AUTH-6586 adds identity update behavior field to access identity prov…

…ider

.changelog/4602.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/cloudflare_access_identity_provider: Adds identity update behavior field in SCIM configuration
+```

go.mod

@@ -6,7 +6,7 @@ toolchain go1.22.5
 
 require (
 	github.com/agext/levenshtein v1.2.3 // indirect
-	github.com/cloudflare/cloudflare-go v0.109.0
+	github.com/cloudflare/cloudflare-go v0.110.0
 	github.com/fatih/color v1.16.0 // indirect
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/errwrap v1.1.0 // indirect
@@ -30,7 +30,7 @@ require (
 	golang.org/x/net v0.31.0
 	golang.org/x/sys v0.27.0 // indirect
 	golang.org/x/text v0.20.0 // indirect
-	golang.org/x/time v0.7.0 // indirect
+	golang.org/x/time v0.8.0 // indirect
 )
 
 require (

go.sum

@@ -53,6 +53,8 @@ github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vc
 github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
 github.com/cloudflare/cloudflare-go v0.109.0 h1:Wjp+RfJD1lidIFUlrTBqUQnCBrUnmVsLxgzWYiURueg=
 github.com/cloudflare/cloudflare-go v0.109.0/go.mod h1:m492eNahT/9MsN7Ppnoge8AaI7QhVFtEgVm3I9HJFeU=
+github.com/cloudflare/cloudflare-go v0.110.0 h1:aBKKUXwRWqErd4rITsnCLESOacxxset/BcpdXn23900=
+github.com/cloudflare/cloudflare-go v0.110.0/go.mod h1:2ZZ+EkmThmd6pkZ56UKGXWpz2wsjeqoTg93P4+VSmMg=
 github.com/cloudflare/cloudflare-go/v2 v2.4.0 h1:gys/26GoVDklgfq8NYV39WgvOEwzK/XAqYObmnI6iFg=
 github.com/cloudflare/cloudflare-go/v2 v2.4.0/go.mod h1:AoIzb05z/rvdJLztPct4tSa+3IqXJJ6c+pbUFMOlTr8=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
@@ -264,6 +266,8 @@ golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
 golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
 golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
 golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg=
+golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=

internal/sdkv2provider/resource_cloudflare_access_identity_provider.go

@@ -283,6 +283,7 @@ func convertScimConfigSchemaToStruct(d *schema.ResourceData) cloudflare.AccessId
 		ScimConfig.GroupMemberDeprovision = d.Get("scim_config.0.group_member_deprovision").(bool)
 		ScimConfig.UserDeprovision = d.Get("scim_config.0.user_deprovision").(bool)
 		ScimConfig.SeatDeprovision = d.Get("scim_config.0.seat_deprovision").(bool)
+		ScimConfig.IdentityUpdateBehavior = d.Get("scim_config.0.identity_update_behavior").(string)
 	}
 
 	return ScimConfig
@@ -334,6 +335,7 @@ func convertAccessIDPScimConfigStructToSchema(secret string, options cloudflare.
 		"user_deprovision":         options.UserDeprovision,
 		"seat_deprovision":         options.SeatDeprovision,
 		"group_member_deprovision": options.GroupMemberDeprovision,
+		"identity_update_behavior": options.IdentityUpdateBehavior,
 	}
 
 	return []interface{}{m}

internal/sdkv2provider/resource_cloudflare_access_identity_provider_test.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"log"
 	"os"
+	"regexp"
 	"strings"
 	"testing"
 
@@ -253,12 +254,34 @@ func TestAccCloudflareAccessIdentityProvider_AzureAD(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "scim_config.0.user_deprovision", "true"),
 					resource.TestCheckResourceAttr(resourceName, "scim_config.0.seat_deprovision", "true"),
 					resource.TestCheckResourceAttr(resourceName, "scim_config.0.group_member_deprovision", "true"),
+					resource.TestCheckResourceAttr(resourceName, "scim_config.0.identity_update_behavior", "reauth"),
 				),
 			},
 		},
 	})
 }
 
