cloudflare · veggiedefender · Dec 3, 2024 · Dec 26, 2024
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/access_application: fix domain and self_hosted_domains drift after import
+```
@@ -193,6 +193,10 @@ func resourceCloudflareAccessApplicationCreate(ctx context.Context, d *schema.Re
 }
 
 func resourceCloudflareAccessApplicationRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	return resourceCloudflareAccessApplicationReadHelper(ctx, d, meta, false)
+}
+
+func resourceCloudflareAccessApplicationReadHelper(ctx context.Context, d *schema.ResourceData, meta interface{}, importing bool) diag.Diagnostics {
 	client := meta.(*cloudflare.API)
 
 	identifier, err := initIdentifier(d)
@@ -215,7 +219,7 @@ func resourceCloudflareAccessApplicationRead(ctx context.Context, d *schema.Reso
 	d.Set("name", accessApplication.Name)
 	d.Set("aud", accessApplication.AUD)
 	d.Set("session_duration", accessApplication.SessionDuration)
-	if _, domainWasSet := d.GetOk("domain"); domainWasSet {
+	if _, domainWasSet := d.GetOk("domain"); domainWasSet || importing {
 		// Only set the domain if it was set in the configuration, as apps can be created without a domain
 		// if they define a non-empty self_hosted_domains array
 		d.Set("domain", accessApplication.Domain)
@@ -273,7 +277,9 @@ func resourceCloudflareAccessApplicationRead(ctx context.Context, d *schema.Reso
 		return diag.FromErr(fmt.Errorf("error setting Access Application Infrastructure app configuration: %w", targetContextsErr))
 	}
 
-	if _, ok := d.GetOk("self_hosted_domains"); ok {
+	if _, ok := d.GetOk("destinations"); ok || importing {
+		d.Set("destinations", convertDestinationsToSchema(accessApplication.Destinations))
+	} else if _, ok := d.GetOk("self_hosted_domains"); ok || importing {
 		publicDomains := make([]string, 0, len(accessApplication.Destinations))
 		for _, dest := range accessApplication.Destinations {
 			if dest.Type == cloudflare.AccessDestinationPublic {
@@ -283,10 +289,6 @@ func resourceCloudflareAccessApplicationRead(ctx context.Context, d *schema.Reso
 		d.Set("self_hosted_domains", publicDomains)
 	}
 
-	if _, ok := d.GetOk("destinations"); ok {
-		d.Set("destinations", convertDestinationsToSchema(accessApplication.Destinations))
-	}
-
 	scimConfig := convertScimConfigStructToSchema(accessApplication.SCIMConfig)
 
 	if scimConfigErr := d.Set("scim_config", scimConfig); scimConfigErr != nil {
@@ -474,7 +476,7 @@ func resourceCloudflareAccessApplicationImport(ctx context.Context, d *schema.Re
 	d.Set(consts.AccountIDSchemaKey, accountID)
 	d.SetId(accessApplicationID)
 
-	resourceCloudflareAccessApplicationRead(ctx, d, meta)
+	resourceCloudflareAccessApplicationReadHelper(ctx, d, meta, true)
 
 	return []*schema.ResourceData{d}, nil
 }
@@ -136,6 +136,47 @@ func TestAccCloudflareAccessApplication_BasicAccount(t *testing.T) {
 	})
 }
 
+func TestAccCloudflareAccessApplication_BasicAccount_Import(t *testing.T) {
+	t.Parallel()
+	accountID := os.Getenv("CLOUDFLARE_ACCOUNT_ID")
+	rnd := generateRandomResourceName()
+	name := "cloudflare_zero_trust_access_application." + rnd
+
+	checkFn := resource.ComposeTestCheckFunc(
+		resource.TestCheckResourceAttr(name, consts.AccountIDSchemaKey, accountID),
+		resource.TestCheckResourceAttr(name, "name", rnd),
+		resource.TestCheckResourceAttr(name, "domain", fmt.Sprintf("%s.%s", rnd, domain)),
+		resource.TestCheckResourceAttr(name, "type", "self_hosted"),
+		resource.TestCheckResourceAttr(name, "session_duration", "24h"),
+		resource.TestCheckResourceAttr(name, "cors_headers.#", "0"),
+		resource.TestCheckResourceAttr(name, "sass_app.#", "0"),
+		resource.TestCheckResourceAttr(name, "auto_redirect_to_identity", "false"),
+		resource.TestCheckResourceAttr(name, "allow_authenticate_via_warp", "false"),
+		resource.TestCheckResourceAttr(name, "options_preflight_bypass", "false"),
+	)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+			testAccPreCheckAccount(t)
+		},
+		ProviderFactories: providerFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccCloudflareAccessApplicationConfigBasicImport(rnd, domain, cloudflare.AccountIdentifier(accountID)),
+				Check:  checkFn,
+			},
+			{
+				ImportState:         true,
+				ImportStateVerify:   true,
+				ResourceName:        name,
+				ImportStateIdPrefix: fmt.Sprintf("%s/", accountID),
+				Check:               checkFn,
+			},
+		},
+	})
+}
+
 func TestAccCloudflareAccessApplication_WithSCIMConfigHttpBasic(t *testing.T) {
 	rnd := generateRandomResourceName()
 	name := fmt.Sprintf("cloudflare_zero_trust_access_application.%s", rnd)
@@ -1166,6 +1207,22 @@ resource "cloudflare_zero_trust_access_application" "%[1]s" {
 `, rnd, domain, identifier.Type, identifier.Identifier)
 }
 
+func testAccCloudflareAccessApplicationConfigBasicImport(rnd string, domain string, identifier *cloudflare.ResourceContainer) string {
+	return fmt.Sprintf(`
+resource "cloudflare_zero_trust_access_application" "%[1]s" {
+  %[3]s_id                  = "%[4]s"
+  name                      = "%[1]s"
+  domain                    = "%[1]s.%[2]s"
+  destinations {
+		uri = "%[1]s.%[2]s"
+	}
+  type                      = "self_hosted"
+  session_duration          = "24h"
+  auto_redirect_to_identity = false
+}
+`, rnd, domain, identifier.Type, identifier.Identifier)
+}
+
 func testAccCloudflareAccessApplicationConfigWithCORS(rnd, zoneID, domain string) string {
 	return fmt.Sprintf(`
 resource "cloudflare_zero_trust_access_application" "%[1]s" {