fix(zero_trust_tunnel_cloudflared_virtual_network): fix sweeper panics #6392
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fixes panics observed in CI when sweepers run for the `zero_trust_tunnel_cloudflared_virtual_network` resource. ``` 2025/10/30 00:16:16 [DEBUG] Running Sweepers for region (all): 2025/10/30 00:16:16 [DEBUG] Running Sweeper (cloudflare_zero_trust_tunnel_cloudflared_virtual_network) in region (all) 2025/10/30 00:16:16 [DEBUG] Completed Sweeper (cloudflare_zero_trust_tunnel_cloudflared_virtual_network) in region (all) in 294.541µs Error: /30 00:16:16 [ERROR] Error running Sweeper (cloudflare_zero_trust_tunnel_cloudflared_virtual_network) in region (all): missing required account_id parameter FAIL github.com/cloudflare/terraform-provider-cloudflare/internal/services/zero_trust_tunnel_cloudflared_virtual_network 0.014s FAIL ⚠ Sweeper failed, retrying in 4s... ```
mgirouard
requested review from
RebeccaTamachiro,
SirCortly,
musa-cf,
rotem-cloud,
ssicard and
vaishakdinesh
Merged
mgirouard
added a commit
that referenced
this pull request
Oct 30, 2025
* feat: modernize zero_trust_tunnel_cloudflared_virtual_network tests and improve (#6293) coverage - Convert legacy resource.TestCheckResourceAttr to modern ConfigStateChecks - Add proper CheckDestroy function for resource cleanup verification - Enhance test coverage with minimal configuration test case - Add comprehensive state validation with computed attribute checks * feat: modernize zero_trust_tunnel_cloudflared_config tests and fix warp_routing (#6294) schema - Convert legacy resource.TestCheckResourceAttr to modern ConfigStateChecks - Add comprehensive tfjsonpath navigation for nested attributes - Fix warp_routing Unknown value issue by flattening to warp_routing_enabled - Add proper schema defaults and provider implementation - Update both resource and data source models * feat: chore: use cloudflare-go@next for the 'next' branch * chore: use cloudflare-go@next for the 'next' branch * chore(internal): codegen related update * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(internal): codegen related update * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * fix: enable skipped gateway policy tests and simplify quarantine test (#6296) Enable previously skipped Zero Trust gateway policy tests that were disabled due to feature flag and enterprise requirements. Simplify quarantine test to use single file type to avoid ordering issues. - Enable TestAccCloudflareTeamsRule_HTTP_Quarantine test - Enable TestAccCloudflareTeamsRuleEgressDedicated test - Uncomment testAccCloudflareTeamsRuleConfigEgressDedicated helper function - Simplify quarantine test to use single pdf file type - Remove outdated skip comments and commented code blocks * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(zerot trust dl resources): Add acceptance tests for DLP resources (rebased version of !5751) (#6233) * Add acceptance tests for DLP entries * Add acceptance tests for DLP profiles * added a deprecation date for the entries field * removed the changes to internal/services/zero_trust_dlp_integration_entry/schema.go so that they can be made at the openapi yaml level in our repo * fixed accidental change * Added Vaishak's suggested tests Co-authored-by: Vaishak Dinesh <vaishakpdinesh@gmail.com> * deprecated => sunset --------- Co-authored-by: jjohnson <jjohnson@cloudflare.com> Co-authored-by: Vaishak Dinesh <vaishakpdinesh@gmail.com> * codegen metadata * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(pages_project): only sweep pages projects resources created during testing (#6298) * chore(pages_project): update CLOUDFLARE_PAGES_OWNER and CLOUDFLARE_PAGES_REPO used for acceptance tests (#6300) * chore(api): update composite API spec * chore(api): update composite API spec * chore(r2_bucket_lock, r2_bucket_lifecycle): add acceptance tests (#6299) * chore(api): update composite API spec * fix: fix zero_trust_dex_test tests (#6301) * fix(cloudflare_workflow): download dependencies for workflow resource acceptance tests (#6302) * chore(api): update composite API spec * chore(api): update composite API