Merge branch 'master' into add-content-scanning

.changelog/4565.txt

@@ -1,4 +1,4 @@
- ```release-note:new-resource
+```release-note:new-resource
 cloudflare_snippet
 ```
 

.changelog/4697.txt

@@ -0,0 +1,7 @@
+```release-note:enhancement
+resource/cloudflare_ruleset: improve diffs when only some rules are changed
+```
+
+```release-note:note
+resource/cloudflare_ruleset: rules must now be given an explicit `ref` to avoid their IDs changing across ruleset updates, see https://developers.cloudflare.com/terraform/troubleshooting/rule-id-changes/
+```

.changelog/4721.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/access_identity_provider: document scim_config fields
+```

.changelog/4737.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/cloudflare_teams_list: use PUT call to update list items
+```

.changelog/4741.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+resource/cloudflare_leaked_credential_check_rule: Fix bug in update method
+```

.changelog/4755.txt

@@ -0,0 +1,3 @@
+```release-note:dependency
+provider: bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /tools
+```

.changelog/4756.txt

@@ -0,0 +1,3 @@
+```release-note:dependency
+provider: bump golang.org/x/crypto from 0.30.0 to 0.31.0
+```

.changelog/4762.txt

@@ -0,0 +1,3 @@
+```release-note:dependency
+provider: bump github.com/hashicorp/terraform-plugin-framework-validators from 0.15.0 to 0.16.0
+```

.changelog/4802.txt

@@ -0,0 +1,3 @@
+```release-note:dependency
+provider: bump golang.org/x/net from 0.32.0 to 0.33.0
+```

.changelog/4803.txt

@@ -0,0 +1,3 @@
+```release-note:dependency
+provider: bump github.com/cloudflare/cloudflare-go from 0.111.0 to 0.112.0
+```

.github/workflows/next-acceptance-tests.yml

@@ -43,4 +43,4 @@ jobs:
       id: go
     - run: go install gotest.tools/gotestsum@latest
     - run: go get github.com/cloudflare/cloudflare-go/v3@next
-    - run: TF_ACC=1 gotestsum ./internal/services/{argo_smart_routing,argo_tiered_caching,bot_management,d1_database,dns_firewall,dns_record,healthcheck,list,origin_ca_certificate,queue,r2_bucket,secondary_dns_acl,secondary_dns_peer,secondary_dns_tsig,tiered_cache,total_tls,zone,zone_cache_variants,zone_setting,zone_subscription} -run "^TestAcc" -count 1 -v -timeout 120m
+    - run: TF_ACC=1 gotestsum ./internal/services/{argo_smart_routing,argo_tiered_caching,bot_management,d1_database,dns_firewall,dns_record,healthcheck,list,origin_ca_certificate,queue,r2_bucket,tiered_cache,total_tls,zone,zone_cache_variants,zone_setting,zone_subscription} -run "^TestAcc" -count 1 -v -timeout 120m

CHANGELOG.md

@@ -1,4 +1,36 @@
-## 4.48.0 (Unreleased)
+## 4.49.0 (Unreleased)
+
+## 4.48.0 (December 11th, 2024)
+
+NOTES:
+
+* resource/cloudflare_ruleset: rules must now be given an explicit `ref` to avoid their IDs changing across ruleset updates, see https://developers.cloudflare.com/terraform/troubleshooting/rule-id-changes/ ([#4697](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4697))
+
+FEATURES:
+
+* **New Resource:** `cloudflare_leaked_credential_check` ([#4674](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4674))
+* **New Resource:** `cloudflare_leaked_credential_check_rule` ([#4676](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4676))
+* **New Resource:** `cloudflare_snippet` ([#4565](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4565))
+* **New Resource:** `cloudflare_snippet_rules` ([#4565](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4565))
+
+ENHANCEMENTS:
+
+* resource/access_application: add support for destinations and domain_type ([#4661](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4661))
+* resource/access_identity_provider: document scim_config fields ([#4721](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4721))
+* resource/cloudflare_access_policy: adds support for Access infrastructure `allow_email_alias` connection rule flag ([#4665](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4665))
+* resource/cloudflare_ruleset: improve diffs when only some rules are changed ([#4697](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4697))
+* resource/cloudflare_teams_list: use PUT call to update list items ([#4737](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4737))
+* resource/cloudflare_zero_trust_access_policy: adds support for Access infrastructure `allow_email_alias` connection rule flag ([#4665](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4665))
+
+BUG FIXES:
+
+* resource/cloudflare_authenticated_origin_pulls: Fix issue where resources are disabled instead of being destroyed on `tf destroy` ([#4649](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4649))
+* resource/cloudflare_leaked_credential_check_rule: Fix bug in update method ([#4741](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4741))
+
+DEPENDENCIES:
+
+* provider: bump github.com/cloudflare/cloudflare-go from 0.110.0 to 0.111.0 ([#4709](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4709))
+* provider: bump golang.org/x/net from 0.31.0 to 0.32.0 ([#4718](https://github.com/cloudflare/terraform-provider-cloudflare/issues/4718))
 
