag ([#4665](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4665))
+
+BUG FIXES:
+
+* resource/cloudflare_authenticated_origin_pulls: Fix issue where resources are disabled instead of being destroyed on `tf destroy` ([#4649](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4649))
+* resource/cloudflare_leaked_credential_check_rule: Fix bug in update method ([#4741](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4741))
+
+DEPENDENCIES:
+
+* provider: bump github.com/cloudflare/cloudflare-go from 0.110.0 to 0.111.0 ([#4709](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4709))
+* provider: bump golang.org/x/net from 0.31.0 to 0.32.0 ([#4718](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4718))
 
 ## 4.47.0 (November 27th, 2024)
 

docs/resources/access_application.md

@@ -281,7 +281,7 @@ Required:
 
 Optional:
 
-- `authentication` (Block List, Max: 1) Attributes for configuring HTTP Basic, OAuth Bearer token, or OAuth 2 authentication schemes for SCIM provisioning to an application. (see [below for nested schema](#nestedblock--scim_config--authentication))
+- `authentication` (Block List) Attributes for configuring HTTP Basic, OAuth Bearer token, or OAuth 2 authentication schemes for SCIM provisioning to an application. (see [below for nested schema](#nestedblock--scim_config--authentication))
 - `deactivate_on_delete` (Boolean) If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
 - `enabled` (Boolean) Whether SCIM provisioning is turned on for this application.
 - `mappings` (Block List) A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. (see [below for nested schema](#nestedblock--scim_config--mappings))
@@ -295,14 +295,14 @@ Required:
 
 Optional:
 
-- `authorization_url` (String) URL used to generate the auth code used during token generation. Required when using `scim_config.0.authentication.0.client_secret`, `scim_config.0.authentication.0.client_id`, `scim_config.0.authentication.0.token_url`. Conflicts with `scim_config.0.authentication.0.user`, `scim_config.0.authentication.0.password`, `scim_config.0.authentication.0.token`.
-- `client_id` (String) Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. Required when using `scim_config.0.authentication.0.client_secret`, `scim_config.0.authentication.0.authorization_url`, `scim_config.0.authentication.0.token_url`. Conflicts with `scim_config.0.authentication.0.user`, `scim_config.0.authentication.0.password`, `scim_config.0.authentication.0.token`.
-- `client_secret` (String) Secret used to authenticate when generating a token for authenticating with the remove SCIM service. Required when using `scim_config.0.authentication.0.client_id`, `scim_config.0.authentication.0.authorization_url`, `scim_config.0.authentication.0.token_url`. Conflicts with `scim_config.0.authentication.0.user`, `scim_config.0.authentication.0.password`, `scim_config.0.authentication.0.token`.
-- `password` (String) Required when using `scim_config.0.authentication.0.user`. Conflicts with `scim_config.0.authentication.0.token`, `scim_config.0.authentication.0.client_id`, `scim_config.0.authentication.0.client_secret`, `scim_config.0.authentication.0.authorization_url`, `scim_config.0.authentication.0.token_url`, `scim_config.0.authentication.0.scopes`.
-- `scopes` (Set of String) The authorization scopes to request when generating the token used to authenticate with the remove SCIM service. Conflicts with `scim_config.0.authentication.0.user`, `scim_config.0.authentication.0.password`, `scim_config.0.authentication.0.token`.
-- `token` (String) Token used to authenticate with the remote SCIM service. Conflicts with `scim_config.0.authentication.0.user`, `scim_config.0.authentication.0.password`, `scim_config.0.authentication.0.client_id`, `scim_config.0.authentication.0.client_secret`, `scim_config.0.authentication.0.authorization_url`, `scim_config.0.authentication.0.token_url`, `scim_config.0.authentication.0.scopes`.
-- `token_url` (String) URL used to generate the token used to authenticate with the remote SCIM service. Required when using `scim_config.0.authentication.0.client_secret`, `scim_config.0.authentication.0.authorization_url`, `scim_config.0.authentication.0.client_id`. Conflicts with `scim_config.0.authentication.0.user`, `scim_config.0.authentication.0.password`, `scim_config.0.authentication.0.token`.
-- `user` (String) User name used to authenticate with the remote SCIM service. Required when using `scim_config.0.authentication.0.password`. Conflicts with `scim_config.0.authentication.0.token`, `scim_config.0.authentication.0.client_id`, `scim_config.0.authentication.0.client_secret`, `scim_config.0.authentication.0.authorization_url`, `scim_config.0.authentication.0.token_url`, `scim_config.0.authentication.0.scopes`.
+- `authorization_url` (String) URL used to generate the auth code used during token generation.
+- `client_id` (String) Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
+- `client_secret` (String) Secret used to authenticate when generating a token for authenticating with the remove SCIM service.
+- `password` (String)
+- `scopes` (Set of String) The authorization scopes to request when generating the token used to authenticate with the remove SCIM service.
+- `token` (String) Token used to authenticate with the remote SCIM service.
+- `token_url` (String) URL used to generate the token used to authenticate with the remote SCIM service.
+- `user` (String) User name used to authenticate with the remote SCIM service.
 