spec * fix(cloudflare_workers_script): Update docs note for resource (#6304) - Soften language around deprecation based on customer feedback - Explicitly call out cloudflare_worker and cloudflare_worker_version resources as beta * test(r2_custom_domain): add acceptance tests (#6312) * test: add acceptance tests for r2_custom_domain resource * test: update r2 custom domain tests with additional scenarios + randomized subdomain --------- Co-authored-by: Vaishak Dinesh <vaishakpdinesh@gmail.com> * chore: fix errors in `cloudflare_pages_project` acceptance tests (#6318) This follows up #6298 to fix some errors introduced into the test, as well as fixing some longstanding errors in the assumed resource schema used in test cases and config files. This also removes `ExpectNonEmptyPlan: true` from several test cases that were masking false drift problems in the resource. Several tests have been temporarily marked as skipped waiting on upstream fixes to the resource to land. * chore(api): update composite API spec * chore(internal): codegen related update * codegen metadata * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(internal): codegen related update * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * chore(internal): codegen related update * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * fix: correctly detect more ID attributes for data sources * chore(api): update composite API spec * fix: read by id data sources should have required IDs * codegen metadata * chore(api): update composite API spec * feat: fix(content_scanning): content scanning terraform resource * feat(content_scanning): Add content scanning terraform resource * codegen metadata * fix(internal): correctly generate schema according to annotations * codegen metadata * chore(api): update composite API spec * chore(internal): codegen related update * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(internal): codegen related update * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(zero_trust_dlp_custom_profile): shared_entries acceptance tests (#6317) * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * codegen metadata * feat: feat: SDKs for Organizations and OrganizationsProfile * chore: Add back in skips for Org accounts * chore: Maintain skips in Organization-Members resource * chore: remove codegen skips from Orgs related resources * chore(api_shield): Acceptance tests increase coverage (#6325) This change adds acceptance tests for the api_shield resource. * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * feat(zero_trust_access_application): Add support for MCP & MCP_PORTAL (#6326) * chore(zero_trust_network_hostname_route): Add acceptance tests for Hostname Routes (#6282) * fix(zero_trust_access_service_token): client secret versioning (#6328) * fix(notification_policy): address drift due to unordered lists, converted to sets (#6316) Co-authored-by: Henry Clausen <hclausen@cloudflare.com> * chore(organizations and organization_profiles): Acceptance Tests and wait after create (#6329) * feat: Add Organizations Acceptance Tests * orgs profile tests * chore: Add a sleep to orgs create, because of 403 issue. * Chore: remove the 30s sleep in update. * fix(cloudflare_r2_bucket_sippy): attribute name in example (#6336) * fix(migrate): add target flag to specify resources (#6324) * feat: fix(workers_domain): treat `PUT /workers/domains` as a create operation * fix(workers_domain): treat `PUT /workers/domains` as a create operation * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * codegen metadata * codegen metadata * codegen metadata * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * feat: feat(api): add mcp portals endpoints * feat: feat(radar): add new group by dimension endpoints; deprecate to_markdown endpoint * chore(api): update composite API spec * chore(zero_trust_connectivity_directory_service): Add wvpc / connectivity directory servic acceptance tests (#6334) * Add acceptance tests for content_scanning (#6344) * chore(api): update composite API spec * codegen metadata * feat: feat: add connectivity directory service APIs to openapi.stainless.yml * fix: add proper terraform annotations to connectivity_directory_service * feat: add connectivity directory service APIs to openapi.stainless.yml * chore(api): update composite API spec * chore(queue): Acceptance tests (#6339) * fix(cloudflare_worker_version): replace when module content_sha256 value changes (#6335) - Previously, Terraform would attempt to update the resource in-place when module content_sha256 was the only change, but this resource can't be updated in-place - Instead, the resource should be replaced when any module content_sha256 value changes * chore(logpush_jobs): Add tests from basic to full fields, and changes on omitempty field (#6337) This adds tests in `logpush_jobs` for changing from basic to full fields, and changes on `omitempty` field. * chore(api): update composite API spec * chore(api): update composite API spec * chore(api): update composite API spec * codegen metadata * chore(api): update composite API spec * feat: chore(abuse): rename path parameter * chore(abuse): rename path parameter * fix(workers_version): inconsistent binding order causing inconsistent result after apply (#6342) * chore(organizations): wire up acceptance test in CI (#6349) * chore: wire up organizations acceptance test * chore: use email in plain text * fix(account_member): update policies test by selecting correct resource group (#6352) * chore(api): update composite API spec * feat: ci: trigger prod build * ci: trigger prod build * bug(cloudflare_list): don't explicitly import nested items (#6262) Co-authored-by: Brad Swenson <bswenson@cloudflare.com> * chore: update pr template (#6359) * codegen metadata * codegen metadata * chore(api): update composite API spec * chore(api): update composite API spec * feat: chore: pin cloudflare-go for provider release * fix(zero_trust_dex_test): fix duplicate key, imports (#6366) Fixes some invalid code in `zero_trust_dex_test`: - removes duplicate `targeted` attribute - adds missing `customfield` import * fix(custom_pages): update type enumerations (#6369) Enumeration values for the validator were somehow removed, most likely a bad conflict resolution. This patch adds them back. * fix(zero_trust_dex_test): ensure model/schema parity (#6370) Updates the `zero_trust_dex_test` resource to align the models' and schemas' `target_policies` attribute. * fix(custom_pages): fix broken tests (#6372) * feat: ci: remove zero_trust_connectivity_directory_service This resource was never released and will be renamed to just `connectivity_directory_service` in the future. This patch just removes the resource for now so we can release the provider. * fix: restore missing testdata (#6378) * fix(organization): restore missing testdata Restores custom code that was incorrectly removed as part of a conflict resolution. * fix(workflow): restore missing testdata Restores custom code that was incorrectly removed as part of a conflict resolution. * docs: generate terraform documentation (#6384) * fix: ensure model/schema parity across several resources (#6379) * fix(organization): fix model/schema parity * fix(r2_bucket_event_notification): fix model/schema parity * fix(zero_trust_access_application): fix model/schema parity * fix(zero_trust_dex_test): fix model/schema parity * fix(zero_trust_network_hostname_route): drop unnecessary prechecks * ci(organization): termporarily skip model/schema parity checks * chore(organization_profile): add org id env variable for acceptance tests (#6382) * ci: fix acceptance tests (#6385) * fix(queue): fix bad test data * ci(zone_dnssec): skip bad test Skipping since this test is consistently failing auth. This is consistent across v5.11.0 and the new release branch. ``` === RUN TestAccCloudflareZoneDNSSEC_Presigned resource_test.go:196: Step 1/2 error: Error running apply: exit status 1 Error: failed to make http request with cloudflare_zone_dnssec.urnfhldnml, on terraform_plugin_test.tf line 11, in resource "cloudflare_zone_dnssec" "urnfhldnml": 11: resource "cloudflare_zone_dnssec" "urnfhldnml" { PATCH "https://api.cloudflare.com/client/v4/zones/e3f462b432dd82b7329cc29bbbb4e8a6/dnssec": 403 Forbidden {"success":false,"errors":[{"code":10000,"message":"Authentication error"}]} ``` * fix(custom_pages): fix bad waf_challenge tests The `waf_challenge` type doesn't appear in the OpenAPI definition any more. Updating existing migration tests to use country_challenge instead. * fix(queue): work around inconsistent CRUD API Adds custom code to the `queue` resource to work around the API's inconsistent responses. The response payloads differ depending on the operation, causing issues withstate. ``` --- FAIL: TestAccCloudflareQueue_Basic (8.85s) resource_test.go:154: Step 3/3 error running import: ImportStateVerify attributes not equivalent. Difference is shown below. The - symbol indicates attributes missing after import. map[string]string{ + "consumers_total_count": "0", + "producers_total_count": "0", } ``` This patch ensure that ConsumersTotalCount and ProducersTotalCount are set to 0 when (and only if) the API doesn't return these fields. * ci(zero_trust_tunnel_cloudflared_virtual_network): fix broken sweeper * Revert " bug(cloudflare_list): don't explicitly import nested items (#6262)" (#6389) This reverts commit ea04616. * ci: fix acceptance tests (round 2) (#6390) * fix(queue): fix bad testdata Fixes invalid testdata for queues. ``` --- FAIL: TestAccCloudflareQueue_Settings_UpdateRetention (3.85s) resource_test.go:60: Step 1/2 error: Error running apply: exit status 1 Error: failed to make http request with cloudflare_queue.qnwlkvehqj, on terraform_plugin_test.tf line 11, in resource "cloudflare_queue" "qnwlkvehqj": 11: resource "cloudflare_queue" "qnwlkvehqj" { POST "https://api.cloudflare.com/client/v4/accounts/f037e56e89293a057740de681ac9abbe/queues": 400 Bad Request { "result": null, "success": false, "errors": [ { "code": 100128, "message": "Queue 'qnwlkvehqj' has invalid settings: message_retention_period must be between 60 and 1209600 seconds." } ], "messages": [] } ``` * ci(queue): skip TestAccCloudflareQueue_Settings_UpdateDeliveryPaused Skips the `TestAccCloudflareQueue_Settings_UpdateDeliveryPaused` test for now until the API changes can make their way through codegen. ``` --- FAIL: TestAccCloudflareQueue_Settings_UpdateDeliveryPaused (8.85s) resource_test.go:29: Step 2/2 error: After applying this test step, the refresh plan was not empty. stdout Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # cloudflare_queue.tdcolxmjmr will be updated in-place ~ resource "cloudflare_queue" "tdcolxmjmr" { ~ consumers = [] -> (known after apply) ~ consumers_total_count = 0 -> (known after apply) ~ created_on = "2025-10-29T20:40:33.662817Z" -> (known after apply) id = "99f0751ecf114c38a90a8cebce0a0ff5" ~ modified_on = "2025-10-29T20:40:36.647573Z" -> (known after apply) ~ producers = [] -> (known after apply) ~ producers_total_count = 0 -> (known after apply) ~ settings = { ~ delivery_delay = 0 -> (known after apply) + delivery_paused = true ~ message_retention_period = 345600 -> (known after apply) } # (3 unchanged attributes hidden) } ``` Root cause is that the API doesn't return `delivery_paused` in the response following the PUT request: ``` PUT /client/v4/accounts/f037e56e89293a057740de681ac9abbe/queues/3323539e98874020bf94c14ff44fd961 { "queue_name": "smyqtafgoi", "settings": { "delivery_paused": true } } ``` ``` HTTP 200 { "errors": [], "messages": [], "result": { "created_on": "2025-10-29T22:38:19.234751Z", "modified_on": "2025-10-29T22:38:22.327117Z", "queue_id": "3323539e98874020bf94c14ff44fd961", "queue_name": "smyqtafgoi", "settings": { "delivery_delay": 0, "message_retention_period": 345600 } }, "success": true } ``` * fix(ruleset): skip invalid test Mirage and the Disable Apps feature are currently deprecated, but it looks like they've been partially EOL'd. ``` --- FAIL: TestAccCloudflareRuleset_SetConfigRules (10.45s) ruleset_test.go:6489: Step 2/4 error: Error running apply: exit status 1 Error: failed to make http request with cloudflare_ruleset.my_ruleset, on 2.tf line 3, in resource "cloudflare_ruleset" "my_ruleset": 3: resource "cloudflare_ruleset" "my_ruleset" { PUT "https://api.cloudflare.com/client/v4/zones/0da42c8d2132a9ddaf714f9e7c920711/rulesets/b42c166fd6b34f54996fb6e4e093c6cd": 