 ## 4.47.0 (November 27th, 2024)
 

docs/resources/access_identity_provider.md

@@ -128,12 +128,12 @@ Read-Only:
 
 Optional:
 
-- `enabled` (Boolean)
-- `group_member_deprovision` (Boolean)
-- `identity_update_behavior` (String)
-- `seat_deprovision` (Boolean)
-- `secret` (String, Sensitive)
-- `user_deprovision` (Boolean)
+- `enabled` (Boolean) A flag to enable or disable SCIM for the identity provider.
+- `group_member_deprovision` (Boolean) Deprecated. Use `identity_update_behavior`.
+- `identity_update_behavior` (String) Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
+- `seat_deprovision` (Boolean) A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider.  This cannot be enabled unless user_deprovision is also enabled.
+- `secret` (String, Sensitive) A read-only token generated when the SCIM integration is enabled for the first time.  It is redacted on subsequent requests.  If you lose this you will need to refresh it token at /access/identity_providers/:idpID/refresh_scim_secret.
+- `user_deprovision` (Boolean) A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.
 
 ## Import
 

docs/resources/access_policy.md

@@ -245,6 +245,9 @@ Required:
 Required:
 
 - `usernames` (List of String) Contains the Unix usernames that may be used when connecting over SSH.
+
+Optional:
+
 - `allow_email_alias` (Boolean) Allows connecting to Unix username that matches the authenticating email prefix.
 
 

docs/resources/cloud_connector_rules.md

@@ -2,12 +2,12 @@
 page_title: "cloudflare_cloud_connector_rules Resource - Cloudflare"
 subcategory: ""
 description: |-
-  The Cloud Connector Rules add link to doc resource allows you to create and manage cloud connector rules for a zone.
+  The Cloud Connector Rules resource allows you to create and manage cloud connector rules for a zone.
 ---
 
 # cloudflare_cloud_connector_rules (Resource)
 
-The [Cloud Connector Rules](add link to doc) resource allows you to create and manage cloud connector rules for a zone.
+The [Cloud Connector Rules](https://developers.cloudflare.com/rules/cloud-connector/) resource allows you to create and manage cloud connector rules for a zone.
 
 ## Example Usage
 

docs/resources/filter.md

@@ -13,7 +13,7 @@ Filter expressions that can be referenced across multiple features,
 e.g. Firewall Rules. See [what is a filter](https://developers.cloudflare.com/firewall/api/cf-filters/what-is-a-filter/)
 for more details and available fields and operators.
 
-~> `cloudflare_filter` is in a deprecation phase until January 15th, 2025.
+~> `cloudflare_filter` is in a deprecation phase until June 15th, 2025.
   During this time period, this resource is still fully
   supported but you are strongly advised to move to the
   `cloudflare_ruleset` resource. Full details can be found in the

docs/resources/firewall_rule.md

@@ -20,7 +20,7 @@ rule creation.
 Filter expressions needs to be created first before using Firewall
 Rule.
 
-~> `cloudflare_firewall_rule` is in a deprecation phase until January 15th, 2025.
+~> `cloudflare_firewall_rule` is in a deprecation phase until June 15th, 2025.
   During this time period, this resource is still
   fully supported but you are strongly advised  to move to the
   `cloudflare_ruleset` resource. Full details can be found in the

docs/resources/rate_limit.md

@@ -13,7 +13,7 @@ Provides a Cloudflare rate limit resource for a given zone. This can
 be used to limit the traffic you receive zone-wide, or matching more
 specific types of requests/responses.
 
-~> `cloudflare_rate_limit` is in a deprecation phase until January 15th, 2025.
+~> `cloudflare_rate_limit` is in a deprecation phase until June 15th, 2025.
   During this time period, this resource is still
   fully supported but you are strongly advised to move to the
   `cloudflare_ruleset` resource. Full details can be found in the