 
 <a id="nestedblock--scim_config--mappings"></a>

docs/resources/access_identity_provider.md

@@ -128,12 +128,12 @@ Read-Only:
 
 Optional:
 
-- `enabled` (Boolean)
-- `group_member_deprovision` (Boolean)
-- `identity_update_behavior` (String)
-- `seat_deprovision` (Boolean)
-- `secret` (String, Sensitive)
-- `user_deprovision` (Boolean)
+- `enabled` (Boolean) A flag to enable or disable SCIM for the identity provider.
+- `group_member_deprovision` (Boolean) Deprecated. Use `identity_update_behavior`.
+- `identity_update_behavior` (String) Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
+- `seat_deprovision` (Boolean) A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider.  This cannot be enabled unless user_deprovision is also enabled.
+- `secret` (String, Sensitive) A read-only token generated when the SCIM integration is enabled for the first time.  It is redacted on subsequent requests.  If you lose this you will need to refresh it token at /access/identity_providers/:idpID/refresh_scim_secret.
+- `user_deprovision` (Boolean) A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.
 
 ## Import
 

docs/resources/access_policy.md

@@ -70,6 +70,7 @@ resource "cloudflare_access_policy" "infra-app-example-allow" {
   connection_rules {
     ssh {
       usernames = ["ec2-user"]
+      allow_email_alias = true
     }
   }
 }
@@ -245,6 +246,10 @@ Required:
 
 - `usernames` (List of String) Contains the Unix usernames that may be used when connecting over SSH.
 
+Optional:
+
+- `allow_email_alias` (Boolean) Allows connecting to Unix username that matches the authenticating email prefix.
+
 
 
 <a id="nestedblock--exclude"></a>

docs/resources/cloud_connector_rules.md

@@ -2,12 +2,12 @@
 page_title: "cloudflare_cloud_connector_rules Resource - Cloudflare"
 subcategory: ""
 description: |-
-  The Cloud Connector Rules add link to doc resource allows you to create and manage cloud connector rules for a zone.
+  The Cloud Connector Rules https://developers.cloudflare.com/rules/cloud-connector/ resource allows you to create and manage cloud connector rules for a zone.
 ---
 
 # cloudflare_cloud_connector_rules (Resource)
 
-The [Cloud Connector Rules](add link to doc) resource allows you to create and manage cloud connector rules for a zone.
+The [Cloud Connector Rules](https://developers.cloudflare.com/rules/cloud-connector/) resource allows you to create and manage cloud connector rules for a zone.
 