400 Bad Request { "result": null, "success": false, "errors": [ { "code": 20251, "message": "disable_apps is deprecated", "source": { "pointer": "/rules/0/action_parameters/disable_apps" } }, { "code": 20252, "message": "mirage has been deprecated and will be ignored", "source": { "pointer": "/rules/0/action_parameters/mirage" } } ], "messages": [] } ``` * fix(zero_trust_dlp_custom_profile): fix read, refresh, import (#6391) Acceptance tests were failing on a non-empty refresh plan. ``` === RUN TestAccCloudflareZeroTrustDlpCustomProfile_Basic resource_test.go:46: Step 2/3 error: After applying this test step, the refresh plan was not empty. stdout Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # cloudflare_zero_trust_dlp_custom_profile.garhxylojy will be updated in-place ~ resource "cloudflare_zero_trust_dlp_custom_profile" "garhxylojy" { ~ ai_context_enabled = false -> true ~ created_at = "2025-10-30T01:33:30Z" -> (known after apply) id = "15e4364d-3692-42f6-b8c9-ec7b8818a944" name = "garhxylojy-updated" + open_access = (known after apply) ~ type = "custom" -> (known after apply) ~ updated_at = "2025-10-30T01:33:34Z" -> (known after apply) # (5 unchanged attributes hidden) } Plan: 0 to add, 1 to change, 0 to destroy. ``` Fixes: - updated the Read operation to use `apijson.UnmarshalComputed`; makes attributes like `ai_context_enabled` visible for state - use `UseStateForUnknown` for `creted_at` - use `ImportStateVerifyIgnore` to work around inconsistent CRUD * fix(zero_trust_tunnel_cloudflared_virtual_network): fix sweeper panics (#6392) Fixes panics observed in CI when sweepers run for the `zero_trust_tunnel_cloudflared_virtual_network` resource. ``` 2025/10/30 00:16:16 [DEBUG] Running Sweepers for region (all): 2025/10/30 00:16:16 [DEBUG] Running Sweeper (cloudflare_zero_trust_tunnel_cloudflared_virtual_network) in region (all) 2025/10/30 00:16:16 [DEBUG] Completed Sweeper (cloudflare_zero_trust_tunnel_cloudflared_virtual_network) in region (all) in 294.541µs Error: /30 00:16:16 [ERROR] Error running Sweeper (cloudflare_zero_trust_tunnel_cloudflared_virtual_network) in region (all): missing required account_id parameter FAIL github.com/cloudflare/terraform-provider-cloudflare/internal/services/zero_trust_tunnel_cloudflared_virtual_network 0.014s FAIL ⚠ Sweeper failed, retrying in 4s... ``` * docs: generate provider documentation (#6394) * release: 5.12.0 --------- Co-authored-by: Tamás Józsa <tamas@cloudflare.com> Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com> Co-authored-by: Louis Sven Goulet <31444858+lorlouis@users.noreply.github.com> Co-authored-by: jjohnson <jjohnson@cloudflare.com> Co-authored-by: Vaishak Dinesh <vaishakpdinesh@gmail.com> Co-authored-by: Cina Saffary <cina@cloudflare.com> Co-authored-by: carolxu-maker <cxu@cloudflare.com> Co-authored-by: Caio Nogueira <56550668+Caio-Nogueira@users.noreply.github.com> Co-authored-by: Max Peterson <64494795+maxwellpeterson@users.noreply.github.com> Co-authored-by: Joshua Johnson <jspspike@gmail.com> Co-authored-by: Jan <1324490+janrueth@users.noreply.github.com> Co-authored-by: Eduardo Gomes <technikome@gmail.com> Co-authored-by: Gonçalo <GoncaloGarcia@users.noreply.github.com> Co-authored-by: Alex Holland <aholland@cloudflare.com> Co-authored-by: Henry Clausen <33390934+hc2116@users.noreply.github.com> Co-authored-by: Henry Clausen <hclausen@cloudflare.com> Co-authored-by: shwetangd <shwetang@cloudflare.com> Co-authored-by: Eric Falcao <efalcao@gmail.com> Co-authored-by: George <gyoxall@cloudflare.com> Co-authored-by: jkoe-cf <152918105+jkoe-cf@users.noreply.github.com> Co-authored-by: Sohei Okamoto <sohei@cloudflare.com> Co-authored-by: Adam Bouhmad <adbouhmad@gmail.com> Co-authored-by: Brad <broswen@users.noreply.github.com> Co-authored-by: Brad Swenson <bswenson@cloudflare.com> Co-authored-by: Michael Girouard <206137+mgirouard@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes panics observed in CI when sweepers run for the
zero_trust_tunnel_cloudflared_virtual_networkresource.Changes being requested
Additional context & links