+func TestAccCloudflareAccessIdentityProvider_IdentityUpdateBehaviorErr(t *testing.T) {
+	skipForDefaultAccount(t, "Pending investigation into automating Azure IDP.")
+
+	t.Parallel()
+	accountID := os.Getenv("CLOUDFLARE_ACCOUNT_ID")
+	rnd := generateRandomResourceName()
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+			testAccPreCheckAccount(t)
+		},
+		ProviderFactories: providerFactories,
+		Steps: []resource.TestStep{
+			{
+				Config:      testAccCheckCloudflareAccessIdentityProviderAzureADBadIdentityUpdateBehavior(accountID, rnd),
+				ExpectError: regexp.MustCompile("value dance was not one of \\[no_action reauth automatic]"),
+			},
+		},
+	})
+}
+
 func TestAccCloudflareAccessIdentityProvider_OAuth_Import(t *testing.T) {
 	t.Parallel()
 	accountID := os.Getenv("CLOUDFLARE_ACCOUNT_ID")
@@ -439,6 +462,7 @@ resource "cloudflare_zero_trust_access_identity_provider" "%[2]s" {
 		group_member_deprovision = true
 		seat_deprovision         = true
 		user_deprovision         = true
+		identity_update_behavior = "reauth"
 	}
 }`, accountID, name)
 }
@@ -457,9 +481,32 @@ resource "cloudflare_zero_trust_access_identity_provider" "%[2]s" {
 	}
 	scim_config {
 		enabled                  = true
-		group_member_deprovision = true
+		group_member_deprovision = false
+		seat_deprovision         = false
+		user_deprovision         = true
+		identity_update_behavior = "automatic"
+	}
+}`, accountID, name)
+}
+
+func testAccCheckCloudflareAccessIdentityProviderAzureADBadIdentityUpdateBehavior(accountID, name string) string {
+	return fmt.Sprintf(`
+resource "cloudflare_zero_trust_access_identity_provider" "%[2]s" {
+	account_id = "%[1]s"
+	name       = "%[2]s"
+	type       = "azureAD"
+	config {
+		client_id      = "test2"
+		client_secret  = "test2"
+		directory_id   = "directory"
+		support_groups = true
+	}
+	scim_config {
+		enabled                  = true
+		group_member_deprovision = false
 		seat_deprovision         = false
 		user_deprovision         = true
+		identity_update_behavior = "dance"
 	}
 }`, accountID, name)
 }

internal/sdkv2provider/resource_cloudflare_teams_accounts.go

@@ -462,7 +462,7 @@ func inflateLoggingSettings(log interface{}) *cloudflare.TeamsLoggingSettings {
 				LogBlocks: l4RuleSettings["log_blocks"].(bool),
 			},
 		},
-		RedactPii: logSettings["redact_pii"].(bool),
+		RedactPii: cloudflare.BoolPtr(logSettings["redact_pii"].(bool)),
 	}
 }
 

internal/sdkv2provider/schema_cloudflare_access_identity_provider.go

@@ -2,12 +2,21 @@ package sdkv2provider
 
 import (
 	"fmt"
+	"github.com/hashicorp/go-cty/cty"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"slices"
 
 	"github.com/cloudflare/terraform-provider-cloudflare/internal/consts"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 )
 
+const (
+	IdentityUpdateBehaviorNoAction  = "no_action"
+	IdentityUpdateBehaviorReauth    = "reauth"
+	IdentityUpdateBehaviorAutomatic = "automatic"
+)
+
 func resourceCloudflareAccessIdentityProviderSchema() map[string]*schema.Schema {
 	return map[string]*schema.Schema{
 		consts.AccountIDSchemaKey: {
@@ -207,6 +216,27 @@ func resourceCloudflareAccessIdentityProviderSchema() map[string]*schema.Schema
 						Type:     schema.TypeBool,
 						Optional: true,
 					},
+					"identity_update_behavior": {
+						Type:     schema.TypeString,
+						Optional: true,
+						ValidateDiagFunc: func(val interface{}, path cty.Path) diag.Diagnostics {
+							s, ok := val.(string)
+
+							if !ok {
+								return diag.Errorf("value %s was not a string", val)
+							}
+
+							allowedValues := []string{IdentityUpdateBehaviorNoAction, IdentityUpdateBehaviorReauth, IdentityUpdateBehaviorAutomatic}
+
+							isValid := slices.Contains(allowedValues, s)
+
+							if !isValid {
+								return diag.Errorf("value %s was not one of %s", val, allowedValues)
+							}
+
+							return nil
+						},
+					},
 				},
 			},
 		},