 ## Example Usage
 

docs/resources/content_scanning_expression.md

@@ -0,0 +1,49 @@
+---
+page_title: "cloudflare_content_scanning_expression Resource - Cloudflare"
+subcategory: ""
+description: |-
+  Provides a Cloudflare Content Scanning Expression resource for managing custom scan expression within a specific zone.
+---
+
+# cloudflare_content_scanning_expression (Resource)
+
+Provides a Cloudflare Content Scanning Expression resource for managing custom scan expression within a specific zone.
+
+## Example Usage
+
+```terraform
+# Enable Content Scanning before trying to add custom scan expressions
+resource "cloudflare_content_scanning" "example" {
+    zone_id = "399c6f4950c01a5a141b99ff7fbcbd8b"
+    enabled = true
+}
+
+resource "cloudflare_content_scanning_expression" "first_example" {
+	zone_id = cloudflare_content_scanning.example.zone_id
+	payload = "lookup_json_string(http.request.body.raw, \"file\")"
+}
+
+resource "cloudflare_content_scanning_expression" "second_example" {
+	zone_id = cloudflare_content_scanning.example.zone_id
+	payload = "lookup_json_string(http.request.body.raw, \"document\")"
+}
+```
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `payload` (String) Custom scan expression to tell the content scanner where to find the content objects.
+- `zone_id` (String) The zone identifier to target for the resource.
+
+### Read-Only
+
+- `id` (String) The identifier of this resource.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+terraform import cloudflare_content_scanning_expression.example <zone_id>/<resource_id>
+```

docs/resources/filter.md

@@ -13,7 +13,7 @@ Filter expressions that can be referenced across multiple features,
 e.g. Firewall Rules. See [what is a filter](https://developers.cloudflare.com/firewall/api/cf-filters/what-is-a-filter/)
 for more details and available fields and operators.
 
-~> `cloudflare_filter` is in a deprecation phase until January 15th, 2025.
+~> `cloudflare_filter` is in a deprecation phase until June 15th, 2025.
   During this time period, this resource is still fully
   supported but you are strongly advised to move to the
   `cloudflare_ruleset` resource. Full details can be found in the

docs/resources/firewall_rule.md

@@ -20,7 +20,7 @@ rule creation.
 Filter expressions needs to be created first before using Firewall
 Rule.
 
-~> `cloudflare_firewall_rule` is in a deprecation phase until January 15th, 2025.
+~> `cloudflare_firewall_rule` is in a deprecation phase until June 15th, 2025.
   During this time period, this resource is still
   fully supported but you are strongly advised  to move to the
   `cloudflare_ruleset` resource. Full details can be found in the

docs/resources/leaked_credential_check_rule.md

@@ -0,0 +1,47 @@
+---
+page_title: "cloudflare_leaked_credential_check_rule Resource - Cloudflare"
+subcategory: ""
+description: |-
+  Provides a Cloudflare Leaked Credential Check Rule resource for managing user-defined Leaked Credential detection patterns within a specific zone.
+---
+
+# cloudflare_leaked_credential_check_rule (Resource)
+
+Provides a Cloudflare Leaked Credential Check Rule resource for managing user-defined Leaked Credential detection patterns within a specific zone.
+
+## Example Usage
+
+```terraform
+# Enable the Leaked Credentials Check detection before trying
+# to add detections.
+resource "cloudflare_leaked_credential_check" "example" {
+	zone_id = "399c6f4950c01a5a141b99ff7fbcbd8b"
+	enabled = true
+}
+
+resource "cloudflare_leaked_credential_check_rule" "example" {
+  zone_id = cloudflare_leaked_credential_check.example.zone_id
+  username = "lookup_json_string(http.request.body.raw, \"user\")"
+	password = "lookup_json_string(http.request.body.raw, \"pass\")"
+}
+```
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `password` (String) The ruleset expression to use in matching the password in a request
+- `username` (String) The ruleset expression to use in matching the username in a request.
+- `zone_id` (String) The zone identifier to target for the resource.
+
+### Read-Only
+
+- `id` (String) The identifier of this resource.
+
+## Import
+
+Import is supported using the following syntax:
+
+```shell
+terraform import cloudflare_leaked_credential_check_rule.example <zone_id>/<resource_id>
+```